Malware Analysis Report

2025-03-15 05:45

Sample ID 240510-n953wsgf95
Target db2dae2c9dcb4e0ca11c4954d2ac6210_NeikiAnalytics
SHA256 604e4873305c29b900ad2f6307726dde665a69c54bcb00df0c4b82403f098205
Tags
urelas aspackv2 trojan
score
10/10

Analysis Overview

score
10/10

SHA256

604e4873305c29b900ad2f6307726dde665a69c54bcb00df0c4b82403f098205

Threat Level: Known bad

The file db2dae2c9dcb4e0ca11c4954d2ac6210_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

urelas aspackv2 trojan

Urelas

Urelas family

Executes dropped EXE

Checks computer location settings

ASPack v2.12-2.42

Deletes itself

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-10 12:06

Signatures

Urelas family

urelas

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 12:06

Reported

2024-05-10 12:09

Platform

win7-20240220-en

Max time kernel

149s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\db2dae2c9dcb4e0ca11c4954d2ac6210_NeikiAnalytics.exe"

Signatures

Urelas

trojan urelas

ASPack v2.12-2.42

aspackv2

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ijkur.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yqpub.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\yqpub.exe N/A (this row is repeated 54 times in the original report)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2268 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\db2dae2c9dcb4e0ca11c4954d2ac6210_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\ijkur.exe (4 identical rows)
PID 2268 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\db2dae2c9dcb4e0ca11c4954d2ac6210_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe (4 identical rows)
PID 2980 wrote to memory of 1040 N/A C:\Users\Admin\AppData\Local\Temp\ijkur.exe C:\Users\Admin\AppData\Local\Temp\yqpub.exe (4 identical rows)

Processes

C:\Users\Admin\AppData\Local\Temp\db2dae2c9dcb4e0ca11c4954d2ac6210_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\db2dae2c9dcb4e0ca11c4954d2ac6210_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\ijkur.exe

"C:\Users\Admin\AppData\Local\Temp\ijkur.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\yqpub.exe

"C:\Users\Admin\AppData\Local\Temp\yqpub.exe"

Network

Country Destination Domain Proto
KR 218.54.31.226:11110 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.165:11110 tcp
JP 133.242.129.155:11110 tcp

Files

memory/2268-0-0x0000000000400000-0x0000000000468000-memory.dmp

memory/2980-14-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ijkur.exe

MD5 09c984bc42f859a6c456c7a84ffbe74b
SHA1 2cff3fc42a05d20805de13fbd59eae30c8b1751d
SHA256 69308496a625f26d7b81a92967ada6ea9fc2738b4571a20b911b8aefdaeaafdb
SHA512 3954684bb6ca00188b1a15e9241730ec8371f41ce415c087c9993fac7ccfc05c1733eb1c36cfbfec9e2102cec4f7aacf6eb5fd50b5b1a4ebdbe215aa64af4542

memory/2268-12-0x0000000002BC0000-0x0000000002C28000-memory.dmp

memory/2268-11-0x0000000002BC0000-0x0000000002C28000-memory.dmp

memory/2268-22-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 767f7cfaad35e21a8867d8a753eea7d3
SHA1 b62fe2147de17fca026d5a283ec3e13b6a8669d8
SHA256 a10dd3841802d279970e590b17da1e1078e147fec3633cfdf45f4aca122bb9d5
SHA512 f59804b3c4d0865d7cd4eae59cda35d2b1e6fdab0d6f70e5cc07dee695ae080a17e4b92ce9aa5e03987f1de68ff47e362cce0f2a6f52f62124a5dbd9a721e689

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 49e9e46c708fb568cd298d22461b3615
SHA1 f0a580212911dfb0d15f63db116e6c0e9425904d
SHA256 8812740ade2b1e433d976b0893392c07d63823b78b1f4e8dae437812894d8223
SHA512 76c82a8ea9f033449028702bb5fd3967bca4c344ec2bd52d25d06893fc7f9f89143c43f4be773a93b4a3477c8a4fb27c320bd1ee1d3043052e1d0940ab41146f

\Users\Admin\AppData\Local\Temp\yqpub.exe

MD5 5f762341d3a5126a6b36640941809abf
SHA1 3e1b77a58f6de2fbbd33f75e198fc77cbaf61aea
SHA256 115f093489c76339e609d120726f2fb62bd579c576eb86118acf7c1483d5bbf7
SHA512 33969b9a72dcdcfa6124cb0bd754a0b9516ffd209d0b10acbae2f64955e56ad296779c9ed16b2be7271d2502e82b429d7f980bddc47667cd7807b285daecfd29

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 12:06

Reported

2024-05-10 12:09

Platform

win10v2004-20240226-en

Max time kernel

156s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\db2dae2c9dcb4e0ca11c4954d2ac6210_NeikiAnalytics.exe"

Signatures

Urelas

trojan urelas

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\db2dae2c9dcb4e0ca11c4954d2ac6210_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\vanam.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\db2dae2c9dcb4e0ca11c4954d2ac6210_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\db2dae2c9dcb4e0ca11c4954d2ac6210_NeikiAnalytics.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1712 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\Temp\vanam.exe

"C:\Users\Admin\AppData\Local\Temp\vanam.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

Network

Files

memory/4436-0-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\vanam.exe

MD5 a15331e77ed06d6e2a9c2a893d60687b
SHA1 bf13004fd1d02cab5a1963a46deff75fb0de076f
SHA256 5f4c57636b1a6171984304a49312e7a5d97df691e0f7087c5b084aceea0693c0
SHA512 40d9395c111bef7edb467b97eae08e7b40cbbbefa5d6b2f4cd6c29f6908b9d1bb9136b4be0cdadae41f1eadfc93c9c2ab504490c81aafb08a684da93632fc8c1

memory/4436-13-0x0000000000400000-0x0000000000468000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 767f7cfaad35e21a8867d8a753eea7d3
SHA1 b62fe2147de17fca026d5a283ec3e13b6a8669d8
SHA256 a10dd3841802d279970e590b17da1e1078e147fec3633cfdf45f4aca122bb9d5
SHA512 f59804b3c4d0865d7cd4eae59cda35d2b1e6fdab0d6f70e5cc07dee695ae080a17e4b92ce9aa5e03987f1de68ff47e362cce0f2a6f52f62124a5dbd9a721e689

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 404bce4fbcc16ca8eff12dcbdc705641
SHA1 32a1e77879a7a2698c8bbe39971fe6b4f65f9b01
SHA256 e4b06d5e90b69944878f0edfc4470ce247645c1f6f84b411b9163742f993ac1c
SHA512 f864370cfbcd5368c64d00a503bf9b27e90c2808e4d4ac8bd328e1c2a9fb51a6712fef9d891242aec81db0ff67df6017bfbf0ce0c081b46b55e0ebf65565b5c9