5e6b2814360d1bd170c8150ff7700224f8953cd9a3a6255e5d371b8e7f861fb5

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10-05-2024 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1365b982a7270ebb753412d04c62fde0_NeikiAnalytics.exe
Size

111KB
MD5

1365b982a7270ebb753412d04c62fde0
SHA1

9deb111a73225512ee9d7ab4c11c1e3dff961575
SHA256

5e6b2814360d1bd170c8150ff7700224f8953cd9a3a6255e5d371b8e7f861fb5
SHA512

d08e0745bee1aab39f2144f2c7cd04d8fc91b3879d7f87443a4fa3b535d5999c3408f50263b059e1d17ba920f2456bfb88adfba24ae335e6c1df95deedb7a6a8
SSDEEP

1536:1P1K6eYrPOxOfDwTvD+bFWU+L1i4QmOexXxBxmxZx44D4dMz4n4N4t4R4R7ILiJy:p1K6Rgp4D4dMz4n4N4t4R4aEIIIIza

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	keoum.exe

Executes dropped EXE 1 IoCs

pid	Process
2736	keoum.exe

Loads dropped DLL 2 IoCs

pid	Process
1312	1365b982a7270ebb753412d04c62fde0_NeikiAnalytics.exe
1312	1365b982a7270ebb753412d04c62fde0_NeikiAnalytics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\keoum = "C:\\Users\\Admin\\keoum.exe"	keoum.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe
2736	keoum.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1312	1365b982a7270ebb753412d04c62fde0_NeikiAnalytics.exe
2736	keoum.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 2736	1312	1365b982a7270ebb753412d04c62fde0_NeikiAnalytics.exe	28
PID 1312 wrote to memory of 2736	1312	1365b982a7270ebb753412d04c62fde0_NeikiAnalytics.exe	28
PID 1312 wrote to memory of 2736	1312	1365b982a7270ebb753412d04c62fde0_NeikiAnalytics.exe	28
PID 1312 wrote to memory of 2736	1312	1365b982a7270ebb753412d04c62fde0_NeikiAnalytics.exe	28
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27
PID 2736 wrote to memory of 1312	2736	keoum.exe	27

C:\Users\Admin\AppData\Local\Temp\1365b982a7270ebb753412d04c62fde0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1365b982a7270ebb753412d04c62fde0_NeikiAnalytics.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Users\Admin\keoum.exe
  "C:\Users\Admin\keoum.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\keoum.exe

Filesize
111KB

MD5
7a0a555c2d8587964c53a60527080dfd

SHA1
a12519b0ef2cd316f1f08cc774420de9c2baa071

SHA256
5b47401308da92863868006275c5f8a6df728c3b9cc3af7e500ee202cfa4e367

SHA512
6102aacb401f7b1b0d528aa43e2a116b256a9e06f4b29136fee4c75e5b55b013719c58071974c7fdd7a5b2c398532c1b47f82241c43eebb4bfb5ff849986bdf5

Download Submit