Malware Analysis Report

2024-11-16 13:25

Sample ID 241010-3vt5eatbrh
Target 88d41523a59169832f153e3d1f7fd23c1fb4d311e459be7e1e40c7b139835906N
SHA256 88d41523a59169832f153e3d1f7fd23c1fb4d311e459be7e1e40c7b139835906
Tags
urelas discovery trojan
score
10/10

Analysis Overview

score
10/10

SHA256

88d41523a59169832f153e3d1f7fd23c1fb4d311e459be7e1e40c7b139835906

Threat Level: Known bad

The file 88d41523a59169832f153e3d1f7fd23c1fb4d311e459be7e1e40c7b139835906N was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Deletes itself

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-10 23:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-10 23:50

Reported

2024-10-10 23:52

Platform

win7-20241010-en

Max time kernel

119s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\88d41523a59169832f153e3d1f7fd23c1fb4d311e459be7e1e40c7b139835906N.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cagol.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xousi.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\xousi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\88d41523a59169832f153e3d1f7fd23c1fb4d311e459be7e1e40c7b139835906N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cagol.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2104 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\88d41523a59169832f153e3d1f7fd23c1fb4d311e459be7e1e40c7b139835906N.exe C:\Users\Admin\AppData\Local\Temp\cagol.exe (4 identical entries)
PID 2104 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\88d41523a59169832f153e3d1f7fd23c1fb4d311e459be7e1e40c7b139835906N.exe C:\Windows\SysWOW64\cmd.exe (4 identical entries)
PID 2116 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\cagol.exe C:\Users\Admin\AppData\Local\Temp\xousi.exe (4 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\88d41523a59169832f153e3d1f7fd23c1fb4d311e459be7e1e40c7b139835906N.exe

"C:\Users\Admin\AppData\Local\Temp\88d41523a59169832f153e3d1f7fd23c1fb4d311e459be7e1e40c7b139835906N.exe"

C:\Users\Admin\AppData\Local\Temp\cagol.exe

"C:\Users\Admin\AppData\Local\Temp\cagol.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\xousi.exe

"C:\Users\Admin\AppData\Local\Temp\xousi.exe"

Network

Country Destination Domain Proto
KR 218.54.31.226:11300 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.166:11300 tcp
JP 133.242.129.155:11300 tcp

Files

memory/2104-1-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2104-0-0x0000000000AC0000-0x0000000000B41000-memory.dmp

\Users\Admin\AppData\Local\Temp\cagol.exe

MD5 3267f77f95f6ffd823c07419eff0565b
SHA1 c22612d2094268833d0749af80418a4659d05809
SHA256 bebf183f2824edba73633af935df56d73e69d8e7149832e04350e14e923a6beb
SHA512 5f9170f85a93d72325ba8b1a8fc79eda4b30da90591136fea90a8268ca30aefb8ea149b1d671669a954cc5548744f657afe2fa0ca90b7147e172ee0715fc8883

memory/2116-17-0x0000000000AD0000-0x0000000000B51000-memory.dmp

memory/2116-18-0x0000000000020000-0x0000000000021000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 0ec6dc88a125dc33ea25b82abde5d8c7
SHA1 178f76cc69bbe0d5d9ebd19391c422fa7c040fa6
SHA256 d6609b7c97ee3e26ffec9ab3a404925d1737b55c62767cfd283a686a77bd3ed3
SHA512 63f2e656c55aab111ee6537a5e1189359fe55fdd326c15bfc585756f8182815a7e8775f0c731a252fc1ee8da04f9a2145c96fe6673b05ee898732d4af0c968c2

memory/2104-9-0x0000000000A10000-0x0000000000A91000-memory.dmp

memory/2104-21-0x0000000000AC0000-0x0000000000B41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 7a8bc1ee5918cc31168dfe1c584ba883
SHA1 8146f27c23cebcc796ecd2b54beb231b240f7a24
SHA256 384586dde887b0f2853cdac6debdc20c9fb7696ac8873940802f9f99fd228985
SHA512 560bda137f39bbfc857c0e0bbe7b04dc1023a17db1b9e73a31c958279d794e98436a9d04208ac818ea808f643390e604e0326db4a56e28f9507ee4b9ea227c54

memory/2116-24-0x0000000000AD0000-0x0000000000B51000-memory.dmp

\Users\Admin\AppData\Local\Temp\xousi.exe

MD5 bfceb569be4bbe6f8a7d3608a62a0fcb
SHA1 3e4b5b803914f96861d4aec7c3b1325d14b2d5bd
SHA256 ab57c53fa96910a3048148b9b55191c2a7d6d172e7b443043771a4c781fcbdaa
SHA512 06a78f8129beca28dab1e8d6f44002d198320b908b3091aabbcd99bd4ed70677493b0a5366439ac90ecbb546fd951a08e4d751eef759d955936a58be3c011f48

memory/2116-37-0x0000000003630000-0x00000000036C9000-memory.dmp

memory/1928-43-0x0000000001010000-0x00000000010A9000-memory.dmp

memory/1928-42-0x0000000001010000-0x00000000010A9000-memory.dmp

memory/2116-41-0x0000000000AD0000-0x0000000000B51000-memory.dmp

memory/1928-47-0x0000000001010000-0x00000000010A9000-memory.dmp

memory/1928-48-0x0000000001010000-0x00000000010A9000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-10 23:50

