Analysis Overview
SHA256
ef34a75ab283b5e9cd79494737d7adec7a8c3ff6de1b7a5ef822c3e248c7a175
Threat Level: Known bad
The file c1dc430310d6e2074a5fbd18f0186750_NeikiAnalytics was found to be: Known bad.
Malicious Activity Summary
Urelas
Deletes itself
Loads dropped DLL
Checks computer location settings
ASPack v2.12-2.42
Executes dropped EXE
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-09 18:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-09 18:32
Reported
2024-05-09 18:35
Platform
win7-20240221-en
Max time kernel
149s
Max time network
120s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\coosr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\quygi.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c1dc430310d6e2074a5fbd18f0186750_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c1dc430310d6e2074a5fbd18f0186750_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\coosr.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c1dc430310d6e2074a5fbd18f0186750_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c1dc430310d6e2074a5fbd18f0186750_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\coosr.exe
"C:\Users\Admin\AppData\Local\Temp\coosr.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\quygi.exe
"C:\Users\Admin\AppData\Local\Temp\quygi.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2100-1-0x0000000000020000-0x0000000000022000-memory.dmp
memory/2100-0-0x0000000000400000-0x0000000000468000-memory.dmp
\Users\Admin\AppData\Local\Temp\coosr.exe
| MD5 | 2c030cc13b40a45d1df945fc2e229f9a |
| SHA1 | 4782cc4ee54bb913120b765cc490ca9958298a3e |
| SHA256 | 66cfea0e4d1b62419af4ba133b27ac63c4c1c03bdcf70751e0660ae1cb46df69 |
| SHA512 | 18649a1fbafc32f9418aad197a8aa70d1518a93a3dc76a38b7b525d81e7dcc538e0dd7f41d10721b0524732754ca3c72d5299cc116d1d2c17b6394eda0603b90 |
memory/2100-7-0x0000000002BC0000-0x0000000002C28000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 047d24161264e5cedb18e11bc9866b40 |
| SHA1 | 182a19b4f3c600f082df3adb1fe08401a39fb654 |
| SHA256 | 3d4e989d310ec13bf7529c16779d6b03b7f993698e1a9a9859d9feb2c81e3da0 |
| SHA512 | 8061a6786d01bd695a014e23e819f02086ced2d568242f5881066a990fb9f8247ce5b65c7bbbd9e78f800821974a23b41015f5dbe707699dd428a7f6bfb5231a |
memory/2980-21-0x0000000000400000-0x0000000000468000-memory.dmp
memory/2100-24-0x0000000000400000-0x0000000000468000-memory.dmp
memory/2980-23-0x0000000000020000-0x0000000000022000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 4bb665744943ff7a452869ec1061ca2d |
| SHA1 | dd657ca85f6583c7f469a9628b15eb5e1322b464 |
| SHA256 | 5204b8407a8eb94cbd38a4ab0ef64e8deefd3042f812d2141be2d9ad789cd878 |
| SHA512 | fca9a61534e66a2f894708647d4e38ec3b44db7ca7591490a41ace5fa0af44d96ff45c912106e94138796d80103b170cfd4f3a127be114115b3da3e2d6a5e736 |
memory/2980-27-0x0000000000400000-0x0000000000468000-memory.dmp
\Users\Admin\AppData\Local\Temp\quygi.exe
| MD5 | 9158eb65102ea6890a6012e27010bbdb |
| SHA1 | ff677076a6476eaa0be8e5368ea8cb5cbb31e16f |
| SHA256 | 2674bbf0fafe52cb6f3b1968bf1c6f21b1db1580c68c422797523e7e7119c1e0 |
| SHA512 | e5f99fab4c7ecd6a4931ea3dca76af46f0030e4cc8d6487567f71225238e43537fcc064a47883244992992d2a31011800b3cd5c3e314058c6e4464528a58df87 |
memory/2268-44-0x0000000000E10000-0x0000000000EB2000-memory.dmp
memory/2268-46-0x0000000000E10000-0x0000000000EB2000-memory.dmp
memory/2268-45-0x0000000000E10000-0x0000000000EB2000-memory.dmp
memory/2980-43-0x0000000000400000-0x0000000000468000-memory.dmp
memory/2268-47-0x0000000000E10000-0x0000000000EB2000-memory.dmp
memory/2268-49-0x0000000000E10000-0x0000000000EB2000-memory.dmp
memory/2268-50-0x0000000000E10000-0x0000000000EB2000-memory.dmp
