Analysis Overview
SHA256
af80d19544a9442d4bb599c457cc0586e76f47eec02a001e82926274153d904d
Threat Level: Known bad
The file dece925b4bdce9278b217c2d701bb520_NeikiAnalytics was found to be: Known bad.
Malicious Activity Summary
Urelas
Loads dropped DLL
Checks computer location settings
ASPack v2.12-2.42
Deletes itself
Executes dropped EXE
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-10 12:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-10 12:21
Reported
2024-05-10 12:24
Platform
win7-20240508-en
Max time kernel
149s
Max time network
126s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avzus.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ybosl.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dece925b4bdce9278b217c2d701bb520_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\avzus.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\dece925b4bdce9278b217c2d701bb520_NeikiAnalytics.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dece925b4bdce9278b217c2d701bb520_NeikiAnalytics.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\avzus.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\avzus.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\dece925b4bdce9278b217c2d701bb520_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\dece925b4bdce9278b217c2d701bb520_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\avzus.exe
"C:\Users\Admin\AppData\Local\Temp\avzus.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
C:\Users\Admin\AppData\Local\Temp\ybosl.exe
"C:\Users\Admin\AppData\Local\Temp\ybosl.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 121.88.5.183:11120 | | tcp |
| KR | 121.88.5.184:11170 | | tcp |
| KR | 218.54.30.235:11120 | | tcp |
Files
memory/1640-0-0x00000000011C0000-0x0000000001242000-memory.dmp
memory/1640-1-0x0000000000230000-0x0000000000232000-memory.dmp
\Users\Admin\AppData\Local\Temp\avzus.exe
| MD5 | 85ad0bc33c6575819a1a1f43699818b8 |
| SHA1 | 7aa75569fc31ea79703cdd03e44cfe7fdf199305 |
| SHA256 | 0b21bba16766be0d23f2ea27001e334873484647a4b95f0bf61638a7eb6a0cea |
| SHA512 | 69c29c17f721bad3949b00d009e41945d83348b7b8feaf344f8173eae22272e6a227c23f79f1a6acee50be3ee6a7bb2ba946e336cff8194af2a55a38767c1de8 |
memory/2344-21-0x0000000000180000-0x0000000000182000-memory.dmp
memory/1640-20-0x00000000011C0000-0x0000000001242000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_sannuy.bat
| MD5 | 4eb98daad741325e710697d08e06753a |
| SHA1 | 6cea31d2c7d1f036e609331d7d155218ca6b78d9 |
| SHA256 | e87d0f8f9e33f6b293f2c5a7bb8515eafe4549e990277591839a8e1792537adb |
| SHA512 | c6d181b7ebf82e6c223ea53764f3904f7937c1d4b782e1908427322bd30dac1e1df1ac187a7a548a80057833de09e19659ffdc85af1812f241fb730aca2f0855 |
memory/2344-12-0x0000000000030000-0x00000000000B2000-memory.dmp
memory/1640-10-0x0000000002CD0000-0x0000000002D52000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 5f186f4d863b9848a825b9a17b15572d |
| SHA1 | 9d193ec1735a563892b68a65020722d224aa5b9c |
| SHA256 | fbe102ddcd9719f15b16166966c44685226079dedf6758067d9e84a3eeecde57 |
| SHA512 | 292602573461c8f8c0f6550ed64ada21cc767226b7ec26342e137199f5e9cf318bf7b9fd04945d3555b725a5d66eaa850850cfc5733f87635f90cc097a50366c |
memory/2344-24-0x0000000000030000-0x00000000000B2000-memory.dmp
\Users\Admin\AppData\Local\Temp\ybosl.exe
| MD5 | 516fbe4266e9613b3d4d97d0c5145d91 |
| SHA1 | a24af3cf4ffaab8e81fb8b6eb231780e0da0aba2 |
| SHA256 | f1ae5db2bcf6d4589c79c5c5bcbd0497508012d6d81255da8c646044d922b77f |
| SHA512 | c0b7fae5a3506f7ac99a3de2446473d812a66220bfe9c1bc704106076be028176efccff0c9804299135025ffb9ef35582c6d6a864768a7b825db04f8cc9b9fdf |
C:\Users\Admin\AppData\Local\Temp\avzus.exe
| MD5 | 2cadfb20a2a638c5cfb0c7ea2dc972c0 |
| SHA1 | e0beba7f5f7a7e99c18de98134f2c9ccd067b725 |
