Malware Analysis Report

2025-01-22 12:24

Sample ID 240516-vzf5caff57
Target e6cdae440bacb549f034f68760e29920_NeikiAnalytics
SHA256 e783c6f0fe78e96f590f3e1345026f0cca66bedf8779f7da118ca6eee5855967
Tags urelas aspackv2 trojan upx
Score 10/10

Analysis Overview

Score 10/10

SHA256 e783c6f0fe78e96f590f3e1345026f0cca66bedf8779f7da118ca6eee5855967

Threat Level: Known bad

The file e6cdae440bacb549f034f68760e29920_NeikiAnalytics was found to be: Known bad.

Malicious Activity Summary

urelas aspackv2 trojan upx

Urelas family

Urelas

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

UPX packed file

Deletes itself

ASPack v2.12-2.42

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported 2024-05-16 17:25

Signatures

Urelas family

urelas

UPX packed file

upx

Unsigned PE

Analysis: behavioral2

Detonation Overview

Submitted 2024-05-16 17:25
Reported 2024-05-16 17:28
Platform win10v2004-20240508-en
Max time kernel 150s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e6cdae440bacb549f034f68760e29920_NeikiAnalytics.exe"

Signatures

Urelas

trojan urelas

ASPack v2.12-2.42

aspackv2

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e6cdae440bacb549f034f68760e29920_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tupof.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ukfooh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tupof.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ukfooh.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\azpus.exe N/A

UPX packed file

upx

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\azpus.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2252 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\e6cdae440bacb549f034f68760e29920_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\tupof.exe
PID 2252 wrote to memory of 4172 N/A C:\Users\Admin\AppData\Local\Temp\e6cdae440bacb549f034f68760e29920_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 996 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\tupof.exe C:\Users\Admin\AppData\Local\Temp\ukfooh.exe
PID 4564 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\ukfooh.exe C:\Users\Admin\AppData\Local\Temp\azpus.exe
PID 4564 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\ukfooh.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e6cdae440bacb549f034f68760e29920_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\e6cdae440bacb549f034f68760e29920_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\tupof.exe

"C:\Users\Admin\AppData\Local\Temp\tupof.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\ukfooh.exe

"C:\Users\Admin\AppData\Local\Temp\ukfooh.exe" OK

C:\Users\Admin\AppData\Local\Temp\azpus.exe

"C:\Users\Admin\AppData\Local\Temp\azpus.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network


Files

C:\Users\Admin\AppData\Local\Temp\tupof.exe

MD5 1caf431469b05a2a62ea9cedaea9d476
SHA1 c036e3d57890bbd446c2cf8e21c9e6c8ecdb4635
SHA256 6ecd35347a7652ade8acc90f4c8910af007226e2cf2a54c8643df6d88299d136
SHA512 3e870d59efbfee798b9dba774fadc9c5a4343b95621e9d5951d2e9e701da0ec0896cd4d7ff0023c41ed5a8540e3246dfd682549af74071f8632a54f65657bec7

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 12dc537b54a458c69be2d9fcaa724300
SHA1 c65ef562659cac13378cc4813535bd0e0cfaed27
SHA256 e5551526ebaa070984d817fcb0b197063fcf4b6fd24ef64632383bb99a33a697
SHA512 0255c542072f54aff8bbfa6f3e740df95c10a92e7304012c89ee77e1e31d57f9d61549b39a4014811f7354e62a4ee210141c636653b946eb9e0a8c77b4dd502c

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 0823865cb25a7a27db03c604989b529c
SHA1 384032c13c6a5e3ee8b570392ed45db910b0b6f1
SHA256 1f5f19cd6d6edc59a28a3164d0c745b739450347f1ae22b6c550270de1ae6398
SHA512 1b9b9707174bb36542b7f807588bac3e36374241943f51e7b3228eb4ae02de0817fdbed1fdfbc444df4dbe9470c64715cf302b8119e78c74858b5dbc1183f1ff

C:\Users\Admin\AppData\Local\Temp\azpus.exe

MD5 7a83913eecc455381632c3b038d13268
SHA1 efcd88fd7a3f3582cd53788c25937e28b869bfe8
SHA256 9b1c6be60b979c10445f3212cea47019682408fbf0bf75de7c9e891827d2f0df
SHA512 d3b7eaf0ce52d92c93aa5e5cbd04ec7c3b5510c550fb4ede199480e3bdf96779a3e397ffc14afb7cb09d90acb0d1f6f37a3357fef536b25eb086dde84d08ca49

