Malware Analysis Report

2024-11-16 13:25

Sample ID 241010-akyqmasblf
Target c33a5ff32a21f5caa615f5675a2106f565400e177273ee5af113c2cdfe765002N
SHA256 c33a5ff32a21f5caa615f5675a2106f565400e177273ee5af113c2cdfe765002
Tags
urelas discovery trojan
score
10/10

Analysis Overview

score
10/10

SHA256

c33a5ff32a21f5caa615f5675a2106f565400e177273ee5af113c2cdfe765002

Threat Level: Known bad

The file c33a5ff32a21f5caa615f5675a2106f565400e177273ee5af113c2cdfe765002N was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Deletes itself

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-10-10 00:16

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-10 00:16

Reported

2024-10-10 00:19

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c33a5ff32a21f5caa615f5675a2106f565400e177273ee5af113c2cdfe765002N.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c33a5ff32a21f5caa615f5675a2106f565400e177273ee5af113c2cdfe765002N.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\suhis.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\suhis.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\buibt.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\suhis.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\buibt.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c33a5ff32a21f5caa615f5675a2106f565400e177273ee5af113c2cdfe765002N.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\buibt.exe | N/A (48 identical entries)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4928 wrote to memory of 924 | N/A | C:\Users\Admin\AppData\Local\Temp\c33a5ff32a21f5caa615f5675a2106f565400e177273ee5af113c2cdfe765002N.exe | C:\Users\Admin\AppData\Local\Temp\suhis.exe (3 identical entries)
PID 4928 wrote to memory of 1180 | N/A | C:\Users\Admin\AppData\Local\Temp\c33a5ff32a21f5caa615f5675a2106f565400e177273ee5af113c2cdfe765002N.exe | C:\Windows\SysWOW64\cmd.exe (3 identical entries)
PID 924 wrote to memory of 928 | N/A | C:\Users\Admin\AppData\Local\Temp\suhis.exe | C:\Users\Admin\AppData\Local\Temp\buibt.exe (3 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\c33a5ff32a21f5caa615f5675a2106f565400e177273ee5af113c2cdfe765002N.exe

"C:\Users\Admin\AppData\Local\Temp\c33a5ff32a21f5caa615f5675a2106f565400e177273ee5af113c2cdfe765002N.exe"

C:\Users\Admin\AppData\Local\Temp\suhis.exe

"C:\Users\Admin\AppData\Local\Temp\suhis.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\buibt.exe

"C:\Users\Admin\AppData\Local\Temp\buibt.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.190.18.2.in-addr.arpa | udp
KR | 218.54.31.226:11300 | N/A | tcp
KR | 1.234.83.146:11170 | N/A | tcp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp
KR | 218.54.31.166:11300 | N/A | tcp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
JP | 133.242.129.155:11300 | N/A | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp

Files

memory/4928-0-0x00000000006B0000-0x0000000000731000-memory.dmp

memory/4928-1-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\suhis.exe

MD5 891aec2a52c84672b4ba8c233aa2d87a
SHA1 1c47b3f9cc860b13e76cd5050ee170606fad34fa
SHA256 446b7b35a26c8f96ea3676ff0458d3aae2bce96d398192695c6241a978ece0ac
SHA512 eef21d26fa37733c91280b4902a0be16b0f7546fdb2b07177637cffe1bbf9eafa0bbf2bc448173e637a23a6cd7d7b268d9256ef31dd96d2bfd7ffa114de9a712

memory/924-11-0x0000000000560000-0x00000000005E1000-memory.dmp

memory/924-14-0x0000000000F60000-0x0000000000F61000-memory.dmp

memory/4928-17-0x00000000006B0000-0x0000000000731000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 0724ffceef07fee872724738577bcf31
SHA1 f356ffa6edaf7df7c94346713a9da4331d0afa4b
SHA256 b5540356d410b430d518472dbbfab405deb8a5d6899a175e481567f9bb67a216
SHA512 03ec26b0757ae6cd4f80f85e2c901a2af386467aaee152c1eac210212fcde3c5de3c7e1609080d88ed1a2b2d32c9aaf37a126f3e64614d530dc7e64ca2f70522

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 9779f548674c033aa1fde60405f6c3d2
SHA1 75977e67934695de14b728e33a562e43ccdc45c0
SHA256 76033fc7d26e3ecad23de053732637968c76cb872a43e1ae005ae654b406c312
SHA512 bb00eb4260f8c7e70296c5a00e879e3526ce5fad4e79c4cb25550611eb782264ab570b65cb6c1aa09d2665a4d877dfff36431b3616895ab9f9e0d5979d100852

memory/924-20-0x0000000000560000-0x00000000005E1000-memory.dmp

memory/924-21-0x0000000000F60000-0x0000000000F61000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\buibt.exe

MD5 7b0dbd18bdbbab4bab4857cec16332a9
SHA1 85c7f708c9f19677e680683250c91434bced9d95
SHA256 63c35908b930213563e343233555ecf75517e073d06b30259e3217fb3b0a10d8
SHA512 e3a8f02aa48907049d0fd2b43c2d552c6b88251f94bf460255faaa3c6ce65880797e4e8732cbe7af50d2b8f2f25c9a9b35cf5944dea1009a305da78c7becbda6

memory/928-39-0x00000000009E0000-0x00000000009E2000-memory.dmp

memory/928-38-0x00000000001D0000-0x0000000000269000-memory.dmp

memory/924-41-0x0000000000560000-0x00000000005E1000-memory.dmp

memory/928-42-0x00000000001D0000-0x0000000000269000-memory.dmp

memory/928-47-0x00000000009E0000-0x00000000009E2000-memory.dmp

memory/928-46-0x00000000001D0000-0x0000000000269000-memory.dmp

memory/928-48-0x00000000001D0000-0x0000000000269000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-10 00:16

Reported

2024-10-10 00:19

Platform

win7-20240903-en

Max time kernel

119s

Max time network

78s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c33a5ff32a21f5caa615f5675a2106f565400e177273ee5af113c2cdfe765002N.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ruvuj.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hoxib.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\hoxib.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c33a5ff32a21f5caa615f5675a2106f565400e177273ee5af113c2cdfe765002N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ruvuj.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2168 wrote to memory of 1824 | N/A | C:\Users\Admin\AppData\Local\Temp\c33a5ff32a21f5caa615f5675a2106f565400e177273ee5af113c2cdfe765002N.exe | C:\Users\Admin\AppData\Local\Temp\ruvuj.exe (4 identical entries)
PID 2168 wrote to memory of 2240 | N/A | C:\Users\Admin\AppData\Local\Temp\c33a5ff32a21f5caa615f5675a2106f565400e177273ee5af113c2cdfe765002N.exe | C:\Windows\SysWOW64\cmd.exe (4 identical entries)
PID 1824 wrote to memory of 3008 | N/A | C:\Users\Admin\AppData\Local\Temp\ruvuj.exe | C:\Users\Admin\AppData\Local\Temp\hoxib.exe (4 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\c33a5ff32a21f5caa615f5675a2106f565400e177273ee5af113c2cdfe765002N.exe

"C:\Users\Admin\AppData\Local\Temp\c33a5ff32a21f5caa615f5675a2106f565400e177273ee5af113c2cdfe765002N.exe"

C:\Users\Admin\AppData\Local\Temp\ruvuj.exe

"C:\Users\Admin\AppData\Local\Temp\ruvuj.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\hoxib.exe

"C:\Users\Admin\AppData\Local\Temp\hoxib.exe"

Network

Country | Destination | Domain | Proto
KR | 218.54.31.226:11300 | N/A | tcp
KR | 1.234.83.146:11170 | N/A | tcp
KR | 218.54.31.166:11300 | N/A | tcp
JP | 133.242.129.155:11300 | N/A | tcp

Files

memory/2168-0-0x0000000000C70000-0x0000000000CF1000-memory.dmp

memory/2168-1-0x0000000000020000-0x0000000000021000-memory.dmp

\Users\Admin\AppData\Local\Temp\ruvuj.exe

MD5 21e0df4ad940c678813fb58e95272cc1
SHA1 b6dc12aa329e7d338176bdf7684bb5ec9b2f0655
SHA256 08d6d2de7497ae6724657e15a5acbd9c66e775bda81e5773f1611ea88bd7617d
SHA512 cd9fd414082e6b4024a6902818f8953e825e2bd1878dbd28d22a69b3f62214398e042140ca84f7c980006765cddef2a324ccb575675d86f5be0517504f6b3da8

memory/2168-7-0x0000000000BE0000-0x0000000000C61000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 0724ffceef07fee872724738577bcf31
SHA1 f356ffa6edaf7df7c94346713a9da4331d0afa4b
SHA256 b5540356d410b430d518472dbbfab405deb8a5d6899a175e481567f9bb67a216
SHA512 03ec26b0757ae6cd4f80f85e2c901a2af386467aaee152c1eac210212fcde3c5de3c7e1609080d88ed1a2b2d32c9aaf37a126f3e64614d530dc7e64ca2f70522

memory/1824-12-0x0000000000020000-0x0000000000021000-memory.dmp

memory/1824-11-0x0000000000160000-0x00000000001E1000-memory.dmp

memory/2168-21-0x0000000000C70000-0x0000000000CF1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 04eff1da14f48809e43f1ece015b1c8c
SHA1 b04376b3699a0eabf6b88385b274d2a761b76bed
SHA256 b38c6f2917fc1142c59e967d5def46fd5551de01b5cfaf640a5eb2d7bf4e2f3f
SHA512 34577dc0edcb3a75f5dc930f241786d2eba3abea480436470dcef739961b4faeefd7aa7b41ac88578b9762e6f28c7cb323452b1bf50b4ac3b1247edb3b66c58a

memory/1824-24-0x0000000000160000-0x00000000001E1000-memory.dmp

memory/3008-42-0x0000000000DE0000-0x0000000000E79000-memory.dmp

memory/1824-41-0x0000000000160000-0x00000000001E1000-memory.dmp

memory/3008-45-0x0000000000DE0000-0x0000000000E79000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\hoxib.exe

MD5 18f745d0a6fa037db7637b2b6d266234
SHA1 6c944685d43a38bdce8bcb83caf7e7899887791e
SHA256 59fb44e298f490d98ea49cd7c6e21da95600762e62f56d2c57eeaa8234e11465
SHA512 dc35b7a85f825df42dde4276df8302b528d972200971850d315a2afe2b016d93ae35de59faf7816fa5e045770ee56e9636c2aa3be6d2254124b7002e64873a43

memory/1824-37-0x0000000003550000-0x00000000035E9000-memory.dmp

memory/3008-47-0x0000000000DE0000-0x0000000000E79000-memory.dmp

memory/3008-48-0x0000000000DE0000-0x0000000000E79000-memory.dmp