Analysis Overview
SHA256
604e4873305c29b900ad2f6307726dde665a69c54bcb00df0c4b82403f098205
Threat Level: Known bad
The file db2dae2c9dcb4e0ca11c4954d2ac6210_NeikiAnalytics was found to be: Known bad.
Malicious Activity Summary
Urelas
Urelas family
Executes dropped EXE
Checks computer location settings
ASPack v2.12-2.42
Deletes itself
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-10 12:06
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 12:06
Reported
2024-05-10 12:09
Platform
win7-20240220-en
Max time kernel
149s
Max time network
121s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ijkur.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\yqpub.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\db2dae2c9dcb4e0ca11c4954d2ac6210_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\db2dae2c9dcb4e0ca11c4954d2ac6210_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ijkur.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\db2dae2c9dcb4e0ca11c4954d2ac6210_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\db2dae2c9dcb4e0ca11c4954d2ac6210_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\ijkur.exe
"C:\Users\Admin\AppData\Local\Temp\ijkur.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\yqpub.exe
"C:\Users\Admin\AppData\Local\Temp\yqpub.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2268-0-0x0000000000400000-0x0000000000468000-memory.dmp
memory/2980-14-0x0000000000400000-0x0000000000468000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ijkur.exe
| MD5 | 09c984bc42f859a6c456c7a84ffbe74b |
| SHA1 | 2cff3fc42a05d20805de13fbd59eae30c8b1751d |
| SHA256 | 69308496a625f26d7b81a92967ada6ea9fc2738b4571a20b911b8aefdaeaafdb |
| SHA512 | 3954684bb6ca00188b1a15e9241730ec8371f41ce415c087c9993fac7ccfc05c1733eb1c36cfbfec9e2102cec4f7aacf6eb5fd50b5b1a4ebdbe215aa64af4542 |
memory/2268-12-0x0000000002BC0000-0x0000000002C28000-memory.dmp
memory/2268-11-0x0000000002BC0000-0x0000000002C28000-memory.dmp
memory/2268-22-0x0000000000400000-0x0000000000468000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 767f7cfaad35e21a8867d8a753eea7d3 |
| SHA1 | b62fe2147de17fca026d5a283ec3e13b6a8669d8 |
| SHA256 | a10dd3841802d279970e590b17da1e1078e147fec3633cfdf45f4aca122bb9d5 |
| SHA512 | f59804b3c4d0865d7cd4eae59cda35d2b1e6fdab0d6f70e5cc07dee695ae080a17e4b92ce9aa5e03987f1de68ff47e362cce0f2a6f52f62124a5dbd9a721e689 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 49e9e46c708fb568cd298d22461b3615 |
| SHA1 | f0a580212911dfb0d15f63db116e6c0e9425904d |
| SHA256 | 8812740ade2b1e433d976b0893392c07d63823b78b1f4e8dae437812894d8223 |
| SHA512 | 76c82a8ea9f033449028702bb5fd3967bca4c344ec2bd52d25d06893fc7f9f89143c43f4be773a93b4a3477c8a4fb27c320bd1ee1d3043052e1d0940ab41146f |
C:\Users\Admin\AppData\Local\Temp\yqpub.exe
| MD5 | 5f762341d3a5126a6b36640941809abf |
| SHA1 | 3e1b77a58f6de2fbbd33f75e198fc77cbaf61aea |
| SHA256 | 115f093489c76339e609d120726f2fb62bd579c576eb86118acf7c1483d5bbf7 |
| SHA512 | 33969b9a72dcdcfa6124cb0bd754a0b9516ffd209d0b10acbae2f64955e56ad296779c9ed16b2be7271d2502e82b429d7f980bddc47667cd7807b285daecfd29 |
memory/2980-31-0x0000000000400000-0x0000000000468000-memory.dmp
memory/2980-30-0x0000000003D90000-0x0000000003E32000-memory.dmp
memory/1040-33-0x0000000000810000-0x00000000008B2000-memory.dmp
memory/1040-35-0x0000000000810000-0x00000000008B2000-memory.dmp
memory/1040-36-0x0000000000810000-0x00000000008B2000-memory.dmp
memory/1040-34-0x0000000000810000-0x00000000008B2000-memory.dmp