Reported

2024-10-10 23:52

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\88d41523a59169832f153e3d1f7fd23c1fb4d311e459be7e1e40c7b139835906N.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\comij.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\88d41523a59169832f153e3d1f7fd23c1fb4d311e459be7e1e40c7b139835906N.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\comij.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bitay.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bitay.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\88d41523a59169832f153e3d1f7fd23c1fb4d311e459be7e1e40c7b139835906N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\comij.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bitay.exe N/A (48 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1528 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\88d41523a59169832f153e3d1f7fd23c1fb4d311e459be7e1e40c7b139835906N.exe C:\Users\Admin\AppData\Local\Temp\comij.exe (3 identical entries)
PID 1528 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\88d41523a59169832f153e3d1f7fd23c1fb4d311e459be7e1e40c7b139835906N.exe C:\Windows\SysWOW64\cmd.exe (3 identical entries)
PID 4468 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\comij.exe C:\Users\Admin\AppData\Local\Temp\bitay.exe (3 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\88d41523a59169832f153e3d1f7fd23c1fb4d311e459be7e1e40c7b139835906N.exe

"C:\Users\Admin\AppData\Local\Temp\88d41523a59169832f153e3d1f7fd23c1fb4d311e459be7e1e40c7b139835906N.exe"

C:\Users\Admin\AppData\Local\Temp\comij.exe

"C:\Users\Admin\AppData\Local\Temp\comij.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\bitay.exe

"C:\Users\Admin\AppData\Local\Temp\bitay.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
KR 218.54.31.226:11300 tcp
KR 1.234.83.146:11170 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
KR 218.54.31.166:11300 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
JP 133.242.129.155:11300 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/1528-0-0x0000000000630000-0x00000000006B1000-memory.dmp

memory/1528-1-0x0000000000910000-0x0000000000911000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\comij.exe

MD5 108c63d7577755867d21299c6a066dc7
SHA1 cce23defb7bfdf6f375a4f2de07b2887e697f050
SHA256 0ad6c86fc240103277bde41baddecedf529b198ef27862933316b6ae165ba1f9
SHA512 c68b2218968bb33af8237698a43c68920e269c1e87a736cc3d3e4bb76425e857f2c5c220b75852a4567551d739a9a71ac0bf1f9a03a31a97f724e634aed00cac

memory/4468-11-0x0000000000B20000-0x0000000000BA1000-memory.dmp

memory/4468-14-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

memory/1528-17-0x0000000000630000-0x00000000006B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 0ec6dc88a125dc33ea25b82abde5d8c7
SHA1 178f76cc69bbe0d5d9ebd19391c422fa7c040fa6
SHA256 d6609b7c97ee3e26ffec9ab3a404925d1737b55c62767cfd283a686a77bd3ed3
SHA512 63f2e656c55aab111ee6537a5e1189359fe55fdd326c15bfc585756f8182815a7e8775f0c731a252fc1ee8da04f9a2145c96fe6673b05ee898732d4af0c968c2

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 748b387e3be6c05cc44417375162d4de
SHA1 d09b5ec7a8edb74d921ec97da32db4fb988028cb
SHA256 dbaf7a9c6c784440b3bd2eea97e9077f89d7686e2145185a3882f02d1d2c444a
SHA512 0a9ec7cec82281741b3ce756d3dc1187a23182142dd191562e22ce0425d1cbadb1b5314d9d173712ee7f8d0ea54621706d35533a6b3e66ce32f5d8c059d7ad8f

memory/4468-20-0x0000000000B20000-0x0000000000BA1000-memory.dmp

memory/4468-21-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bitay.exe

MD5 a17cbc8bcecae87c3c7fed46ba671c9a
SHA1 159ac8425a0139a2e5e16aa9f9911dd527bffc78
SHA256 309cdb9a2fc82b5328b5a728066b9f3ccc36fbab806c32c159734348ad516ab7
SHA512 48c0d99c759c7f5a999f2249fa73cad95327561f6cd924472f32cc8b17a8690424436a6f3f4aca820f79b3eb789ee91dd8a39dc8d526a7603794aea8e39c6bd3

memory/4468-43-0x0000000000B20000-0x0000000000BA1000-memory.dmp

memory/116-40-0x0000000000100000-0x0000000000199000-memory.dmp

memory/116-39-0x0000000000BF0000-0x0000000000BF2000-memory.dmp

memory/116-38-0x0000000000100000-0x0000000000199000-memory.dmp

memory/116-45-0x0000000000BF0000-0x0000000000BF2000-memory.dmp

memory/116-46-0x0000000000100000-0x0000000000199000-memory.dmp

memory/116-47-0x0000000000100000-0x0000000000199000-memory.dmp