Analysis Overview
SHA256
d83280a42178ef10168d9fb9c8e6998807405da862326ad79e0552607e7dd965
Threat Level: Known bad
The file 05b4fa60d44e41ffdb41e3b3250692d0_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
Urelas
Deletes itself
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
ASPack v2.12-2.42
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-18 21:27
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-18 21:27
Reported
2024-05-18 21:30
Platform
win7-20240221-en
Max time kernel
149s
Max time network
125s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zoajd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\josox.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\05b4fa60d44e41ffdb41e3b3250692d0_NeikiAnalytics.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zoajd.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\05b4fa60d44e41ffdb41e3b3250692d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\05b4fa60d44e41ffdb41e3b3250692d0_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\zoajd.exe
"C:\Users\Admin\AppData\Local\Temp\zoajd.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
C:\Users\Admin\AppData\Local\Temp\josox.exe
"C:\Users\Admin\AppData\Local\Temp\josox.exe"
Network
| Country | Destination | Domain | Proto |
| KR | 218.54.31.226:11110 | | tcp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| JP | 133.242.129.155:11110 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | b830dfe2bbc1e11a60060a89d7da3cdd |
| SHA1 | decaaa67e8bbec531e49eaa8e66c40b55401bfe2 |
| SHA256 | a2cb0e108d52c282b2822ff28560b721a002a17089cc2a63f934af44433a1b1b |
| SHA512 | d133f12ced847b961465153e30820dd5216672150a602ebd2a7760462fe5e6c86242a027ada66989b28a686c0795f0cc3b56629803f5e7e9763289aba25a2c84 |
memory/2820-26-0x0000000000080000-0x00000000000FE000-memory.dmp
memory/2816-24-0x00000000013E0000-0x000000000145E000-memory.dmp
memory/2816-23-0x00000000013E0000-0x000000000145E000-memory.dmp
memory/2816-22-0x00000000013E0000-0x000000000145E000-memory.dmp
memory/2816-21-0x00000000013E0000-0x000000000145E000-memory.dmp
memory/2816-13-0x00000000013E0000-0x000000000145E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\zoajd.exe
| MD5 | 7ddce53b745682fe915d67e1e7be997f |
| SHA1 | 06e5fe19c46f11141d79742711f3be0ccd695a55 |
| SHA256 | 800d8db612a3bcca4f983daf62775e230310729472e2832e1b9aca8798929559 |
| SHA512 | c78ec01afb354633d16cca7f4ed612427f2aa517c06d8a95fdea5160ffc885241be481d2a24ead3038574546b4b878107b335ac1779ae1435d8ed2b17e3a7224 |
memory/2820-3-0x0000000000080000-0x00000000000FE000-memory.dmp
memory/2820-4-0x0000000000080000-0x00000000000FE000-memory.dmp
memory/2820-2-0x0000000000080000-0x00000000000FE000-memory.dmp
memory/2820-1-0x0000000000080000-0x00000000000FE000-memory.dmp
memory/2820-0-0x0000000000080000-0x00000000000FE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | f9adf1e1f598209e3bb8c4c9e3e45a2d |
| SHA1 | ca17742d047d7def2d256fd95ca65977e6123f63 |
| SHA256 | a4a014fe670493c4c177ca4c2d655bd8555b645a305646ea39f49bb17febce45 |
| SHA512 | 59b65056707d8d277bb99659b950879af8e2161eb4cd8d68470e59407193b64242749dfa6beddd0ca3496cfd64c0337292a53f3f5b03f1c310e2b97a13f43707 |
memory/2816-29-0x00000000013E0000-0x000000000145E000-memory.dmp
\Users\Admin\AppData\Local\Temp\josox.exe
| MD5 | cfb3725c035aaeaf04e3c3652142a243 |
| SHA1 | 30d00d9a676570ad3bb4fc276e7e92900a48e4dd |
| SHA256 | 588dd8e94b1f938a531b1052406db9491f4917867967295361bec460bd25b2fa |
| SHA512 | 9bb02387b1654751c2da8113beeeafcdbd93179dc8c71741ac230d1482df822d4af36a6034f467f8440d49c846a08cfaaa6544f71acafa1a024df3d9f23c041f |
memory/1704-50-0x0000000000A50000-0x0000000000AE8000-memory.dmp
memory/1704-49-0x0000000000A50000-0x0000000000AE8000-memory.dmp
memory/1704-47-0x0000000000A50000-0x0000000000AE8000-memory.dmp
memory/2816-46-0x0000000003460000-0x00000000034F8000-memory.dmp
memory/2816-45-0x00000000013E0000-0x000000000145E000-memory.dmp
memory/1704-48-0x0000000000A50000-0x0000000000AE8000-memory.dmp
memory/1704-52-0x0000000000A50000-0x0000000000AE8000-memory.dmp
memory/1704-53-0x0000000000A50000-0x0000000000AE8000-memory.dmp
memory/1704-54-0x0000000000A50000-0x0000000000AE8000-memory.dmp
memory/1704-55-0x0000000000A50000-0x0000000000AE8000-memory.dmp
memory/1704-56-0x0000000000A50000-0x0000000000AE8000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-18 21:27
Reported
2024-05-18 21:30
Platform
win10v2004-20240226-en
Max time kernel
159s
Max time network
171s
Command Line
Signatures
Urelas
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\05b4fa60d44e41ffdb41e3b3250692d0_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\kyqig.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2112 wrote to memory of 2448 | N/A | C:\Users\Admin\AppData\Local\Temp\05b4fa60d44e41ffdb41e3b3250692d0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\kyqig.exe |
| PID 2112 wrote to memory of 2448 | N/A | C:\Users\Admin\AppData\Local\Temp\05b4fa60d44e41ffdb41e3b3250692d0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\kyqig.exe |
| PID 2112 wrote to memory of 2448 | N/A | C:\Users\Admin\AppData\Local\Temp\05b4fa60d44e41ffdb41e3b3250692d0_NeikiAnalytics.exe | C:\Users\Admin\AppData\Local\Temp\kyqig.exe |
| PID 2112 wrote to memory of 3740 | N/A | C:\Users\Admin\AppData\Local\Temp\05b4fa60d44e41ffdb41e3b3250692d0_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2112 wrote to memory of 3740 | N/A | C:\Users\Admin\AppData\Local\Temp\05b4fa60d44e41ffdb41e3b3250692d0_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2112 wrote to memory of 3740 | N/A | C:\Users\Admin\AppData\Local\Temp\05b4fa60d44e41ffdb41e3b3250692d0_NeikiAnalytics.exe | C:\Windows\SysWOW64\cmd.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\05b4fa60d44e41ffdb41e3b3250692d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\05b4fa60d44e41ffdb41e3b3250692d0_NeikiAnalytics.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4064 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\AppData\Local\Temp\kyqig.exe
"C:\Users\Admin\AppData\Local\Temp\kyqig.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
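The WriteProcessMemory table and the Processes list above describe one chain: the Temp-resident sample (PID 2112) writes into a dropped EXE (PID 2448, kyqig.exe) and into a cmd.exe (PID 3740) that runs a .bat from the same Temp directory, which is the cleanup step behind the "Deletes itself" signature in the win7 run. The following is an editor-added example, not sandbox output, that reconstructs that chain from the rows on this page and checks for the pattern. The rows and command lines are transcribed from above; the PID-to-image mapping comes from the WriteProcessMemory table (msedge.exe is left out because the report gives it no PID and it takes no part in the chain); the tag names and the "both halves present" rule are the editor's own.

```python
"""Reconstruct the behavioral2 process chain from the report's rows and flag
the drop-and-run pattern: a Temp-resident parent that launches a dropped EXE
and hands a Temp .bat to cmd.exe.

WRITE_ROWS and PROCESSES are transcribed from the report; the checks below
are an added example, not part of the sandbox output."""
import re

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)")
TEMP_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Batch path inside a cmd /c argument; tolerates the doubled quotes seen in the report.
BAT_RE = re.compile(r'"([A-Za-z]:\\[^"]+?\.bat)"', re.IGNORECASE)

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\05b4fa60d44e41ffdb41e3b3250692d0_NeikiAnalytics.exe"
KYQIG = TEMP + r"\kyqig.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

# The sandbox emits one row per WriteProcessMemory call, hence the triplicates.
WRITE_ROWS = (
    ["| PID 2112 wrote to memory of 2448 | N/A | " + SAMPLE + " | " + KYQIG + " |"] * 3
    + ["| PID 2112 wrote to memory of 3740 | N/A | " + SAMPLE + " | " + CMD + " |"] * 3
)

# (image, command line) pairs from the Processes list.
PROCESSES = [
    (SAMPLE, '"' + SAMPLE + '"'),
    (KYQIG, '"' + KYQIG + '"'),
    (CMD, r'C:\Windows\system32\cmd.exe /c ""' + TEMP + r'\_uinsey.bat" "'),
]


def parse_write_rows(rows):
    """Collapse the table into {(src_pid, dst_pid): {"src", "dst", "writes"}}."""
    edges = {}
    for row in rows:
        cells = [c.strip() for c in row.strip().strip("|").split("|")]
        m = ROW_RE.search(cells[0]) if len(cells) == 4 else None
        if not m:
            continue
        key = (int(m.group(1)), int(m.group(2)))
        edge = edges.setdefault(key, {"src": cells[2], "dst": cells[3], "writes": 0})
        edge["writes"] += 1
    return edges


def in_temp(path):
    return bool(TEMP_RE.match(path))


def bat_paths(cmdline):
    return BAT_RE.findall(cmdline)


def find_drop_and_run(edges, processes):
    """Return (src_pid, dst_pid, tag, artifact) for every edge matching the pattern."""
    cmdline_by_image = {image.lower(): cmdline for image, cmdline in processes}
    findings = []
    for (spid, dpid), e in sorted(edges.items()):
        src, dst = e["src"], e["dst"]
        if not in_temp(src):
            continue  # only a Temp-resident parent is interesting here
        if dst.lower().endswith("\\cmd.exe"):
            bats = [b for b in bat_paths(cmdline_by_image.get(dst.lower(), "")) if in_temp(b)]
            if bats:
                findings.append((spid, dpid, "temp_parent_runs_temp_bat", bats[0]))
        elif in_temp(dst) and dst.lower().endswith(".exe"):
            findings.append((spid, dpid, "temp_parent_runs_dropped_exe", dst))
    return findings


def is_drop_and_run(findings):
    """Both halves present: a dropped EXE launched and a Temp .bat handed to cmd.exe."""
    tags = {tag for _, _, tag, _ in findings}
    return {"temp_parent_runs_dropped_exe", "temp_parent_runs_temp_bat"} <= tags


if __name__ == "__main__":
    edges = parse_write_rows(WRITE_ROWS)
    findings = find_drop_and_run(edges, PROCESSES)
    for (s, d), e in sorted(edges.items()):
        print(f"{s} -> {d}: {e['writes']} writes, {e['src']} -> {e['dst']}")
    for f in findings:
        print("finding:", f)
    print("drop-and-run chain:", is_drop_and_run(findings))
```

Run stand-alone it prints the two collapsed edges (three writes each) and both findings. In a real telemetry pipeline the same two checks apply to Sysmon event 1 (parent image, child image, command line) and event 10 (cross-process access) rather than to the report's table; the regexes are the portable part.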
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.187.234:443 | | tcp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| KR | 218.54.31.226:11110 | | tcp |
| US | 8.8.8.8:53 | 112.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| KR | 1.234.83.146:11170 | | tcp |
| KR | 218.54.31.165:11110 | | tcp |
| US | 8.8.8.8:53 | 49.192.11.51.in-addr.arpa | udp |
| JP | 133.242.129.155:11110 | | tcp |
Files
memory/2112-0-0x00000000009C0000-0x0000000000A3E000-memory.dmp
memory/2112-1-0x00000000009C0000-0x0000000000A3E000-memory.dmp
memory/2112-4-0x00000000009C0000-0x0000000000A3E000-memory.dmp
memory/2112-3-0x00000000009C0000-0x0000000000A3E000-memory.dmp
memory/2112-2-0x00000000009C0000-0x0000000000A3E000-memory.dmp
memory/2112-7-0x00000000009C0000-0x0000000000A3E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\kyqig.exe
| MD5 | ba45811a6642edbaad65a6e77a803905 |
| SHA1 | d24d8b487894e9f94cdd65d6bca6abbcb2926054 |
| SHA256 | 43a4af34f91dbf28c8f241410b1272be5355e40834131032e2cad4ed121e4d51 |
| SHA512 | d728c36f6835e72510540cb3407b106439f2a37ee43847d980a06806d01023e65df6e4e8cb56e06d440a3573c8c33f434438aa085c974213a46487f5b751c8a1 |
memory/2448-18-0x00000000003D0000-0x000000000044E000-memory.dmp
memory/2448-21-0x00000000003D0000-0x000000000044E000-memory.dmp
memory/2448-22-0x00000000003D0000-0x000000000044E000-memory.dmp
memory/2448-20-0x00000000003D0000-0x000000000044E000-memory.dmp
memory/2448-19-0x00000000003D0000-0x000000000044E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini
| MD5 | 0a00edf271dfcfd3ada74203a7fbb571 |
| SHA1 | 02aac5b0230d88eba095254fd868b1d4cf9dc344 |
| SHA256 | cbb1bb9fdab23123efb1c24b2d160ea37dab019735d04231c3f155ca1552a308 |
| SHA512 | 57cc7339adb33bcaa40b7e114ff7f48f62f24397fd2259d30f5bcae14e7258a9a6db9bbd0071e85054b44ac07b707001b3bfc27bfa929232697568235c82c101 |
C:\Users\Admin\AppData\Local\Temp\_uinsey.bat
| MD5 | b830dfe2bbc1e11a60060a89d7da3cdd |
| SHA1 | decaaa67e8bbec531e49eaa8e66c40b55401bfe2 |
| SHA256 | a2cb0e108d52c282b2822ff28560b721a002a17089cc2a63f934af44433a1b1b |
| SHA512 | d133f12ced847b961465153e30820dd5216672150a602ebd2a7760462fe5e6c86242a027ada66989b28a686c0795f0cc3b56629803f5e7e9763289aba25a2c84 |
memory/2112-29-0x00000000009C0000-0x0000000000A3E000-memory.dmp
memory/2448-30-0x00000000003D0000-0x000000000044E000-memory.dmp
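Reading the two detonations side by side tells you which of the indicators above are worth hunting on. The four TCP destinations on ports 11110/11170 recur in both runs; the 443 connections and the 8.8.8.8 PTR lookups appear only in the win10 run next to an msedge.exe utility process, so they are better treated as background. _uinsey.bat hashes identically in both runs, while golfinfo.ini and the dropped EXEs (zoajd.exe, josox.exe, kyqig.exe) hash differently and carry different names each time, so for those the file name or naming shape is the usable signal, not the digest. The following is an editor-added example, not part of the report, that encodes this as a matcher over constructed log lines; the log format, the host and user names in it, and the guess that the dropper always uses a five-lowercase-letter EXE name are assumptions.

```python
"""Match this report's indicators against log lines.

Indicator values are transcribed from the report. The key=value log format,
the LOG lines, and FIVE_LETTER_EXE_RE are constructed for this example."""
import re

# TCP destinations present in BOTH the win7 and win10 runs. The 443 connections
# and 8.8.8.8 PTR lookups appear only in the win10 run, beside an msedge.exe
# utility process, and are left out as likely background.
C2_ENDPOINTS = {
    ("218.54.31.226", 11110),
    ("218.54.31.165", 11110),
    ("1.234.83.146", 11170),
    ("133.242.129.155", 11110),
}

# Hashes that recur across runs are worth hunting on their own.
STABLE_SHA256 = {
    "d83280a42178ef10168d9fb9c8e6998807405da862326ad79e0552607e7dd965": "sample",
    "a2cb0e108d52c282b2822ff28560b721a002a17089cc2a63f934af44433a1b1b": "_uinsey.bat",
}
# These changed between runs, so they identify only the exact artifacts seen.
RUN_SPECIFIC_SHA256 = {
    "800d8db612a3bcca4f983daf62775e230310729472e2832e1b9aca8798929559": "zoajd.exe (win7)",
    "588dd8e94b1f938a531b1052406db9491f4917867967295361bec460bd25b2fa": "josox.exe (win7)",
    "43a4af34f91dbf28c8f241410b1272be5355e40834131032e2cad4ed121e4d51": "kyqig.exe (win10)",
    "a4a014fe670493c4c177ca4c2d655bd8555b645a305646ea39f49bb17febce45": "golfinfo.ini (win7)",
    "cbb1bb9fdab23123efb1c24b2d160ea37dab019735d04231c3f155ca1552a308": "golfinfo.ini (win10)",
}

KV_RE = re.compile(r"(\w+)=(\S+)")
TEMP_FILE_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\([^\\]+)$")
# zoajd, josox, kyqig: five lowercase letters in all three observed drops.
# Assumption drawn from three samples; treat matches as weak.
FIVE_LETTER_EXE_RE = re.compile(r"^[a-z]{5}\.exe$")

# Constructed log lines (no spaces inside values, which KV_RE relies on).
LOG = [
    r"2024-05-18T21:28:01Z conn src=10.0.0.5:49210 dst=218.54.31.226:11110 proto=tcp",
    r"2024-05-18T21:28:02Z conn src=10.0.0.5:49211 dst=142.250.187.234:443 proto=tcp",
    r"2024-05-18T21:28:03Z file path=C:\Users\bob\AppData\Local\Temp\golfinfo.ini sha256=0123456789abcdef",
    r"2024-05-18T21:28:04Z file path=C:\Users\bob\AppData\Local\Temp\_uinsey.bat sha256=a2cb0e108d52c282b2822ff28560b721a002a17089cc2a63f934af44433a1b1b",
    r"2024-05-18T21:28:05Z file path=C:\Users\bob\AppData\Local\Temp\hwpqz.exe sha256=fedcba9876543210",
    r"2024-05-18T21:28:06Z file path=C:\ProgramData\Vendor\tool.exe sha256=00ff00ff00ff00ff",
]


def parse_line(line):
    ts, kind, rest = line.split(" ", 2)
    return ts, kind, dict(KV_RE.findall(rest))


def check_conn(fields):
    ip, port = fields["dst"].rsplit(":", 1)
    if (ip, int(port)) in C2_ENDPOINTS:
        return [f"c2 endpoint {ip}:{port}"]
    return []


def check_file(fields):
    reasons = []
    digest = fields.get("sha256", "").lower()
    if digest in STABLE_SHA256:
        reasons.append(f"known hash ({STABLE_SHA256[digest]})")
    elif digest in RUN_SPECIFIC_SHA256:
        reasons.append(f"exact artifact hash ({RUN_SPECIFIC_SHA256[digest]})")
    m = TEMP_FILE_RE.match(fields.get("path", "").lower())
    if m:
        name = m.group(1)
        if name in ("golfinfo.ini", "_uinsey.bat"):
            reasons.append(f"urelas artifact name {name} in Temp")
        elif FIVE_LETTER_EXE_RE.match(name):
            reasons.append(f"weak: five-letter exe {name} in Temp")
    return reasons


def hunt(lines):
    """Return [(line_number, reason)] for every indicator match."""
    hits = []
    for n, line in enumerate(lines, 1):
        _, kind, fields = parse_line(line)
        reasons = check_conn(fields) if kind == "conn" else check_file(fields) if kind == "file" else []
        hits.extend((n, r) for r in reasons)
    return hits


if __name__ == "__main__":
    for n, reason in hunt(LOG):
        print(f"line {n}: {reason}")
```

On the constructed input this reports the C2 connection, the golfinfo.ini name (its hash differs, as it did between the two runs), both the hash and the name for _uinsey.bat, and a weak hit for the five-letter EXE; the Google-range 443 connection and the file outside Temp produce nothing.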