Malware Analysis Report

2024-11-16 13:26

Sample ID 241010-e83rpstalm
Target f355c58dc2d36c9d5d51620f1e856e11fdca3ec49d05125431a6b2a5230d68e9N
SHA256 f355c58dc2d36c9d5d51620f1e856e11fdca3ec49d05125431a6b2a5230d68e9
Tags
urelas discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f355c58dc2d36c9d5d51620f1e856e11fdca3ec49d05125431a6b2a5230d68e9

Threat Level: Known bad

The file f355c58dc2d36c9d5d51620f1e856e11fdca3ec49d05125431a6b2a5230d68e9N was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Executes dropped EXE

Deletes itself

Checks computer location settings

Loads dropped DLL

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-10 04:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-10 04:37

Reported

2024-10-10 04:39

Platform

win7-20240729-en

Max time kernel

119s

Max time network

77s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f355c58dc2d36c9d5d51620f1e856e11fdca3ec49d05125431a6b2a5230d68e9N.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\kugom.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\litoz.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f355c58dc2d36c9d5d51620f1e856e11fdca3ec49d05125431a6b2a5230d68e9N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\kugom.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\litoz.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2132 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\f355c58dc2d36c9d5d51620f1e856e11fdca3ec49d05125431a6b2a5230d68e9N.exe C:\Users\Admin\AppData\Local\Temp\kugom.exe
PID 2132 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\f355c58dc2d36c9d5d51620f1e856e11fdca3ec49d05125431a6b2a5230d68e9N.exe C:\Windows\SysWOW64\cmd.exe
PID 2764 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\kugom.exe C:\Users\Admin\AppData\Local\Temp\litoz.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f355c58dc2d36c9d5d51620f1e856e11fdca3ec49d05125431a6b2a5230d68e9N.exe

"C:\Users\Admin\AppData\Local\Temp\f355c58dc2d36c9d5d51620f1e856e11fdca3ec49d05125431a6b2a5230d68e9N.exe"

C:\Users\Admin\AppData\Local\Temp\kugom.exe

"C:\Users\Admin\AppData\Local\Temp\kugom.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\litoz.exe

"C:\Users\Admin\AppData\Local\Temp\litoz.exe"

Network

Country Destination Domain Proto
KR 218.54.31.226:11300 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.166:11300 tcp
JP 133.242.129.155:11300 tcp

Files

memory/2132-1-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2132-0-0x00000000012B0000-0x0000000001331000-memory.dmp

\Users\Admin\AppData\Local\Temp\kugom.exe

MD5 14789885cd64f92a85facdd73e4824d0
SHA1 aef110f06102d39f959b9b53d3a36de0662c51f2
SHA256 3ca31294d0c590762de16961201600900a82b74cb461a6c2a24532c1657ef7cf
SHA512 44a77a20e2efd4c1500a0ed22e35d2c4206dc93ee47cf1ae87f65c88942cea07a0641a207d75f23bbb5dbed007e2ef56d636940ee58079cf62a851b3af217dc5

memory/2132-19-0x00000000012B0000-0x0000000001331000-memory.dmp

memory/2764-21-0x0000000001130000-0x00000000011B1000-memory.dmp

memory/2764-20-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2132-15-0x0000000001130000-0x00000000011B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 b2f810e7a605155d105d0a5b947a8190
SHA1 398279a4211f8e6e70c0740302a25bdf3fb71758
SHA256 3728e82f4121a317af347965593685d4b947d36c7b81e89f512fe9a57722f1ce
SHA512 8d717a050410028cd96971a0d698f2389c2e8f749e0b32f54ab1a00e0b67bc2fdd1e9e8cbf60bc62f88d4319362d3cf6414c196f8b594d6b1d0298834a565373

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 95b29b48f3b01d2ad3aa4ab68136fd39
SHA1 1c12d2922322dafb4b77add23cc8760159df6e68
SHA256 98f0b5aeefd49138fe4f89c80e0ae2e973881c3f6452093d8b8feea945c4f2ed
SHA512 a0c1ad81f6f048a7a7d8797350e37b3ef7b427fc298225369c0c06635c3382b92571530e6938d5830711d5bec79448448ce16480ae8b286b8e6089643e6eebef

memory/2764-24-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2764-25-0x0000000001130000-0x00000000011B1000-memory.dmp

memory/2764-39-0x0000000003330000-0x00000000033C9000-memory.dmp

memory/2764-42-0x0000000001130000-0x00000000011B1000-memory.dmp

memory/2872-43-0x0000000000DD0000-0x0000000000E69000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\litoz.exe

MD5 1ea6febb411b8c13394b5c5c43d5bffd
SHA1 425fbeae3e4023e3d6cc223aa6a36c091ea155e3
SHA256 97d19695a507ce2a7d379ed0bd7917430d7a33ebd93ffbb693d0e2b2eefaee47
SHA512 410eca7b10d43e495726c01f21aee29a3d76615c6d06c9ad98cfa2f1447d0d7461667d7fec61d1daffcd4153e8ca89e199e08d634d786012235deb7bfe94155c

memory/2872-44-0x0000000000DD0000-0x0000000000E69000-memory.dmp

memory/2872-48-0x0000000000DD0000-0x0000000000E69000-memory.dmp

memory/2872-49-0x0000000000DD0000-0x0000000000E69000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-10 04:37

