Analysis Overview
SHA256
5f0bc350b5a7f4bb23b518a3674d7a4a731c6bfdfa0cab0f149ddd8565e92f6c
Threat Level: Known bad
The file da38401f466916b9b1fad24d2628e560_NeikiAnalytics was found to be: Known bad.
Malicious Activity Summary
Urelas
Urelas family
Deletes itself
ASPack v2.12-2.42
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-16 10:16
Signatures
Urelas family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-16 10:16
Reported
2024-05-16 10:18
Platform
win7-20240221-en
Max time kernel
149s
Max time network
120s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lyson.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\seyshe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afhuz.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\da38401f466916b9b1fad24d2628e560_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\da38401f466916b9b1fad24d2628e560_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lyson.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lyson.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\seyshe.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\da38401f466916b9b1fad24d2628e560_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\da38401f466916b9b1fad24d2628e560_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\lyson.exe
"C:\Users\Admin\AppData\Local\Temp\lyson.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\seyshe.exe
"C:\Users\Admin\AppData\Local\Temp\seyshe.exe" OK
C:\Users\Admin\AppData\Local\Temp\afhuz.exe
"C:\Users\Admin\AppData\Local\Temp\afhuz.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2964-0-0x0000000000400000-0x0000000000460000-memory.dmp
\Users\Admin\AppData\Local\Temp\lyson.exe
| Hash | Value |
|---|---|
| MD5 | 9ec569aaee1eb60d5e0a5228a7a719e3 |
| SHA1 | 30d40b996786e09998dd39313deafe3f4e237418 |
| SHA256 | 764f83336894a4b2509abba114f4134f3847b153a873c647ec9ad6efac0eee10 |
| SHA512 | 652c804305555819db1cfcfd12ebb84b41b0c92ad6c79fc66a05dcc453aa74888039834a0767e588e35513374ba8f98f1971bd2036adaa5921cf0da008240dc2 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| Hash | Value |
|---|---|
| MD5 | 65ec518d859f428da88baf44e8ea3a13 |
| SHA1 | 0935e6eebd910b57e3625017211013bb62c3f523 |
| SHA256 | 89e077ddcbd1347c5f47bc422517cbb0f883bf4dc89b514ff3987c22b976edd1 |
| SHA512 | d07bb56ea73ac9f0d0d93efca473afd7a56e9563f8a6cb24bd494fc77e7314f56c3078685ca7c00d037dd5d306d64a45b765212755892b535dd528a22ea44760 |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| Hash | Value |
|---|---|
| MD5 | b0ea948c370acb40d26aea807d4fea21 |
| SHA1 | b76acfdd09d4f7276e68414b1efc2686c89c546b |
| SHA256 | 72fe00a86a95404247763982b8f6086e93886fb118b068567e03460f8a868055 |
| SHA512 | 2bc8df94b22c43d77f1eb516c01dd837a57c161823af8096ffa5c5dc885d5da4821faaf06931873a17c8febee51d364a2274d9ca005ad4c01fea7a782ccf8ed2 |
\Users\Admin\AppData\Local\Temp\afhuz.exe
| Hash | Value |
|---|---|
| MD5 | b3a355ab001ab50c337513c70eaf2304 |
| SHA1 | c8b2e36a0de12e9842f9c5ca4c5c452ec5e6ef34 |
| SHA256 | 1a08def20c99aa9bb136a6c1a370f14cecfa8e4af2e81ca85e4676026fea2e91 |
| SHA512 | 25ca3c00e0a0665b8e43db90b7f430b703918343a6c817956d74770e57e7ab934a9733a0608e515717f6a6f7c269599574228ded80e9d34310cc43faccca2887 |
memory/860-44-0x00000000002A0000-0x0000000000348000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| Hash | Value |
|---|---|
| MD5 | cb6f862baabf073eab7783dd54ac73ce |
| SHA1 | e02d1d39cdf8f8b0e1978b137ede7d0ce77ff636 |
| SHA256 | 8e20c83d3ea79852ed968dfb34ee009ab7e5d672eab092ab36c981a28ae080a1 |
| SHA512 | c799bb1229a6e046c9ee90a099f2022ac1fd244042a69936fe3eaa0e13ab308d59f54a5ebfe2b6731fafd5604a211ba3c2270129aac7cafebfe0a28903996302 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-16 10:16
Reported
2024-05-16 10:18
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\da38401f466916b9b1fad24d2628e560_NeikiAnalytics.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\xotyk.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\niquiz.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xotyk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\niquiz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pikuj.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\da38401f466916b9b1fad24d2628e560_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\da38401f466916b9b1fad24d2628e560_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\xotyk.exe
"C:\Users\Admin\AppData\Local\Temp\xotyk.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\niquiz.exe
"C:\Users\Admin\AppData\Local\Temp\niquiz.exe" OK
C:\Users\Admin\AppData\Local\Temp\pikuj.exe
"C:\Users\Admin\AppData\Local\Temp\pikuj.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| BE | 88.221.83.200:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.53.16.96.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 215.143.182.52.in-addr.arpa | udp |
Files
memory/3596-0-0x0000000000400000-0x0000000000460000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\xotyk.exe
| Hash | Value |
|---|---|
| MD5 | 9132d11af1b63b0e5b8fe5f4d3d25726 |
| SHA1 | f080fee02ac0a60cac47ec68eed266c6128410a2 |
| SHA256 | 4dcd567a6989003d1f0cb4ff826d5997f327aa44ecb35b0f9af372013b143cda |
| SHA512 | ea31862dcedfd47c1c70f1a916b66659432a6dfa340c24384565d7f37b04c7529b8692ed792cb98f45abf0ae356352e4b5d4f9681f4216ea9c7cdfdc14d4074c |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| Hash | Value |
|---|---|
| MD5 | 6257716b78899e2197f9f8bddd8cfdf0 |
| SHA1 | 611e94dcf38b9ff0b8c99c090cf2dee76ffded8b |
| SHA256 | 9a1a575cc0aee3669d700f5e27c1ed49e7b5595cca2b55bda59364d9e3f24036 |
| SHA512 | d4acd041bcb0b3ec05f83bbd4b8df8a9078dc82c3b90f330d2aa4ccda76e694f95cc8b14af828f7aa06ca57fa0c7bfbb8f17376e5ec37c39facd680c748198ec |
memory/2068-11-0x0000000000400000-0x0000000000460000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| Hash | Value |
|---|---|
| MD5 | b0ea948c370acb40d26aea807d4fea21 |
| SHA1 | b76acfdd09d4f7276e68414b1efc2686c89c546b |
| SHA256 | 72fe00a86a95404247763982b8f6086e93886fb118b068567e03460f8a868055 |
| SHA512 | 2bc8df94b22c43d77f1eb516c01dd837a57c161823af8096ffa5c5dc885d5da4821faaf06931873a17c8febee51d364a2274d9ca005ad4c01fea7a782ccf8ed2 |
memory/1960-24-0x0000000000400000-0x0000000000460000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pikuj.exe
| Hash | Value |
|---|---|
| MD5 | c398387bbbf5bb722abd38f18f41c24d |
| SHA1 | 05d412e276acca21f51db69c8abda72102da4526 |
| SHA256 | a1ece47fa9fccbc0aa50144c84c696e8f856e7c12da6e9c941f848d9b8ab5ca9 |
| SHA512 | 28ab0dfda0b1213515180bc440d6d5a41ea6d23dd1f6fd0be5d26c709d2406511c35bd55e1f31495d4251b94dacf3a415fc0566934ad2d9e9276742c6e5a3a9d |
memory/2380-40-0x0000000000630000-0x00000000006D8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| Hash | Value |
|---|---|
| MD5 | e88f13cde741c5508fe668fd15cd78b4 |
| SHA1 | 098cb00bf1f04e382580dcfffb84a748ea25a886 |
| SHA256 | d067b26a73c27157da02a7efd2ea5ddf80363038ddd50bbd74f8a6814df74cf7 |
| SHA512 | 821a7200290e7e62a95e065ba93bf2c0d3e11fcc34792733fcfef08cddaa1fc5baf44f0f8cfe0705c088874813ec5f8c519d69fcd4a85a0549b000fde990a67b |