Malware Analysis Report

2025-01-22 12:22

Sample ID 240518-1a43rsge3y
Target 05b4fa60d44e41ffdb41e3b3250692d0_NeikiAnalytics.exe
SHA256 d83280a42178ef10168d9fb9c8e6998807405da862326ad79e0552607e7dd965
Tags
aspackv2 urelas trojan
score
10/10

Analysis Overview

score
10/10

SHA256

d83280a42178ef10168d9fb9c8e6998807405da862326ad79e0552607e7dd965

Threat Level: Known bad

The file 05b4fa60d44e41ffdb41e3b3250692d0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

aspackv2 urelas trojan

Urelas

Deletes itself

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

ASPack v2.12-2.42

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-18 21:27

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-18 21:27

Reported

2024-05-18 21:30

Platform

win7-20240221-en

Max time kernel

149s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\05b4fa60d44e41ffdb41e3b3250692d0_NeikiAnalytics.exe"

Signatures

Urelas

trojan urelas

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\zoajd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\josox.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\josox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2820 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\05b4fa60d44e41ffdb41e3b3250692d0_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\zoajd.exe
PID 2820 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\05b4fa60d44e41ffdb41e3b3250692d0_NeikiAnalytics.exe C:\Windows\SysWOW64\cmd.exe
PID 2816 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\zoajd.exe C:\Users\Admin\AppData\Local\Temp\josox.exe

Processes

C:\Users\Admin\AppData\Local\Temp\05b4fa60d44e41ffdb41e3b3250692d0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\05b4fa60d44e41ffdb41e3b3250692d0_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\zoajd.exe

"C:\Users\Admin\AppData\Local\Temp\zoajd.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

C:\Users\Admin\AppData\Local\Temp\josox.exe

"C:\Users\Admin\AppData\Local\Temp\josox.exe"

Network

Country Destination Domain Proto
KR 218.54.31.226:11110 tcp
KR 1.234.83.146:11170 tcp
KR 218.54.31.165:11110 tcp
JP 133.242.129.155:11110 tcp

Files

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 b830dfe2bbc1e11a60060a89d7da3cdd
SHA1 decaaa67e8bbec531e49eaa8e66c40b55401bfe2
SHA256 a2cb0e108d52c282b2822ff28560b721a002a17089cc2a63f934af44433a1b1b
SHA512 d133f12ced847b961465153e30820dd5216672150a602ebd2a7760462fe5e6c86242a027ada66989b28a686c0795f0cc3b56629803f5e7e9763289aba25a2c84

memory/2820-26-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/2816-24-0x00000000013E0000-0x000000000145E000-memory.dmp

memory/2816-23-0x00000000013E0000-0x000000000145E000-memory.dmp

memory/2816-22-0x00000000013E0000-0x000000000145E000-memory.dmp

memory/2816-21-0x00000000013E0000-0x000000000145E000-memory.dmp

memory/2816-13-0x00000000013E0000-0x000000000145E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\zoajd.exe

MD5 7ddce53b745682fe915d67e1e7be997f
SHA1 06e5fe19c46f11141d79742711f3be0ccd695a55
SHA256 800d8db612a3bcca4f983daf62775e230310729472e2832e1b9aca8798929559
SHA512 c78ec01afb354633d16cca7f4ed612427f2aa517c06d8a95fdea5160ffc885241be481d2a24ead3038574546b4b878107b335ac1779ae1435d8ed2b17e3a7224

memory/2820-3-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/2820-4-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/2820-2-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/2820-1-0x0000000000080000-0x00000000000FE000-memory.dmp

memory/2820-0-0x0000000000080000-0x00000000000FE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 f9adf1e1f598209e3bb8c4c9e3e45a2d
SHA1 ca17742d047d7def2d256fd95ca65977e6123f63
SHA256 a4a014fe670493c4c177ca4c2d655bd8555b645a305646ea39f49bb17febce45
SHA512 59b65056707d8d277bb99659b950879af8e2161eb4cd8d68470e59407193b64242749dfa6beddd0ca3496cfd64c0337292a53f3f5b03f1c310e2b97a13f43707

memory/2816-29-0x00000000013E0000-0x000000000145E000-memory.dmp

\Users\Admin\AppData\Local\Temp\josox.exe

MD5 cfb3725c035aaeaf04e3c3652142a243
SHA1 30d00d9a676570ad3bb4fc276e7e92900a48e4dd
SHA256 588dd8e94b1f938a531b1052406db9491f4917867967295361bec460bd25b2fa
SHA512 9bb02387b1654751c2da8113beeeafcdbd93179dc8c71741ac230d1482df822d4af36a6034f467f8440d49c846a08cfaaa6544f71acafa1a024df3d9f23c041f

