Analysis Overview
SHA256
54c1e1a863882f3f9d9a755415cdde3a677798bba9bb52e6da2b66383cd4f1f6
Threat Level: Known bad
The file 6399522a68a3cf170c13bdabc13e4060_NeikiAnalytics was found to be: Known bad.
Malicious Activity Summary
Urelas
Urelas family
ASPack v2.12-2.42
Deletes itself
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-05-10 03:52
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 03:52
Reported
2024-05-10 03:54
Platform
win7-20240215-en
Max time kernel
149s
Max time network
121s
Signatures
Urelas
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qiisz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\coaqp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6399522a68a3cf170c13bdabc13e4060_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6399522a68a3cf170c13bdabc13e4060_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qiisz.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6399522a68a3cf170c13bdabc13e4060_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6399522a68a3cf170c13bdabc13e4060_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\qiisz.exe
"C:\Users\Admin\AppData\Local\Temp\qiisz.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\coaqp.exe
"C:\Users\Admin\AppData\Local\Temp\coaqp.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/1288-0-0x0000000000400000-0x0000000000468000-memory.dmp
\Users\Admin\AppData\Local\Temp\qiisz.exe
| MD5 | 666115ccf595912408b9a68003d04614 |
| SHA1 | 15ccc5a2abf323808d5de6ea703ba6a20f2febf0 |
| SHA256 | 1a0f134ca840784398bb1877b38582ead655bc0298aeb74e71910348dcfc7f5f |
| SHA512 | c79204c0624400011986db6e17bdc4373a2ee227e9e2d94b7ea926106bc78d97d2cf3824ae2d9aee7d837770de37de3bf741f63ea9c23f04b270ab8c3261c021 |
memory/1288-6-0x0000000002BD0000-0x0000000002C38000-memory.dmp
memory/2524-13-0x0000000000400000-0x0000000000468000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 42ab669dee34049a0cbb3800c2377d65 |
| SHA1 | 2f404e556396d902511963dcfb835f44607344c1 |
| SHA256 | 616dca701c4c590d08b99a5c9a0c917a7855e9e651f4026aa008d56f1216ec0d |
| SHA512 | 51b633c8ec3bb93c2815b327ec939aeeb7ee98cdd32ae4d9b5f6c532c8d0d2060104209ef81b5af086a7872fa4784361461576d523918928fcfb531d1e55b2c5 |
memory/1288-21-0x0000000000400000-0x0000000000468000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 0f592a8a065f571ad2652899a53b4ee0 |
| SHA1 | 88704603e3250b13de94e21652a9db1ac3b91045 |
| SHA256 | b54c6a3d0b90a88e0a80f1258e30e7c30b647b0d8ce7820dca1faf95054b6360 |
| SHA512 | 02e9f82bc70dfe1552b1239901be63d8dc1a3440c79474fb1b0b68865ad595e2b84ad59c96c99c316a0e5aaa00de5f3571d7f788cb3f4525f94b803671a4115c |
memory/2524-30-0x0000000000400000-0x0000000000468000-memory.dmp
memory/1796-31-0x0000000000820000-0x00000000008C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\coaqp.exe
| MD5 | 55c211823ae89f6489fbbec0412c5900 |
| SHA1 | a4b3c431b6f08b1df5666a9144ba3129e7c3edf4 |
| SHA256 | 212194bd0c2a6690c4b36bc4d4569ccb0110c4e1b2948c56833b93b4d12b9f53 |
| SHA512 | 9605ed79b7b23c4753a0b8f16e41cca7617830b14e81bc431a525e61e346eab594f9a3fff8e74356e9e825cb32fcfce95fa848d22fd8282e8e921770693dc915 |
memory/1796-33-0x0000000000820000-0x00000000008C2000-memory.dmp
memory/1796-34-0x0000000000820000-0x00000000008C2000-memory.dmp
memory/1796-32-0x0000000000820000-0x00000000008C2000-memory.dmp
memory/1796-36-0x0000000000820000-0x00000000008C2000-memory.dmp
memory/1796-37-0x0000000000820000-0x00000000008C2000-memory.dmp
memory/1796-38-0x0000000000820000-0x00000000008C2000-memory.dmp
memory/1796-39-0x0000000000820000-0x00000000008C2000-memory.dmp
