urelas | 3899a4f6b1d7227ce2120f8d25eb74809d6558b4cf95abfc4d2889c9569dc272

General

Target

3899a4f6b1d7227ce2120f8d25eb74809d6558b4cf95abfc4d2889c9569dc272.exe
Size

516KB
MD5

d200af10617c97ddd4fa9eb866c715ad
SHA1

c3080251af403cc47cb9afa243b838ac11c6214c
SHA256

3899a4f6b1d7227ce2120f8d25eb74809d6558b4cf95abfc4d2889c9569dc272
SHA512

21fe0d992b7c83ed8d2e813cff68918c861ffa65b21ff8a5dc9984f789800db0aa4392ce8a153df3b471c67e5f830754cf81b11b27bb88d96be3cfb167059202
SSDEEP

12288:RyPHijVSuJqu4kw6eDPvjJ81VGqK6GvPN:RuCTq4w6or+GnV

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

C2

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3899a4f6b1d7227ce2120f8d25eb74809d6558b4cf95abfc4d2889c9569dc272.exeronui.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	3899a4f6b1d7227ce2120f8d25eb74809d6558b4cf95abfc4d2889c9569dc272.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	ronui.exe

Executes dropped EXE 2 IoCs

Processes:

ronui.exehyded.exe

pid process

2240 ronui.exe
1352 hyded.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2240	ronui.exe
1352	hyded.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

hyded.exe

pid	process
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe
1352	hyded.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

3899a4f6b1d7227ce2120f8d25eb74809d6558b4cf95abfc4d2889c9569dc272.exeronui.exe

description	pid	process	target process
PID 3248 wrote to memory of 2240	3248	3899a4f6b1d7227ce2120f8d25eb74809d6558b4cf95abfc4d2889c9569dc272.exe	ronui.exe
PID 3248 wrote to memory of 2240	3248	3899a4f6b1d7227ce2120f8d25eb74809d6558b4cf95abfc4d2889c9569dc272.exe	ronui.exe
PID 3248 wrote to memory of 2240	3248	3899a4f6b1d7227ce2120f8d25eb74809d6558b4cf95abfc4d2889c9569dc272.exe	ronui.exe
PID 3248 wrote to memory of 3916	3248	3899a4f6b1d7227ce2120f8d25eb74809d6558b4cf95abfc4d2889c9569dc272.exe	cmd.exe
PID 3248 wrote to memory of 3916	3248	3899a4f6b1d7227ce2120f8d25eb74809d6558b4cf95abfc4d2889c9569dc272.exe	cmd.exe
PID 3248 wrote to memory of 3916	3248	3899a4f6b1d7227ce2120f8d25eb74809d6558b4cf95abfc4d2889c9569dc272.exe	cmd.exe
PID 2240 wrote to memory of 1352	2240	ronui.exe	hyded.exe
PID 2240 wrote to memory of 1352	2240	ronui.exe	hyded.exe
PID 2240 wrote to memory of 1352	2240	ronui.exe	hyded.exe

C:\Users\Admin\AppData\Local\Temp\3899a4f6b1d7227ce2120f8d25eb74809d6558b4cf95abfc4d2889c9569dc272.exe
"C:\Users\Admin\AppData\Local\Temp\3899a4f6b1d7227ce2120f8d25eb74809d6558b4cf95abfc4d2889c9569dc272.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3248
- C:\Users\Admin\AppData\Local\Temp\ronui.exe
  "C:\Users\Admin\AppData\Local\Temp\ronui.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Users\Admin\AppData\Local\Temp\hyded.exe
    "C:\Users\Admin\AppData\Local\Temp\hyded.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1352
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:3916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
c2b12902d988ed6ceafbefd0ffbb066b

SHA1
8de7cfb53670e2259c2855d2f3d8bb5cc6bd1d32

SHA256
d01a51ffb5cb09868bb37d5e78852015757de96ea56a2ef4bbb1d6a6d09a937d

SHA512
d0e9f35cde6e50bd64a981feabbdb67b2ff229faf25f2ac04f9cf6351afa9cf559788d0a750f3d5fee847c74333f49a6e0cda89e6214b373580bca64d486a12c

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
2ea1c476ed2031adcd8fbac49953208f

SHA1
e8c6b47d5d90967df3cd815de34d7a38edd341a9

SHA256
6f10c29719507d2f4fdcf1f15658b6144f541610805207eb04aaed2590f58ab3

SHA512
c19d8f8eb7ef8eac019bc1c30888621aab28c0b55b6b52da084d3ca3b343eda70e12b661fbd15d189c025dfc1aca13789a279adb3128e1e913fb2c8bb27fdbb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\hyded.exe

Filesize
179KB

MD5
40533e4af7cf9085e3398f8078d079fb

SHA1
01c7084a49faf40c1bd58c24507fc45484236cff

SHA256
4f9fe6af355490dab9a7a3556903afbe3d77b344e5b4a01d945ba176f35d4a12

SHA512
62bf437604b3044e7e3159400ccce7531cfc0aef5f21756f3be704119b76cbf7fc6637cc719fcb13b95c07a96f5acb6a1be7c9f9f0e4b521d0c6b36b4ed2f90b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ronui.exe

Filesize
516KB

MD5
37a282ddefbd79595f340ce0916ddc99

SHA1
d2d82cb595780ac96bd10680f304e665055294cd

SHA256
c519a942efddd3bbfc9019e97c4205baef4ca7dff0adeb068f157448faf2f286

SHA512
1fbdc32e32ff8fd30df0d370b46b5e9b874eebfb977cfd5190635ac2593f607462888fd274a4381e524d539156a67a109b6e5e16ca887ae48115464bbc07f532

Download Submit
memory/1352-28-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1352-26-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1352-29-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1352-30-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1352-31-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/1352-32-0x0000000000400000-0x00000000004BF000-memory.dmp

Filesize
764KB

Download
memory/2240-12-0x0000000000FA0000-0x0000000000FD9000-memory.dmp

Filesize
228KB

Download
memory/2240-25-0x0000000000FA0000-0x0000000000FD9000-memory.dmp

Filesize
228KB

Download
memory/3248-14-0x0000000000DA0000-0x0000000000DD9000-memory.dmp

Filesize
228KB

Download
memory/3248-0-0x0000000000DA0000-0x0000000000DD9000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads