Analysis Overview
SHA256
dab89b47c955df52a614955fb0ceddc3a1e9dcc2bece6a3fb2786b5b03382c8a
Threat Level: Known bad
The file 5a18600a4aa1cf3f7d5324762deed100_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
ASPack v2.12-2.42
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Deletes itself
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-16 23:40
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-16 23:39
Reported
2024-05-16 23:42
Platform
win7-20240508-en
Max time kernel
149s
Max time network
122s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sinac.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\qasuz.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5a18600a4aa1cf3f7d5324762deed100_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5a18600a4aa1cf3f7d5324762deed100_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\sinac.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5a18600a4aa1cf3f7d5324762deed100_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5a18600a4aa1cf3f7d5324762deed100_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\sinac.exe
"C:\Users\Admin\AppData\Local\Temp\sinac.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\qasuz.exe
"C:\Users\Admin\AppData\Local\Temp\qasuz.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/1972-0-0x0000000000400000-0x0000000000465000-memory.dmp
\Users\Admin\AppData\Local\Temp\sinac.exe
| MD5 | e295978896ca79c9cf21bf73c0f7ff1e |
| SHA1 | 81df7d11f0a31d9b1ecc3921e65c8ede4b158de5 |
| SHA256 | e650f63e1eac38b6c97dd33bbcb0e033fca122a4be86de536e14b7d219c16437 |
| SHA512 | 1c1aff84974d0e1de818820d24cf72ecc5d65f7f38ea06254c0e0ad1ba346939914896358dbbfcbfd9f7b8cfcea4a485a4c40edcbf43890693815764989aa2da |
memory/2944-13-0x0000000000400000-0x0000000000465000-memory.dmp
memory/1972-12-0x00000000029E0000-0x0000000002A45000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | e82068fc3ee5bf5feba4bd4b47052ff1 |
| SHA1 | 1f49da3c1aa032d09803e080dd3e27d3357654ca |
| SHA256 | 336599109229c9da2945dd8cb63706756d165f6fc0ff75714a89e711bf70b482 |
| SHA512 | 34e3037792367563102ed49b4f9165516f2e523177711612164a3114dc2674b476b2a35b3dac3d07bee0f1f090ed20893f2ede96acbadf46f8c4f7bc05ecf993 |
memory/1972-21-0x0000000000400000-0x0000000000465000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 65eaa052e50017b88d9ddcc45f0134f2 |
| SHA1 | 6e1651e6fa3d46591a921718fc1cfa8d42dc5371 |
| SHA256 | ed15c71e199ed1b290c4be4147bae73a7e87b4352dcd5803f0fc2c3bfbd60c71 |
| SHA512 | a824c10c684016a1808b438309991ff13992b177478d99f9793b01f17645fea6751e149255649ea2520813e5cca400b36ec4ce924cc8109a50118a01fad6c2e1 |
\Users\Admin\AppData\Local\Temp\qasuz.exe
| MD5 | f4aa6a528dbbec938fea9ebcb35ce67f |
| SHA1 | aa4f35bec2387a368dfb13a75c06ce28569db0b1 |
| SHA256 | 84e1310a77fe94c7bf0702003b1c1af2d2d76dd0b5b1108be675947c8ca03861 |
| SHA512 | 4d065fb7d4213ccf13778fb97b4dd8e4b3ec0dfa8a034c986a840a23ff7d1d66ee74b452a5a723561625bfa1d25180601d199612da52f8bb9d31d00527a557f3 |
memory/1144-33-0x00000000008F0000-0x0000000000984000-memory.dmp
memory/1144-35-0x00000000008F0000-0x0000000000984000-memory.dmp
memory/1144-34-0x00000000008F0000-0x0000000000984000-memory.dmp
memory/1144-32-0x00000000008F0000-0x0000000000984000-memory.dmp
memory/2944-31-0x0000000000400000-0x0000000000465000-memory.dmp
memory/2944-28-0x0000000003150000-0x00000000031E4000-memory.dmp
memory/1144-37-0x00000000008F0000-0x0000000000984000-memory.dmp
memory/1144-38-0x00000000008F0000-0x0000000000984000-memory.dmp
memory/1144-39-0x00000000008F0000-0x0000000000984000-memory.dmp
memory/1144-40-0x00000000008F0000-0x0000000000984000-memory.dmp
memory/1144-41-0x00000000008F0000-0x0000000000984000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-16 23:39
Reported
2024-05-16 23:42
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5a18600a4aa1cf3f7d5324762deed100_NeikiAnalytics.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\byxuk.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\byxuk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebkil.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5a18600a4aa1cf3f7d5324762deed100_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5a18600a4aa1cf3f7d5324762deed100_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\byxuk.exe
"C:\Users\Admin\AppData\Local\Temp\byxuk.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\ebkil.exe
"C:\Users\Admin\AppData\Local\Temp\ebkil.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| KR | 218.54.31.226:11110 | | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/2900-0-0x0000000000400000-0x0000000000465000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\byxuk.exe
| MD5 | 52413f79c688e1bb7afd7d8fa7b29e30 |
| SHA1 | dce947db0a958009950db2dd72725f5b0caa62d2 |
| SHA256 | 3f928e8906d186920febb81b776bca32500b0df94cce7639718d8fe41330a94c |
| SHA512 | 5ac95905f2b3617a67f2885a9c38fd88c4f70dbfa79dc9ac5f948b59bb2999318f817e06d79f8c83c7a5f05df63eb12b711037205bb64b78990f539545c365a6 |
memory/2592-12-0x0000000000400000-0x0000000000465000-memory.dmp
memory/2900-14-0x0000000000400000-0x0000000000465000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | e82068fc3ee5bf5feba4bd4b47052ff1 |
| SHA1 | 1f49da3c1aa032d09803e080dd3e27d3357654ca |
| SHA256 | 336599109229c9da2945dd8cb63706756d165f6fc0ff75714a89e711bf70b482 |
| SHA512 | 34e3037792367563102ed49b4f9165516f2e523177711612164a3114dc2674b476b2a35b3dac3d07bee0f1f090ed20893f2ede96acbadf46f8c4f7bc05ecf993 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 6819b85c6cd65de7c5a687a7a6a71bd2 |
| SHA1 | 1ed12e82b98b13ab3e5c3eccaba9c5149454e20b |
| SHA256 | 2029ad4fe7a9919ff280593b94b17ed424eb806c138abea42852537369301161 |
| SHA512 | 1ca2f5f7521a1939677253f11732d9604b90a0f798f064a9b3c6f6365cc29f28237afda683c7339c8f411fcca2e4c1b2c242f486797b7403e2f5a123afbfcea8 |
C:\Users\Admin\AppData\Local\Temp\ebkil.exe
| MD5 | d799b740d13d8786e731d850ed87c117 |
| SHA1 | dec652ad800e9bccc2cf30ee381c2453433805b8 |
| SHA256 | 9b13d3d4f7a334a7bb3a85372bea3b179efc2c2c97f2e87c5212ee877a4f9d0d |
| SHA512 | 4049f3ab2e061d2d25ed04beb440a9b722506c19b6b8764d39954e2cbb444221896dc15ade824753baf7789f775906d0fd0230276b7b2ab7be4110abd89d95a3 |
memory/3148-25-0x00000000002C0000-0x0000000000354000-memory.dmp
memory/3148-27-0x00000000002C0000-0x0000000000354000-memory.dmp
memory/2592-29-0x0000000000400000-0x0000000000465000-memory.dmp
memory/3148-28-0x00000000002C0000-0x0000000000354000-memory.dmp
memory/3148-26-0x00000000002C0000-0x0000000000354000-memory.dmp
memory/3148-31-0x00000000002C0000-0x0000000000354000-memory.dmp
memory/3148-32-0x00000000002C0000-0x0000000000354000-memory.dmp
memory/3148-33-0x00000000002C0000-0x0000000000354000-memory.dmp
memory/3148-34-0x00000000002C0000-0x0000000000354000-memory.dmp
memory/3148-35-0x00000000002C0000-0x0000000000354000-memory.dmp