memory/1704-50-0x0000000000A50000-0x0000000000AE8000-memory.dmp

memory/1704-49-0x0000000000A50000-0x0000000000AE8000-memory.dmp

memory/1704-47-0x0000000000A50000-0x0000000000AE8000-memory.dmp

memory/2816-46-0x0000000003460000-0x00000000034F8000-memory.dmp

memory/2816-45-0x00000000013E0000-0x000000000145E000-memory.dmp

memory/1704-48-0x0000000000A50000-0x0000000000AE8000-memory.dmp

memory/1704-52-0x0000000000A50000-0x0000000000AE8000-memory.dmp

memory/1704-53-0x0000000000A50000-0x0000000000AE8000-memory.dmp

memory/1704-54-0x0000000000A50000-0x0000000000AE8000-memory.dmp

memory/1704-55-0x0000000000A50000-0x0000000000AE8000-memory.dmp

memory/1704-56-0x0000000000A50000-0x0000000000AE8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-18 21:27

Reported

2024-05-18 21:30

Platform

win10v2004-20240226-en

Max time kernel

159s

Max time network

171s

Command Line

"C:\Users\Admin\AppData\Local\Temp\05b4fa60d44e41ffdb41e3b3250692d0_NeikiAnalytics.exe"

Signatures

Urelas

trojan urelas

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\05b4fa60d44e41ffdb41e3b3250692d0_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\kyqig.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\05b4fa60d44e41ffdb41e3b3250692d0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\05b4fa60d44e41ffdb41e3b3250692d0_NeikiAnalytics.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4064 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\Temp\kyqig.exe

"C:\Users\Admin\AppData\Local\Temp\kyqig.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "

Network

Country Destination Domain Proto
GB 142.250.187.234:443 tcp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 138.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
KR 218.54.31.226:11110 tcp
US 8.8.8.8:53 112.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
KR 1.234.83.146:11170 tcp
KR 218.54.31.165:11110 tcp
US 8.8.8.8:53 49.192.11.51.in-addr.arpa udp
JP 133.242.129.155:11110 tcp

Files

memory/2112-0-0x00000000009C0000-0x0000000000A3E000-memory.dmp

memory/2112-1-0x00000000009C0000-0x0000000000A3E000-memory.dmp

memory/2112-4-0x00000000009C0000-0x0000000000A3E000-memory.dmp

memory/2112-3-0x00000000009C0000-0x0000000000A3E000-memory.dmp

memory/2112-2-0x00000000009C0000-0x0000000000A3E000-memory.dmp

memory/2112-7-0x00000000009C0000-0x0000000000A3E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\kyqig.exe

MD5 ba45811a6642edbaad65a6e77a803905
SHA1 d24d8b487894e9f94cdd65d6bca6abbcb2926054
SHA256 43a4af34f91dbf28c8f241410b1272be5355e40834131032e2cad4ed121e4d51
SHA512 d728c36f6835e72510540cb3407b106439f2a37ee43847d980a06806d01023e65df6e4e8cb56e06d440a3573c8c33f434438aa085c974213a46487f5b751c8a1

memory/2448-18-0x00000000003D0000-0x000000000044E000-memory.dmp

memory/2448-21-0x00000000003D0000-0x000000000044E000-memory.dmp

memory/2448-22-0x00000000003D0000-0x000000000044E000-memory.dmp

memory/2448-20-0x00000000003D0000-0x000000000044E000-memory.dmp

memory/2448-19-0x00000000003D0000-0x000000000044E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 0a00edf271dfcfd3ada74203a7fbb571
SHA1 02aac5b0230d88eba095254fd868b1d4cf9dc344
SHA256 cbb1bb9fdab23123efb1c24b2d160ea37dab019735d04231c3f155ca1552a308
SHA512 57cc7339adb33bcaa40b7e114ff7f48f62f24397fd2259d30f5bcae14e7258a9a6db9bbd0071e85054b44ac07b707001b3bfc27bfa929232697568235c82c101

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

MD5 b830dfe2bbc1e11a60060a89d7da3cdd
SHA1 decaaa67e8bbec531e49eaa8e66c40b55401bfe2
SHA256 a2cb0e108d52c282b2822ff28560b721a002a17089cc2a63f934af44433a1b1b
SHA512 d133f12ced847b961465153e30820dd5216672150a602ebd2a7760462fe5e6c86242a027ada66989b28a686c0795f0cc3b56629803f5e7e9763289aba25a2c84

memory/2112-29-0x00000000009C0000-0x0000000000A3E000-memory.dmp

memory/2448-30-0x00000000003D0000-0x000000000044E000-memory.dmp