Malware Analysis Report

2024-11-16 13:26

Sample ID 241011-d34alstarg
Target 5f4d2c0033d0286215cb3c9b5dca27a0cb08b192e751784bf51da68f29a1b975N
SHA256 5f4d2c0033d0286215cb3c9b5dca27a0cb08b192e751784bf51da68f29a1b975
Tags
urelas discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5f4d2c0033d0286215cb3c9b5dca27a0cb08b192e751784bf51da68f29a1b975

Threat Level: Known bad

The file 5f4d2c0033d0286215cb3c9b5dca27a0cb08b192e751784bf51da68f29a1b975N was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Loads dropped DLL

Checks computer location settings

Deletes itself

Executes dropped EXE

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-11 03:32

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-11 03:32

Reported

2024-10-11 03:34

Platform

win7-20240903-en

Max time kernel

119s

Max time network

88s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5f4d2c0033d0286215cb3c9b5dca27a0cb08b192e751784bf51da68f29a1b975N.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bujyh.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uxopo.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5f4d2c0033d0286215cb3c9b5dca27a0cb08b192e751784bf51da68f29a1b975N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bujyh.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\uxopo.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2656 wrote to memory of 2588 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\5f4d2c0033d0286215cb3c9b5dca27a0cb08b192e751784bf51da68f29a1b975N.exe | C:\Users\Admin\AppData\Local\Temp\bujyh.exe
PID 2656 wrote to memory of 2604 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\5f4d2c0033d0286215cb3c9b5dca27a0cb08b192e751784bf51da68f29a1b975N.exe | C:\Windows\SysWOW64\cmd.exe
PID 2588 wrote to memory of 1920 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\bujyh.exe | C:\Users\Admin\AppData\Local\Temp\uxopo.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5f4d2c0033d0286215cb3c9b5dca27a0cb08b192e751784bf51da68f29a1b975N.exe

"C:\Users\Admin\AppData\Local\Temp\5f4d2c0033d0286215cb3c9b5dca27a0cb08b192e751784bf51da68f29a1b975N.exe"

C:\Users\Admin\AppData\Local\Temp\bujyh.exe

"C:\Users\Admin\AppData\Local\Temp\bujyh.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\uxopo.exe

"C:\Users\Admin\AppData\Local\Temp\uxopo.exe"

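The four processes above form a three-stage chain: the sample launches bujyh.exe, which launches uxopo.exe, while a cmd.exe helper runs _uinsey.bat from the same directory (the launch behind the "Deletes itself" signature; the batch file's contents are not reproduced in this report). The Python below is an added example, not sandbox output and not code from the sample: it rebuilds that tree from the report's PIDs and command lines and runs the checks a detection engineer would automate over it. It assumes the "wrote to memory of" rows identify the creator of each child; for a process the parent has just created those writes are the normal CreateProcess bookkeeping, so the four repeated writes per pair are not by themselves an injection indicator.

```python
"""Rebuild and triage the process tree recorded in behavioral1.

Added example, not part of the sandbox report. PIDs, image paths and
command lines are transcribed from the Processes section above, and the
parent/child edges from the 'PID X wrote to memory of Y' rows. For a child
the parent has just created, those writes are the loader's CreateProcess
bookkeeping, not evidence of injection, so this example treats them only as
creation edges (an assumption; the report does not state parentage itself).
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass, field

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "5f4d2c0033d0286215cb3c9b5dca27a0cb08b192e751784bf51da68f29a1b975N.exe"


def tmp(name):
    """Path of a file in the sandbox user's %TEMP% directory."""
    return ntpath.join(TEMP, name)


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: int | None = None
    children: list[int] = field(default_factory=list)


def build_tree(procs, edges):
    """Link each child to the first process that wrote into it."""
    tree = {p.pid: p for p in procs}
    for writer, target in edges:
        if tree[target].parent is None:
            tree[target].parent = writer
            tree[writer].children.append(target)
    return tree


def under_temp(path):
    return path.lower().startswith(TEMP.lower() + "\\")


def dropped_pe_chain(tree):
    """(parent, child) image pairs where a %TEMP% PE launched another %TEMP% PE."""
    return [
        (tree[p.parent].image, p.image)
        for p in tree.values()
        if p.parent is not None
        and p.image.lower().endswith(".exe")
        and under_temp(p.image)
        and under_temp(tree[p.parent].image)
    ]


def self_delete_batches(tree):
    """cmd.exe running a %TEMP% .bat on behalf of a %TEMP% executable: the
    launch pattern behind the 'Deletes itself' signature. The .bat body is
    not on the page, so only the launch is matched here."""
    found = []
    for p in tree.values():
        if p.parent is None or not p.image.lower().endswith("\\cmd.exe"):
            continue
        m = re.search(r'"([^"]+\.bat)"', p.cmdline, re.IGNORECASE)
        if m and under_temp(m.group(1)) and under_temp(tree[p.parent].image):
            found.append((tree[p.parent].image, m.group(1)))
    return found


def chain_depth(tree, pid):
    """Processes on the longest descent from pid (sample -> bujyh -> uxopo = 3)."""
    return 1 + max((chain_depth(tree, c) for c in tree[pid].children), default=0)


# Constructed from the behavioral1 Processes and WriteProcessMemory rows.
PROCS = [
    Proc(2656, tmp(SAMPLE), '"' + tmp(SAMPLE) + '"'),
    Proc(2588, tmp("bujyh.exe"), '"' + tmp("bujyh.exe") + '"'),
    Proc(2604, r"C:\Windows\SysWOW64\cmd.exe", 'cmd /c ""' + tmp("_uinsey.bat") + '" "'),
    Proc(1920, tmp("uxopo.exe"), '"' + tmp("uxopo.exe") + '"'),
]
EDGES = [(2656, 2588)] * 4 + [(2656, 2604)] * 4 + [(2588, 1920)] * 4
TREE = build_tree(PROCS, EDGES)


def triage(tree=TREE, root=2656):
    """The three findings a detection engineer would act on."""
    return {
        "dropped_pe_chain": dropped_pe_chain(tree),
        "self_delete_batches": self_delete_batches(tree),
        "chain_depth": chain_depth(tree, root),
    }


if __name__ == "__main__":
    for name, value in triage().items():
        print(f"{name}: {value}")
```

On a real endpoint the same three checks map directly onto process-creation telemetry (Sysmon event 1 or EDR equivalents): parent and child image both under the user's Temp directory, a cmd.exe child whose command line names a .bat in that directory, and a descent of three or more dropped stages. Any one of them is noisy on its own; together they describe this sample's behaviour rather than generic installer activity.
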
Network

Country | Destination | Domain | Proto
KR | 218.54.31.226:11300 | | tcp
KR | 1.234.83.146:11170 | | tcp
KR | 218.54.31.166:11300 | | tcp
JP | 133.242.129.155:11300 | | tcp

Files

memory/2656-0-0x0000000001250000-0x00000000012D1000-memory.dmp

memory/2656-1-0x0000000000020000-0x0000000000021000-memory.dmp

\Users\Admin\AppData\Local\Temp\bujyh.exe

MD5 7ec51913f27d2c5025f42ab38b4d9a12
SHA1 110df1e2b682cabd31199dbb0b2f6f1527bf7902
SHA256 61abbe96c63c307345f00cdac05b01b0161b20f561116c26b97b95d7168926a9
SHA512 1c412b25aef76850e05a23ead21a388d3da8fb9df0814f44485d756853b4558fc15452c44b51fb2e18f367963fc784f84d377169c60e498ec8dc3db6bf73b8fd

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 a525ddb2711f59edaea2fbd95843ebe2
SHA1 b5a810f234b2280aaaa74b1b3e11929ff947ad6a
SHA256 6a0e0be8fa9590a7624d0bc086c07827ff11f17ca5465c43929dc3119b8d045e
SHA512 d30d621535965a1c92d81790b3234590706be44d6ead32a68cbc38256dd983df8d3074417a88b172c2e5d14a681a8383033aaef43247cfb04f74eaf08443f0d0

memory/2588-18-0x0000000001290000-0x0000000001311000-memory.dmp

memory/2588-19-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2656-9-0x0000000000A70000-0x0000000000AF1000-memory.dmp

memory/2656-21-0x0000000001250000-0x00000000012D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 804d59b887d6208dcd5c27cc1802c6ec
SHA1 4469cce8ee8fa5a98b2f88128db75287f31de0d6
SHA256 e438e52d800b3e9b4569d7c63a839306c338b18eeebae7fdfeba02fa705c388b
SHA512 b56121485b86e5cfb84338eaa368af4919deb77d6a41daa61feacfb1e7af7d07679ae1d08c20f7bb24f840a9dc157f052dc8dfc7f1e5cd257b4eb6e9614c9859

memory/2588-24-0x0000000001290000-0x0000000001311000-memory.dmp

\Users\Admin\AppData\Local\Temp\uxopo.exe

MD5 051aaefa6e5c274e0cd9f2dad2f0621b
SHA1 384a2f8eb55bce202c18285f64d93f8c7dbcc0fd
SHA256 37c04a3aea2ad497634f805b56e6d9ec07bc697cb7fae64e2eadf381760edf3a
SHA512 6f8b53a694438e9ef2530f68a9414248e6ab646a073a08530db3c0f39723692d0df8467b349e792897049f77736df5c7036f621e3a7891a6fedb57e944f54b9c

memory/1920-42-0x0000000000280000-0x0000000000319000-memory.dmp

memory/2588-40-0x0000000003D90000-0x0000000003E29000-memory.dmp

memory/2588-39-0x0000000001290000-0x0000000001311000-memory.dmp

memory/1920-43-0x0000000000280000-0x0000000000319000-memory.dmp

memory/1920-47-0x0000000000280000-0x0000000000319000-memory.dmp

memory/1920-48-0x0000000000280000-0x0000000000319000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-11 03:32

Reported

2024-10-11 03:34

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

92s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5f4d2c0033d0286215cb3c9b5dca27a0cb08b192e751784bf51da68f29a1b975N.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5f4d2c0033d0286215cb3c9b5dca27a0cb08b192e751784bf51da68f29a1b975N.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ciira.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ciira.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gexuc.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ciira.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\gexuc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5f4d2c0033d0286215cb3c9b5dca27a0cb08b192e751784bf51da68f29a1b975N.exe | N/A
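
The two discovery tables above carry different weight. The NLS\Language key is opened by every process in the run, including the cmd.exe helper that only exists to run a batch file, so that row describes ordinary process start-up rather than reconnaissance and should not drive an alert on its own. The Geo\Nation query is different: only the sample and its first payload ciira.exe perform it, and it is the one that actually tells the malware which country the machine is in. The Python below is an added example, not part of the report: it transcribes the behavioral2 events, treats any key that an OS helper process also touched as baseline (that "helper process = baseline" rule is the example's assumption), and rewrites the native \REGISTRY\ paths into the HKLM\ and HKU\ form a Sysmon-based hunt would match. The behavioral1 tables show the same pattern with the Windows 7 process names, so the block covers both runs.

```python
"""Separate the distinctive registry discovery from run-wide background noise.

Added example, not part of the sandbox report. Events are transcribed from
the 'Checks computer location settings' and 'System Language Discovery'
tables of behavioral2. Assumption: a key that the cmd.exe helper also opens
is something any process touches at start-up and carries no information
about the sample; a key only the dropper and its payloads read is the
behaviour worth alerting on.
"""
import re
from dataclasses import dataclass

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\5f4d2c0033d0286215cb3c9b5dca27a0cb08b192e751784bf51da68f29a1b975N.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
GEO_NATION = (r"\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000"
              r"\Control Panel\International\Geo\Nation")
NLS_LANGUAGE = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"

# OS helper binaries, as opposed to dropped payloads (assumption).
SYSTEM_IMAGES = {CMD}


@dataclass(frozen=True)
class RegEvent:
    action: str
    key: str
    image: str


# Constructed from the behavioral2 signature tables above.
EVENTS = [
    RegEvent("Key value queried", GEO_NATION, SAMPLE),
    RegEvent("Key value queried", GEO_NATION, TEMP + r"\ciira.exe"),
    RegEvent("Key opened", NLS_LANGUAGE, TEMP + r"\ciira.exe"),
    RegEvent("Key opened", NLS_LANGUAGE, CMD),
    RegEvent("Key opened", NLS_LANGUAGE, TEMP + r"\gexuc.exe"),
    RegEvent("Key opened", NLS_LANGUAGE, SAMPLE),
]

_SID = re.compile(r"S-1-5-21-\d+-\d+-\d+-\d+")


def hunt_path(native_key):
    """Rewrite a native \\REGISTRY\\ path into the HKLM\\ / HKU\\ form that
    Sysmon records in TargetObject, with the per-machine user SID wildcarded."""
    upper = native_key.upper()
    if upper.startswith("\\REGISTRY\\MACHINE\\"):
        key = "HKLM\\" + native_key[len("\\REGISTRY\\MACHINE\\"):]
    elif upper.startswith("\\REGISTRY\\USER\\"):
        key = "HKU\\" + native_key[len("\\REGISTRY\\USER\\"):]
    else:
        key = native_key
    return _SID.sub("*", key)


def baseline_keys(events, system_images=SYSTEM_IMAGES):
    """Keys that an OS helper process touched during the same run."""
    return {e.key for e in events if e.image in system_images}


def distinctive_events(events, system_images=SYSTEM_IMAGES):
    """Events by non-helper images on keys no helper touched."""
    noise = baseline_keys(events, system_images)
    return [e for e in events if e.key not in noise and e.image not in system_images]


def summarise(events):
    """Hunt-ready (action, path) pairs mapped to the image names that did them."""
    out = {}
    for e in distinctive_events(events):
        out.setdefault((e.action, hunt_path(e.key)), set()).add(e.image.rsplit("\\", 1)[-1])
    return out


if __name__ == "__main__":
    for (action, path), images in summarise(EVENTS).items():
        print(f"{action}: {path} <- {sorted(images)}")
```

The baseline rule is deliberately run-local: it needs no external allow-list, only the observation that a process with no reason to profile the machine touched the same key. The surviving indicator, a value query on HKU\*\Control Panel\International\Geo\Nation from an executable in the user's Temp directory, is narrow enough to alert on.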

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gexuc.exe (48 identical events) | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4620 wrote to memory of 1988 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\5f4d2c0033d0286215cb3c9b5dca27a0cb08b192e751784bf51da68f29a1b975N.exe | C:\Users\Admin\AppData\Local\Temp\ciira.exe
PID 4620 wrote to memory of 4236 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\5f4d2c0033d0286215cb3c9b5dca27a0cb08b192e751784bf51da68f29a1b975N.exe | C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 4764 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\ciira.exe | C:\Users\Admin\AppData\Local\Temp\gexuc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5f4d2c0033d0286215cb3c9b5dca27a0cb08b192e751784bf51da68f29a1b975N.exe

"C:\Users\Admin\AppData\Local\Temp\5f4d2c0033d0286215cb3c9b5dca27a0cb08b192e751784bf51da68f29a1b975N.exe"

C:\Users\Admin\AppData\Local\Temp\ciira.exe

"C:\Users\Admin\AppData\Local\Temp\ciira.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\gexuc.exe

"C:\Users\Admin\AppData\Local\Temp\gexuc.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
KR | 218.54.31.226:11300 | | tcp
KR | 1.234.83.146:11170 | | tcp
US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp
KR | 218.54.31.166:11300 | | tcp
JP | 133.242.129.155:11300 | | tcp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
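
Across the two detonations the dropped executables get different names and hashes (bujyh.exe and uxopo.exe on Windows 7, ciira.exe and gexuc.exe on Windows 10) and golfinfo.ini differs as well, but _uinsey.bat has the same SHA256 in both runs and the same four tcp endpoints on ports 11300 and 11170 are contacted on both platforms. Those are the indicators that survive the name randomisation; a rule keyed on bujyh.exe would not fire on the next run. The udp rows are PTR lookups (in-addr.arpa) sent to 8.8.8.8 that appear only on the Windows 10 image. The Python below is an added example, not part of the report: it transcribes the rows and hashes, separates the resolver lookups from the sample's direct connections, keeps what both runs share, and emits Suricata rules with placeholder sids. Treating the PTR lookups as image background traffic and the tcp endpoints as command-and-control are this example's assumptions, not statements made by the sandbox.

```python
"""Consolidate the network and file indicators of the two detonations above.

Added example, not part of the sandbox report. Rows and hashes are
transcribed from the Network and Files sections of behavioral1 (Windows 7)
and behavioral2 (Windows 10). Assumptions: the udp traffic to 8.8.8.8:53 is
PTR (in-addr.arpa) lookups the Windows 10 image issues on its own and is not
attributed to the sample; the direct tcp connections to high ports are the
sample's command-and-control.
"""

# Constructed from the "Country Destination Domain Proto" rows on the page.
NETWORK = {
    "behavioral1": """\
KR 218.54.31.226:11300 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.166:11300 tcp
JP 133.242.129.155:11300 tcp
""",
    "behavioral2": """\
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
KR 218.54.31.226:11300 tcp
KR 1.234.83.146:11170 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
KR 218.54.31.166:11300 tcp
JP 133.242.129.155:11300 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
""",
}

# SHA256 of the dropped files per run, from the Files sections.
FILES = {
    "behavioral1": {
        "bujyh.exe": "61abbe96c63c307345f00cdac05b01b0161b20f561116c26b97b95d7168926a9",
        "_uinsey.bat": "6a0e0be8fa9590a7624d0bc086c07827ff11f17ca5465c43929dc3119b8d045e",
        "golfinfo.ini": "e438e52d800b3e9b4569d7c63a839306c338b18eeebae7fdfeba02fa705c388b",
        "uxopo.exe": "37c04a3aea2ad497634f805b56e6d9ec07bc697cb7fae64e2eadf381760edf3a",
    },
    "behavioral2": {
        "ciira.exe": "7d69f9aa2bdd1c13268cc410bc8b53c7b32a765f8f65242da37c02c8c500df0c",
        "_uinsey.bat": "6a0e0be8fa9590a7624d0bc086c07827ff11f17ca5465c43929dc3119b8d045e",
        "golfinfo.ini": "63c54e626524f22ec19589193347b2803dd6010b92003fe30f07c7fbd3788e65",
        "gexuc.exe": "17981b70664630e5eabe3d84193a31ce625a9ee86df6179bd1c448fe62b34805",
    },
}


def parse_network(block):
    """Parse 'Country Destination [Domain] Proto' rows into dicts."""
    rows = []
    for line in block.strip().splitlines():
        parts = line.split()
        ip, port = parts[1].rsplit(":", 1)
        rows.append({
            "country": parts[0],
            "ip": ip,
            "port": int(port),
            "domain": parts[2] if len(parts) == 4 else "",
            "proto": parts[-1],
        })
    return rows


def ptr_target(domain):
    """'134.32.126.40.in-addr.arpa' -> '40.126.32.134', the address being reverse-resolved."""
    octets = domain.lower().removesuffix(".in-addr.arpa").split(".")
    return ".".join(reversed(octets))


def is_resolver_noise(row):
    """PTR lookups through the sandbox's configured resolver (assumption, see above)."""
    return row["proto"] == "udp" and row["port"] == 53 and row["domain"].endswith(".in-addr.arpa")


def direct_connections(rows):
    """(ip, port, proto) triples the sample itself connected to."""
    return {(r["ip"], r["port"], r["proto"]) for r in rows if not is_resolver_noise(r)}


def endpoints_in_every_run(network=NETWORK):
    """Endpoints contacted on both platforms: the ones worth blocking."""
    return set.intersection(*(direct_connections(parse_network(b)) for b in network.values()))


def stable_file_hashes(files=FILES):
    """Hashes that recur across runs regardless of the randomised file names."""
    return set.intersection(*(set(d.values()) for d in files.values()))


def suricata_rules(endpoints, base_sid=9000001):
    """One alert per endpoint; the sid range is a placeholder for a real deployment."""
    return [
        f'alert {proto} $HOME_NET any -> {ip} {port} '
        f'(msg:"Urelas sample direct {proto} connection to {ip}:{port}"; '
        f'flow:to_server; sid:{base_sid + i}; rev:1;)'
        for i, (ip, port, proto) in enumerate(sorted(endpoints))
    ]


if __name__ == "__main__":
    for rule in suricata_rules(endpoints_in_every_run()):
        print(rule)
    print("stable file hashes:", sorted(stable_file_hashes()))
```

Two caveats before deploying the output: the PTR lookups can be confirmed as image noise by detonating a benign binary on the same win10v2004 image and diffing the udp rows, and IP-based rules age quickly, so the endpoint list should be re-checked against a fresh detonation before it is treated as current.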

Files

memory/4620-0-0x00000000001A0000-0x0000000000221000-memory.dmp

memory/4620-1-0x0000000000F40000-0x0000000000F41000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ciira.exe

MD5 8bc9c0f4135dcd0bf3fa445e2468ca6e
SHA1 640ad0b3c15d9e008592504cfc12c3efeef8e43e
SHA256 7d69f9aa2bdd1c13268cc410bc8b53c7b32a765f8f65242da37c02c8c500df0c
SHA512 cbb1a745d1d70fe2aaa6fc918770ef858b94baa40733d46ca116d6d047b78dec481382b114d60c4d204eb996f351da04a0a6cec535034c58cc9b7f0b15b610e3

memory/1988-14-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/1988-11-0x0000000000400000-0x0000000000481000-memory.dmp

memory/4620-17-0x00000000001A0000-0x0000000000221000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 a525ddb2711f59edaea2fbd95843ebe2
SHA1 b5a810f234b2280aaaa74b1b3e11929ff947ad6a
SHA256 6a0e0be8fa9590a7624d0bc086c07827ff11f17ca5465c43929dc3119b8d045e
SHA512 d30d621535965a1c92d81790b3234590706be44d6ead32a68cbc38256dd983df8d3074417a88b172c2e5d14a681a8383033aaef43247cfb04f74eaf08443f0d0

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 ee16e87c18533fc6fa82e8f39ea661c9
SHA1 bbdc87189a78ed8f5f7995bcdeb2e74f11eb3f6b
SHA256 63c54e626524f22ec19589193347b2803dd6010b92003fe30f07c7fbd3788e65
SHA512 07f8585368c10241c3d61984d907137da2bf53f78cc94ad2f203d11c06aa6f1c58badaa50bb81a511732569b853cf9e6fb3caedf86d7a8d13dc6963d342b19a8

memory/1988-20-0x0000000000400000-0x0000000000481000-memory.dmp

memory/1988-21-0x00000000003F0000-0x00000000003F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gexuc.exe

MD5 1e30c73428cc27f861380e8d74508085
SHA1 1f5ce3f612035488d89d54544a34381d33b26211
SHA256 17981b70664630e5eabe3d84193a31ce625a9ee86df6179bd1c448fe62b34805
SHA512 f37b623a8b84a1b7e3014021c77cb873834d3acba6726148d38a7a6aac032604b5f0bfcd2b67c8c9ff96b24836827fcbabf74c99b0375b463969c3d46cd49d74

memory/4764-39-0x00000000007F0000-0x00000000007F2000-memory.dmp

memory/1988-41-0x0000000000400000-0x0000000000481000-memory.dmp

memory/4764-38-0x0000000000DA0000-0x0000000000E39000-memory.dmp

memory/4764-42-0x0000000000DA0000-0x0000000000E39000-memory.dmp

memory/4764-47-0x00000000007F0000-0x00000000007F2000-memory.dmp

memory/4764-46-0x0000000000DA0000-0x0000000000E39000-memory.dmp

memory/4764-48-0x0000000000DA0000-0x0000000000E39000-memory.dmp