Reported

2024-10-10 04:39

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f355c58dc2d36c9d5d51620f1e856e11fdca3ec49d05125431a6b2a5230d68e9N.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\f355c58dc2d36c9d5d51620f1e856e11fdca3ec49d05125431a6b2a5230d68e9N.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\voame.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\voame.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\muifj.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f355c58dc2d36c9d5d51620f1e856e11fdca3ec49d05125431a6b2a5230d68e9N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\voame.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\muifj.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\muifj.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1996 wrote to memory of 5008 N/A C:\Users\Admin\AppData\Local\Temp\f355c58dc2d36c9d5d51620f1e856e11fdca3ec49d05125431a6b2a5230d68e9N.exe C:\Users\Admin\AppData\Local\Temp\voame.exe
PID 1996 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\f355c58dc2d36c9d5d51620f1e856e11fdca3ec49d05125431a6b2a5230d68e9N.exe C:\Windows\SysWOW64\cmd.exe
PID 5008 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\voame.exe C:\Users\Admin\AppData\Local\Temp\muifj.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f355c58dc2d36c9d5d51620f1e856e11fdca3ec49d05125431a6b2a5230d68e9N.exe

"C:\Users\Admin\AppData\Local\Temp\f355c58dc2d36c9d5d51620f1e856e11fdca3ec49d05125431a6b2a5230d68e9N.exe"

C:\Users\Admin\AppData\Local\Temp\voame.exe

"C:\Users\Admin\AppData\Local\Temp\voame.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\muifj.exe

"C:\Users\Admin\AppData\Local\Temp\muifj.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
KR 218.54.31.226:11300 tcp
KR 1.234.83.146:11170 tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
KR 218.54.31.166:11300 tcp
JP 133.242.129.155:11300 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/1996-0-0x0000000000C20000-0x0000000000CA1000-memory.dmp

memory/1996-1-0x00000000005A0000-0x00000000005A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\voame.exe

MD5 e8f62c96e48720fb1a0973e7e72006de
SHA1 9c16fc39df1d4de78f373c0fe3fe4767e2f2d9dc
SHA256 1c277a3f7a221f0817c358113e72c1468f0ec07208abbd24c98e81fa5f5675f0
SHA512 4865499e62f43031eb09709f1e70233363ec3dfa49fb06711e0a3eef27987e7c9cb5dba97b8514e119076b7c8226f4150306c81daf93b71a66ea57266c61cea7

memory/5008-11-0x00000000009D0000-0x0000000000A51000-memory.dmp

memory/5008-13-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

memory/1996-17-0x0000000000C20000-0x0000000000CA1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 b2f810e7a605155d105d0a5b947a8190
SHA1 398279a4211f8e6e70c0740302a25bdf3fb71758
SHA256 3728e82f4121a317af347965593685d4b947d36c7b81e89f512fe9a57722f1ce
SHA512 8d717a050410028cd96971a0d698f2389c2e8f749e0b32f54ab1a00e0b67bc2fdd1e9e8cbf60bc62f88d4319362d3cf6414c196f8b594d6b1d0298834a565373

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 b5fd85abc0599dd2b097010a3a9fd0fb
SHA1 a1dc3efbc6d2e015fa7e222a76fd3c0b20668707
SHA256 17f8c7946105091e46214e01107f932313fba4e078549ea820dd96d3feea59d5
SHA512 8e409b7a2cd64997591ff20883274d4da4b298057b8fd73e62109bcdb25c7cd2b634e62e3db9787627af2e78820d073223b14fc42176d2df8ca61a4ec7e61b99

memory/5008-20-0x00000000009D0000-0x0000000000A51000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\muifj.exe

MD5 63a4efce12d2ce2914a641c9f25aff3d
SHA1 6ea6961ee71b9465de13184792a00ebcaf2ed5bb
SHA256 7d623da17a13e4710c8fdcb683c713b41c82977b3e72c378f4fc5c912b2d8539
SHA512 b4c59d21fc04d3fc801985c3a70fd91b7720795bf52bbdd2bec9277a18653e50197500df5bf19f2ed6fc0a270d81d5c1c0fa0b977f925630871b792d7cfb11a3

memory/5008-40-0x00000000009D0000-0x0000000000A51000-memory.dmp

memory/4456-38-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/4456-37-0x0000000000DE0000-0x0000000000E79000-memory.dmp

memory/4456-41-0x0000000000DE0000-0x0000000000E79000-memory.dmp

memory/4456-46-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/4456-45-0x0000000000DE0000-0x0000000000E79000-memory.dmp

memory/4456-47-0x0000000000DE0000-0x0000000000E79000-memory.dmp