memory/1040-38-0x0000000000810000-0x00000000008B2000-memory.dmp
memory/1040-39-0x0000000000810000-0x00000000008B2000-memory.dmp
memory/1040-40-0x0000000000810000-0x00000000008B2000-memory.dmp
memory/1040-41-0x0000000000810000-0x00000000008B2000-memory.dmp
memory/1040-42-0x0000000000810000-0x00000000008B2000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 12:06
Reported
2024-05-10 12:09
Platform
win10v2004-20240226-en
Max time kernel
156s
Max time network
164s
Command Line
Signatures
Urelas
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\db2dae2c9dcb4e0ca11c4954d2ac6210_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vanam.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4436 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\db2dae2c9dcb4e0ca11c4954d2ac6210_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\vanam.exe |
| PID 4436 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\db2dae2c9dcb4e0ca11c4954d2ac6210_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\vanam.exe |
| PID 4436 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\db2dae2c9dcb4e0ca11c4954d2ac6210_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\vanam.exe |
| PID 4436 wrote to memory of 3308 | N/A | C:\Users\Admin\AppData\Local\Temp\db2dae2c9dcb4e0ca11c4954d2ac6210_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4436 wrote to memory of 3308 | N/A | C:\Users\Admin\AppData\Local\Temp\db2dae2c9dcb4e0ca11c4954d2ac6210_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 4436 wrote to memory of 3308 | N/A | C:\Users\Admin\AppData\Local\Temp\db2dae2c9dcb4e0ca11c4954d2ac6210_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\db2dae2c9dcb4e0ca11c4954d2ac6210_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\db2dae2c9dcb4e0ca11c4954d2ac6210_NeikiAnalytics.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1712 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\AppData\Local\Temp\vanam.exe
"C:\Users\Admin\AppData\Local\Temp\vanam.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 142.250.200.10:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 10.200.250.142.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 2.173.189.20.in-addr.arpa | udp |
Files
memory/4436-0-0x0000000000400000-0x0000000000468000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\vanam.exe
| MD5 | a15331e77ed06d6e2a9c2a893d60687b |
| SHA1 | bf13004fd1d02cab5a1963a46deff75fb0de076f |
| SHA256 | 5f4c57636b1a6171984304a49312e7a5d97df691e0f7087c5b084aceea0693c0 |
| SHA512 | 40d9395c111bef7edb467b97eae08e7b40cbbbefa5d6b2f4cd6c29f6908b9d1bb9136b4be0cdadae41f1eadfc93c9c2ab504490c81aafb08a684da93632fc8c1 |
memory/4436-13-0x0000000000400000-0x0000000000468000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | 767f7cfaad35e21a8867d8a753eea7d3 |
| SHA1 | b62fe2147de17fca026d5a283ec3e13b6a8669d8 |
| SHA256 | a10dd3841802d279970e590b17da1e1078e147fec3633cfdf45f4aca122bb9d5 |
| SHA512 | f59804b3c4d0865d7cd4eae59cda35d2b1e6fdab0d6f70e5cc07dee695ae080a17e4b92ce9aa5e03987f1de68ff47e362cce0f2a6f52f62124a5dbd9a721e689 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 404bce4fbcc16ca8eff12dcbdc705641 |
| SHA1 | 32a1e77879a7a2698c8bbe39971fe6b4f65f9b01 |
| SHA256 | e4b06d5e90b69944878f0edfc4470ce247645c1f6f84b411b9163742f993ac1c |
| SHA512 | f864370cfbcd5368c64d00a503bf9b27e90c2808e4d4ac8bd328e1c2a9fb51a6712fef9d891242aec81db0ff67df6017bfbf0ce0c081b46b55e0ebf65565b5c9 |