Malware Analysis Report

2024-11-16 13:26

Sample ID 241010-tbee6syfmm
Target 69aca99423d2451b97698d929a180fe0d040903ffece27a963da9f8162f1c3c8N
SHA256 69aca99423d2451b97698d929a180fe0d040903ffece27a963da9f8162f1c3c8
Tags
urelas discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

69aca99423d2451b97698d929a180fe0d040903ffece27a963da9f8162f1c3c8

Threat Level: Known bad

The file 69aca99423d2451b97698d929a180fe0d040903ffece27a963da9f8162f1c3c8N was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Deletes itself

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-10 15:52

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-10 15:52

Reported

2024-10-10 15:54

Platform

win7-20240708-en

Max time kernel

120s

Max time network

90s

Command Line

"C:\Users\Admin\AppData\Local\Temp\69aca99423d2451b97698d929a180fe0d040903ffece27a963da9f8162f1c3c8N.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\obwow.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\roliv.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\69aca99423d2451b97698d929a180fe0d040903ffece27a963da9f8162f1c3c8N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\obwow.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\roliv.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 2444 wrote to memory of 1280 | N/A | C:\Users\Admin\AppData\Local\Temp\69aca99423d2451b97698d929a180fe0d040903ffece27a963da9f8162f1c3c8N.exe | C:\Users\Admin\AppData\Local\Temp\obwow.exe | 4 events
PID 2444 wrote to memory of 2808 | N/A | C:\Users\Admin\AppData\Local\Temp\69aca99423d2451b97698d929a180fe0d040903ffece27a963da9f8162f1c3c8N.exe | C:\Windows\SysWOW64\cmd.exe | 4 events
PID 1280 wrote to memory of 792 | N/A | C:\Users\Admin\AppData\Local\Temp\obwow.exe | C:\Users\Admin\AppData\Local\Temp\roliv.exe | 4 events

Processes

C:\Users\Admin\AppData\Local\Temp\69aca99423d2451b97698d929a180fe0d040903ffece27a963da9f8162f1c3c8N.exe

"C:\Users\Admin\AppData\Local\Temp\69aca99423d2451b97698d929a180fe0d040903ffece27a963da9f8162f1c3c8N.exe"

C:\Users\Admin\AppData\Local\Temp\obwow.exe

"C:\Users\Admin\AppData\Local\Temp\obwow.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\roliv.exe

"C:\Users\Admin\AppData\Local\Temp\roliv.exe"
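The WriteProcessMemory rows above record one row per call, so each parent/child pair repeats, and every write goes from a process into a process it launched itself. That shape is consistent with ordinary child-process creation as well as with injection, so on its own it establishes the process tree rather than proving injection. The script below is an added example, not part of the report or of the sandbox vendor's tooling: it rebuilds the tree from the rows and command lines copied from this run, and applies an assumed heuristic for the self-deletion step (a parent running from %TEMP% launching cmd.exe on a .bat that also sits in %TEMP%), which is the pattern behind the "Deletes itself" hit on cmd.exe. The regexes, function names and the heuristic itself are this example's assumptions.

```python
"""Rebuild the behavioral1 process tree and flag the self-delete step.

Added example; not part of the sandbox report or its vendor's tooling.
The rows and command lines are copied from the report; the parsing and the
self-delete heuristic are this example's own assumptions."""
import re
from collections import Counter, defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\69aca99423d2451b97698d929a180fe0d040903ffece27a963da9f8162f1c3c8N.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# "Suspicious use of WriteProcessMemory" rows, one per call (copied from the report).
WPM_ROWS = (
    [f"PID 2444 wrote to memory of 1280 N/A {SAMPLE} {TEMP}\\obwow.exe"] * 4
    + [f"PID 2444 wrote to memory of 2808 N/A {SAMPLE} {CMD}"] * 4
    + [f"PID 1280 wrote to memory of 792 N/A {TEMP}\\obwow.exe {TEMP}\\roliv.exe"] * 4
)

# Command lines from the "Processes" section, keyed by image path.
CMDLINES = {
    SAMPLE: f'"{SAMPLE}"',
    TEMP + r"\obwow.exe": f'"{TEMP}\\obwow.exe"',
    CMD: f'cmd /c ""{TEMP}\\_uinsey.bat" "',
    TEMP + r"\roliv.exe": f'"{TEMP}\\roliv.exe"',
}

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
# cmd.exe /c pointing at a .bat under %TEMP%; tolerates the doubled quotes
# seen in the report ("" ... " ").
BAT_RE = re.compile(r'/c\s+"*(?P<bat>[^"]+\\Temp\\[^"\\]+\.bat)"', re.IGNORECASE)


def parse_wpm(rows):
    """Return (Counter{(parent_pid, child_pid): calls}, {pid: image path})."""
    edges, images = Counter(), {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unparsed row: {row!r}")
        ppid, cpid, pimg, cimg = m.groups()
        edges[(int(ppid), int(cpid))] += 1
        images[int(ppid)] = pimg
        images[int(cpid)] = cimg
    return edges, images


def process_tree(edges, images):
    """Nested dict {pid: {child: {...}}} rooted at PIDs that never appear as a child."""
    children = defaultdict(list)
    for parent, child in edges:
        children[parent].append(child)
    child_pids = {child for _, child in edges}

    def build(pid):
        return {child: build(child) for child in sorted(children[pid])}

    return {pid: build(pid) for pid in images if pid not in child_pids}


def self_delete_candidates(edges, images, cmdlines):
    """Parent running from %TEMP% that launches cmd.exe on a .bat in %TEMP%.

    This is the shape behind the report's "Deletes itself" hit: the batch file
    outlives the parent and removes it.  Assumed heuristic, not proof that the
    .bat deletes anything; confirm by reading the dropped .bat."""
    hits = []
    for parent, child in edges:
        pimg, cimg = images[parent], images[child]
        if not cimg.lower().endswith("\\cmd.exe"):
            continue
        m = BAT_RE.search(cmdlines.get(cimg, ""))
        if m and pimg.lower().startswith(TEMP.lower() + "\\"):
            hits.append((parent, pimg, m.group("bat")))
    return hits


if __name__ == "__main__":
    edges, images = parse_wpm(WPM_ROWS)
    for (parent, child), n in edges.items():
        print(f"{parent} -> {child}  ({n} WriteProcessMemory calls)")
    print(process_tree(edges, images))
    for parent, pimg, bat in self_delete_candidates(edges, images, CMDLINES):
        print(f"self-delete candidate: PID {parent} {pimg} via {bat}")
```

Run as-is it prints the tree 2444 -> {1280 -> 792, 2808} and one self-delete candidate (PID 2444 via _uinsey.bat). The same rows from behavioral2 (PIDs 4916, 3212, 2140, 4376) parse with no change, since the heuristic keys on image paths rather than on the random dropped-file names.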

Network

Country | Destination | Domain | Proto
KR | 218.54.31.226:11300 | N/A | tcp
KR | 1.234.83.146:11170 | N/A | tcp
KR | 218.54.31.166:11300 | N/A | tcp
JP | 133.242.129.155:11300 | N/A | tcp

Files

memory/2444-0-0x0000000000E00000-0x0000000000E81000-memory.dmp

memory/2444-1-0x0000000000020000-0x0000000000021000-memory.dmp

\Users\Admin\AppData\Local\Temp\obwow.exe

MD5 ec826b981718fdb40e0dde5ed5367920
SHA1 3a3daeab52f17e766b6445df6cfb45d236bcf59c
SHA256 4049e13411fa19c8710f558b6a5af10c7210de4b5780dfa9700b4612a61b70a7
SHA512 dbf799c56445d9dcf3f32677daf154f1332db6259c9efd44bf661f172fe95555509a942063f2fee056ca515e031986eeee8aaf452bc964036b579ff5ae5c6bba

memory/1280-18-0x0000000000020000-0x0000000000021000-memory.dmp

memory/1280-17-0x0000000000FB0000-0x0000000001031000-memory.dmp

memory/2444-16-0x00000000027E0000-0x0000000002861000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 e7c3e993ea2579770a925e583ba3ff27
SHA1 6f32cf053a7d9434f99890f4e49aaa932657c905
SHA256 1750992886861a13c2424cc030b86bf895a348c13c38d56ab6d2dabe8727ae27
SHA512 7d486364662bf4e3598ddc1185697e06c829d662e73ce7f95e5f174dd431392f9a46abf5798ae84fb4b3443da2620173a9f80f91bbe72e4ae66e50cf74abc3d0

memory/2444-21-0x0000000000E00000-0x0000000000E81000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 0ee77bab570b4002cd9f489bed856fed
SHA1 339d4ea53e403ce0ec33223d6e6c39cd352787d4
SHA256 5e4044565be00040932238688cd74bd748b479cb3a7f94cb794940f0e25cee91
SHA512 e33a18085b70e209ace58f2be74eee4296052aaea2c01e96713aee80fcaeda30c718b57da94abba69c7056caffb9ecbc282bb6c7486e7d5a312fc97e6c2b60ca

memory/1280-24-0x0000000000FB0000-0x0000000001031000-memory.dmp

memory/1280-25-0x0000000000020000-0x0000000000021000-memory.dmp

\Users\Admin\AppData\Local\Temp\roliv.exe

MD5 677d07849bf6d45fb61e7a4e276a4add
SHA1 37f0d329c92488cd0703f64c1c35938793bbb321
SHA256 b20131f41bdbf68d11a60939c4fd104df18bc2d2c7add3342a035c744f161210
SHA512 ef380dabe4f39c834258a4ca0b1d6c8622e895fb2f880842837e6549913bc28cb3b621fe9b97ea71695f25a2ecf9efdf35b689db8dfee61175bf57541adcdb33

memory/1280-38-0x0000000003480000-0x0000000003519000-memory.dmp

memory/792-44-0x0000000001180000-0x0000000001219000-memory.dmp

memory/792-43-0x0000000001180000-0x0000000001219000-memory.dmp

memory/1280-42-0x0000000000FB0000-0x0000000001031000-memory.dmp

memory/792-48-0x0000000001180000-0x0000000001219000-memory.dmp

memory/792-49-0x0000000001180000-0x0000000001219000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-10 15:52

Reported

2024-10-10 15:54

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\69aca99423d2451b97698d929a180fe0d040903ffece27a963da9f8162f1c3c8N.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\69aca99423d2451b97698d929a180fe0d040903ffece27a963da9f8162f1c3c8N.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\wovoi.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wovoi.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\noajx.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\69aca99423d2451b97698d929a180fe0d040903ffece27a963da9f8162f1c3c8N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\wovoi.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\noajx.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\noajx.exe | N/A | 48 events

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 4916 wrote to memory of 3212 | N/A | C:\Users\Admin\AppData\Local\Temp\69aca99423d2451b97698d929a180fe0d040903ffece27a963da9f8162f1c3c8N.exe | C:\Users\Admin\AppData\Local\Temp\wovoi.exe | 3 events
PID 4916 wrote to memory of 2140 | N/A | C:\Users\Admin\AppData\Local\Temp\69aca99423d2451b97698d929a180fe0d040903ffece27a963da9f8162f1c3c8N.exe | C:\Windows\SysWOW64\cmd.exe | 3 events
PID 3212 wrote to memory of 4376 | N/A | C:\Users\Admin\AppData\Local\Temp\wovoi.exe | C:\Users\Admin\AppData\Local\Temp\noajx.exe | 3 events

Processes

C:\Users\Admin\AppData\Local\Temp\69aca99423d2451b97698d929a180fe0d040903ffece27a963da9f8162f1c3c8N.exe

"C:\Users\Admin\AppData\Local\Temp\69aca99423d2451b97698d929a180fe0d040903ffece27a963da9f8162f1c3c8N.exe"

C:\Users\Admin\AppData\Local\Temp\wovoi.exe

"C:\Users\Admin\AppData\Local\Temp\wovoi.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\noajx.exe

"C:\Users\Admin\AppData\Local\Temp\noajx.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
KR | 218.54.31.226:11300 | N/A | tcp
KR | 1.234.83.146:11170 | N/A | tcp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp
KR | 218.54.31.166:11300 | N/A | tcp
JP | 133.242.129.155:11300 | N/A | tcp
US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp

Files

memory/4916-0-0x0000000000CA0000-0x0000000000D21000-memory.dmp

memory/4916-1-0x00000000003F0000-0x00000000003F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wovoi.exe

MD5 7eb4477e423451b68a91abe11a1dd3fb
SHA1 3b861919879298c8e414102731930427da0ff762
SHA256 8774a0aa7564fcd9fe5efc34a2d6520600d43983101fb0eb57f9fea4b5d56606
SHA512 d822ec62d58322b0c754ac7f7b8ccfa4dfaecbdaec4ca5d40a1bc3d95bf6eb8660c87b30fe4eb12297e49c8e9b6d9752c8581f269271f3966bb5ae90f1c90dac

memory/3212-14-0x00000000005C0000-0x00000000005C1000-memory.dmp

memory/3212-11-0x0000000000430000-0x00000000004B1000-memory.dmp

memory/4916-17-0x0000000000CA0000-0x0000000000D21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 e7c3e993ea2579770a925e583ba3ff27
SHA1 6f32cf053a7d9434f99890f4e49aaa932657c905
SHA256 1750992886861a13c2424cc030b86bf895a348c13c38d56ab6d2dabe8727ae27
SHA512 7d486364662bf4e3598ddc1185697e06c829d662e73ce7f95e5f174dd431392f9a46abf5798ae84fb4b3443da2620173a9f80f91bbe72e4ae66e50cf74abc3d0

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 8f986fe109aab23f7920b0791350bcec
SHA1 cc14bc682c33ae3df4c1ec4f6e93a24575bc4f5a
SHA256 994e3a0890de3f24d9a34f78984ac8cf1473f8141382795fe60beca0df08f2bb
SHA512 6e629bb518f8c7f10014ecbd5bfb63ba42ed34662713fba7d6684fe2b88548cb3b8c2b150fac2fb0f03d69ac2b1957e5bd6fcffd19bfa8c448f2d43c0829afa3

memory/3212-20-0x0000000000430000-0x00000000004B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\noajx.exe

MD5 cf7b06666f849d1d545c440e459e66b8
SHA1 c778d9a3aab10e4c92df487226c1445fb3f1dfbd
SHA256 c7a2ce2b6c4c589817652645fdde378f7ee3aea700028e4acf2970777c363e2f
SHA512 0d3b04cbe3b8dd3c2400b5b236f486de883546e661cc85a622ef1a23e4e366d3535ce6f784831fadef78c60c1b7350e11c62b1d5608423011887a72365a04acd

memory/4376-40-0x0000000000DB0000-0x0000000000DB2000-memory.dmp

memory/3212-39-0x0000000000430000-0x00000000004B1000-memory.dmp

memory/4376-36-0x0000000000C50000-0x0000000000CE9000-memory.dmp

memory/4376-41-0x0000000000C50000-0x0000000000CE9000-memory.dmp

memory/4376-46-0x0000000000DB0000-0x0000000000DB2000-memory.dmp

memory/4376-45-0x0000000000C50000-0x0000000000CE9000-memory.dmp

memory/4376-47-0x0000000000C50000-0x0000000000CE9000-memory.dmp
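Comparing the two runs shows which of the indicators above are worth pivoting on. The dropped executables change name and hash between runs (obwow.exe and roliv.exe on Windows 7, wovoi.exe and noajx.exe on Windows 10), golfinfo.ini carries a different hash in each run, while _uinsey.bat is byte-identical in both and the four TCP destinations on ports 11300 and 11170 recur in both. The Windows 10 run also adds a series of PTR lookups to 8.8.8.8 that the report does not attribute to any process. The script below is an added example, not part of the report: it copies the hashes and network rows from the Files and Network sections of both runs and applies its own assumed rules to separate indicators that hold across runs from ones that only describe a single detonation, and to keep the reverse-DNS lookups apart from the direct connections. The function names and classification labels are this example's assumptions.

```python
"""Separate cross-run (stable) indicators from run-specific ones.

Added example; not part of the sandbox report.  Hashes and network rows are
copied from the report's Files and Network sections for both runs; the
classification rules are this example's own assumptions."""
import ipaddress

# Dropped files per run, keyed by file name (the Windows 7 run lists some
# paths without the drive letter, so the name is the common key).
RUN_FILES = {
    "behavioral1": {
        "obwow.exe": "4049e13411fa19c8710f558b6a5af10c7210de4b5780dfa9700b4612a61b70a7",
        "_uinsey.bat": "1750992886861a13c2424cc030b86bf895a348c13c38d56ab6d2dabe8727ae27",
        "golfinfo.ini": "5e4044565be00040932238688cd74bd748b479cb3a7f94cb794940f0e25cee91",
        "roliv.exe": "b20131f41bdbf68d11a60939c4fd104df18bc2d2c7add3342a035c744f161210",
    },
    "behavioral2": {
        "wovoi.exe": "8774a0aa7564fcd9fe5efc34a2d6520600d43983101fb0eb57f9fea4b5d56606",
        "_uinsey.bat": "1750992886861a13c2424cc030b86bf895a348c13c38d56ab6d2dabe8727ae27",
        "golfinfo.ini": "994e3a0890de3f24d9a34f78984ac8cf1473f8141382795fe60beca0df08f2bb",
        "noajx.exe": "c7a2ce2b6c4c589817652645fdde378f7ee3aea700028e4acf2970777c363e2f",
    },
}

# Network rows per run: (country, destination, domain, proto), copied from the report.
NETWORK = {
    "behavioral1": [
        ("KR", "218.54.31.226:11300", "", "tcp"),
        ("KR", "1.234.83.146:11170", "", "tcp"),
        ("KR", "218.54.31.166:11300", "", "tcp"),
        ("JP", "133.242.129.155:11300", "", "tcp"),
    ],
    "behavioral2": [
        ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
        ("US", "8.8.8.8:53", "67.31.126.40.in-addr.arpa", "udp"),
        ("US", "8.8.8.8:53", "83.210.23.2.in-addr.arpa", "udp"),
        ("US", "8.8.8.8:53", "26.35.223.20.in-addr.arpa", "udp"),
        ("KR", "218.54.31.226:11300", "", "tcp"),
        ("KR", "1.234.83.146:11170", "", "tcp"),
        ("US", "8.8.8.8:53", "56.163.245.4.in-addr.arpa", "udp"),
        ("US", "8.8.8.8:53", "241.42.69.40.in-addr.arpa", "udp"),
        ("US", "8.8.8.8:53", "75.117.19.2.in-addr.arpa", "udp"),
        ("KR", "218.54.31.166:11300", "", "tcp"),
        ("JP", "133.242.129.155:11300", "", "tcp"),
        ("US", "8.8.8.8:53", "21.236.111.52.in-addr.arpa", "udp"),
    ],
}


def classify_files(run_files):
    """stable: same name and hash in every run; content_varies: same name,
    different hash per run; name_varies: present in only some runs (random
    names), i.e. it describes one detonation only."""
    runs = list(run_files)
    out = {"stable": {}, "content_varies": {}, "name_varies": {}}
    for name in sorted(set().union(*map(set, run_files.values()))):
        present = [r for r in runs if name in run_files[r]]
        hashes = sorted({run_files[r][name] for r in present})
        if len(present) < len(runs):
            out["name_varies"][name] = hashes
        elif len(hashes) == 1:
            out["stable"][name] = hashes[0]
        else:
            out["content_varies"][name] = hashes
    return out


def ptr_target(domain):
    """'67.31.126.40.in-addr.arpa' -> '40.126.31.67' (the address that was looked up)."""
    labels = domain[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(labels))


def network_iocs(network):
    """Return (connections, ptr_lookups).

    connections: [(ip, port, proto, country, [runs])], deduplicated across runs
    and sorted by address.  ptr_lookups: addresses whose PTR record was queried
    through 8.8.8.8; the report does not say which process issued them, so they
    are kept apart rather than treated as the sample's infrastructure."""
    conns, ptrs = {}, set()
    for run, rows in network.items():
        for country, dest, domain, proto in rows:
            ip, port = dest.rsplit(":", 1)
            if domain.endswith(".in-addr.arpa"):
                ptrs.add(ptr_target(domain))
                continue
            key = (ipaddress.ip_address(ip), int(port), proto)
            conns.setdefault(key, (country, set()))[1].add(run)
    connections = [
        (str(ip), port, proto, country, sorted(runs))
        for (ip, port, proto), (country, runs) in sorted(conns.items())
    ]
    return connections, sorted(ptrs, key=ipaddress.ip_address)


if __name__ == "__main__":
    print(classify_files(RUN_FILES))
    conns, ptrs = network_iocs(NETWORK)
    for c in conns:
        print("connection:", c)
    print("unattributed PTR lookups:", ptrs)
```

The output puts only _uinsey.bat in the stable set and all four TCP destinations in both runs, which is the set a detection engineer would carry forward from this report; the dropped-EXE names and hashes and the golfinfo.ini hash would match this detonation only.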