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 5a29d1f10053285c2d1f60faae33dfe2
SHA1 6baab06febca88249ee6e9a8a5e644961dd5b834
SHA256 59971e8d793ae473e572e6cf6cbd1d39594bbb28c18ac6ea4e452bdf243e3f4f
SHA512 5d7cbbcb9da7d02a84a4afd67bf0a93410e94aa50d7fde96478aacb4bdad9085ff3ec7435777e090ce4a399d8c9dccbd9e97c4d64eb7c47b6f5075924ec62998


Analysis: behavioral1

Detonation Overview

Submitted 2024-05-16 17:25
Reported 2024-05-16 17:27
Platform win7-20231129-en
Max time kernel 149s
Max time network 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e6cdae440bacb549f034f68760e29920_NeikiAnalytics.exe"

Signatures

Urelas

trojan urelas

ASPack v2.12-2.42

aspackv2

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\buylt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tufago.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ozevm.exe N/A

UPX packed file

upx

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ozevm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2916 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\e6cdae440bacb549f034f68760e29920_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\buylt.exe
PID 2916 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\e6cdae440bacb549f034f68760e29920_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 3024 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\buylt.exe C:\Users\Admin\AppData\Local\Temp\tufago.exe
PID 2664 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\tufago.exe C:\Users\Admin\AppData\Local\Temp\ozevm.exe
PID 2664 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\tufago.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e6cdae440bacb549f034f68760e29920_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\e6cdae440bacb549f034f68760e29920_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\buylt.exe

"C:\Users\Admin\AppData\Local\Temp\buylt.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

C:\Users\Admin\AppData\Local\Temp\tufago.exe

"C:\Users\Admin\AppData\Local\Temp\tufago.exe" OK

C:\Users\Admin\AppData\Local\Temp\ozevm.exe

"C:\Users\Admin\AppData\Local\Temp\ozevm.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_vslite.bat" "

Network

Country Destination Domain Proto
KR 218.54.31.226:11110 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.165:11110 tcp
JP 133.242.129.155:11110 tcp

Files

\Users\Admin\AppData\Local\Temp\buylt.exe

MD5 47952e9c3aaa61ac4052aa5efdbc5ca3
SHA1 3c68e6b428d47810d9c53771a9104ab1a66cd253
SHA256 2a0b41d34c23f0e03727592cbff6121dc3f09f5c53dd3f9d772ad9b518f08820
SHA512 bca0447bf4b3748d078bb91e1e931e86d48ff91657ab656114ea9093f2d252726daee7b270a5e5d56d32f6ef295215596203fd07e96c9a1b48e5f0abf48779e0

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 e3cfe7c79a0b1f75bcb59827a6f34b44
SHA1 f17229594a702afc972f6dbeb94efe0002404f28
SHA256 5ce1dc7d671344ad2ab8ec677480e416261da3ecee7b9d1308abb3319cef0b3b
SHA512 b14585e0ab12515bc6e3e0428cd6780cdf8f969ff9b7bab28123fe6a097379a5dd653f9f007a242a57af44f345f8a8b70ca0348ce7613adcce2cf84340559982

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 0823865cb25a7a27db03c604989b529c
SHA1 384032c13c6a5e3ee8b570392ed45db910b0b6f1
SHA256 1f5f19cd6d6edc59a28a3164d0c745b739450347f1ae22b6c550270de1ae6398
SHA512 1b9b9707174bb36542b7f807588bac3e36374241943f51e7b3228eb4ae02de0817fdbed1fdfbc444df4dbe9470c64715cf302b8119e78c74858b5dbc1183f1ff

\Users\Admin\AppData\Local\Temp\ozevm.exe

MD5 099e66486be4feb90d8687f723b29493
SHA1 aba5db3c123ec90fd7d6c32598866003a4c75a53
SHA256 538fee3d2ab19ab156ab1e7348f6f2a7a320c2acf1d86547ee90d297b73f8382
SHA512 54914c51e3afbab06d378fa5f0e2dccba059ff4ac8cab202253fb3862c2cf367e2daadb21d895fff2f0fd29c7221b0e0f547bbd6b6143ac504a7e414497f2895

C:\Users\Admin\AppData\Local\Temp\_vslite.bat

MD5 acff5b9dc0bfa051b1bd9fc89de6b8be
SHA1 d2561b97937f519552d3811171927926afa23d51
SHA256 70b1304ce4bb4977a6554e637d6e400087a751457ef3d53e7816ddc3b7d34372
SHA512 95162ad81d76a6be906d9244f2304118c8bf073218f88f2a7de7e4dbdc6c230d5ac8c527b4c34b951d4ec2245898cd6e5a1ced5236bfc831bc25af8857153524
