Malware Analysis Report

2024-11-16 13:25

Sample ID 241009-zpx3bsyara
Target e81df4b45caf68c9600fab81448e58af0f865c2f1a93041cdf64456b71e9c1fcN
SHA256 e81df4b45caf68c9600fab81448e58af0f865c2f1a93041cdf64456b71e9c1fc
Tags urelas discovery trojan
Score 10/10

Table of Contents

Analysis Overview
    MITRE ATT&CK
        Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 e81df4b45caf68c9600fab81448e58af0f865c2f1a93041cdf64456b71e9c1fc

Threat Level: Known bad

The file e81df4b45caf68c9600fab81448e58af0f865c2f1a93041cdf64456b71e9c1fcN was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Deletes itself

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

Discovery: System Location Discovery: System Language Discovery (T1614.001). Observed in both detonations as the sample, both dropped executables and cmd.exe opening \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language.

Analysis: static1

Detonation Overview

Reported

2024-10-09 20:54

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-09 20:54

Reported

2024-10-09 20:56

Platform

win7-20240903-en

Max time kernel

119s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e81df4b45caf68c9600fab81448e58af0f865c2f1a93041cdf64456b71e9c1fcN.exe"

Signatures

Urelas

Tags trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\siahk.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\loguc.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e81df4b45caf68c9600fab81448e58af0f865c2f1a93041cdf64456b71e9c1fcN.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\siahk.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\loguc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 1120 wrote to memory of 2312 | N/A | C:\Users\Admin\AppData\Local\Temp\e81df4b45caf68c9600fab81448e58af0f865c2f1a93041cdf64456b71e9c1fcN.exe | C:\Users\Admin\AppData\Local\Temp\siahk.exe | 4
PID 1120 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\e81df4b45caf68c9600fab81448e58af0f865c2f1a93041cdf64456b71e9c1fcN.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 2312 wrote to memory of 2984 | N/A | C:\Users\Admin\AppData\Local\Temp\siahk.exe | C:\Users\Admin\AppData\Local\Temp\loguc.exe | 4
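
The WriteProcessMemory rows are flattened sandbox output: every call is logged as its own row, and the parent/child structure (sample writes into siahk.exe and cmd.exe, siahk.exe writes into loguc.exe) has to be recovered from the PIDs. The Python below is an added example, not code from the report or from the sandbox that produced it. It parses the twelve rows exactly as printed in this section into a process tree and counts the writes on each edge; its only assumption is the row layout shown on this page (the image paths contain no spaces, so whitespace splitting is safe).

```python
import re
from collections import Counter, defaultdict

# The twelve rows of the behavioral1 "Suspicious use of WriteProcessMemory" table, copied from
# the report above. Repeated rows are real: the sandbox logs every WriteProcessMemory call.
WPM_ROWS = r"""
PID 1120 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\e81df4b45caf68c9600fab81448e58af0f865c2f1a93041cdf64456b71e9c1fcN.exe C:\Users\Admin\AppData\Local\Temp\siahk.exe
PID 1120 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\e81df4b45caf68c9600fab81448e58af0f865c2f1a93041cdf64456b71e9c1fcN.exe C:\Users\Admin\AppData\Local\Temp\siahk.exe
PID 1120 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\e81df4b45caf68c9600fab81448e58af0f865c2f1a93041cdf64456b71e9c1fcN.exe C:\Users\Admin\AppData\Local\Temp\siahk.exe
PID 1120 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\e81df4b45caf68c9600fab81448e58af0f865c2f1a93041cdf64456b71e9c1fcN.exe C:\Users\Admin\AppData\Local\Temp\siahk.exe
PID 1120 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\e81df4b45caf68c9600fab81448e58af0f865c2f1a93041cdf64456b71e9c1fcN.exe C:\Windows\SysWOW64\cmd.exe
PID 1120 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\e81df4b45caf68c9600fab81448e58af0f865c2f1a93041cdf64456b71e9c1fcN.exe C:\Windows\SysWOW64\cmd.exe
PID 1120 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\e81df4b45caf68c9600fab81448e58af0f865c2f1a93041cdf64456b71e9c1fcN.exe C:\Windows\SysWOW64\cmd.exe
PID 1120 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\e81df4b45caf68c9600fab81448e58af0f865c2f1a93041cdf64456b71e9c1fcN.exe C:\Windows\SysWOW64\cmd.exe
PID 2312 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\siahk.exe C:\Users\Admin\AppData\Local\Temp\loguc.exe
PID 2312 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\siahk.exe C:\Users\Admin\AppData\Local\Temp\loguc.exe
PID 2312 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\siahk.exe C:\Users\Admin\AppData\Local\Temp\loguc.exe
PID 2312 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Local\Temp\siahk.exe C:\Users\Admin\AppData\Local\Temp\loguc.exe
"""

# Row layout: "PID <src> wrote to memory of <dst> <indicator> <src image> <dst image>".
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (\S+) (\S+)$")


def parse_wpm_rows(text):
    """Parse the flattened rows into (src_pid, dst_pid, src_image, dst_image) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        src_pid, dst_pid, _indicator, src_img, dst_img = m.groups()
        events.append((int(src_pid), int(dst_pid), src_img, dst_img))
    return events


def build_tree(events):
    """Return (images, children, counts).

    images:   pid -> image path
    children: writer pid -> sorted list of pids it wrote into
    counts:   (writer pid, target pid) -> number of WriteProcessMemory events on that edge
    """
    images, children, counts = {}, defaultdict(set), Counter()
    for src_pid, dst_pid, src_img, dst_img in events:
        images[src_pid] = src_img
        images[dst_pid] = dst_img
        children[src_pid].add(dst_pid)
        counts[(src_pid, dst_pid)] += 1
    return images, {p: sorted(c) for p, c in children.items()}, counts


def roots(children):
    """Writers that nothing wrote into: the initially executed sample."""
    written_to = {c for cs in children.values() for c in cs}
    return sorted(p for p in children if p not in written_to)


def render_tree(images, children, counts, pid, depth=0, parent=None):
    """Indented text tree; each child is annotated with the writes it received from its parent."""
    note = "" if parent is None else f"   <- {counts[(parent, pid)]} writes from PID {parent}"
    lines = [f"{'    ' * depth}{pid}  {images[pid]}{note}"]
    for child in children.get(pid, []):
        lines.extend(render_tree(images, children, counts, child, depth + 1, pid))
    return lines


if __name__ == "__main__":
    events = parse_wpm_rows(WPM_ROWS)
    images, children, counts = build_tree(events)
    for root in roots(children):
        print("\n".join(render_tree(images, children, counts, root)))
```

Four writes per edge is consistent with a parent populating a freshly created child before it runs; the count is worth keeping in the tree because a much larger number on one edge would point to injection rather than ordinary process start-up.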

Processes

C:\Users\Admin\AppData\Local\Temp\e81df4b45caf68c9600fab81448e58af0f865c2f1a93041cdf64456b71e9c1fcN.exe

"C:\Users\Admin\AppData\Local\Temp\e81df4b45caf68c9600fab81448e58af0f865c2f1a93041cdf64456b71e9c1fcN.exe"

C:\Users\Admin\AppData\Local\Temp\siahk.exe

"C:\Users\Admin\AppData\Local\Temp\siahk.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\loguc.exe

"C:\Users\Admin\AppData\Local\Temp\loguc.exe"

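The process list above shows two patterns that process-creation telemetry can catch without any hash: an executable in the user's Temp directory starting another executable dropped into the same directory (the sample starts siahk.exe, which starts loguc.exe), and an executable in Temp running a Temp batch file through cmd.exe /c (the _uinsey.bat launch, which the report ties to its "Deletes itself" signature on cmd.exe). The Python below is an added example, not code from the report or the sandbox. The event dictionaries are constructed here in a Sysmon-like shape (ParentImage, Image, CommandLine, ProcessId); the first three reproduce the behavioral1 chain and the others are benign controls. The rule names are hypothetical.

```python
import re

# Paths are compared case-insensitively; Windows paths are.
TEMP_DIR_RE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)
CMD_IMAGE_RE = re.compile(r"\\(system32|syswow64)\\cmd\.exe$", re.IGNORECASE)
TEMP_BAT_RE = re.compile(r"\\appdata\\local\\temp\\[^\"\s]+\.bat", re.IGNORECASE)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e81df4b45caf68c9600fab81448e58af0f865c2f1a93041cdf64456b71e9c1fcN.exe"

# Constructed process-creation events. Events 0-2 mirror the behavioral1 chain from the
# report (PIDs 2312, 3040, 2984); events 3-5 are benign controls that must not alert.
SAMPLE_EVENTS = [
    {"ProcessId": 2312, "ParentImage": SAMPLE,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\siahk.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\siahk.exe"'},
    {"ProcessId": 3040, "ParentImage": SAMPLE,
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "'},
    {"ProcessId": 2984, "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\siahk.exe",
     "Image": r"C:\Users\Admin\AppData\Local\Temp\loguc.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\loguc.exe"'},
    {"ProcessId": 5012, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "CommandLine": r'"C:\Program Files\Notepad++\notepad++.exe"'},
    {"ProcessId": 5100, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\ipconfig.exe",
     "CommandLine": "ipconfig /all"},
    # An installer run from Downloads that extracts a helper into Temp: child is in Temp,
    # parent is not, so it must stay quiet.
    {"ProcessId": 5200, "ParentImage": r"C:\Users\Admin\Downloads\setup.exe",
     "Image": r"C:\Users\Admin\AppData\Local\Temp\is-K3J2.tmp\setup.tmp",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\is-K3J2.tmp\setup.tmp"'},
]


def in_user_temp(path):
    return TEMP_DIR_RE.search(path) is not None


def evaluate(event):
    """Return the (hypothetical) rule names this one event triggers."""
    parent, image, cmdline = event["ParentImage"], event["Image"], event["CommandLine"]
    hits = []
    # Temp-resident executable launching another Temp-resident executable. Keyed on the
    # parent as well as the child, because installers routinely run helpers out of Temp.
    if in_user_temp(parent) and in_user_temp(image):
        hits.append("temp_exe_spawns_temp_exe")
    # Temp-resident executable running a Temp batch file via cmd.exe /c.
    if (in_user_temp(parent) and CMD_IMAGE_RE.search(image)
            and "/c" in cmdline.lower() and TEMP_BAT_RE.search(cmdline)):
        hits.append("temp_exe_runs_temp_batch_via_cmd")
    return hits


def scan(events):
    """(ProcessId, Image, rules) for every event that triggers at least one rule."""
    alerts = []
    for event in events:
        hits = evaluate(event)
        if hits:
            alerts.append((event["ProcessId"], event["Image"], hits))
    return alerts


if __name__ == "__main__":
    for pid, image, rules in scan(SAMPLE_EVENTS):
        print(f"PID {pid:<5} {image}")
        print(f"          {', '.join(rules)}")
```

The batch-file rule matches the Win7 command line shown above; the Win10 run in behavioral2 spells the image as C:\Windows\system32\cmd.exe, which the same image pattern covers. Neither rule depends on the randomised file names (siahk, loguc, piuto, qywog), which is the point: the names differ between the two detonations but the shape of the chain does not.
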
Network

Country | Destination | Domain | Proto
KR | 218.54.31.226:11300 | N/A | tcp
KR | 1.234.83.146:11170 | N/A | tcp
KR | 218.54.31.166:11300 | N/A | tcp
JP | 133.242.129.155:11300 | N/A | tcp

Files

memory/1120-1-0x0000000000020000-0x0000000000021000-memory.dmp

memory/1120-0-0x00000000003B0000-0x0000000000431000-memory.dmp

\Users\Admin\AppData\Local\Temp\siahk.exe

MD5 786edb77e190a3dd81bba6c8fdf6ab19
SHA1 1b6e1e28cfdd258928709f9f52df5e1e5b626e5e
SHA256 854ab8a540def1ae99ee36f6b46d3e0730f3a93a2500e53eaaff01f6bb1bf7d0
SHA512 438a6445375d00ca4400a43324bea5b80e49af641d5bde2ea188b12bcf4a8e5349c27af5ee23dbb17665548e31a8a618a90cfb9336efff246cbf7a32678f1645

memory/1120-7-0x0000000002550000-0x00000000025D1000-memory.dmp

memory/1120-19-0x00000000003B0000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 a129f7006d659db178e1b168e315ce17
SHA1 d5afb73a25320a15b22829bdc3605e947d080b1a
SHA256 90bb0f37a3cd9b41352b910ad81fec35c2230c763f6e66f5646cd3e1ca6b500a
SHA512 75988da030b8b745b11a2fb739412ef18a8f6ea0043e537b678668c426ed8494749ea8a13c2c91a9a274d5af519b6ba2115367e371fc1c3066d66609621bec0c

memory/2312-21-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2312-20-0x0000000000030000-0x00000000000B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 79f0faa572994b5ffb98a08b636e34c5
SHA1 7698bad2fc5bd3eeeab1e3e6075eb0157e13b193
SHA256 b46e406c950527d8d96b864eb25c72bc90fd932bd3312bfa8beffd59c7bfcc16
SHA512 1ed6db9ef7d8c5224878f271b0e38c669bbeeeabb05b48e076f364ecd160d04f5232a9e25ad648a637accc2e9b198b79e69d01e2343a59133b4a41088432a38c

memory/2312-25-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2312-24-0x0000000000030000-0x00000000000B1000-memory.dmp

\Users\Admin\AppData\Local\Temp\loguc.exe

MD5 b5d1597c697ba9d2b55573d7bb6dc0a9
SHA1 d8bc43d1b8f0c518bc053e57125f99fec2696e35
SHA256 b6f41f56bae2fdd0ece209869283ccced725426402ca18eaced939e1edb16513
SHA512 83a9b7d2676b154353a72dbb8a8293fe86c487200e887cf2f1f1f0df952eaab0bdd0ff932ee15ddcc3c8c637770791014a28ca9dd820ad616db2b1ce97b9bb79

memory/2312-38-0x0000000002280000-0x0000000002319000-memory.dmp

memory/2984-44-0x0000000000290000-0x0000000000329000-memory.dmp

memory/2984-43-0x0000000000290000-0x0000000000329000-memory.dmp

memory/2312-42-0x0000000000030000-0x00000000000B1000-memory.dmp

memory/2984-48-0x0000000000290000-0x0000000000329000-memory.dmp

memory/2984-49-0x0000000000290000-0x0000000000329000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-09 20:54

Reported

2024-10-09 20:56

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e81df4b45caf68c9600fab81448e58af0f865c2f1a93041cdf64456b71e9c1fcN.exe"

Signatures

Urelas

Tags trojan urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e81df4b45caf68c9600fab81448e58af0f865c2f1a93041cdf64456b71e9c1fcN.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\piuto.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\piuto.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qywog.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\qywog.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\e81df4b45caf68c9600fab81448e58af0f865c2f1a93041cdf64456b71e9c1fcN.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\piuto.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Events
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qywog.exe | N/A | 48

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Events
PID 1532 wrote to memory of 1448 | N/A | C:\Users\Admin\AppData\Local\Temp\e81df4b45caf68c9600fab81448e58af0f865c2f1a93041cdf64456b71e9c1fcN.exe | C:\Users\Admin\AppData\Local\Temp\piuto.exe | 3
PID 1532 wrote to memory of 4520 | N/A | C:\Users\Admin\AppData\Local\Temp\e81df4b45caf68c9600fab81448e58af0f865c2f1a93041cdf64456b71e9c1fcN.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 1448 wrote to memory of 3460 | N/A | C:\Users\Admin\AppData\Local\Temp\piuto.exe | C:\Users\Admin\AppData\Local\Temp\qywog.exe | 3

Processes

C:\Users\Admin\AppData\Local\Temp\e81df4b45caf68c9600fab81448e58af0f865c2f1a93041cdf64456b71e9c1fcN.exe

"C:\Users\Admin\AppData\Local\Temp\e81df4b45caf68c9600fab81448e58af0f865c2f1a93041cdf64456b71e9c1fcN.exe"

C:\Users\Admin\AppData\Local\Temp\piuto.exe

"C:\Users\Admin\AppData\Local\Temp\piuto.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\qywog.exe

"C:\Users\Admin\AppData\Local\Temp\qywog.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 105.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
KR | 218.54.31.226:11300 | N/A | tcp
KR | 1.234.83.146:11170 | N/A | tcp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
KR | 218.54.31.166:11300 | N/A | tcp
US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp
JP | 133.242.129.155:11300 | N/A | tcp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.190.18.2.in-addr.arpa | udp
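
The four TCP endpoints in this table (ports 11300 and 11170, hosts in KR and JP) are the same ones the Win7 detonation contacted, which makes them the usable network indicators from this report. The udp/53 rows are PTR (in-addr.arpa) reverse lookups sent to 8.8.8.8 and are not contact with the malware's infrastructure; they should not be turned into indicators. The Python below is an added example, not code from the report or the sandbox. It pulls the TCP endpoints out of the rows exactly as printed above and matches them against firewall log lines; the log line format and the log lines themselves are constructed for the example, and the verdict names are hypothetical.

```python
import re

# The behavioral2 network table, copied from the report above.
NETWORK_ROWS = """\
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 105.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
KR 218.54.31.226:11300 tcp
KR 1.234.83.146:11170 tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
KR 218.54.31.166:11300 tcp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp
JP 133.242.129.155:11300 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 134.190.18.2.in-addr.arpa udp
"""

# Constructed firewall log lines (key=value style assumed for the example). Line 1 is an
# exact hit, line 2 a known host on a different port, line 3 an unknown host on the
# malware's port (203.0.113.9 is a documentation address), lines 4-5 are benign.
SAMPLE_LOG = """\
2024-11-16T09:12:01Z src=10.0.0.23:49812 dst=218.54.31.226:11300 proto=tcp action=allow
2024-11-16T09:12:05Z src=10.0.0.23:49815 dst=1.234.83.146:443 proto=tcp action=allow
2024-11-16T09:13:40Z src=10.0.0.41:51002 dst=203.0.113.9:11300 proto=tcp action=allow
2024-11-16T09:13:41Z src=10.0.0.41:51003 dst=8.8.8.8:53 proto=udp action=allow
2024-11-16T09:14:02Z src=10.0.0.41:51010 dst=10.0.0.5:445 proto=tcp action=allow
"""

# Row layout: "<country> <ip>:<port> [<domain>] <proto>".
ROW_RE = re.compile(r"^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?: (\S+))? (tcp|udp)$")
LOG_RE = re.compile(r"dst=(\d{1,3}(?:\.\d{1,3}){3}):(\d+) proto=(tcp|udp)")


def extract_iocs(text):
    """Set of (ip, port) TCP endpoints from the report's network rows.

    udp rows are DNS traffic (here PTR reverse lookups to 8.8.8.8) and are dropped.
    """
    endpoints = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        _country, ip, port, _domain, proto = m.groups()
        if proto != "tcp":
            continue
        endpoints.add((ip, int(port)))
    return endpoints


def classify(line, endpoints):
    """Verdict for one log line, strongest match first; None when nothing matches."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    ip, port, proto = m.group(1), int(m.group(2)), m.group(3)
    if proto != "tcp":
        return None
    if (ip, port) in endpoints:
        return "c2_endpoint_match"
    if ip in {e[0] for e in endpoints}:
        return "c2_ip_other_port"
    if port in {e[1] for e in endpoints}:
        # Weak: only the unusual port matches. Worth a look, not a block decision.
        return "c2_port_only"
    return None


def scan_logs(text, endpoints):
    """(timestamp, verdict) for every log line that matches an indicator."""
    hits = []
    for line in text.splitlines():
        verdict = classify(line, endpoints)
        if verdict is not None:
            hits.append((line.split()[0], verdict))
    return hits


if __name__ == "__main__":
    iocs = extract_iocs(NETWORK_ROWS)
    for ts, verdict in scan_logs(SAMPLE_LOG, iocs):
        print(ts, verdict)
```

The port-only verdict exists because a C2 host is cheaper to change than a protocol: a new host on 11300 or 11170 is exactly what a later build of the same family would look like. In production it should exclude internal address ranges and be tuned against whatever legitimately uses those ports on the network.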

Files

memory/1532-0-0x00000000001E0000-0x0000000000261000-memory.dmp

memory/1532-1-0x00000000005F0000-0x00000000005F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\piuto.exe

MD5 f6d5aee17541d30bff99dbde86ff3288
SHA1 4cb1b41b41920aaf1dff1e9640762cec330d5456
SHA256 7e08c19e504c9a2d6d4fda28a4297091fd18f86a2839fb7763e79bb6a9a75ca7
SHA512 47b34f75f1466307c910048b716deef858d6bc537e384fe27310df31885491541558d916a001eaec09417e5cbc6d4b6433823499597fd66ba63df48d85e134e9

memory/1448-14-0x0000000000370000-0x0000000000371000-memory.dmp

memory/1448-11-0x00000000003C0000-0x0000000000441000-memory.dmp

memory/1532-17-0x00000000001E0000-0x0000000000261000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 a129f7006d659db178e1b168e315ce17
SHA1 d5afb73a25320a15b22829bdc3605e947d080b1a
SHA256 90bb0f37a3cd9b41352b910ad81fec35c2230c763f6e66f5646cd3e1ca6b500a
SHA512 75988da030b8b745b11a2fb739412ef18a8f6ea0043e537b678668c426ed8494749ea8a13c2c91a9a274d5af519b6ba2115367e371fc1c3066d66609621bec0c

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 042ba83e3e713b5ca18eb65317d8f6cc
SHA1 cc3fbfeeea8cee6202f6aa8b34ac95e5296e8b2c
SHA256 0fffbb2a6c3889a616e5d0f56a1555fd204cf37cbe489ec20727eb789631b018
SHA512 b2cd15677794370328d7a90efe5f0418215689e2050878c4069eda5e9e9ef505410f9de90a4c08576fd70a0add9aec74a34ddae539b96c16dd8e754cd97d6734

memory/1448-20-0x00000000003C0000-0x0000000000441000-memory.dmp

memory/1448-21-0x0000000000370000-0x0000000000371000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qywog.exe

MD5 018711cd81a7011dc8908bf1811a96b5
SHA1 4e903b2500870f01703b2e0410864544f83d19c7
SHA256 072c2e725034e191447fcac4aea2033e67b1e486be2c7996e2d4df2f7f58fa3b
SHA512 77fcca97e98a31eec6a8218c812d5441dbc5da2668b459e7749088608f116edec5fffbc3f70d54172dc45e566c76a298cc53b24a02b290d5e8e4601711ed6503

memory/3460-42-0x0000000000520000-0x0000000000522000-memory.dmp

memory/1448-44-0x00000000003C0000-0x0000000000441000-memory.dmp

memory/3460-39-0x00000000005D0000-0x0000000000669000-memory.dmp

memory/3460-41-0x00000000005D0000-0x0000000000669000-memory.dmp

memory/3460-46-0x00000000005D0000-0x0000000000669000-memory.dmp

memory/3460-47-0x00000000005D0000-0x0000000000669000-memory.dmp