Malware Analysis Report

2024-11-16 13:25

Sample ID 241010-tw1h5szfrn
Target 680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN
SHA256 680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77e
Tags
urelas discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77e

Threat Level: Known bad

The file 680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Executes dropped EXE

Checks computer location settings

Deletes itself

Loads dropped DLL

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-10 16:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-10 16:25

Reported

2024-10-10 16:27

Platform

win7-20240903-en

Max time kernel

119s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\uzoki.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nulez.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\uzoki.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nulez.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1684 wrote to memory of 2964 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe C:\Users\Admin\AppData\Local\Temp\uzoki.exe
PID 1684 wrote to memory of 2836 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2456 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\uzoki.exe C:\Users\Admin\AppData\Local\Temp\nulez.exe

Processes

C:\Users\Admin\AppData\Local\Temp\680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe

"C:\Users\Admin\AppData\Local\Temp\680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe"

C:\Users\Admin\AppData\Local\Temp\uzoki.exe

"C:\Users\Admin\AppData\Local\Temp\uzoki.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\nulez.exe

"C:\Users\Admin\AppData\Local\Temp\nulez.exe"

Network

Country Destination Domain Proto
KR 218.54.31.226:11300 - tcp
KR 1.234.83.146:11170 - tcp
KR 218.54.31.166:11300 - tcp
JP 133.242.129.155:11300 - tcp

Files

memory/1684-1-0x0000000000020000-0x0000000000021000-memory.dmp

memory/1684-0-0x0000000000210000-0x0000000000291000-memory.dmp

\Users\Admin\AppData\Local\Temp\uzoki.exe

MD5 8334be050a2a61abeb3ccc426179f57e
SHA1 6d660b0d985656372ab13cb321ef9e61e90591d1
SHA256 4d7827f05a6831414fe4be166372f50e4d383735d5243065f603628c428e5eba
SHA512 5d0264a9f21f567d1a9c81097ed76adb90e6cfc4ab2c949fbe6fcf1d2ce949c79a4cddd1c0218d300e271cda9e1a6624d469df98b259f476a09718ababa4fad5

memory/1684-6-0x0000000002460000-0x00000000024E1000-memory.dmp

memory/2964-13-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2964-11-0x0000000000920000-0x00000000009A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 af5416b8428b7024077aca61c2fbc1e8
SHA1 6b1b9c4ff6c207c84eb39368680a8306bf800a3c
SHA256 31fdb35446b2485ff5d3ded870b3c1903ef2abd41c254edc92dd959f647bb4a3
SHA512 2f159410e5996080e31f9cf2228401668cc8e168d5cc0686578f07d31cb031ceb10332788609e6389f288d1c55158f81abad51fcf6ab6d1f90a2423f497904db

memory/1684-21-0x0000000000210000-0x0000000000291000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 b51cc6ae1f00d6cb6304094d1570ad24
SHA1 78f3883ad5439072df41f7544141952a42374fb5
SHA256 1e2f2818b27aadead255312837cde5037599cff47af73394ed8b0c74d4554b30
SHA512 2b9cde5e6443277978e2f549d6d77eb19a83c6ab6975e467186c6b44d4b255cfa665663bad9f3f4856a69ec91c2c68f6e08e1070f9c299b4f936e2f5c39c8cfc

memory/2964-24-0x0000000000920000-0x00000000009A1000-memory.dmp

memory/2964-40-0x0000000000920000-0x00000000009A1000-memory.dmp

memory/2964-38-0x0000000003250000-0x00000000032E9000-memory.dmp

memory/2456-42-0x0000000000020000-0x00000000000B9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nulez.exe

MD5 91814eff58d55623be50399ac6a53432
SHA1 865724cf46f0a98a78df4be2c13bcc5d34a13b8d
SHA256 323215464c73524ca40849bbeeecad12c41fa0e71c813b67fc0c6365c020cfc2
SHA512 f97edf6b421ce4c75d4a1f0580489be7b53244811d0df992c7bd3f27a101ae068b447896ac6d00992e4c783eab4092f165553572c6ba1e03f094ca8270196c13

memory/2456-44-0x0000000000020000-0x00000000000B9000-memory.dmp

memory/2456-47-0x0000000000020000-0x00000000000B9000-memory.dmp

memory/2456-48-0x0000000000020000-0x00000000000B9000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-10 16:25

Reported

2024-10-10 16:27

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\diloo.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\diloo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\loguk.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\diloo.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\loguk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A (48 events) N/A C:\Users\Admin\AppData\Local\Temp\loguk.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1340 wrote to memory of 2136 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe C:\Users\Admin\AppData\Local\Temp\diloo.exe
PID 1340 wrote to memory of 1008 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe C:\Windows\SysWOW64\cmd.exe
PID 2136 wrote to memory of 4476 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\diloo.exe C:\Users\Admin\AppData\Local\Temp\loguk.exe

Processes

C:\Users\Admin\AppData\Local\Temp\680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe

"C:\Users\Admin\AppData\Local\Temp\680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe"

C:\Users\Admin\AppData\Local\Temp\diloo.exe

"C:\Users\Admin\AppData\Local\Temp\diloo.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\loguk.exe

"C:\Users\Admin\AppData\Local\Temp\loguk.exe"

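The WriteProcessMemory tables of both detonations (win7 run, PIDs 1684/2964/2836/2456; win10 run, PIDs 1340/2136/1008/4476) record the same parent-to-child write several times per edge, which hides the simple shape underneath: sample starts a dropped EXE in Temp, that EXE starts a second dropped EXE, and the sample separately starts cmd.exe, which the Processes lists show running _uinsey.bat. The script below is an added example and not part of the sandbox report or its tooling. It parses rows copied from both tables, collapses repeats into per-edge counts, rebuilds the parent/child tree and flags those two structural features; the flag names and summary layout are this example's own. Every write edge here pairs with exactly one process start in the Processes list, so the rows are consistent with a parent's normal writes into a child it has just created rather than with injection into an unrelated process; the lineage, not the API name, is the signal worth keeping.

```python
"""Rebuild the dropper lineage from the sandbox's 'wrote to memory of' rows."""
import re
from collections import Counter, defaultdict

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\680c2a47c832e1db286f3dec9c2afc07fd35e2a8eba0a6d26a25052cc55fb77eN.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# Rows copied from the report's two WriteProcessMemory tables; the sandbox
# recorded each edge 4 times on win7 and 3 times on win10.
WIN7_ROWS = "\n".join(
    [f"PID 1684 wrote to memory of 2964 N/A {SAMPLE} {TEMP}\\uzoki.exe"] * 4
    + [f"PID 1684 wrote to memory of 2836 N/A {SAMPLE} {CMD}"] * 4
    + [f"PID 2964 wrote to memory of 2456 N/A {TEMP}\\uzoki.exe {TEMP}\\nulez.exe"] * 4
)
WIN10_ROWS = "\n".join(
    [f"PID 1340 wrote to memory of 2136 N/A {SAMPLE} {TEMP}\\diloo.exe"] * 3
    + [f"PID 1340 wrote to memory of 1008 N/A {SAMPLE} {CMD}"] * 3
    + [f"PID 2136 wrote to memory of 4476 N/A {TEMP}\\diloo.exe {TEMP}\\loguk.exe"] * 3
)

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_writes(text):
    """Collapse repeated rows: Counter{(ppid, cpid, parent_image, child_image): n}."""
    edges = Counter()
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            edges[(int(m[1]), int(m[2]), m[3], m[4])] += 1
    return edges


def build_tree(edges):
    """children[ppid] = {cpid: child_image}; image[pid] = path."""
    children, image = defaultdict(dict), {}
    for ppid, cpid, pimg, cimg in edges:
        children[ppid][cpid] = cimg
        image[ppid], image[cpid] = pimg, cimg
    return children, image


def roots(edges):
    """PIDs that write to others but are never written to: the submitted sample."""
    return sorted({e[0] for e in edges} - {e[1] for e in edges})


def chains(children, pid):
    """Every root-to-leaf PID chain below pid."""
    if pid not in children:
        return [[pid]]
    return [[pid] + tail for cpid in children[pid] for tail in chains(children, cpid)]


def in_temp(path):
    return path.lower().startswith(TEMP.lower() + "\\")


def summarize(text):
    """Lineage plus two structural flags (flag names are this example's own)."""
    edges = parse_writes(text)
    children, _image = build_tree(edges)
    flags = set()
    for _ppid, _cpid, pimg, cimg in edges:
        if in_temp(pimg) and in_temp(cimg) and cimg.lower().endswith(".exe"):
            flags.add("temp_exe_spawns_temp_exe")   # dropper starts its own drop
        if cimg.lower().endswith("\\cmd.exe"):
            flags.add("spawns_cmd")                 # runner for the self-delete .bat
    all_chains = [c for r in roots(edges) for c in chains(children, r)]
    return {
        "roots": roots(edges),
        "chains": sorted(all_chains),
        "depth": max((len(c) for c in all_chains), default=0),
        "flags": sorted(flags),
        "events": sum(edges.values()),
    }


if __name__ == "__main__":
    for run, rows in (("win7", WIN7_ROWS), ("win10", WIN10_ROWS)):
        print(run, summarize(rows))
```

Both runs reduce to one root, a three-process chain and a two-process cmd.exe branch; the per-edge counts differ only because the two platforms report a different number of writes per process start.
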
Network

Country Destination Domain Proto
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
KR 218.54.31.226:11300 - tcp
KR 1.234.83.146:11170 - tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
KR 218.54.31.166:11300 - tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
JP 133.242.129.155:11300 - tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

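The Network tables of both detonations (win7 run in behavioral1, win10 run here) contact the same four TCP sockets on ports 11300 and 11170. The win10 run also shows nine PTR lookups sent to 8.8.8.8; none of them reverses a C2 address (they resolve addresses such as 20.190.159.68 and 52.111.229.19), which is consistent with the Windows image's own background traffic rather than with the sample. The script below is an added example, not code from the sandbox: it parses rows copied from both tables (an empty Domain column may be written as "-"), drops the resolver-bound PTR lookups, keeps the TCP destinations common to both runs as IOCs, confirms no PTR target overlaps them, and renders them as Suricata rules. The rule text, message strings and sid range are this example's own choices.

```python
"""Separate C2 destinations from sandbox background traffic in the Network tables."""
import re

# Rows copied from the report's Network tables for the two detonations.
WIN7_NET = """
KR 218.54.31.226:11300 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.166:11300 tcp
JP 133.242.129.155:11300 tcp
"""
WIN10_NET = """
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
KR 218.54.31.226:11300 tcp
KR 1.234.83.146:11170 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
KR 218.54.31.166:11300 tcp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
JP 133.242.129.155:11300 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
"""

# Country, ip:port, optional domain ("-" or absent when empty), proto.
ROW = re.compile(r"^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?: (\S+))? (tcp|udp)$")


def parse_net(text):
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({"country": m[1], "ip": m[2], "port": int(m[3]),
                         "domain": "" if m[4] in (None, "-") else m[4],
                         "proto": m[5]})
    return rows


def ptr_target(domain):
    """'68.159.190.20.in-addr.arpa' -> '20.190.159.68'; None for non-PTR names."""
    suffix = ".in-addr.arpa"
    if not domain.endswith(suffix):
        return None
    return ".".join(reversed(domain[: -len(suffix)].split(".")))


def is_background(row):
    """Resolver-bound PTR lookups: treated here as image noise, not C2."""
    return row["proto"] == "udp" and row["port"] == 53 and ptr_target(row["domain"]) is not None


def c2_candidates(*tables):
    """Deduplicated (ip, port, country) for every non-background TCP destination."""
    seen = {}
    for text in tables:
        for r in parse_net(text):
            if r["proto"] == "tcp" and not is_background(r):
                seen[(r["ip"], r["port"])] = r["country"]
    return sorted((ip, port, cc) for (ip, port), cc in seen.items())


def shared_across_runs(*tables):
    """Sockets contacted in every run: the IOCs least tied to one detonation."""
    sets = [{(ip, port) for ip, port, _ in c2_candidates(t)} for t in tables]
    return sorted(set.intersection(*sets))


def ptr_overlap(iocs, *tables):
    """PTR lookups whose reversed target is itself a C2 address (empty for this report)."""
    c2_ips = {ip for ip, _port, _cc in iocs}
    hits = []
    for text in tables:
        for r in parse_net(text):
            target = ptr_target(r["domain"])
            if target in c2_ips:
                hits.append(target)
    return sorted(hits)


def suricata_rules(iocs, sid_base=9000001):
    """One alert per C2 socket; msg text and sid range are this example's own."""
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} '
        f'(msg:"Urelas C2 {ip}:{port} ({cc})"; sid:{sid_base + i}; rev:1;)'
        for i, (ip, port, cc) in enumerate(iocs)
    ]


if __name__ == "__main__":
    iocs = c2_candidates(WIN7_NET, WIN10_NET)
    print("\n".join(suricata_rules(iocs)))
```

Block by socket rather than by address alone only if the rest of those hosts' ports are known to be benign; with nothing on the page beyond these four sockets, an address-level block is the safer default and the port rules above are the narrower, lower-false-positive option.
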
Files

memory/1340-0-0x0000000000250000-0x00000000002D1000-memory.dmp

memory/1340-1-0x0000000000550000-0x0000000000551000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\diloo.exe

MD5 c5c7ef95cf17abb477827838bf403fa8
SHA1 690c840b0cd023313fbba31eef64f8ac677e6278
SHA256 c1c7ba9d1764b9d7374fce3493bea0a044cfccbb95dd772ee87e0f260b1bec8f
SHA512 989178bd3e93ffc8541eb12335b4c3a0e01ef5b1896f79d2861bc12e856fc32df5ef0d07f2cda73c22292fd6827f61f9375e3065873eab28685bfffdcc1f64f2

memory/2136-14-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/2136-11-0x0000000000580000-0x0000000000601000-memory.dmp

memory/1340-17-0x0000000000250000-0x00000000002D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 af5416b8428b7024077aca61c2fbc1e8
SHA1 6b1b9c4ff6c207c84eb39368680a8306bf800a3c
SHA256 31fdb35446b2485ff5d3ded870b3c1903ef2abd41c254edc92dd959f647bb4a3
SHA512 2f159410e5996080e31f9cf2228401668cc8e168d5cc0686578f07d31cb031ceb10332788609e6389f288d1c55158f81abad51fcf6ab6d1f90a2423f497904db

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 a7f64c43d39a874557eb61c9662c09c7
SHA1 c28d60941d3c0e7906dbc6e5ac526167d6e29713
SHA256 674d9ad49ec5ed32ee7e2fcc1548d603215f922f5dd2d2dd4e01d3404b5e4b45
SHA512 85294bb5ba31b8714b0dddbedf1e77666783b337901fc4aa3991d4d30dbe4c4e24743a86a512faf305c9aa4cfbde008b63c3747c0dfdbba702a632aa1eb44809

memory/2136-21-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/2136-20-0x0000000000580000-0x0000000000601000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\loguk.exe

MD5 d03f654ebdb8d9871713863b72d2057b
SHA1 29fbd3209108d6da0f26a200a329b76814f2de28
SHA256 497c85a1fa0fb957f216b21e60ef5f9a37487c6fc9c7fea6a274259a29deb779
SHA512 d3523cba26cd84a4b50f2f7c27016fa8e940606a07e00f3194382487926a3e0b1e2e7c8f0e5487864ff742f840d2e75c1cfeb6ec2fa930621688c63f4886faf4

memory/4476-37-0x0000000000B30000-0x0000000000BC9000-memory.dmp

memory/2136-39-0x0000000000580000-0x0000000000601000-memory.dmp

memory/4476-41-0x0000000000B30000-0x0000000000BC9000-memory.dmp

memory/4476-44-0x0000000000A90000-0x0000000000A92000-memory.dmp

memory/4476-46-0x0000000000B30000-0x0000000000BC9000-memory.dmp

memory/4476-47-0x0000000000B30000-0x0000000000BC9000-memory.dmp