Malware Analysis Report

2024-11-16 13:25

Sample ID 241014-fxxlzszcmf
Target 42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N
SHA256 42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49
Tags
urelas discovery trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49

Threat Level: Known bad

The file 42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N was found to be: Known bad.

Malicious Activity Summary

urelas discovery trojan

Urelas

Urelas family

Checks computer location settings

Executes dropped EXE

Deletes itself

Loads dropped DLL

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-14 05:15

Signatures

Urelas family

urelas

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-14 05:15

Reported

2024-10-14 05:17

Platform

win7-20240903-en

Max time kernel

119s

Max time network

77s

Command Line

"C:\Users\Admin\AppData\Local\Temp\42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe"

Signatures

Urelas

trojan urelas

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toecc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\poajt.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\toecc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\poajt.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1204 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe | C:\Users\Admin\AppData\Local\Temp\toecc.exe
PID 1204 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe | C:\Users\Admin\AppData\Local\Temp\toecc.exe
PID 1204 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe | C:\Users\Admin\AppData\Local\Temp\toecc.exe
PID 1204 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe | C:\Users\Admin\AppData\Local\Temp\toecc.exe
PID 1204 wrote to memory of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe | C:\Windows\SysWOW64\cmd.exe
PID 1204 wrote to memory of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe | C:\Windows\SysWOW64\cmd.exe
PID 1204 wrote to memory of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe | C:\Windows\SysWOW64\cmd.exe
PID 1204 wrote to memory of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe | C:\Windows\SysWOW64\cmd.exe
PID 2704 wrote to memory of 764 | N/A | C:\Users\Admin\AppData\Local\Temp\toecc.exe | C:\Users\Admin\AppData\Local\Temp\poajt.exe
PID 2704 wrote to memory of 764 | N/A | C:\Users\Admin\AppData\Local\Temp\toecc.exe | C:\Users\Admin\AppData\Local\Temp\poajt.exe
PID 2704 wrote to memory of 764 | N/A | C:\Users\Admin\AppData\Local\Temp\toecc.exe | C:\Users\Admin\AppData\Local\Temp\poajt.exe
PID 2704 wrote to memory of 764 | N/A | C:\Users\Admin\AppData\Local\Temp\toecc.exe | C:\Users\Admin\AppData\Local\Temp\poajt.exe

Processes

C:\Users\Admin\AppData\Local\Temp\42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe

"C:\Users\Admin\AppData\Local\Temp\42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe"

C:\Users\Admin\AppData\Local\Temp\toecc.exe

"C:\Users\Admin\AppData\Local\Temp\toecc.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\poajt.exe

"C:\Users\Admin\AppData\Local\Temp\poajt.exe"

Network

Country | Destination | Domain | Proto
KR | 218.54.31.226:11300 | | tcp
KR | 1.234.83.146:11170 | | tcp
KR | 218.54.31.166:11300 | | tcp
JP | 133.242.129.155:11300 | | tcp

Files

memory/1204-0-0x0000000000220000-0x00000000002A1000-memory.dmp

\Users\Admin\AppData\Local\Temp\toecc.exe

MD5 0ea1b6d3c820a18e714c1e04ff5e3665
SHA1 2a1a81a7f5f2c4565a401b1b7a7a19fc30f8176b
SHA256 21946eb3050e7557b6eff371759d1c8027e339ca1364a2b72d95f3945d03d1bb
SHA512 88f302348fa618ad49b33ea1922ec7fc9130957daf5de4853d47fd00b5d1f3e15f5d8e04f3224f68a062a9ef8904316d27f0be8ce0a0b5be7e028bde40106d9f

memory/1204-17-0x0000000000220000-0x00000000002A1000-memory.dmp

memory/1204-15-0x0000000002450000-0x00000000024D1000-memory.dmp

memory/2704-18-0x0000000000B50000-0x0000000000BD1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 130d92eaa9d32bcef99a054df40b4433
SHA1 4dafd76248f909e1529854f17d8949454502f2a7
SHA256 37d3dd052dc0165b2bbf944179407d4288d6116990ed20201816ddabb7daa579
SHA512 15fbf2cface17eaf09d2b7b35d9308bf974296bd761aa1008623174222e5caf2c86bae3495a9b968d26c6c9a364acb60b3df5153a46fd4ba648d3d7c4f06b9fa

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 635e7fbeffbda923036f5e3117f42dde
SHA1 82949ddad4a3e19141d6689c11307f3f9fca2c4e
SHA256 b284e1c4a708d3fa26a2539fd9bdf407ef868d7dbc3391018b7d8fa75a25e3b7
SHA512 4c33d21543ba792ec56b3010f4e492d53501df094e0987934f24b191ba6c00b620e42a2a633dfdc12c5fea6dfcdb3f3191354d1f3a095ad0b40f3c9d4bc54e60

memory/2704-21-0x0000000000B50000-0x0000000000BD1000-memory.dmp

\Users\Admin\AppData\Local\Temp\poajt.exe

MD5 ce078a712d38c78b54e349c3261ced4b
SHA1 4d615a6dcc7025535d0e9f0720de9f993b644f39
SHA256 0112d97a93db770f735e459e60e2d1f0a091a81adaec8c2d00098e1d72ee4b3f
SHA512 8ba8c01f4a4ba2af336f6c5b25619ca62b368d0d8421f49b08f908fb69f6fba3c0f4e6fbb32b58d93c0bd39f832c0428daa2e66ea3ad6399bfe7ad60bb49b8ed

memory/2704-26-0x00000000036A0000-0x0000000003739000-memory.dmp

memory/764-31-0x0000000000020000-0x0000000000022000-memory.dmp

memory/2704-30-0x0000000000B50000-0x0000000000BD1000-memory.dmp

memory/764-29-0x0000000001250000-0x00000000012E9000-memory.dmp

memory/764-32-0x0000000001250000-0x00000000012E9000-memory.dmp

memory/764-37-0x0000000000020000-0x0000000000022000-memory.dmp

memory/764-36-0x0000000001250000-0x00000000012E9000-memory.dmp

memory/764-38-0x0000000001250000-0x00000000012E9000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-14 05:15

Reported

2024-10-14 05:17

Platform

win10v2004-20241007-en

Max time kernel

119s

Max time network

95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\sacya.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sacya.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\sacya.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tokur.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2800 wrote to memory of 4008 | N/A | C:\Users\Admin\AppData\Local\Temp\42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe | C:\Users\Admin\AppData\Local\Temp\sacya.exe
PID 2800 wrote to memory of 4008 | N/A | C:\Users\Admin\AppData\Local\Temp\42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe | C:\Users\Admin\AppData\Local\Temp\sacya.exe
PID 2800 wrote to memory of 4008 | N/A | C:\Users\Admin\AppData\Local\Temp\42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe | C:\Users\Admin\AppData\Local\Temp\sacya.exe
PID 2800 wrote to memory of 1684 | N/A | C:\Users\Admin\AppData\Local\Temp\42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe | C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 1684 | N/A | C:\Users\Admin\AppData\Local\Temp\42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe | C:\Windows\SysWOW64\cmd.exe
PID 2800 wrote to memory of 1684 | N/A | C:\Users\Admin\AppData\Local\Temp\42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe | C:\Windows\SysWOW64\cmd.exe
PID 4008 wrote to memory of 1040 | N/A | C:\Users\Admin\AppData\Local\Temp\sacya.exe | C:\Users\Admin\AppData\Local\Temp\tokur.exe
PID 4008 wrote to memory of 1040 | N/A | C:\Users\Admin\AppData\Local\Temp\sacya.exe | C:\Users\Admin\AppData\Local\Temp\tokur.exe
PID 4008 wrote to memory of 1040 | N/A | C:\Users\Admin\AppData\Local\Temp\sacya.exe | C:\Users\Admin\AppData\Local\Temp\tokur.exe

Processes

C:\Users\Admin\AppData\Local\Temp\42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe

"C:\Users\Admin\AppData\Local\Temp\42f1a42c51329e2b5eec05e5d5136ea4f9dc1c898d92e7d9b72bb2b398e6ef49N.exe"

C:\Users\Admin\AppData\Local\Temp\sacya.exe

"C:\Users\Admin\AppData\Local\Temp\sacya.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\tokur.exe

"C:\Users\Admin\AppData\Local\Temp\tokur.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.27.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 98.209.201.84.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
KR | 218.54.31.226:11300 | | tcp
KR | 1.234.83.146:11170 | | tcp
US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp
KR | 218.54.31.166:11300 | | tcp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
JP | 133.242.129.155:11300 | | tcp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp

Files

memory/2800-0-0x00000000005F0000-0x0000000000671000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sacya.exe

MD5 d17fe14b083357ca12e750f799e0b329
SHA1 f3de432d9ec2ef5043c3603d588c1e4f9f60d350
SHA256 49b02d9946698c8dde1d17201227669e3af2adaee350f761e971922fc65c1449
SHA512 348c4bc67f58afdaee0fba0d5a87b69855931082c0c015284dfae17b68fed5d840566da2f804ec2683ba24dbce55b9c753b7297cc0ece09ca73830fc6093c7c6

memory/4008-12-0x0000000000620000-0x00000000006A1000-memory.dmp

memory/2800-14-0x00000000005F0000-0x0000000000671000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 130d92eaa9d32bcef99a054df40b4433
SHA1 4dafd76248f909e1529854f17d8949454502f2a7
SHA256 37d3dd052dc0165b2bbf944179407d4288d6116990ed20201816ddabb7daa579
SHA512 15fbf2cface17eaf09d2b7b35d9308bf974296bd761aa1008623174222e5caf2c86bae3495a9b968d26c6c9a364acb60b3df5153a46fd4ba648d3d7c4f06b9fa

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 25467732c72f33e143df206864ac2161
SHA1 a2464b36df9ba8f5ce3a7c8e9c7212a0d023267a
SHA256 666279b0bcdada79551effcbf5266a7bec4d7f674defcf24d68b10a250f320df
SHA512 4337d776138e05d35eac45b42e0e89f3afaf107a4ec554cdd0a2f8cc46c7747167e8d150c8a18a8ce368148816bdac21b3365e1184815033aa811ac30197e498

memory/4008-17-0x0000000000620000-0x00000000006A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tokur.exe

MD5 377d84de4be1f811d454271b6c81afb0
SHA1 8f07a26c12d8fbc1714d119a3a8b647433b86d40
SHA256 0e86b712170338e3fca626e186e3f78602ec38c2f0785cbe8a631ccc8fa6312f
SHA512 59e3f7b2badd4706424cfb8159b20bd2f82c73112894cbf562da6a9b9c92a2b08fe3503cb3f48dc07d5d86a8c48168faa9cec6377c3717fa01157be6e242ab88

memory/1040-27-0x0000000000170000-0x0000000000172000-memory.dmp

memory/1040-26-0x0000000000820000-0x00000000008B9000-memory.dmp

memory/1040-28-0x0000000000820000-0x00000000008B9000-memory.dmp

memory/4008-31-0x0000000000620000-0x00000000006A1000-memory.dmp

memory/1040-34-0x0000000000170000-0x0000000000172000-memory.dmp

memory/1040-33-0x0000000000820000-0x00000000008B9000-memory.dmp

memory/1040-35-0x0000000000820000-0x00000000008B9000-memory.dmp