Malware Analysis Report

2024-11-16 13:26

Sample ID: 241010-xyydcasaqb
Target: 0f923ac47b8a8496fca66baa531399e93aeef21281b68e96dc165222a5870df4N
SHA256: 0f923ac47b8a8496fca66baa531399e93aeef21281b68e96dc165222a5870df4
Tags: urelas, discovery, trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 0f923ac47b8a8496fca66baa531399e93aeef21281b68e96dc165222a5870df4

Threat Level: Known bad

The file 0f923ac47b8a8496fca66baa531399e93aeef21281b68e96dc165222a5870df4N was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Deletes itself

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-10 19:16

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-10 19:16
Reported: 2024-10-10 19:18
Platform: win7-20240903-en
Max time kernel: 119s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0f923ac47b8a8496fca66baa531399e93aeef21281b68e96dc165222a5870df4N.exe"

Signatures

Urelas

Tags: trojan, urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\boebo.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nuper.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0f923ac47b8a8496fca66baa531399e93aeef21281b68e96dc165222a5870df4N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\boebo.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nuper.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2876 wrote to memory of 2268 (4 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\0f923ac47b8a8496fca66baa531399e93aeef21281b68e96dc165222a5870df4N.exe | C:\Users\Admin\AppData\Local\Temp\boebo.exe
PID 2876 wrote to memory of 2884 (4 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\0f923ac47b8a8496fca66baa531399e93aeef21281b68e96dc165222a5870df4N.exe | C:\Windows\SysWOW64\cmd.exe
PID 2268 wrote to memory of 2556 (4 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\boebo.exe | C:\Users\Admin\AppData\Local\Temp\nuper.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0f923ac47b8a8496fca66baa531399e93aeef21281b68e96dc165222a5870df4N.exe

"C:\Users\Admin\AppData\Local\Temp\0f923ac47b8a8496fca66baa531399e93aeef21281b68e96dc165222a5870df4N.exe"

C:\Users\Admin\AppData\Local\Temp\boebo.exe

"C:\Users\Admin\AppData\Local\Temp\boebo.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\nuper.exe

"C:\Users\Admin\AppData\Local\Temp\nuper.exe"

Network

Country | Destination | Domain | Proto
KR | 218.54.31.226:11300 | | tcp
KR | 1.234.83.146:11170 | | tcp
KR | 218.54.31.166:11300 | | tcp
JP | 133.242.129.155:11300 | | tcp

Files

memory/2876-1-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2876-0-0x0000000000F70000-0x0000000000FF1000-memory.dmp

\Users\Admin\AppData\Local\Temp\boebo.exe

MD5 b2ba9fe514b8d030f2e76d6347143fb5
SHA1 82204fd2764870e3827b433bc515c91827ee625d
SHA256 1871057682919a9a2733b27adec972c77f8fd9469dd05f8176c85fa113ce6ca6
SHA512 ee3402365675da4ad256baab37c8e4a6c39a14ad98cd223de72e9b67e90d05c013d334f025794ddfbd6bcf84b32da60fe412c90b3b054badce0fc9a79edd6284

memory/2268-13-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2268-12-0x0000000001130000-0x00000000011B1000-memory.dmp

memory/2876-9-0x0000000002770000-0x00000000027F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 6240009bc9ebfcb32460db20e454f77e
SHA1 b78826380d8ae52fc82a4fbe9d0d0705c738815b
SHA256 ec00de87dfc982119d3fac3d11337d6526bec753da616cb15e1ae474d9e20edd
SHA512 d96bd9a8383ffdefd1f872ec7893cc61325afdf1d5ddc26ec4210cdff5c293aeac6ba568e7d9bd2be668bbd3370fade929056a53b02c5b152a4c0fe63d8da58b

memory/2876-21-0x0000000000F70000-0x0000000000FF1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 2e6df454c8bd66381290884da2bca994
SHA1 ca79d92626cb4af91fd974f2c89d82b47618f8eb
SHA256 2947fafe3445797cea3b38d68a51c435d5ebac3cd859e25b26fbe38c2f36ddf2
SHA512 8b26f42dc5f3c77dfbc3de2d93bff3ba00813578259144b04c39e04d7191eddbb6c1e78b45bdb9146b9ba3e0f9682058827c2343cac3aabfa324bbe817ae3b92

memory/2268-24-0x0000000001130000-0x00000000011B1000-memory.dmp

memory/2268-39-0x0000000003840000-0x00000000038D9000-memory.dmp

\Users\Admin\AppData\Local\Temp\nuper.exe

MD5 c4167d509973d91022714d87f50e3afd
SHA1 8dbdc3f022b2d15dfc6729f8e977867674b8c14e
SHA256 ec50d21a9e71e6d9bba991498950f66a45bc55312aa3bb23d95ac7fa3aa4b476
SHA512 2b4ae27e0c3653f66e6a5d52a364200b1bd1e262e800da09f3c185a81c8ddd7072ef118bfe18a21354d4520d1c51621330a8f3e068e22fdbda96f6b2a9f85c84

memory/2556-45-0x0000000000D50000-0x0000000000DE9000-memory.dmp

memory/2556-42-0x0000000000D50000-0x0000000000DE9000-memory.dmp

memory/2268-41-0x0000000001130000-0x00000000011B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\boebo.exe

MD5 549de14c27cefdd1dfe294bb34879eb3
SHA1 9ba112b71727ceb9de3c9629e19e76c3a8217bd2
SHA256 30e5dd34c8465d5834edcfe7d837d4a57fb145df6d58e461f97a04f887531824
SHA512 7d78e25bd7ca210371c367e55373cdf96483c2b635ab09012538cff2e0a9ac415a8e8fa6c169a088b25e1d816aec871b11653b2c9e3a0fe27d2b08d6ede0dd35

memory/2556-48-0x0000000000D50000-0x0000000000DE9000-memory.dmp

memory/2556-49-0x0000000000D50000-0x0000000000DE9000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-10 19:16
Reported: 2024-10-10 19:18
Platform: win10v2004-20241007-en
Max time kernel: 119s
Max time network: 96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0f923ac47b8a8496fca66baa531399e93aeef21281b68e96dc165222a5870df4N.exe"

Signatures

Urelas

Tags: trojan, urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0f923ac47b8a8496fca66baa531399e93aeef21281b68e96dc165222a5870df4N.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tobir.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tobir.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\patyp.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\0f923ac47b8a8496fca66baa531399e93aeef21281b68e96dc165222a5870df4N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tobir.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\patyp.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A (48 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\patyp.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1932 wrote to memory of 3624 (3 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\0f923ac47b8a8496fca66baa531399e93aeef21281b68e96dc165222a5870df4N.exe | C:\Users\Admin\AppData\Local\Temp\tobir.exe
PID 1932 wrote to memory of 1356 (3 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\0f923ac47b8a8496fca66baa531399e93aeef21281b68e96dc165222a5870df4N.exe | C:\Windows\SysWOW64\cmd.exe
PID 3624 wrote to memory of 2752 (3 identical events) | N/A | C:\Users\Admin\AppData\Local\Temp\tobir.exe | C:\Users\Admin\AppData\Local\Temp\patyp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0f923ac47b8a8496fca66baa531399e93aeef21281b68e96dc165222a5870df4N.exe

"C:\Users\Admin\AppData\Local\Temp\0f923ac47b8a8496fca66baa531399e93aeef21281b68e96dc165222a5870df4N.exe"

C:\Users\Admin\AppData\Local\Temp\tobir.exe

"C:\Users\Admin\AppData\Local\Temp\tobir.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\patyp.exe

"C:\Users\Admin\AppData\Local\Temp\patyp.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.28.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 105.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
KR | 218.54.31.226:11300 | | tcp
KR | 1.234.83.146:11170 | | tcp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
KR | 218.54.31.166:11300 | | tcp
US | 8.8.8.8:53 | 66.209.201.84.in-addr.arpa | udp
JP | 133.242.129.155:11300 | | tcp
US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp

Files

memory/1932-0-0x0000000000B70000-0x0000000000BF1000-memory.dmp

memory/1932-1-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tobir.exe

MD5 8f1e98d34e413c84c7eba2df52c047a2
SHA1 bc48590844f1b0405cbd5b0f2bea8b58237e9747
SHA256 07106896a81f6c3f1f369dc94a03aede2fb29c851df15f5ebd5e0a2aececb4b9
SHA512 d0c193f605a5a171a9a9f83db9fafd7bb3a27b228cc4d031e2689092d88e63797e827a99402d447ebc848f4eafeba5e1894d55582de8b345ce97b08ffaad8e69

memory/3624-11-0x00000000004E0000-0x0000000000561000-memory.dmp

memory/3624-14-0x0000000000440000-0x0000000000441000-memory.dmp

memory/1932-17-0x0000000000B70000-0x0000000000BF1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 6240009bc9ebfcb32460db20e454f77e
SHA1 b78826380d8ae52fc82a4fbe9d0d0705c738815b
SHA256 ec00de87dfc982119d3fac3d11337d6526bec753da616cb15e1ae474d9e20edd
SHA512 d96bd9a8383ffdefd1f872ec7893cc61325afdf1d5ddc26ec4210cdff5c293aeac6ba568e7d9bd2be668bbd3370fade929056a53b02c5b152a4c0fe63d8da58b

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 a838e1c38b7a90e0b89df9f8bb9315ed
SHA1 cb8d04abb905c7c26b6bd9ba55a0fa27b49fa180
SHA256 48cbd50c501c89fe2ae5990f5962a10166825e7290d1b52bad38476c69c588a0
SHA512 59fb5efc07b602e77e235263a311e86199e79db99f754fa8f1b1134a193d4290bc0119d9e24fa4dcf60b055b59bae875d7d23ed5eeb43013c9bbd1ab4d7c910d

memory/3624-21-0x0000000000440000-0x0000000000441000-memory.dmp

memory/3624-20-0x00000000004E0000-0x0000000000561000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\patyp.exe

MD5 452e55d13c389171e16f264478ea89a1
SHA1 0ae7938bae5a3bffaa82bfabbb7e2c4da0a0b42a
SHA256 c73d10975dac72fa85a75d31a9005a61ffcbce3b5f1332a933e3ccebd5fc2715
SHA512 dee749dc4c424f87416ba5d2f3160707c42a7e2e239e60ee7a8ac2ecef0ca14ac21831b36f8d8ee3a42d33196babf2f14eb0353d4737eff24559b735c37e5245

memory/3624-41-0x00000000004E0000-0x0000000000561000-memory.dmp

memory/2752-39-0x0000000000800000-0x0000000000802000-memory.dmp

memory/2752-38-0x0000000000760000-0x00000000007F9000-memory.dmp

memory/2752-42-0x0000000000760000-0x00000000007F9000-memory.dmp

memory/2752-47-0x0000000000800000-0x0000000000802000-memory.dmp

memory/2752-46-0x0000000000760000-0x00000000007F9000-memory.dmp

memory/2752-48-0x0000000000760000-0x00000000007F9000-memory.dmp