Malware Analysis Report

2024-11-16 13:26

Sample ID: 241010-d3l2bswgqa
Target: 32a0f2d3ca4aa9e14ce137a320a98db1818328af06c0a942e4d3ee2fd1cd82f9N
SHA256: 32a0f2d3ca4aa9e14ce137a320a98db1818328af06c0a942e4d3ee2fd1cd82f9
Tags: urelas, discovery, trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 32a0f2d3ca4aa9e14ce137a320a98db1818328af06c0a942e4d3ee2fd1cd82f9

Threat Level: Known bad

The file 32a0f2d3ca4aa9e14ce137a320a98db1818328af06c0a942e4d3ee2fd1cd82f9N was found to be: Known bad.

Both detonations (Windows 7 and Windows 10) show the same chain. The submitted executable writes a second executable into %TEMP% under a different name in each run (vuuzm.exe on Windows 7, wovoi.exe on Windows 10) and starts it; it also starts cmd.exe on %TEMP%\_uinsey.bat, the batch file that removes the original ("Deletes itself"). The dropped executable in turn writes and starts a third stage (duovt.exe / noajx.exe), which on Windows 10 is the process that enumerates running processes. A file golfinfo.ini is written to %TEMP%, and the run connects by IP address, with no DNS lookup, to TCP 218.54.31.226:11300, 218.54.31.166:11300 and 1.234.83.146:11170 (KR) and 133.242.129.155:11300 (JP). The hash of _uinsey.bat (SHA256 f7ad65b6ff6d3c6b0a861957f9320bec9691dd16f0daca5e4834634bd4605685) is identical in both runs, while the hashes of the dropped executables and of golfinfo.ini differ between runs. The stable indicators are therefore the batch file hash, the file names _uinsey.bat and golfinfo.ini, the launch pattern cmd /c ""<path>\_uinsey.bat" " and the four TCP endpoints; the dropped-executable hashes are per-run artifacts and should not be relied on as the only indicators.

Malicious Activity Summary

urelas discovery trojan

Urelas

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Deletes itself

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

T1614.001 System Location Discovery: System Language Discovery (discovery). The submitted file, both dropped executables and cmd.exe open HKLM\SYSTEM\ControlSet001\Control\NLS\Language; on Windows 10 the submitted file and the first dropped executable also query the user's Control Panel\International\Geo\Nation value ("Checks computer location settings"). The report maps no other signature to a technique.

Analysis: static1

Detonation Overview

Reported

2024-10-10 03:32

Signatures

Unsigned PE: the submitted file carries no Authenticode signature. (A static check has no indicator, process or target columns.)

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-10 03:32

Reported

2024-10-10 03:34

Platform

win7-20240903-en

Max time kernel

120s

Max time network

77s

Command Line

"C:\Users\Admin\AppData\Local\Temp\32a0f2d3ca4aa9e14ce137a320a98db1818328af06c0a942e4d3ee2fd1cd82f9N.exe"

Signatures

Urelas (trojan, urelas)

Deletes itself
  Process: C:\Windows\SysWOW64\cmd.exe (runs the dropped _uinsey.bat; see Processes)

Executes dropped EXE
  Process: C:\Users\Admin\AppData\Local\Temp\vuuzm.exe
  Process: C:\Users\Admin\AppData\Local\Temp\duovt.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery (discovery)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    by C:\Users\Admin\AppData\Local\Temp\duovt.exe
    by C:\Users\Admin\AppData\Local\Temp\32a0f2d3ca4aa9e14ce137a320a98db1818328af06c0a942e4d3ee2fd1cd82f9N.exe
    by C:\Users\Admin\AppData\Local\Temp\vuuzm.exe
    by C:\Windows\SysWOW64\cmd.exe

Suspicious use of WriteProcessMemory (identical rows collapsed; the count is the number of writes reported)
  PID 2972 -> PID 2368, 4 writes: C:\Users\Admin\AppData\Local\Temp\32a0f2d3ca4aa9e14ce137a320a98db1818328af06c0a942e4d3ee2fd1cd82f9N.exe -> C:\Users\Admin\AppData\Local\Temp\vuuzm.exe
  PID 2972 -> PID 2240, 4 writes: C:\Users\Admin\AppData\Local\Temp\32a0f2d3ca4aa9e14ce137a320a98db1818328af06c0a942e4d3ee2fd1cd82f9N.exe -> C:\Windows\SysWOW64\cmd.exe
  PID 2368 -> PID 2556, 4 writes: C:\Users\Admin\AppData\Local\Temp\vuuzm.exe -> C:\Users\Admin\AppData\Local\Temp\duovt.exe
  Each row is a parent writing into a child it has just started. Writes of this kind also happen during ordinary process creation, so these rows establish the process tree (sample -> vuuzm.exe -> duovt.exe, and sample -> cmd.exe) but do not by themselves demonstrate code injection.

Processes (PIDs and parent/child relations taken from the WriteProcessMemory rows above; indentation shows parent -> child)

PID 2972  C:\Users\Admin\AppData\Local\Temp\32a0f2d3ca4aa9e14ce137a320a98db1818328af06c0a942e4d3ee2fd1cd82f9N.exe
          "C:\Users\Admin\AppData\Local\Temp\32a0f2d3ca4aa9e14ce137a320a98db1818328af06c0a942e4d3ee2fd1cd82f9N.exe"
  PID 2368  C:\Users\Admin\AppData\Local\Temp\vuuzm.exe
            "C:\Users\Admin\AppData\Local\Temp\vuuzm.exe"
    PID 2556  C:\Users\Admin\AppData\Local\Temp\duovt.exe
              "C:\Users\Admin\AppData\Local\Temp\duovt.exe"
  PID 2240  C:\Windows\SysWOW64\cmd.exe
            cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
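Reconstructing that tree programmatically. The following Python is an added example written for this page, not sandbox output: it parses the behavioral1 WriteProcessMemory rows and the Processes list exactly as the report prints them, collapses the repeated rows, and renders the parent/child tree with PIDs and command lines. Its one assumption, stated in the code, is that each source-to-target write is a parent writing into a child it has just created, since the report has no explicit parent-PID column.

```python
import re
from collections import Counter, defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\32a0f2d3ca4aa9e14ce137a320a98db1818328af06c0a942e4d3ee2fd1cd82f9N.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# behavioral1 "Suspicious use of WriteProcessMemory" rows, as printed in the report
# (one row per write call, so identical rows repeat).
WPM_ROWS = (
    [f"PID 2972 wrote to memory of 2368 N/A {SAMPLE} {TEMP}\\vuuzm.exe"] * 4
    + [f"PID 2972 wrote to memory of 2240 N/A {SAMPLE} {CMD}"] * 4
    + [f"PID 2368 wrote to memory of 2556 N/A {TEMP}\\vuuzm.exe {TEMP}\\duovt.exe"] * 4
)

# behavioral1 "Processes" section: (image path, command line) in report order.
PROCESSES = [
    (SAMPLE, f'"{SAMPLE}"'),
    (TEMP + r"\vuuzm.exe", f'"{TEMP}\\vuuzm.exe"'),
    (CMD, f'cmd /c ""{TEMP}\\_uinsey.bat" "'),
    (TEMP + r"\duovt.exe", f'"{TEMP}\\duovt.exe"'),
]

# Row layout: "PID <src> wrote to memory of <dst> N/A <src image> <dst image>".
# Paths in this report contain no spaces, so \S+ is enough for the two image columns.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_writes(rows):
    """Collapse repeated rows into {(src_pid, dst_pid): (src_image, dst_image, write_count)}."""
    images, counts = {}, Counter()
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        src, dst, src_img, dst_img = m.groups()
        key = (int(src), int(dst))
        images.setdefault(key, (src_img, dst_img))
        counts[key] += 1
    return {k: (*v, counts[k]) for k, v in images.items()}


def build_tree(rows):
    """Derive roots, parent->children and pid->image from the write edges.

    Assumption: every source-to-target write in this report is a parent writing into a
    child it has just created, so the write graph doubles as the process tree.
    """
    edges = parse_writes(rows)
    image, children = {}, defaultdict(list)
    for (src, dst), (src_img, dst_img, n) in edges.items():
        image.setdefault(src, src_img)
        image.setdefault(dst, dst_img)
        children[src].append((dst, n))
    all_children = {dst for kids in children.values() for dst, _ in kids}
    roots = [pid for pid in image if pid not in all_children]
    return roots, dict(children), image


def command_line(image_path, processes=PROCESSES):
    """Look up the command line the report lists for an image path (None if absent)."""
    return next((cl for img, cl in processes if img == image_path), None)


def render(rows):
    """Indented tree: pid, image and write count on one line, command line on the next."""
    roots, children, image = build_tree(rows)
    lines = []

    def walk(pid, depth, writes):
        tag = f" ({writes} writes from parent)" if writes else ""
        lines.append(f"{'  ' * depth}{pid}  {image[pid]}{tag}")
        lines.append(f"{'  ' * depth}      {command_line(image[pid]) or '<no command line listed>'}")
        for child, n in children.get(pid, []):
            walk(child, depth + 1, n)

    for root in roots:
        walk(root, 0, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(WPM_ROWS))
```

The same parser runs unchanged on the behavioral2 rows (PIDs 4180, 2140, 1372, 2604) because the row layout is identical; only the embedded WPM_ROWS and PROCESSES constants would change.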

Network

Four outbound TCP connections, made by IP address with no DNS activity in this run:

Country  Destination            Proto
KR       218.54.31.226:11300    tcp
KR       1.234.83.146:11170     tcp
KR       218.54.31.166:11300    tcp
JP       133.242.129.155:11300  tcp

Files

memory/2972-0-0x0000000000D40000-0x0000000000DC1000-memory.dmp

memory/2972-1-0x0000000000020000-0x0000000000021000-memory.dmp

\Users\Admin\AppData\Local\Temp\vuuzm.exe

MD5 9f6b370113535aa1eaf6433cd3d9ae45
SHA1 8b14b4fbeb1a7624efe201d3fa0f0c3c8a976d08
SHA256 24ff86e79148c87b68cad6ce4be77a65dc5f28794f6585a45715efe85bcc85a5
SHA512 f2c32f537d7dfc33b4c94ff9003d5f8626702e84a141bc3213ee8618d5571f502d33df65c2e67794f9d5b14199d10f0df687656ced9e641ae0ebe7644cb54cbc

memory/2368-12-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2368-11-0x0000000000C50000-0x0000000000CD1000-memory.dmp

memory/2972-10-0x0000000000C50000-0x0000000000CD1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 2caa52bcf6a6a165c89037603b1e0422
SHA1 480972ca5827afb9483bed3facd830ca8bcd819d
SHA256 f7ad65b6ff6d3c6b0a861957f9320bec9691dd16f0daca5e4834634bd4605685
SHA512 4d5040e6c469c0ef98cd1afa4c3d1ab3a03e1c89e3bb682af3eb97c71a44e55b3a4d9290e048c2afa830e1a224f706aa6cabdd492b9ec9a5c0cdcc15fada1758

memory/2972-21-0x0000000000D40000-0x0000000000DC1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 13d2d94636b9f0baa0649bf101f98e36
SHA1 e23065df66d7f5e81dc1de10b1289102172ff7a6
SHA256 21bad59a0527bb387a36a36f1fe6518fc939b2153954a0f206caf49c717fe4b8
SHA512 231143703b53f4e752d4bf176d1ee2466394647e842e23112055721a1ad2aad42ed5b052eb916c5d1216dba628c2aab9d8fc001e4eec07ad3e71ca473f929bd9

memory/2368-24-0x0000000000C50000-0x0000000000CD1000-memory.dmp

\Users\Admin\AppData\Local\Temp\duovt.exe

MD5 89b2af1f1b013f5f3692427f8e715f37
SHA1 afd03a608c02e2c89d34f6e40e03ceaf698553df
SHA256 badb78f117935c8c4b7813738ca58bbfe0a4194cfb6470b8408a20bbd0920d14
SHA512 114d1cdd2a0f410fcbcde90ae8989b24f5a8d7e046b28cd2154c5d6b34e846c31523bff1043114c58af84f2327d13e698a152ecd31cdacfb34abc3ab8ddc46ef

memory/2368-38-0x0000000003FA0000-0x0000000004039000-memory.dmp

memory/2556-45-0x00000000003D0000-0x0000000000469000-memory.dmp

memory/2556-42-0x00000000003D0000-0x0000000000469000-memory.dmp

memory/2368-41-0x0000000000C50000-0x0000000000CD1000-memory.dmp

memory/2556-47-0x00000000003D0000-0x0000000000469000-memory.dmp

memory/2556-48-0x00000000003D0000-0x0000000000469000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-10 03:32

Reported

2024-10-10 03:34

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\32a0f2d3ca4aa9e14ce137a320a98db1818328af06c0a942e4d3ee2fd1cd82f9N.exe"

Signatures

Urelas (trojan, urelas)

Checks computer location settings
  Key value queried: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation
    by C:\Users\Admin\AppData\Local\Temp\32a0f2d3ca4aa9e14ce137a320a98db1818328af06c0a942e4d3ee2fd1cd82f9N.exe
    by C:\Users\Admin\AppData\Local\Temp\wovoi.exe

Executes dropped EXE
  Process: C:\Users\Admin\AppData\Local\Temp\wovoi.exe
  Process: C:\Users\Admin\AppData\Local\Temp\noajx.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery (discovery)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
    by C:\Users\Admin\AppData\Local\Temp\noajx.exe
    by C:\Users\Admin\AppData\Local\Temp\32a0f2d3ca4aa9e14ce137a320a98db1818328af06c0a942e4d3ee2fd1cd82f9N.exe
    by C:\Users\Admin\AppData\Local\Temp\wovoi.exe
    by C:\Windows\SysWOW64\cmd.exe

Suspicious behavior: EnumeratesProcesses
  Process: C:\Users\Admin\AppData\Local\Temp\noajx.exe (48 identical events in the report, collapsed here)

Suspicious use of WriteProcessMemory (identical rows collapsed; the count is the number of writes reported)
  PID 4180 -> PID 2140, 3 writes: C:\Users\Admin\AppData\Local\Temp\32a0f2d3ca4aa9e14ce137a320a98db1818328af06c0a942e4d3ee2fd1cd82f9N.exe -> C:\Users\Admin\AppData\Local\Temp\wovoi.exe
  PID 4180 -> PID 1372, 3 writes: C:\Users\Admin\AppData\Local\Temp\32a0f2d3ca4aa9e14ce137a320a98db1818328af06c0a942e4d3ee2fd1cd82f9N.exe -> C:\Windows\SysWOW64\cmd.exe
  PID 2140 -> PID 2604, 3 writes: C:\Users\Admin\AppData\Local\Temp\wovoi.exe -> C:\Users\Admin\AppData\Local\Temp\noajx.exe
  As in behavioral1, each row is a parent writing into a child it has just started; such writes also occur during ordinary process creation, so the rows give the process tree (sample -> wovoi.exe -> noajx.exe, and sample -> cmd.exe) rather than evidence of injection.

Processes (PIDs and parent/child relations taken from the WriteProcessMemory rows above; indentation shows parent -> child)

PID 4180  C:\Users\Admin\AppData\Local\Temp\32a0f2d3ca4aa9e14ce137a320a98db1818328af06c0a942e4d3ee2fd1cd82f9N.exe
          "C:\Users\Admin\AppData\Local\Temp\32a0f2d3ca4aa9e14ce137a320a98db1818328af06c0a942e4d3ee2fd1cd82f9N.exe"
  PID 2140  C:\Users\Admin\AppData\Local\Temp\wovoi.exe
            "C:\Users\Admin\AppData\Local\Temp\wovoi.exe"
    PID 2604  C:\Users\Admin\AppData\Local\Temp\noajx.exe
              "C:\Users\Admin\AppData\Local\Temp\noajx.exe"
  PID 1372  C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

Network

TCP connections, made by IP address with no preceding DNS lookup (the same four endpoints as in behavioral1):

Country  Destination            Proto
KR       218.54.31.226:11300    tcp
KR       1.234.83.146:11170     tcp
KR       218.54.31.166:11300    tcp
JP       133.242.129.155:11300  tcp

Reverse DNS (PTR) queries sent to 8.8.8.8:53 over UDP, in the order observed:
8.8.8.8.in-addr.arpa
68.32.126.40.in-addr.arpa
172.210.232.199.in-addr.arpa
88.156.103.20.in-addr.arpa
50.23.12.20.in-addr.arpa
15.164.165.52.in-addr.arpa
172.214.232.199.in-addr.arpa
31.243.111.52.in-addr.arpa

The PTR queries name the resolver itself and addresses in Microsoft and CDN ranges (40.126.x, 20.x, 52.x, 199.232.x); they are absent from the Windows 7 run and are consistent with Windows 10 background traffic rather than with the sample, so they should not be treated as indicators. The four TCP endpoints are the network indicators.

Files

memory/4180-0-0x0000000000010000-0x0000000000091000-memory.dmp

memory/4180-1-0x00000000003D0000-0x00000000003D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wovoi.exe

MD5 bf30a17560a5cedfdf660b286c60fd78
SHA1 a73aadcef94b250bf8387764f5af321296056112
SHA256 42a36deb372fd005ef8df1873db636d6d82f7e9b93bc38a38456237fd9512cf3
SHA512 73234c7b2950b0e169cebdd4c955277040a3da7505ab1b77711c71c1382f02d9979ad4fc9f913fb66d456869c85945b6dd9590043882ed94f89705d23afadf4d

memory/2140-14-0x0000000000F90000-0x0000000000F91000-memory.dmp

memory/2140-11-0x00000000006D0000-0x0000000000751000-memory.dmp

memory/4180-17-0x0000000000010000-0x0000000000091000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 2caa52bcf6a6a165c89037603b1e0422
SHA1 480972ca5827afb9483bed3facd830ca8bcd819d
SHA256 f7ad65b6ff6d3c6b0a861957f9320bec9691dd16f0daca5e4834634bd4605685
SHA512 4d5040e6c469c0ef98cd1afa4c3d1ab3a03e1c89e3bb682af3eb97c71a44e55b3a4d9290e048c2afa830e1a224f706aa6cabdd492b9ec9a5c0cdcc15fada1758

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 8f986fe109aab23f7920b0791350bcec
SHA1 cc14bc682c33ae3df4c1ec4f6e93a24575bc4f5a
SHA256 994e3a0890de3f24d9a34f78984ac8cf1473f8141382795fe60beca0df08f2bb
SHA512 6e629bb518f8c7f10014ecbd5bfb63ba42ed34662713fba7d6684fe2b88548cb3b8c2b150fac2fb0f03d69ac2b1957e5bd6fcffd19bfa8c448f2d43c0829afa3

memory/2140-20-0x00000000006D0000-0x0000000000751000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\noajx.exe

MD5 c350d2d6f78a8173ed694b835a60d22a
SHA1 2a7ea8e6a6f30dbe3ec10516c4954c5dce2dd73e
SHA256 c76e9fa8f3958949f8a85ba7ac2002bd827604297d3f4801b2099dc8a0d59aa4
SHA512 57d1929fa1ed1a3c594e725628afba60936d6333537d0b6d128ace466bd08e6f9e7ddb51e3ef91605f50f16e8730d9bd46876ac51656e9e7338910e285d428fe

memory/2604-38-0x0000000000200000-0x0000000000202000-memory.dmp

memory/2140-40-0x00000000006D0000-0x0000000000751000-memory.dmp

memory/2604-37-0x0000000000280000-0x0000000000319000-memory.dmp

memory/2604-41-0x0000000000280000-0x0000000000319000-memory.dmp

memory/2604-46-0x0000000000200000-0x0000000000202000-memory.dmp

memory/2604-45-0x0000000000280000-0x0000000000319000-memory.dmp

memory/2604-47-0x0000000000280000-0x0000000000319000-memory.dmp
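Turning the report's indicators into a check that runs over endpoint telemetry. This is an added example written for this page, not part of the sandbox output. It holds only the indicators that were identical in both detonations (the sample and _uinsey.bat SHA-256 values, the two file names, the cmd /c launch pattern and the four TCP endpoints) and matches them against JSON-lines events. The six events are constructed for the example in a Sysmon-like field layout (EventID 1/3/11, Image, CommandLine, TargetFilename, Hashes, DestinationIp, DestinationPort) and are not from the report; which process wrote golfinfo.ini or opened the connections is not stated on the page, and the process names in those constructed events are placeholders. The per-run hashes of the dropped executables and of golfinfo.ini are deliberately left out.

```python
import json
import re

# Indicators that were identical in both detonations of this report.
# Dropped-EXE and golfinfo.ini hashes changed between runs and are omitted on purpose.
IOC_SHA256 = {
    "32a0f2d3ca4aa9e14ce137a320a98db1818328af06c0a942e4d3ee2fd1cd82f9",  # submitted sample
    "f7ad65b6ff6d3c6b0a861957f9320bec9691dd16f0daca5e4834634bd4605685",  # _uinsey.bat
}
IOC_FILENAMES = ("_uinsey.bat", "golfinfo.ini")
IOC_ENDPOINTS = {
    ("218.54.31.226", 11300), ("218.54.31.166", 11300),
    ("133.242.129.155", 11300), ("1.234.83.146", 11170),
}
IOC_IPS = {ip for ip, _ in IOC_ENDPOINTS}

# Launch pattern seen in both runs: cmd /c ""<path>\_uinsey.bat" " (note the doubled quotes).
SELFDELETE_RE = re.compile(r'cmd(?:\.exe)? /c ""[^"]*\\_uinsey\.bat" "', re.IGNORECASE)
# A file-name indicator must be a whole path component: preceded by '\', followed by end/space/quote.
FILENAME_RES = {
    name: re.compile(r"\\" + re.escape(name) + r'(?=$|[\s"])', re.IGNORECASE)
    for name in IOC_FILENAMES
}


def match_event(event):
    """Return [(indicator_type, value, confidence)] for one parsed event (empty if clean)."""
    hits = []

    # 1. File hashes, Sysmon style "SHA256=...,MD5=..." (hex case differs between tools).
    for part in event.get("Hashes", "").split(","):
        algo, _, digest = part.partition("=")
        if algo.strip().upper() == "SHA256" and digest.strip().lower() in IOC_SHA256:
            hits.append(("hash", digest.strip().lower(), "high"))

    # 2. Distinctive file names in any path-bearing field (each name reported once per event).
    seen = set()
    for field in ("Image", "TargetFilename", "CommandLine"):
        value = event.get(field, "")
        for name, rx in FILENAME_RES.items():
            if name not in seen and rx.search(value):
                seen.add(name)
                hits.append(("filename", name, "high"))

    # 3. The self-delete launcher command line.
    if SELFDELETE_RE.search(event.get("CommandLine", "")):
        hits.append(("cmdline", "cmd /c _uinsey.bat self-delete launcher", "high"))

    # 4. Network: exact ip:port is high confidence; the same host on another port is worth a look.
    if event.get("EventID") == 3:
        ip = event.get("DestinationIp", "")
        port = int(event.get("DestinationPort", 0))
        if (ip, port) in IOC_ENDPOINTS:
            hits.append(("endpoint", f"{ip}:{port}", "high"))
        elif ip in IOC_IPS:
            hits.append(("ip", ip, "medium"))
    return hits


def scan(lines):
    """Parse JSON-lines events and return [(line_index, hits)] for the lines that matched."""
    results = []
    for idx, line in enumerate(lines):
        hits = match_event(json.loads(line))
        if hits:
            results.append((idx, hits))
    return results


# Constructed sample telemetry for this example (Sysmon-like fields; not taken from the report).
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EVENTS = [json.dumps(e) for e in (
    {"EventID": 1, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'C:\Windows\system32\cmd.exe /c ""' + TEMP + r'\_uinsey.bat" "'},
    {"EventID": 11, "Image": TEMP + r"\wovoi.exe", "TargetFilename": TEMP + r"\golfinfo.ini"},
    {"EventID": 3, "Image": TEMP + r"\noajx.exe", "DestinationIp": "218.54.31.226",
     "DestinationPort": 11300, "Protocol": "tcp"},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe", "DestinationIp": "8.8.8.8",
     "DestinationPort": 53, "Protocol": "udp"},          # resolver noise, must not match
    {"EventID": 1, "Image": r"C:\Users\Admin\Downloads\invoice.exe",
     "Hashes": "SHA256=32A0F2D3CA4AA9E14CE137A320A98DB1818328AF06C0A942E4D3EE2FD1CD82F9"},
    {"EventID": 3, "Image": r"C:\Program Files\Browser\browser.exe",
     "DestinationIp": "218.54.31.226", "DestinationPort": 443, "Protocol": "tcp"},  # known host, other port
)]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        for kind, value, confidence in hits:
            print(f"event {idx}: {kind:8} {confidence:6} {value}")
```

The two confidence levels matter in practice: an exact ip:port hit on 11300/11170 reproduces what the sandbox saw, whereas traffic to one of these hosts on another port may be unrelated hosting on the same address and deserves a look rather than an alert.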