memory/2268-51-0x0000000000E10000-0x0000000000EB2000-memory.dmp
memory/2268-52-0x0000000000E10000-0x0000000000EB2000-memory.dmp
memory/2268-53-0x0000000000E10000-0x0000000000EB2000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-09 18:32
Reported
2024-05-09 18:35
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
92s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\c1dc430310d6e2074a5fbd18f0186750_NeikiAnalytics.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ubquq.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ubquq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hogoe.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c1dc430310d6e2074a5fbd18f0186750_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\c1dc430310d6e2074a5fbd18f0186750_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\ubquq.exe
"C:\Users\Admin\AppData\Local\Temp\ubquq.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\hogoe.exe
"C:\Users\Admin\AppData\Local\Temp\hogoe.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.232:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.83.221.88.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.56.20.217.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2216-1-0x00000000001D0000-0x00000000001D2000-memory.dmp
memory/2216-0-0x0000000000400000-0x0000000000468000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ubquq.exe
| MD5 | 81e90082c28e1ef3f1319bfca0fadc61 |
| SHA1 | f954bc3ca0333d9e0bc8774faf28a1278a2b3e3a |
| SHA256 | 72eb4a08de7cba359872fa478fcaf0c3e131643b72b9f2eb252495a36db3428d |
| SHA512 | 6c848aa6007e47d6b5620b41089c2c1c236333e65daea9d84554b134fdd605a59f84efc7c262465ebd3ff5256a4f5515a45643f767608829256ce59c48466c1a |
memory/2776-13-0x00000000001D0000-0x00000000001D2000-memory.dmp
memory/2776-12-0x0000000000400000-0x0000000000468000-memory.dmp
memory/2216-16-0x0000000000400000-0x0000000000468000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 047d24161264e5cedb18e11bc9866b40 |
| SHA1 | 182a19b4f3c600f082df3adb1fe08401a39fb654 |
| SHA256 | 3d4e989d310ec13bf7529c16779d6b03b7f993698e1a9a9859d9feb2c81e3da0 |
| SHA512 | 8061a6786d01bd695a014e23e819f02086ced2d568242f5881066a990fb9f8247ce5b65c7bbbd9e78f800821974a23b41015f5dbe707699dd428a7f6bfb5231a |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 0e9132669622f1eda4cc81646f0ae7cf |
| SHA1 | 35b16d0eac81094d482ed6b40b037baf2cfa727c |
| SHA256 | a595516868c900342b89f426f60db854a27fbea09031743ee00d898a2486d8bb |
| SHA512 | 750d1c264ca08ea6e36f73e20f7171906f600a4e697aca964b77a712c9380cd964c5e5adf6ac3a459d21a819f5832e8e450fcca7b09f46a19ecafaffb55e075a |
memory/2776-19-0x0000000000400000-0x0000000000468000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\hogoe.exe
| MD5 | 474bbed7ab2241b210a018a58aee0387 |
| SHA1 | 9207d1fb75f6b65f1dd005b429ef39420f50b9f0 |
| SHA256 | 24b67adc85e20025d3b1d7e034b251002d58d6c6193f6aa109bf124a650ff28d |
| SHA512 | 3d8c3eadfe8a514425e95be2d478bd62b9a43d733b0d60e04686ff9ac84644995c072b8021343005a9583ba0278fe52660404a48f3c61dd636bc909f233c92b5 |
memory/2176-36-0x00000000007D0000-0x0000000000872000-memory.dmp
memory/2176-38-0x00000000007D0000-0x0000000000872000-memory.dmp
memory/2776-41-0x0000000000400000-0x0000000000468000-memory.dmp
memory/2176-39-0x00000000007D0000-0x0000000000872000-memory.dmp
memory/2176-37-0x00000000007D0000-0x0000000000872000-memory.dmp
memory/2176-43-0x00000000007D0000-0x0000000000872000-memory.dmp
memory/2176-44-0x00000000007D0000-0x0000000000872000-memory.dmp
memory/2176-45-0x00000000007D0000-0x0000000000872000-memory.dmp
memory/2176-46-0x00000000007D0000-0x0000000000872000-memory.dmp
memory/2176-47-0x00000000007D0000-0x0000000000872000-memory.dmp