Malware Analysis Report

2024-11-16 13:26

Sample ID 241010-h7mkwa1cph
Target 62cc1a1f2ae837bb84f261b27a7da8f718dee57c140843c354cadb4371f6d521N
SHA256 62cc1a1f2ae837bb84f261b27a7da8f718dee57c140843c354cadb4371f6d521
Tags urelas, discovery, trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 62cc1a1f2ae837bb84f261b27a7da8f718dee57c140843c354cadb4371f6d521

Threat Level: Known bad

The file 62cc1a1f2ae837bb84f261b27a7da8f718dee57c140843c354cadb4371f6d521N was found to be: Known bad.

Malicious Activity Summary

Tags urelas, discovery, trojan

Urelas

Checks computer location settings

Executes dropped EXE

Deletes itself

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-10 07:22

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-10 07:22

Reported

2024-10-10 07:24

Platform

win7-20240903-en

Max time kernel

119s

Max time network

88s

Command Line

"C:\Users\Admin\AppData\Local\Temp\62cc1a1f2ae837bb84f261b27a7da8f718dee57c140843c354cadb4371f6d521N.exe"

Signatures

Urelas

Tags trojan, urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bonuy.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\miwut.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\62cc1a1f2ae837bb84f261b27a7da8f718dee57c140843c354cadb4371f6d521N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bonuy.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\miwut.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2196 wrote to memory of 704 (4 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\62cc1a1f2ae837bb84f261b27a7da8f718dee57c140843c354cadb4371f6d521N.exe | C:\Users\Admin\AppData\Local\Temp\bonuy.exe
PID 2196 wrote to memory of 3056 (4 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\62cc1a1f2ae837bb84f261b27a7da8f718dee57c140843c354cadb4371f6d521N.exe | C:\Windows\SysWOW64\cmd.exe
PID 704 wrote to memory of 2472 (4 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\bonuy.exe | C:\Users\Admin\AppData\Local\Temp\miwut.exe

Processes

C:\Users\Admin\AppData\Local\Temp\62cc1a1f2ae837bb84f261b27a7da8f718dee57c140843c354cadb4371f6d521N.exe

"C:\Users\Admin\AppData\Local\Temp\62cc1a1f2ae837bb84f261b27a7da8f718dee57c140843c354cadb4371f6d521N.exe"

C:\Users\Admin\AppData\Local\Temp\bonuy.exe

"C:\Users\Admin\AppData\Local\Temp\bonuy.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\miwut.exe

"C:\Users\Admin\AppData\Local\Temp\miwut.exe"

Network

Country | Destination | Domain | Proto
KR | 218.54.31.226:11300 | (none) | tcp
KR | 1.234.83.146:11170 | (none) | tcp
KR | 218.54.31.166:11300 | (none) | tcp
JP | 133.242.129.155:11300 | (none) | tcp

Files

memory/2196-1-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2196-0-0x0000000000D80000-0x0000000000E01000-memory.dmp

\Users\Admin\AppData\Local\Temp\bonuy.exe

MD5 51f7fa40a3b59f7534ae668631215ed8
SHA1 9a9b62f338b477b31fc09a93da54ade6d5242aa4
SHA256 76b706db2d1339f28bff5841ca910892811c80a8c42be1596bb6b2edd0ef816d
SHA512 55f4b36ee7487d6e64b5c8a7a754a140d6807397fba0417961be0ab82190d310bb6043bccbbc0001799b70efbdad19494621814883691c411feadc5cb1919c00

memory/2196-7-0x0000000000CF0000-0x0000000000D71000-memory.dmp

memory/704-11-0x0000000000020000-0x0000000000021000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 4da4703fa0ae5befc3ce05de510d119c
SHA1 bf5ea595f26547eee2cd4892fbf6c6da43b73fe7
SHA256 49725e6b05099257f7d738ce8da35872f19b90174225ba31d9ee8f88c5ce4bd3
SHA512 49aca986c45ecd07e544ec670864617030878d4fde2db9bae91cd39b478f6b0a5fc6ccc83cfe6cce19307e19aa453a48fe192c1014cb76dd8f8d8246ce658f2e

memory/2196-20-0x0000000000D80000-0x0000000000E01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 bb985bdbb233d0faf474cce656d16beb
SHA1 5a11a16579427ea60781e4ef3f9f35298ddad559
SHA256 035574c684f930c790214ed5b706198c60d160b9454fd22cf1a85178becfe2bd
SHA512 3bcfd980bbfb7054ffb2cd1857f99c12e04b4ae0f217da1bbac89a9286e4a78821e924c3bbf133dbd900abc538984d3a8f5dce512fa68168ecf225094de5088a

memory/704-24-0x0000000000020000-0x0000000000021000-memory.dmp

memory/704-23-0x0000000001120000-0x00000000011A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\miwut.exe

MD5 af4b092306f3422e580e6d64471d2f9e
SHA1 a0029f814cf2b32ec0e1c623499eec5175cb1cf2
SHA256 301354b85d85bba3ec0abfc707e6f4d4ef86dea0ea063c9f2ea1a68ae1507461
SHA512 3a77a4ff74dbb9a240280406e078235edf12bd1ea2a0d0dbf7381ffe6bb92faf0adaa4d656b08a1ce2576161be9ce399b45175b6fdf151f040f5150ffa3ac8ea

memory/2472-42-0x0000000000E90000-0x0000000000F29000-memory.dmp

memory/704-41-0x0000000003FA0000-0x0000000004039000-memory.dmp

memory/704-40-0x0000000001120000-0x00000000011A1000-memory.dmp

memory/2472-43-0x0000000000E90000-0x0000000000F29000-memory.dmp

memory/2472-47-0x0000000000E90000-0x0000000000F29000-memory.dmp

memory/2472-48-0x0000000000E90000-0x0000000000F29000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-10 07:22

Reported

2024-10-10 07:24

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\62cc1a1f2ae837bb84f261b27a7da8f718dee57c140843c354cadb4371f6d521N.exe"

Signatures

Urelas

Tags trojan, urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\62cc1a1f2ae837bb84f261b27a7da8f718dee57c140843c354cadb4371f6d521N.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\coato.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\coato.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\izxex.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\izxex.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\62cc1a1f2ae837bb84f261b27a7da8f718dee57c140843c354cadb4371f6d521N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\coato.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A (48 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\izxex.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1692 wrote to memory of 1580 (3 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\62cc1a1f2ae837bb84f261b27a7da8f718dee57c140843c354cadb4371f6d521N.exe | C:\Users\Admin\AppData\Local\Temp\coato.exe
PID 1692 wrote to memory of 3636 (3 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\62cc1a1f2ae837bb84f261b27a7da8f718dee57c140843c354cadb4371f6d521N.exe | C:\Windows\SysWOW64\cmd.exe
PID 1580 wrote to memory of 3836 (3 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\coato.exe | C:\Users\Admin\AppData\Local\Temp\izxex.exe

Processes

C:\Users\Admin\AppData\Local\Temp\62cc1a1f2ae837bb84f261b27a7da8f718dee57c140843c354cadb4371f6d521N.exe

"C:\Users\Admin\AppData\Local\Temp\62cc1a1f2ae837bb84f261b27a7da8f718dee57c140843c354cadb4371f6d521N.exe"

C:\Users\Admin\AppData\Local\Temp\coato.exe

"C:\Users\Admin\AppData\Local\Temp\coato.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\izxex.exe

"C:\Users\Admin\AppData\Local\Temp\izxex.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
KR | 218.54.31.226:11300 | (none) | tcp
KR | 1.234.83.146:11170 | (none) | tcp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
KR | 218.54.31.166:11300 | (none) | tcp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
JP | 133.242.129.155:11300 | (none) | tcp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp

Files

memory/1692-0-0x0000000000E40000-0x0000000000EC1000-memory.dmp

memory/1692-1-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\coato.exe

MD5 2ed9b7bc5a86b6be1e6dc4cb723889b4
SHA1 850b8494c2ed9be24c3f8199307e9f7cdccca171
SHA256 e5fee99e786c2679e2df48d37531815b10d1a5b67a219a3afeabea40404ceeac
SHA512 3c00a1acdbca30e4fbad0b3a4e002576adabd5a71cd1e8fb27fde4c7ad32f99b74b7eb8b21101b7c5845db29df2a6363af40fb0a5559bb7b5deb75f3d0981167

memory/1580-11-0x00000000001E0000-0x0000000000261000-memory.dmp

memory/1580-14-0x0000000000D30000-0x0000000000D31000-memory.dmp

memory/1692-16-0x0000000000E40000-0x0000000000EC1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 4da4703fa0ae5befc3ce05de510d119c
SHA1 bf5ea595f26547eee2cd4892fbf6c6da43b73fe7
SHA256 49725e6b05099257f7d738ce8da35872f19b90174225ba31d9ee8f88c5ce4bd3
SHA512 49aca986c45ecd07e544ec670864617030878d4fde2db9bae91cd39b478f6b0a5fc6ccc83cfe6cce19307e19aa453a48fe192c1014cb76dd8f8d8246ce658f2e

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 0cbfba849768a9baa5b9e20ef95d06b1
SHA1 afd8e287b84a1d8e3e466b8988c142dcad6ab355
SHA256 b802d31b4ca77a20e90d46945eb470cac758c73e47eec2e48aae5259198a1ee3
SHA512 70a4f4dee3f69045f9a932b319e3e84a199c034b6c2594de5f8e84f12677f4ddbe909bee6d1525792f665ac87fa334d7e8b65eccd78178ae2ffc0b60d37bb239

memory/1580-19-0x00000000001E0000-0x0000000000261000-memory.dmp

memory/1580-20-0x0000000000D30000-0x0000000000D31000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\izxex.exe

MD5 7413bf2452c2d984c15f3c8449a50248
SHA1 77f7cc935b5824511009995dc42d9e8f834ef97d
SHA256 bf1637f68d227f28fd5a98d5bcc6ec39aba84e99c0cd3df8b740b129e5c9917c
SHA512 425ed713c8b075f55515848b7025288f396e21945966e5d5b34d1ab27bebad3324adf3764dfc8147ba286fd85a17d0682713c1b27c043956cf6efadb9300b6c8

memory/3836-38-0x0000000000BB0000-0x0000000000BB2000-memory.dmp

memory/3836-37-0x0000000000490000-0x0000000000529000-memory.dmp

memory/1580-43-0x00000000001E0000-0x0000000000261000-memory.dmp

memory/3836-40-0x0000000000490000-0x0000000000529000-memory.dmp

memory/3836-46-0x0000000000BB0000-0x0000000000BB2000-memory.dmp

memory/3836-45-0x0000000000490000-0x0000000000529000-memory.dmp

memory/3836-47-0x0000000000490000-0x0000000000529000-memory.dmp