urelas | 9958846ce07a346f9f6e0ac00c48ced3ac057d927a170cf2ae82c7b9051114d9

General

Target

9958846ce07a346f9f6e0ac00c48ced3ac057d927a170cf2ae82c7b9051114d9.exe
Size

321KB
MD5

89a9418d44c300c42d5748bdd3d43ee1
SHA1

c2c8e8a017d1de44de1f19335b6852693f39a857
SHA256

9958846ce07a346f9f6e0ac00c48ced3ac057d927a170cf2ae82c7b9051114d9
SHA512

26eaa63a388bd9316971f0633b38e1ab22abf0e5bfd626e68decc17e957ef8cccd9ba32924e7cd07bd70cd1216e1f32ed0b6eded8e16e0b166c79f103fb3a774
SSDEEP

6144:PU0USPuHKKAsgBZg178Z+Snk6Fpwlw8RmuZSz8VdPbMK95BL7jGjFUHpJ+MBx:2SPXSzJSk6FpwlzmupVdjx5B/mFYJ+c

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ryped.exe9958846ce07a346f9f6e0ac00c48ced3ac057d927a170cf2ae82c7b9051114d9.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	ryped.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	9958846ce07a346f9f6e0ac00c48ced3ac057d927a170cf2ae82c7b9051114d9.exe

Executes dropped EXE 2 IoCs

Processes:

ryped.exegizym.exe

pid process

2092 ryped.exe
2300 gizym.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2092	ryped.exe
2300	gizym.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

gizym.exe

pid	process
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe
2300	gizym.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

9958846ce07a346f9f6e0ac00c48ced3ac057d927a170cf2ae82c7b9051114d9.exeryped.exe

description	pid	process	target process
PID 1424 wrote to memory of 2092	1424	9958846ce07a346f9f6e0ac00c48ced3ac057d927a170cf2ae82c7b9051114d9.exe	ryped.exe
PID 1424 wrote to memory of 2092	1424	9958846ce07a346f9f6e0ac00c48ced3ac057d927a170cf2ae82c7b9051114d9.exe	ryped.exe
PID 1424 wrote to memory of 2092	1424	9958846ce07a346f9f6e0ac00c48ced3ac057d927a170cf2ae82c7b9051114d9.exe	ryped.exe
PID 1424 wrote to memory of 2992	1424	9958846ce07a346f9f6e0ac00c48ced3ac057d927a170cf2ae82c7b9051114d9.exe	cmd.exe
PID 1424 wrote to memory of 2992	1424	9958846ce07a346f9f6e0ac00c48ced3ac057d927a170cf2ae82c7b9051114d9.exe	cmd.exe
PID 1424 wrote to memory of 2992	1424	9958846ce07a346f9f6e0ac00c48ced3ac057d927a170cf2ae82c7b9051114d9.exe	cmd.exe
PID 2092 wrote to memory of 2300	2092	ryped.exe	gizym.exe
PID 2092 wrote to memory of 2300	2092	ryped.exe	gizym.exe
PID 2092 wrote to memory of 2300	2092	ryped.exe	gizym.exe

C:\Users\Admin\AppData\Local\Temp\9958846ce07a346f9f6e0ac00c48ced3ac057d927a170cf2ae82c7b9051114d9.exe
"C:\Users\Admin\AppData\Local\Temp\9958846ce07a346f9f6e0ac00c48ced3ac057d927a170cf2ae82c7b9051114d9.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1424

C:\Users\Admin\AppData\Local\Temp\ryped.exe
"C:\Users\Admin\AppData\Local\Temp\ryped.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092

C:\Users\Admin\AppData\Local\Temp\gizym.exe
"C:\Users\Admin\AppData\Local\Temp\gizym.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
2⤵
PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
b9e68af5859ed8d9a741221472c859ba

SHA1
8724a5cd8064a4504cedaf4767300f0f73e2b312

SHA256
6baf496a845c18968445341f44406278d7a07e741500540d6aaee6bbe64b9f3e

SHA512
5bbcd37c56a67ab3f9986eb0d364864ea7ba8ff20699f45d1f9a43ea319750078cdf3f2e74ff73417069b45c332a57e08e8ef544a3b67ba2f0e456a9cd39bd96

Download Submit
C:\Users\Admin\AppData\Local\Temp\gizym.exe

Filesize
186KB

MD5
7ff8897ebf75650826acab58e0a8442d

SHA1
980d10b6223fc8344c6ebda467158411970abc59

SHA256
b1b0cb8a731a25fa6b823ccbfcb403c055630bb50914cfefb7ec6f83e7845e8e

SHA512
cbadfdccdf4b5351d6b648e65be897bcd919c299ee1916cc8ec500cfb216ddaa14447103c62b4edf9605f60cd2457f7eaad51728c2fc7347a8b9a293060dcfe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
4318fb3ba288cedabc8d38f30362cc91

SHA1
4cd14397330ace523d82c2e8f4405e19aaa4bac4

SHA256
c69a8dde7b44dc6ee5a6391a0fa1251b10e9fff7b1d2352ca365e7ca72241d36

SHA512
1863ed802b044dbb5db2acfe0c4e9c43fb3f3496792651e58c72be1cadc796c60ac4cde6d12d5f91202efda2699a9f35d38031854ed1e68e0b95ccf39faeb828

Download Submit
C:\Users\Admin\AppData\Local\Temp\ryped.exe

Filesize
321KB

MD5
9ec183da02286c3d5462c50fd145cd28

SHA1
ba87f87b4f4f2675dd72da3765edacb4c459d638

SHA256
6d48f3049af05ac5f594b57793da788a8885e95c269d5fe7a98c0ca689e2b37b

SHA512
510a591ba8bf2b117d7a39ffe56d66a99c3f36c282f524e22976bffae462e7cac87fcc8a2d79d7c69c3a02f0ad899dddfa533660a28deee76b801fa3fc9b97d6

Download Submit
memory/1424-0-0x00000000008F0000-0x0000000000974000-memory.dmp

Filesize
528KB

Download
memory/1424-2-0x00000000008F0000-0x0000000000974000-memory.dmp

Filesize
528KB

Download
memory/1424-1-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/1424-25-0x00000000008F0000-0x0000000000974000-memory.dmp

Filesize
528KB

Download
memory/2092-28-0x0000000000A10000-0x0000000000A94000-memory.dmp

Filesize
528KB

Download
memory/2092-21-0x0000000000A10000-0x0000000000A94000-memory.dmp

Filesize
528KB

Download
memory/2092-17-0x0000000000A10000-0x0000000000A94000-memory.dmp

Filesize
528KB

Download
memory/2092-30-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/2092-18-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/2092-50-0x0000000000A10000-0x0000000000A94000-memory.dmp

Filesize
528KB

Download
memory/2300-52-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2300-46-0x00000000000F0000-0x0000000000186000-memory.dmp

Filesize
600KB

Download
memory/2300-51-0x00000000000F0000-0x0000000000186000-memory.dmp

Filesize
600KB

Download
memory/2300-54-0x00000000000F0000-0x0000000000186000-memory.dmp

Filesize
600KB

Download
memory/2300-55-0x00000000000F0000-0x0000000000186000-memory.dmp

Filesize
600KB

Download
memory/2300-56-0x00000000000F0000-0x0000000000186000-memory.dmp

Filesize
600KB

Download
memory/2300-57-0x00000000000F0000-0x0000000000186000-memory.dmp

Filesize
600KB

Download
memory/2300-58-0x00000000000F0000-0x0000000000186000-memory.dmp

Filesize
600KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads