Malware Analysis Report

2024-11-16 13:26

Sample ID: 241010-f2pryaybph
Target: 2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N
SHA256: 2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312
Tags: urelas discovery trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312

Threat Level: Known bad

The file 2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-10 05:22

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-10 05:22
Reported: 2024-10-10 05:24
Platform: win7-20240903-en
Max time kernel: 120s
Max time network: 118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cisus.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aclol.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aclol.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cisus.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 2576 wrote to memory of 1724 | N/A | C:\Users\Admin\AppData\Local\Temp\2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N.exe | C:\Users\Admin\AppData\Local\Temp\cisus.exe | 4
PID 2576 wrote to memory of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N.exe | C:\Windows\SysWOW64\cmd.exe | 4
PID 1724 wrote to memory of 904 | N/A | C:\Users\Admin\AppData\Local\Temp\cisus.exe | C:\Users\Admin\AppData\Local\Temp\aclol.exe | 4

Processes

C:\Users\Admin\AppData\Local\Temp\2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N.exe

"C:\Users\Admin\AppData\Local\Temp\2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N.exe"

C:\Users\Admin\AppData\Local\Temp\cisus.exe

"C:\Users\Admin\AppData\Local\Temp\cisus.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\aclol.exe

"C:\Users\Admin\AppData\Local\Temp\aclol.exe"

Network

Country | Destination | Domain | Proto
KR | 218.54.31.226:11300 | - | tcp
KR | 1.234.83.146:11170 | - | tcp
KR | 218.54.31.166:11300 | - | tcp
JP | 133.242.129.155:11300 | - | tcp

Files

memory/2576-0-0x0000000000220000-0x00000000002A1000-memory.dmp

memory/2576-1-0x0000000000020000-0x0000000000021000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 d8ca98f5566c72ce8f642652674bebd1
SHA1 00cb696909ab1f6ccf44a36a4c524c633fcdf634
SHA256 49118f9536946bf95785ac001138ed4fb605f69e533c755ace4772d1e58351c0
SHA512 738acd3d1cb95190afebe41c605a1cfa025c6d8cd5a99ad742e55ba62f0699e78e2a1e4fe21992298fb47fbbd54392472427b1eacd56be69cb966c7c6e4473ed

C:\Users\Admin\AppData\Local\Temp\cisus.exe

MD5 9a5d3ec8e0d0436169deb374554b5e8c
SHA1 901d18e80a78cc70ac72f07418225ed680930261
SHA256 a2f167332f637d53e4e9b569f9a9e8ccb341fc8947080441fb4a5e3c9d2ca965
SHA512 0cd29924971d10b0d5f7149b932ba2a1fa2c49d51599e9743cf8dec03ada419d939c0eabac91a45287d3c41d082949e76e7d5a25631e96e1fdd49aee940e4abb

memory/1724-20-0x0000000000020000-0x0000000000021000-memory.dmp

memory/1724-19-0x0000000001390000-0x0000000001411000-memory.dmp

memory/2576-18-0x0000000000220000-0x00000000002A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 b15d450d9fb22339b6cdda559d95b469
SHA1 11d8927ba8f1c4cae617d55ae0913b1109f0a3af
SHA256 fcfe658b894e0065279bc174ded77b5b08b8e22e48ef13a9d12e6043fe2702c6
SHA512 f9381d8a10623272096aa7fa443be1085ed16792b394ece03109e40ad487c31aab605997e27eb72d517f027e55b966cfb643d40cd1b4a70f04e9436d464723f3

memory/1724-23-0x0000000001390000-0x0000000001411000-memory.dmp

memory/2576-31-0x0000000002560000-0x00000000025E1000-memory.dmp

\Users\Admin\AppData\Local\Temp\aclol.exe

MD5 d880e2d091170d05d15abc1f49ff7e5b
SHA1 95e8c4866a3fd264b5ac2c7c5cc54e0009740867
SHA256 35bf12372f5662a8731f0acab6ee2ded815c5026284022920a31247ebf1acf0e
SHA512 3f2b770fd469fc3cb92e6e5085bd9777e153ca456f7c36851435d0694776a3a116e7c5ef6d040af47d4198c39b1db89dc8c6ce9f7683221fd9978e68a1df55d2

memory/1724-41-0x0000000001390000-0x0000000001411000-memory.dmp

memory/904-42-0x00000000011A0000-0x0000000001239000-memory.dmp

memory/1724-39-0x0000000003270000-0x0000000003309000-memory.dmp

memory/904-43-0x00000000011A0000-0x0000000001239000-memory.dmp

memory/904-47-0x00000000011A0000-0x0000000001239000-memory.dmp

memory/904-48-0x00000000011A0000-0x0000000001239000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-10 05:22
Reported: 2024-10-10 05:24
Platform: win10v2004-20241007-en
Max time kernel: 119s
Max time network: 94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\oprio.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\oprio.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zetov.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\oprio.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zetov.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zetov.exe | N/A | 48