| SHA256 | bb36db7d29e25d69b56d99151f667f904909b57b8ce8cab6e068f72b3d011694 |
| SHA512 | 254ecb005c5e0202050db3fb9e35002657b7f49c729ecb59e7f8f850daa6107d3e94b2d9de9ca3276d1fd7bd8c5bc44e4e182aa394751002d0a1c69b3e277da6 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-10 12:21
Reported
2024-05-10 12:24
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
100s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dece925b4bdce9278b217c2d701bb520_NeikiAnalytics.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\peelj.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\peelj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cavuh.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\dece925b4bdce9278b217c2d701bb520_NeikiAnalytics.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\dece925b4bdce9278b217c2d701bb520_NeikiAnalytics.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\peelj.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\peelj.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\dece925b4bdce9278b217c2d701bb520_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\dece925b4bdce9278b217c2d701bb520_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\peelj.exe
"C:\Users\Admin\AppData\Local\Temp\peelj.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_sannuy.bat" "
C:\Users\Admin\AppData\Local\Temp\cavuh.exe
"C:\Users\Admin\AppData\Local\Temp\cavuh.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| KR | 121.88.5.183:11120 | | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| KR | 121.88.5.184:11170 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| KR | 218.54.30.235:11120 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| BE | 2.17.196.107:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.196.17.2.in-addr.arpa | udp |
| BE | 2.17.196.107:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/468-0-0x0000000000F30000-0x0000000000FB2000-memory.dmp
memory/468-1-0x0000000000C20000-0x0000000000C22000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\peelj.exe
| MD5 | 676e07e2dfe6fdb994ca1dc1a105ff7d |
| SHA1 | d11806dd213ca11a66acc5083a3f921c7df8682c |
| SHA256 | f20bacd7b0578f7ebdfc8f30815ee8a0b9b09653fbfac972d89fe20b3158f3f9 |
| SHA512 | 368b5974eeef235b0d7b52aa72526d6c147cfe374a155573d32b80ad7d282e53c699b355bed40c4213d04e419d834d79e4241e6704c6036f637b194ac23fa8b1 |
memory/1076-14-0x0000000000860000-0x0000000000862000-memory.dmp
memory/1076-13-0x0000000000900000-0x0000000000982000-memory.dmp
memory/468-17-0x0000000000F30000-0x0000000000FB2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_sannuy.bat
| MD5 | 4eb98daad741325e710697d08e06753a |
| SHA1 | 6cea31d2c7d1f036e609331d7d155218ca6b78d9 |
| SHA256 | e87d0f8f9e33f6b293f2c5a7bb8515eafe4549e990277591839a8e1792537adb |
| SHA512 | c6d181b7ebf82e6c223ea53764f3904f7937c1d4b782e1908427322bd30dac1e1df1ac187a7a548a80057833de09e19659ffdc85af1812f241fb730aca2f0855 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 89d979397e8f0e1cf0c8ae65c422a28a |
| SHA1 | 2162e5942126a5939cfd2c2489be00b3cfb146d7 |
| SHA256 | 87865c63012942d024b700a6eb719eef9f230654a4f478391303a45a8bbc37f2 |
| SHA512 | 075576573d658eb77de252eab9ac9eda9d21d6c78492a5f985b299f30e6aa6ba2cbd160738b60fbf98dd42fe8b510f24adf1f938d1edc774e54ed0c9465e7fb8 |
memory/1076-20-0x0000000000900000-0x0000000000982000-memory.dmp
memory/1076-22-0x0000000000860000-0x0000000000862000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cavuh.exe
| MD5 | d4f91b6db6d70abc9e5af9a6e5cbdd66 |
| SHA1 | 2a3157b07901e67ab8d5a55bb6694e6191d45443 |
| SHA256 | 0b68ef62f49393bf261f0b72cc2a24b9c437f0c19d584b3b5991efc3cf6fd1c8 |
| SHA512 | 2a499251e381707647fa1d2fc1dfd836e4f78d4068add2cd3101a503f7e85a5e6eec51c8e5d8a04631093bfb5b1ce45ce3346d62a838beee482ce838c9d6c1be |