Analysis Overview
SHA256
e783c6f0fe78e96f590f3e1345026f0cca66bedf8779f7da118ca6eee5855967
Threat Level: Known bad
The file e6cdae440bacb549f034f68760e29920_NeikiAnalytics was found to be: Known bad.
Malicious Activity Summary
Urelas family
Urelas
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
UPX packed file
Deletes itself
ASPack v2.12-2.42
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-16 17:25
Signatures
Urelas family
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-16 17:25
Reported
2024-05-16 17:28
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e6cdae440bacb549f034f68760e29920_NeikiAnalytics.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tupof.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ukfooh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tupof.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ukfooh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\azpus.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e6cdae440bacb549f034f68760e29920_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e6cdae440bacb549f034f68760e29920_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\tupof.exe
"C:\Users\Admin\AppData\Local\Temp\tupof.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\ukfooh.exe
"C:\Users\Admin\AppData\Local\Temp\ukfooh.exe" OK
C:\Users\Admin\AppData\Local\Temp\azpus.exe
"C:\Users\Admin\AppData\Local\Temp\azpus.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| NL | 23.62.61.152:443 | www.bing.com | tcp |
| KR | 218.54.31.226:11110 | | tcp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.61.62.23.in-addr.arpa | udp |
| NL | 23.62.61.152:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\tupof.exe
| MD5 | 1caf431469b05a2a62ea9cedaea9d476 |
| SHA1 | c036e3d57890bbd446c2cf8e21c9e6c8ecdb4635 |
| SHA256 | 6ecd35347a7652ade8acc90f4c8910af007226e2cf2a54c8643df6d88299d136 |
| SHA512 | 3e870d59efbfee798b9dba774fadc9c5a4343b95621e9d5951d2e9e701da0ec0896cd4d7ff0023c41ed5a8540e3246dfd682549af74071f8632a54f65657bec7 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 12dc537b54a458c69be2d9fcaa724300 |
| SHA1 | c65ef562659cac13378cc4813535bd0e0cfaed27 |
| SHA256 | e5551526ebaa070984d817fcb0b197063fcf4b6fd24ef64632383bb99a33a697 |
| SHA512 | 0255c542072f54aff8bbfa6f3e740df95c10a92e7304012c89ee77e1e31d57f9d61549b39a4014811f7354e62a4ee210141c636653b946eb9e0a8c77b4dd502c |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 0823865cb25a7a27db03c604989b529c |
| SHA1 | 384032c13c6a5e3ee8b570392ed45db910b0b6f1 |
| SHA256 | 1f5f19cd6d6edc59a28a3164d0c745b739450347f1ae22b6c550270de1ae6398 |
| SHA512 | 1b9b9707174bb36542b7f807588bac3e36374241943f51e7b3228eb4ae02de0817fdbed1fdfbc444df4dbe9470c64715cf302b8119e78c74858b5dbc1183f1ff |
C:\Users\Admin\AppData\Local\Temp\azpus.exe
| MD5 | 7a83913eecc455381632c3b038d13268 |
| SHA1 | efcd88fd7a3f3582cd53788c25937e28b869bfe8 |
| SHA256 | 9b1c6be60b979c10445f3212cea47019682408fbf0bf75de7c9e891827d2f0df |
| SHA512 | d3b7eaf0ce52d92c93aa5e5cbd04ec7c3b5510c550fb4ede199480e3bdf96779a3e397ffc14afb7cb09d90acb0d1f6f37a3357fef536b25eb086dde84d08ca49 |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 5a29d1f10053285c2d1f60faae33dfe2 |
| SHA1 | 6baab06febca88249ee6e9a8a5e644961dd5b834 |
| SHA256 | 59971e8d793ae473e572e6cf6cbd1d39594bbb28c18ac6ea4e452bdf243e3f4f |
| SHA512 | 5d7cbbcb9da7d02a84a4afd67bf0a93410e94aa50d7fde96478aacb4bdad9085ff3ec7435777e090ce4a399d8c9dccbd9e97c4d64eb7c47b6f5075924ec62998 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-16 17:25
Reported
2024-05-16 17:27
Platform
win7-20231129-en
Max time kernel
149s
Max time network
122s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\buylt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tufago.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ozevm.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e6cdae440bacb549f034f68760e29920_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e6cdae440bacb549f034f68760e29920_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\buylt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\buylt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tufago.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\e6cdae440bacb549f034f68760e29920_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\e6cdae440bacb549f034f68760e29920_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\buylt.exe
"C:\Users\Admin\AppData\Local\Temp\buylt.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
C:\Users\Admin\AppData\Local\Temp\tufago.exe
"C:\Users\Admin\AppData\Local\Temp\tufago.exe" OK
C:\Users\Admin\AppData\Local\Temp\ozevm.exe
"C:\Users\Admin\AppData\Local\Temp\ozevm.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\buylt.exe
| MD5 | 47952e9c3aaa61ac4052aa5efdbc5ca3 |
| SHA1 | 3c68e6b428d47810d9c53771a9104ab1a66cd253 |
| SHA256 | 2a0b41d34c23f0e03727592cbff6121dc3f09f5c53dd3f9d772ad9b518f08820 |
| SHA512 | bca0447bf4b3748d078bb91e1e931e86d48ff91657ab656114ea9093f2d252726daee7b270a5e5d56d32f6ef295215596203fd07e96c9a1b48e5f0abf48779e0 |
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | e3cfe7c79a0b1f75bcb59827a6f34b44 |
| SHA1 | f17229594a702afc972f6dbeb94efe0002404f28 |
| SHA256 | 5ce1dc7d671344ad2ab8ec677480e416261da3ecee7b9d1308abb3319cef0b3b |
| SHA512 | b14585e0ab12515bc6e3e0428cd6780cdf8f969ff9b7bab28123fe6a097379a5dd653f9f007a242a57af44f345f8a8b70ca0348ce7613adcce2cf84340559982 |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | 0823865cb25a7a27db03c604989b529c |
| SHA1 | 384032c13c6a5e3ee8b570392ed45db910b0b6f1 |
| SHA256 | 1f5f19cd6d6edc59a28a3164d0c745b739450347f1ae22b6c550270de1ae6398 |
| SHA512 | 1b9b9707174bb36542b7f807588bac3e36374241943f51e7b3228eb4ae02de0817fdbed1fdfbc444df4dbe9470c64715cf302b8119e78c74858b5dbc1183f1ff |
\Users\Admin\AppData\Local\Temp\ozevm.exe
| MD5 | 099e66486be4feb90d8687f723b29493 |
| SHA1 | aba5db3c123ec90fd7d6c32598866003a4c75a53 |
| SHA256 | 538fee3d2ab19ab156ab1e7348f6f2a7a320c2acf1d86547ee90d297b73f8382 |
| SHA512 | 54914c51e3afbab06d378fa5f0e2dccba059ff4ac8cab202253fb3862c2cf367e2daadb21d895fff2f0fd29c7221b0e0f547bbd6b6143ac504a7e414497f2895 |
C:\Users\Admin\AppData\Local\Temp\_vslite.bat
| MD5 | acff5b9dc0bfa051b1bd9fc89de6b8be |
| SHA1 | d2561b97937f519552d3811171927926afa23d51 |
| SHA256 | 70b1304ce4bb4977a6554e637d6e400087a751457ef3d53e7816ddc3b7d34372 |
| SHA512 | 95162ad81d76a6be906d9244f2304118c8bf073218f88f2a7de7e4dbdc6c230d5ac8c527b4c34b951d4ec2245898cd6e5a1ced5236bfc831bc25af8857153524 |