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 4960 wrote to memory of 1688 | N/A | C:\Users\Admin\AppData\Local\Temp\2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N.exe | C:\Users\Admin\AppData\Local\Temp\oprio.exe | 3
PID 4960 wrote to memory of 4496 | N/A | C:\Users\Admin\AppData\Local\Temp\2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N.exe | C:\Windows\SysWOW64\cmd.exe | 3
PID 1688 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\oprio.exe | C:\Users\Admin\AppData\Local\Temp\zetov.exe | 3

Processes

C:\Users\Admin\AppData\Local\Temp\2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N.exe

"C:\Users\Admin\AppData\Local\Temp\2bcbecf0ad05a630dbeef549101c76114450120e646d34053b373d4cd7b16312N.exe"

C:\Users\Admin\AppData\Local\Temp\oprio.exe

"C:\Users\Admin\AppData\Local\Temp\oprio.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\zetov.exe

"C:\Users\Admin\AppData\Local\Temp\zetov.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.27.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 72.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
KR | 218.54.31.226:11300 | - | tcp
KR | 1.234.83.146:11170 | - | tcp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
KR | 218.54.31.166:11300 | - | tcp
US | 8.8.8.8:53 | 66.209.201.84.in-addr.arpa | udp
JP | 133.242.129.155:11300 | - | tcp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp

Files

memory/4960-0-0x0000000000FF0000-0x0000000001071000-memory.dmp

memory/4960-1-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\oprio.exe

MD5 16cc1859e49b4d11e14a22857a55695b
SHA1 2f7935c177eafc4900f0bae90bf7d976156d5e01
SHA256 48aae625489072bd694cccaf91ff87efac4f06d3a91f249310396c9474e81cea
SHA512 0ab4049da36ea23cd46e0eccbea13d03084b478acc924b650fcb5d0775b4ff0291b8fda1c8b5dce990b878a5c607a4c3785c8699d6a0bade853c1b1a09b732c2

memory/1688-11-0x0000000000CA0000-0x0000000000D21000-memory.dmp

memory/1688-14-0x00000000005E0000-0x00000000005E1000-memory.dmp

memory/4960-16-0x0000000000FF0000-0x0000000001071000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 d8ca98f5566c72ce8f642652674bebd1
SHA1 00cb696909ab1f6ccf44a36a4c524c633fcdf634
SHA256 49118f9536946bf95785ac001138ed4fb605f69e533c755ace4772d1e58351c0
SHA512 738acd3d1cb95190afebe41c605a1cfa025c6d8cd5a99ad742e55ba62f0699e78e2a1e4fe21992298fb47fbbd54392472427b1eacd56be69cb966c7c6e4473ed

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 c8e736929c5432ade6fd547e86cee784
SHA1 61d94db6c1d9f8801059ef16ca9d8ce5436e4c64
SHA256 249051d5a539a3bfffb1c0404b708221a5224c494a1178e059250bcbecbc867e
SHA512 a1cb517cc557e6e82eb3c63ee38ac7aae787e78d327f90f6fc7ed0ab989fa17edbab301eb8f884b286f5ca454fd413cc7ed7d0ae09c6f74cbc32bad40a8192e6

memory/1688-19-0x0000000000CA0000-0x0000000000D21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zetov.exe

MD5 f761f48de9c1466392ee401463d748af
SHA1 1bac5b0638c62a0b583fbba6123b6b49ef9bd346
SHA256 111f7b1fcdfda6f39efddef8a55df4e43b0e0b1a5e83467445d7e60e5c5b5188
SHA512 21bb3612e42291cb13b5d0157c488e47a6e39ea2bc6bdf4d104544a2b1caec641c11caa458ecdae18670c22dc667cbaf40715b5a49e45a1cfd37aca74ba25a8a

memory/2400-37-0x00000000004E0000-0x00000000004E2000-memory.dmp

memory/2400-35-0x0000000000410000-0x00000000004A9000-memory.dmp

memory/1688-39-0x0000000000CA0000-0x0000000000D21000-memory.dmp

memory/2400-40-0x0000000000410000-0x00000000004A9000-memory.dmp

memory/2400-45-0x00000000004E0000-0x00000000004E2000-memory.dmp

memory/2400-44-0x0000000000410000-0x00000000004A9000-memory.dmp

memory/2400-46-0x0000000000410000-0x00000000004A9000-memory.dmp