Analysis Overview
SHA256
1ccb9551382b0b17cf14cc9795a2b8c2b960431ed355d9ae6c9ca6d9127b5804
Threat Level: Known bad
The file 697e6c37318a960d3ee858311962c010_NeikiAnalytics was found to be: Known bad.
Malicious Activity Summary
Urelas
Executes dropped EXE
Loads dropped DLL
ASPack v2.12-2.42
Deletes itself
Checks computer location settings
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
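The "ASPack v2.12-2.42" entry above is a packer identification, not a verdict, and it is worth reproducing it yourself before trusting it, because the packed dropper is what the static hashes describe while the real code only exists after unpacking. The script below is an added example, not the sandbox's own rule (which the page does not show): it walks the PE section table with nothing but struct, reports any section carrying the names ASPack writes into its output (.aspack and .adata, an assumption about how such signatures are typically derived) and flags sections whose byte entropy is close to 8 bits per byte, which catches a packed payload even when the section names have been renamed. The two PE images it runs on are constructed in the block, not the sample from this report.

```python
import hashlib
import math
import struct
from collections import Counter

# Section names ASPack leaves in a packed PE. Assumption: this is the kind of
# fingerprint behind an "ASPack" signature; the sandbox's own rule is not on the page.
ASPACK_SECTION_NAMES = {b".aspack", b".adata"}
HIGH_ENTROPY = 7.0  # bits/byte; compressed or encrypted data sits near 8.0


def pe_sections(data: bytes):
    """Walk the PE section table and return [(name, raw_bytes), ...]."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_opt                          # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)  # SizeOfRawData, PointerToRawData
        sections.append((name, data[raw_ptr:raw_ptr + raw_size]))
    return sections


def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for an empty section)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def aspack_indicators(data: bytes) -> dict:
    secs = pe_sections(data)
    names = {name for name, _ in secs}
    return {
        "sections": [name.decode("ascii", "replace") for name, _ in secs],
        "aspack_sections": sorted(n.decode() for n in names & ASPACK_SECTION_NAMES),
        "high_entropy_sections": [name.decode() for name, raw in secs if entropy(raw) > HIGH_ENTROPY],
        "likely_aspack": bool(names & ASPACK_SECTION_NAMES),
    }


def build_pe(sections) -> bytes:
    """Assemble a minimal PE32 file from [(name, raw_bytes)]; constructed test input, not a real sample."""
    header_len = 0x40 + 4 + 20 + 224 + 40 * len(sections)
    raw_off = (header_len + 0x1FF) & ~0x1FF             # 512-byte file alignment
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    table, body = bytearray(), bytearray()
    for name, raw in sections:
        entry = bytearray(40)
        entry[:8] = name.ljust(8, b"\0")
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        struct.pack_into("<IIII", entry, 8, len(raw), 0x1000, len(raw), raw_off + len(body))
        table += entry
        body += raw
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)
    return image + b"\0" * (raw_off - len(image)) + bytes(body)


# Deterministic pseudo-random bytes stand in for a compressed section.
PACKED_BLOB = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
PACKED = build_pe([(b".text", b"\0" * 4096), (b".aspack", PACKED_BLOB), (b".adata", b"")])
CLEAN = build_pe([(b".text", b"\x90" * 2048 + b"\xc3" * 64), (b".data", b"A" * 512)])

if __name__ == "__main__":
    for label, sample in (("packed", PACKED), ("clean", CLEAN)):
        print(label, aspack_indicators(sample))
```

Run it against the real dropper by passing the file bytes to aspack_indicators. A hit on the section names is strong evidence for ASPack specifically; a high-entropy section with ordinary names only tells you the binary is packed or encrypted with something, and the unpacked child is what should be hashed and hunted for.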
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-10 04:14
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 04:14
Reported
2024-05-10 04:17
Platform
win7-20240221-en
Max time kernel
150s
Max time network
124s
Signatures
Urelas
ASPack v2.12-2.42
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lewyl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\olton.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\697e6c37318a960d3ee858311962c010_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lewyl.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\697e6c37318a960d3ee858311962c010_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\697e6c37318a960d3ee858311962c010_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\lewyl.exe
"C:\Users\Admin\AppData\Local\Temp\lewyl.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\olton.exe
"C:\Users\Admin\AppData\Local\Temp\olton.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2144-0-0x0000000000EB0000-0x0000000001A14000-memory.dmp
memory/2144-10-0x0000000000150000-0x0000000000151000-memory.dmp
memory/2144-38-0x0000000000EB0000-0x0000000001A14000-memory.dmp
memory/2144-36-0x00000000001A0000-0x00000000001A1000-memory.dmp
memory/2144-34-0x00000000001A0000-0x00000000001A1000-memory.dmp
memory/2144-31-0x0000000000190000-0x0000000000191000-memory.dmp
memory/2144-29-0x0000000000190000-0x0000000000191000-memory.dmp
memory/2144-26-0x0000000000180000-0x0000000000181000-memory.dmp
memory/2144-24-0x0000000000F30000-0x0000000001308000-memory.dmp
memory/2144-23-0x0000000000180000-0x0000000000181000-memory.dmp
memory/2144-20-0x0000000000170000-0x0000000000171000-memory.dmp
memory/2144-18-0x0000000000170000-0x0000000000171000-memory.dmp
memory/2144-15-0x0000000000160000-0x0000000000161000-memory.dmp
memory/2144-13-0x0000000000160000-0x0000000000161000-memory.dmp
memory/2144-41-0x0000000000EB0000-0x0000000001A14000-memory.dmp
memory/2144-11-0x0000000000160000-0x0000000000161000-memory.dmp
memory/2144-8-0x0000000000150000-0x0000000000151000-memory.dmp
memory/2144-6-0x0000000000150000-0x0000000000151000-memory.dmp
memory/2144-5-0x0000000000140000-0x0000000000141000-memory.dmp
memory/2144-3-0x0000000000140000-0x0000000000141000-memory.dmp
memory/2144-1-0x0000000000140000-0x0000000000141000-memory.dmp
\Users\Admin\AppData\Local\Temp\lewyl.exe
| MD5 | 5e40148cfd5dec1c552d070b3a823cf8 |
| SHA1 | c086efc0cf30d436dfebe99ddff650e61dc717b9 |
| SHA256 | e318eafaabfb7218d9614a2744d97253e72ec650732e01c23a710bc763f7df19 |
| SHA512 | 362912559ff3afa5a09a19039a1bf0570d4d1491e9d7fecc3f3fe4996ea1e3a7542d184d9c8b2b7213552cafaf127a67d504e53bc8ffa62896040c068ad801d2 |
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 3f2267b8601e67f4f35e1af45cf42736 |
| SHA1 | 051322bdac359402985504687ba8a04a5a22215a |
| SHA256 | 9de381977a34efa286daef39033c659a690409e8b9e18eb0e8bf55a4b4db8f05 |
| SHA512 | 4e3b15b4c06694b9101206e883f0543f3d2f1947b8d9769fb9c4cddcae2ea5750d57bc39a3c6ff0d37a70a17870c3622f47ec8e67bf5cebb86ab17565a585d49 |
memory/2144-50-0x0000000004130000-0x0000000004C94000-memory.dmp
memory/2600-58-0x00000000009F0000-0x0000000001554000-memory.dmp
memory/2144-60-0x0000000000EB0000-0x0000000001A14000-memory.dmp
memory/2144-61-0x0000000000F30000-0x0000000001308000-memory.dmp
memory/2600-82-0x0000000000300000-0x0000000000301000-memory.dmp
memory/2600-87-0x0000000000310000-0x0000000000311000-memory.dmp
memory/2600-85-0x0000000000310000-0x0000000000311000-memory.dmp
memory/2600-102-0x00000000009F0000-0x0000000001554000-memory.dmp
memory/2600-80-0x0000000000300000-0x0000000000301000-memory.dmp
memory/2600-103-0x00000000009F0000-0x0000000001554000-memory.dmp
memory/2600-77-0x00000000001F0000-0x00000000001F1000-memory.dmp
memory/2600-75-0x00000000001F0000-0x00000000001F1000-memory.dmp
memory/2600-72-0x00000000001A0000-0x00000000001A1000-memory.dmp
memory/2600-70-0x00000000001A0000-0x00000000001A1000-memory.dmp
memory/2600-67-0x0000000000100000-0x0000000000101000-memory.dmp
memory/2600-65-0x0000000000100000-0x0000000000101000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 35a50122b90be71a7895d8ea1e0accd5 |
| SHA1 | d2d2f4be6b2372e2de1a6e4dcb57954faf9bbe46 |
| SHA256 | 4562c35573ea1dce7793cd4e9bdd549dabd28b82f2efe9ffb020cab1c88d983c |
| SHA512 | d9c30e51ec775ef91e3998e23f9b61d58652d0d16fbed8c873074163cc67450010c1de96352441687c2a0eb5b35f231ae04151c305939be11ce10bf53a0bb443 |
memory/2600-105-0x00000000009F0000-0x0000000001554000-memory.dmp
\Users\Admin\AppData\Local\Temp\olton.exe
| MD5 | cff433c129f815fb41c3c5ef1777ef1c |
| SHA1 | dd90c26630ef97d1e3155bbfcef8c271e6a4d0fe |
| SHA256 | 4795102fec4e6a90f9af41057fb124fd7a3dcb4b6253ac6f9ab4e29c7caf259f |
| SHA512 | 325e9188b6fd0f42734c530607927a78bf2a7a0762d963a0ce1adbe4aa626a4fd3ec6d29c515956c661120d83047f39a6cfb27c433b35ec68bdf1216f03735ab |
memory/2248-113-0x0000000000A00000-0x0000000000A9E000-memory.dmp
memory/2600-111-0x0000000003E30000-0x0000000003ECE000-memory.dmp
memory/2600-117-0x00000000009F0000-0x0000000001554000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\lewyl.exe
| MD5 | 01fdc21caccb35a410f7876bb17559e9 |
| SHA1 | eda547e06226f76140df48e2d14b52d905ab7731 |
| SHA256 | 0e7c6f8ed28815cfda7893594967bc0567411ab3eb1342fc2adef5fcf5fcb0b8 |
| SHA512 | 56e3a70215df4670c7c840fd951d52d4777859450c3f15d3deb1e77800d41561bfb2c1b27e8592ca0f8f3b793abd65b081a97bd4e1ae38ac4ccf76c3a5fe07ba |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 04:14
Reported
2024-05-10 04:17
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
107s
Signatures
Urelas
ASPack v2.12-2.42
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\697e6c37318a960d3ee858311962c010_NeikiAnalytics.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\liuqe.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\liuqe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zewox.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\697e6c37318a960d3ee858311962c010_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\697e6c37318a960d3ee858311962c010_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\liuqe.exe
"C:\Users\Admin\AppData\Local\Temp\liuqe.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\zewox.exe
"C:\Users\Admin\AppData\Local\Temp\zewox.exe"
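Both runs show the same three-step tree: the dropper in Temp starts a second executable from Temp (lewyl.exe / liuqe.exe), that one starts a third (olton.exe / zewox.exe), and cmd.exe runs _uinsey.bat out of Temp, which is where the "Deletes itself" signature comes from. Only the file names change between runs, so the shape of the tree is a better hunting target than the names. The script below is an added example, not part of the sandbox report: it runs two rules over process-creation events (a Temp-resident parent launching another executable from Temp, and cmd.exe running a Temp batch file for a Temp-resident parent) and rebuilds the ancestry of each hit. The events are constructed to mirror the win7 tree; the pids and the parent links are assumptions, because the report lists the processes flat and does not show who spawned whom, and the batch file's contents are not on the page (only its hashes), so the rule keys on where it lives, not on what it does.

```python
import re

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# cmd /c "<path>.bat", tolerant of the doubled quoting cmd.exe shows in the trees above
CMD_BAT_RE = re.compile(r'/c\s+"?"?(?P<bat>[^"]+\.bat)"', re.IGNORECASE)


def in_temp(path: str) -> bool:
    return bool(TEMP_RE.search(path))


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


# Constructed process-creation events modelled on the win7 tree above.
# pid/ppid values and the parent links are assumptions, not taken from the report.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\697e6c37318a960d3ee858311962c010_NeikiAnalytics.exe"
EVENTS = [
    {"pid": 1000, "ppid": 4,    "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 2144, "ppid": 1000, "image": SAMPLE,                     "cmdline": f'"{SAMPLE}"'},
    {"pid": 2600, "ppid": 2144, "image": r"C:\Users\Admin\AppData\Local\Temp\lewyl.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\lewyl.exe"'},
    {"pid": 2700, "ppid": 2144, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "'},
    {"pid": 2248, "ppid": 2600, "image": r"C:\Users\Admin\AppData\Local\Temp\olton.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\olton.exe"'},
    # benign noise: a user opening notepad and running a build script from Documents
    {"pid": 3000, "ppid": 1000, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"pid": 3100, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c "C:\Users\Admin\Documents\build.bat"'},
]


def analyze(events):
    """Return (rule, pid, detail) for every event that matches one of the two patterns."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        # rule 1: a Temp-resident process starting another executable out of Temp
        if in_temp(e["image"]) and in_temp(parent["image"]):
            findings.append(("executes_dropped_exe", e["pid"], e["image"]))
        # rule 2: cmd.exe running a Temp batch file on behalf of a Temp-resident parent
        if image_name(e["image"]) == "cmd.exe":
            m = CMD_BAT_RE.search(e["cmdline"])
            if m and in_temp(m.group("bat")) and in_temp(parent["image"]):
                findings.append(("temp_batch_cleanup", e["pid"], m.group("bat")))
    return findings


def chain(events, pid):
    """Image names from the root ancestor down to pid."""
    by_pid = {e["pid"]: e for e in events}
    out = []
    while pid in by_pid:
        out.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return out[::-1]


if __name__ == "__main__":
    for rule, pid, detail in analyze(EVENTS):
        print(rule, pid, " -> ".join(chain(EVENTS, pid)), detail)
```

Fed from Sysmon Event ID 1 or EDR process telemetry, rule 1 alone fires on legitimate installers that unpack into Temp, so the combination with rule 2 (and with the outbound connections to the ports in the Network tables) is what makes the chain worth paging on.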
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| BE | 88.221.83.187:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.83.221.88.in-addr.arpa | udp |
| BE | 2.17.107.105:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 105.107.17.2.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
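The four raw-IP TCP destinations on ports 11110 and 11170 are the same in the win7 and win10 runs and are the actionable network indicators here; the 8.8.8.8 lookups, reverse-DNS queries and bing.com sessions appear only in the win10 run and are consistent with Windows background traffic rather than the sample. The script below is an added example, not part of the sandbox report: it parses a constructed Zeek-style conn.log excerpt (not real capture data) and classifies each TCP connection as an exact match on the IP:port pairs from both Network tables, or as a lower-confidence match on the same port to a different address, which is the case to look for when an operator rotates C2 hosts but keeps the listener port. The 203.0.113.9 entry is a documentation address used to exercise that second case.

```python
import csv
from io import StringIO

# IP:port pairs taken from the Network tables of both runs
C2_ENDPOINTS = {
    ("218.54.31.226", 11110),
    ("1.234.83.146", 11170),
    ("218.54.31.165", 11110),
    ("133.242.129.155", 11110),
}
C2_PORTS = {port for _, port in C2_ENDPOINTS}

# Constructed Zeek conn.log excerpt (columns trimmed); not from the sandbox.
# conn_state S0 = SYN sent with no reply, SF = normal establishment and teardown.
CONN_LOG = """\
ts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state
1715314500.1\t10.0.0.5\t49152\t8.8.8.8\t53\tudp\tSF
1715314501.2\t10.0.0.5\t49153\t204.79.197.237\t443\ttcp\tSF
1715314502.3\t10.0.0.5\t49154\t218.54.31.226\t11110\ttcp\tS0
1715314503.4\t10.0.0.5\t49155\t1.234.83.146\t11170\ttcp\tS0
1715314504.5\t10.0.0.5\t49156\t203.0.113.9\t11110\ttcp\tS0
1715314505.6\t10.0.0.5\t49157\t133.242.129.155\t11110\ttcp\tSF
"""


def parse_conn_log(text):
    """Yield one dict per connection from a tab-separated conn.log with a header row."""
    for row in csv.DictReader(StringIO(text), delimiter="\t"):
        yield {
            "ts": float(row["ts"]),
            "src": row["id.orig_h"],
            "dst": row["id.resp_h"],
            "dport": int(row["id.resp_p"]),
            "proto": row["proto"],
            "state": row["conn_state"],
        }


def classify(conn):
    """Exact IOC hit, same-port-new-host hit, or None."""
    if conn["proto"] != "tcp":
        return None
    if (conn["dst"], conn["dport"]) in C2_ENDPOINTS:
        return "c2_ioc_match"
    if conn["dport"] in C2_PORTS:
        return "c2_port_only"   # same listener port, unknown host: lower confidence
    return None


def scan(text):
    """Return (verdict, dst, dport, conn_state) for every flagged connection."""
    hits = []
    for conn in parse_conn_log(text):
        verdict = classify(conn)
        if verdict:
            hits.append((verdict, conn["dst"], conn["dport"], conn["state"]))
    return hits


if __name__ == "__main__":
    for hit in scan(CONN_LOG):
        print(*hit)
```

The conn_state column matters when triaging a hit: repeated S0 attempts to a listed endpoint mean the host is infected and beaconing even if the C2 is down, while an SF session means the second stage may already have been fetched and the dropped-file hashes above are the next thing to sweep for.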
Files
memory/5036-0-0x0000000000DB0000-0x0000000001914000-memory.dmp
memory/5036-7-0x0000000000D90000-0x0000000000D91000-memory.dmp
memory/5036-6-0x0000000000D80000-0x0000000000D81000-memory.dmp
memory/5036-8-0x0000000000DA0000-0x0000000000DA1000-memory.dmp
memory/5036-5-0x0000000000D70000-0x0000000000D71000-memory.dmp
memory/5036-4-0x0000000000E30000-0x0000000001208000-memory.dmp
memory/5036-3-0x0000000000D40000-0x0000000000D41000-memory.dmp
memory/5036-13-0x0000000000DB0000-0x0000000001914000-memory.dmp
memory/5036-2-0x0000000000660000-0x0000000000661000-memory.dmp
memory/5036-1-0x0000000000650000-0x0000000000651000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\liuqe.exe
| MD5 | 3c52aaaeeea422c9eea7877699751560 |
| SHA1 | 5486c1969dd858263c98f2733511a351d9f9d0bb |
| SHA256 | 5dd1114f1e64f0249feaa379bc6a958b9d98202191ad432fa6d065a3460dcad1 |
| SHA512 | 7ffb75e94f37a388e2606e680e4e88463d24aff22c735d08cb43ebaed28fa9e4ac0862662045918be303357926b224d89181dea15e457ab1ab99b78b360bf547 |
memory/5096-26-0x0000000000F30000-0x0000000001A94000-memory.dmp
memory/5036-27-0x0000000000DB0000-0x0000000001914000-memory.dmp
memory/5036-28-0x0000000000E30000-0x0000000001208000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 3f2267b8601e67f4f35e1af45cf42736 |
| SHA1 | 051322bdac359402985504687ba8a04a5a22215a |
| SHA256 | 9de381977a34efa286daef39033c659a690409e8b9e18eb0e8bf55a4b4db8f05 |
| SHA512 | 4e3b15b4c06694b9101206e883f0543f3d2f1947b8d9769fb9c4cddcae2ea5750d57bc39a3c6ff0d37a70a17870c3622f47ec8e67bf5cebb86ab17565a585d49 |
memory/5096-37-0x0000000003150000-0x0000000003151000-memory.dmp
memory/5096-36-0x0000000003140000-0x0000000003141000-memory.dmp
memory/5096-38-0x0000000000F30000-0x0000000001A94000-memory.dmp
memory/5096-35-0x0000000000F10000-0x0000000000F11000-memory.dmp
memory/5096-34-0x00000000009E0000-0x00000000009E1000-memory.dmp
memory/5096-33-0x00000000009D0000-0x00000000009D1000-memory.dmp
memory/5096-32-0x0000000000FB0000-0x0000000001388000-memory.dmp
memory/5096-31-0x00000000009C0000-0x00000000009C1000-memory.dmp
memory/5096-30-0x00000000009B0000-0x00000000009B1000-memory.dmp
memory/5096-42-0x0000000000F30000-0x0000000001A94000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | ab755e6022413e3d64763ef8d3641edc |
| SHA1 | 5eec093e87f4efc8e67b1d4c7b57b19f3a3c4e6b |
| SHA256 | 8dfc3e9957a5e4dacb7bc78ae234a2d13387eef3ffffbed06e903f29806b9882 |
| SHA512 | f1b1562db6a63dbdce340e3b4574a0eabb7d7c18dfce141d29d57e0e700b8fab13e9bc5ac5f855fa7606f4a90c1b2f65611220a0ddb8bdde6c4fe455dd3616aa |
memory/5096-45-0x0000000000FB0000-0x0000000001388000-memory.dmp
memory/5096-44-0x0000000000F30000-0x0000000001A94000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zewox.exe
| MD5 | f6dee7f65298d831b4d4974c1817e643 |
| SHA1 | f967782b4b31925a8f505f5fc4bea916aecc4430 |
| SHA256 | 61063e0b0f8e1480a7254b7ad5495ac43f5912bf9888ae8cacfce12ca256d899 |
| SHA512 | dbb22fd8b57c49855988f9a2854492fe2515909aba24dd34d94dd32675fb32ff9096ef3e3596b50929b44769364ecb134d7eb08e01780ce3eeb268b18a98cc23 |
memory/5096-58-0x0000000000F30000-0x0000000001A94000-memory.dmp
memory/4660-56-0x0000000000990000-0x0000000000A2E000-memory.dmp
memory/4660-55-0x0000000000990000-0x0000000000A2E000-memory.dmp
memory/4660-54-0x0000000000990000-0x0000000000A2E000-memory.dmp
memory/5096-59-0x0000000000FB0000-0x0000000001388000-memory.dmp
memory/4660-57-0x0000000000990000-0x0000000000A2E000-memory.dmp
memory/4660-61-0x0000000000990000-0x0000000000A2E000-memory.dmp
memory/4660-62-0x0000000000990000-0x0000000000A2E000-memory.dmp
memory/4660-63-0x0000000000990000-0x0000000000A2E000-memory.dmp
memory/4660-64-0x0000000000990000-0x0000000000A2E000-memory.dmp
memory/4660-65-0x0000000000990000-0x0000000000A2E000-memory.dmp