memory/1796-40-0x0000000000820000-0x00000000008C2000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 03:52
Reported
2024-05-10 03:54
Platform
win10v2004-20240426-en
Max time kernel
150s
Max time network
151s
Signatures
Urelas
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6399522a68a3cf170c13bdabc13e4060_NeikiAnalytics.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dukug.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dukug.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ypfue.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6399522a68a3cf170c13bdabc13e4060_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6399522a68a3cf170c13bdabc13e4060_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\dukug.exe
"C:\Users\Admin\AppData\Local\Temp\dukug.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\ypfue.exe
"C:\Users\Admin\AppData\Local\Temp\ypfue.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| BE | 88.221.83.187:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.83.221.88.in-addr.arpa | udp |
| BE | 88.221.83.187:443 | www.bing.com | tcp |
| KR | 218.54.31.226:11110 | | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.173.189.20.in-addr.arpa | udp |
Files
memory/4384-0-0x0000000000400000-0x0000000000468000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dukug.exe
| MD5 | d3ca338f3fd183dccdf9dbeeca297ae6 |
| SHA1 | 9cbe14c6682d347fb988ff17d219a784e5330cd9 |
| SHA256 | 8fb6b1bd77d36acd40d479f7d6f80d39c9350a891f3dbc83fc4216912d851936 |
| SHA512 | 5ae6c36cfd31e9646510b6de3f5a008d5c9f06ed4fac40ba20251539a378a33505c62e83b861e213983f81c8185ac585957bce67b865d09e6d62fb2e98c3c254 |
memory/1092-12-0x0000000000400000-0x0000000000468000-memory.dmp
memory/4384-14-0x0000000000400000-0x0000000000468000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 42ab669dee34049a0cbb3800c2377d65 |
| SHA1 | 2f404e556396d902511963dcfb835f44607344c1 |
| SHA256 | 616dca701c4c590d08b99a5c9a0c917a7855e9e651f4026aa008d56f1216ec0d |
| SHA512 | 51b633c8ec3bb93c2815b327ec939aeeb7ee98cdd32ae4d9b5f6c532c8d0d2060104209ef81b5af086a7872fa4784361461576d523918928fcfb531d1e55b2c5 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 1fb0a7145955ab544d3dca672e740a7d |
| SHA1 | 2c6f1bfe743717fb381f9f48e8c7c800e9a70395 |
| SHA256 | 0d7aa92cc2420f9e9a486579fa30fa47125373c5a09c174613f80fbd4307c66b |
| SHA512 | d9f9ea991121b75f86ba93f255381ae65bfceacf67183e56ac887e322ade442940649798fd6c066be71949f3f680aa962dc05f56d8e9f2339e4bb4d836b6addf |
C:\Users\Admin\AppData\Local\Temp\ypfue.exe
| MD5 | 6596a13a3501498b284a862965dcc01e |
| SHA1 | e7623bafb53192340262bab557100c19878ae852 |
| SHA256 | 57aeb853613b0845ed1aef7068315637fea58752173f83f2b9d1594d241d79cb |
| SHA512 | e3175812e446b066843c5b1770a32f52ac44c3fb2a45a9f5e042334d6c0b967e7e4fc796f3599a9eac5228cce70c11bb765d1b78cd108ca5ef465291e5c75237 |
memory/1092-28-0x0000000000400000-0x0000000000468000-memory.dmp
memory/3648-27-0x0000000000190000-0x0000000000232000-memory.dmp
memory/3648-29-0x0000000000190000-0x0000000000232000-memory.dmp
memory/3648-26-0x0000000000190000-0x0000000000232000-memory.dmp
memory/3648-25-0x0000000000190000-0x0000000000232000-memory.dmp
memory/3648-31-0x0000000000190000-0x0000000000232000-memory.dmp
memory/3648-32-0x0000000000190000-0x0000000000232000-memory.dmp
memory/3648-33-0x0000000000190000-0x0000000000232000-memory.dmp
memory/3648-34-0x0000000000190000-0x0000000000232000-memory.dmp
memory/3648-35-0x0000000000190000-0x0000000000232000-memory.dmp