Malware Analysis Report

2024-11-16 13:24

Sample ID 241011-a8fjys1fll
Target 4d9a8a5f9a6d73293743449fb8686594012f7ca65b27a5c906b725d28d089d00N
SHA256 4d9a8a5f9a6d73293743449fb8686594012f7ca65b27a5c906b725d28d089d00
Tags
urelas discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4d9a8a5f9a6d73293743449fb8686594012f7ca65b27a5c906b725d28d089d00

Threat Level: Known bad

The file 4d9a8a5f9a6d73293743449fb8686594012f7ca65b27a5c906b725d28d089d00N was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Deletes itself

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-11 00:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-11 00:52

Reported

2024-10-11 00:54

Platform

win7-20240729-en

Max time kernel

120s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4d9a8a5f9a6d73293743449fb8686594012f7ca65b27a5c906b725d28d089d00N.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ypjok.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cojoj.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4d9a8a5f9a6d73293743449fb8686594012f7ca65b27a5c906b725d28d089d00N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ypjok.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cojoj.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1740 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\4d9a8a5f9a6d73293743449fb8686594012f7ca65b27a5c906b725d28d089d00N.exe C:\Users\Admin\AppData\Local\Temp\ypjok.exe (4 identical entries)
PID 1740 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\4d9a8a5f9a6d73293743449fb8686594012f7ca65b27a5c906b725d28d089d00N.exe C:\Windows\SysWOW64\cmd.exe (4 identical entries)
PID 2152 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\ypjok.exe C:\Users\Admin\AppData\Local\Temp\cojoj.exe (4 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\4d9a8a5f9a6d73293743449fb8686594012f7ca65b27a5c906b725d28d089d00N.exe

"C:\Users\Admin\AppData\Local\Temp\4d9a8a5f9a6d73293743449fb8686594012f7ca65b27a5c906b725d28d089d00N.exe"

C:\Users\Admin\AppData\Local\Temp\ypjok.exe

"C:\Users\Admin\AppData\Local\Temp\ypjok.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\cojoj.exe

"C:\Users\Admin\AppData\Local\Temp\cojoj.exe"

Network

Country Destination Domain Proto
KR 218.54.31.226:11300 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.166:11300 tcp
JP 133.242.129.155:11300 tcp

Files

memory/1740-0-0x0000000000040000-0x00000000000C1000-memory.dmp

memory/1740-1-0x0000000000020000-0x0000000000021000-memory.dmp

\Users\Admin\AppData\Local\Temp\ypjok.exe

MD5 61efa5b9bcb2ee71638f81404e2b9da0
SHA1 812faed39d9fee0aabc6d302dd1a4150c5774b11
SHA256 3abbbe265cd0737340a5e7ef753b4e8855f1ad10b2581dd4593626b279a31160
SHA512 d1c11a4fdee9cad2ef0d02974eebf5223a99547e501009a61df220536fe8210661005fd21dbfe287ac3524bdc7a93fcfbe5f3acc82346b334a4e0fa5e8084807

memory/1740-6-0x0000000002410000-0x0000000002491000-memory.dmp

memory/2152-11-0x0000000000020000-0x0000000000021000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 1575c0d839d8f493079f52053e2e63cd
SHA1 3d418dc24207bbd39d54e2e52f0ea5055864702e
SHA256 3ab9485ed5cfaadb6cbfbf03fca3c958fb316d96c9edf242a1572e53e23b5774
SHA512 264e492cae806433d038bc9c03d75f37bfa904b5526d45e367be0cadb67f468f35e851fd80f02b733951ea85654242f3f5fcd9444415d91d3badc7c59c275272

memory/1740-19-0x0000000000040000-0x00000000000C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 e451c65416f8ef6f60a843bf5e9a077a
SHA1 4eb17df22d5e0c1243f27f6a089a0e538a2c89fb
SHA256 443bc05e656495c4e11c0a07057bbd3f8af583e06b59ee102e73aed3c52fda01
SHA512 26888856657d2ab724434d0f031601d89872b3a332bf316b9b3111a0700e5c0342c3d5f6c24d24bce1e0076604a3a5ffffafc24c2de76a900a1facf8e5a32d68

memory/2152-23-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2152-22-0x00000000010B0000-0x0000000001131000-memory.dmp

\Users\Admin\AppData\Local\Temp\cojoj.exe

MD5 7fa8764e46edef3db88e75bc320761e8
SHA1 f3977aafa374784328056a77aa6f252b877e50f6
SHA256 866cb624d2bedea50289ba3f324c5d4b5caee6b0c4061a390a829b4a43e8d6a9
SHA512 f665f903ec218d1134c14a6764a031861f0d9df25129ca3e4187a0103910625004a4c522624c05dd7d965c7f98c187f0ee64e58ca03caff6f35add9d288a2ef2

memory/2152-37-0x0000000003630000-0x00000000036C9000-memory.dmp

memory/2152-44-0x00000000010B0000-0x0000000001131000-memory.dmp

memory/1968-42-0x0000000001140000-0x00000000011D9000-memory.dmp

memory/1968-39-0x0000000001140000-0x00000000011D9000-memory.dmp

memory/1968-46-0x0000000001140000-0x00000000011D9000-memory.dmp

memory/1968-47-0x0000000001140000-0x00000000011D9000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-11 00:52

Reported

2024-10-11 00:54

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4d9a8a5f9a6d73293743449fb8686594012f7ca65b27a5c906b725d28d089d00N.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4d9a8a5f9a6d73293743449fb8686594012f7ca65b27a5c906b725d28d089d00N.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\jyqof.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\jyqof.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nowue.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\4d9a8a5f9a6d73293743449fb8686594012f7ca65b27a5c906b725d28d089d00N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\jyqof.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nowue.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nowue.exe N/A (48 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2300 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\4d9a8a5f9a6d73293743449fb8686594012f7ca65b27a5c906b725d28d089d00N.exe C:\Users\Admin\AppData\Local\Temp\jyqof.exe (3 identical entries)
PID 2300 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\4d9a8a5f9a6d73293743449fb8686594012f7ca65b27a5c906b725d28d089d00N.exe C:\Windows\SysWOW64\cmd.exe (3 identical entries)
PID 1796 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\jyqof.exe C:\Users\Admin\AppData\Local\Temp\nowue.exe (3 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\4d9a8a5f9a6d73293743449fb8686594012f7ca65b27a5c906b725d28d089d00N.exe

"C:\Users\Admin\AppData\Local\Temp\4d9a8a5f9a6d73293743449fb8686594012f7ca65b27a5c906b725d28d089d00N.exe"

C:\Users\Admin\AppData\Local\Temp\jyqof.exe

"C:\Users\Admin\AppData\Local\Temp\jyqof.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\nowue.exe

"C:\Users\Admin\AppData\Local\Temp\nowue.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
KR 218.54.31.226:11300 tcp
KR 1.234.83.146:11170 tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
KR 218.54.31.166:11300 tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
JP 133.242.129.155:11300 tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/2300-0-0x0000000000EA0000-0x0000000000F21000-memory.dmp

memory/2300-1-0x00000000001E0000-0x00000000001E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jyqof.exe

MD5 c326491d572f0bee5ca4e570a76b55d0
SHA1 eb79843cb2a2d8cfecad748b8f81edfec2d3ef25
SHA256 d4ecabb4c7f7214f19f53f8defc2c9235e33d9a6f4b05928e0ba91d534be7e1f
SHA512 48ebf5b52c80ca9d5d2c625f27d9d9bf8882c5e14ddda399b2505eea797b25a01c36b30f73491a1d385a772433f4a6b30a9f54a3b6fee76b327742290119eab8

memory/1796-13-0x0000000000740000-0x0000000000741000-memory.dmp

memory/1796-12-0x0000000000CE0000-0x0000000000D61000-memory.dmp

memory/2300-17-0x0000000000EA0000-0x0000000000F21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 1575c0d839d8f493079f52053e2e63cd
SHA1 3d418dc24207bbd39d54e2e52f0ea5055864702e
SHA256 3ab9485ed5cfaadb6cbfbf03fca3c958fb316d96c9edf242a1572e53e23b5774
SHA512 264e492cae806433d038bc9c03d75f37bfa904b5526d45e367be0cadb67f468f35e851fd80f02b733951ea85654242f3f5fcd9444415d91d3badc7c59c275272

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 ae91de910d4205d6fdc04a63db04c00a
SHA1 acdfc98391b1866cda6acffc4b794e57bd68a2af
SHA256 9037f86405435262aa434b3422e202669dc0cb93bd68c7a7e207103bc22e9c51
SHA512 e43c1cb6c1a7ac9659cfa6086bda3c3e746e20e9aaf86511da165951564f141fe32c22df9d8c148c56f4b6ed85cd2132284b414ca8454345b81af636a7186fc0

memory/1796-20-0x0000000000CE0000-0x0000000000D61000-memory.dmp

memory/1796-21-0x0000000000740000-0x0000000000741000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nowue.exe

MD5 29d994d67b6a5347e4dd236687c10792
SHA1 9ffb2e0d7a651b6427ca0c7737861e035bcfe545
SHA256 2c2356064f0e3478e936906e7c34da976ece9984336ee5bca66a783a27c502e0
SHA512 0cc047be4a2c05741243eccb89a5db65759258db47968ba77ffe653a667e01acdd14529c951a64b2e7f284ed1882bc31202c9b583202424becb67db3ab92e10f

memory/1796-41-0x0000000000CE0000-0x0000000000D61000-memory.dmp

memory/1952-39-0x0000000000FB0000-0x0000000000FB2000-memory.dmp

memory/1952-38-0x00000000008C0000-0x0000000000959000-memory.dmp

memory/1952-42-0x00000000008C0000-0x0000000000959000-memory.dmp

memory/1952-47-0x0000000000FB0000-0x0000000000FB2000-memory.dmp

memory/1952-46-0x00000000008C0000-0x0000000000959000-memory.dmp

memory/1952-48-0x00000000008C0000-0x0000000000959000-memory.dmp