Overview

overview

10

Static

static

1

0702315c2a...cs.exe

windows7-x64

10

0702315c2a...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    156s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-05-2024 05:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0702315c2af23584f8ef1febc660651c052eb448819d4c7432e51148ea8db5a5_NeikiAnalytics.exe

  • Size

    405KB

  • MD5

    1a58288224c79dc2044ca29e638ef5c1

  • SHA1

    5fd106948f289eff5c93d024af2099ea1be433eb

  • SHA256

    0702315c2af23584f8ef1febc660651c052eb448819d4c7432e51148ea8db5a5

  • SHA512

    f634c69fb0173ba905e234f84963d39c45dc433be2190224da8cb850eeb86b1de7fc128ece5f1f1bec24436a4b0f74bd8021024636767af869b10bd20cb2183c

  • SSDEEP

    12288:6fr32XSfBAlkQZZMx6eIuKRPDEO22Ww0XpQ:6fr32ilYZy6H9Ee2XpQ

Score
10/10
riseproevasionexecutionstealertrojan

Malware Config

Signatures

  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 7 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\0702315c2af23584f8ef1febc660651c052eb448819d4c7432e51148ea8db5a5_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\0702315c2af23584f8ef1febc660651c052eb448819d4c7432e51148ea8db5a5_NeikiAnalytics.exe"
    1⤵
    • UAC bypass
    • Windows security bypass
    • Checks computer location settings
    • Windows security modification
    • Checks whether UAC is enabled
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1588
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0702315c2af23584f8ef1febc660651c052eb448819d4c7432e51148ea8db5a5_NeikiAnalytics.exe" -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3660
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
      2⤵
      • Drops startup file
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4028
      • C:\Users\Admin\Pictures\fWKqfcIbnGuD43QgMWDuVnDJ.exe
        "C:\Users\Admin\Pictures\fWKqfcIbnGuD43QgMWDuVnDJ.exe"
        3⤵
        • Executes dropped EXE
        PID:3668
      • C:\Users\Admin\Pictures\RGRaRI88iZdoQjoIxjbcXrNv.exe
        "C:\Users\Admin\Pictures\RGRaRI88iZdoQjoIxjbcXrNv.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:3612
      • C:\Users\Admin\Pictures\pEoJJMEnxqAwbfR3eM4ehPPc.exe
        "C:\Users\Admin\Pictures\pEoJJMEnxqAwbfR3eM4ehPPc.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3352
        • C:\Users\Admin\AppData\Local\Temp\7zS5CD7.tmp\Install.exe
          .\Install.exe /IjiHdidVaJ "385118" /S
          4⤵
          • Executes dropped EXE
          PID:4080
      • C:\Users\Admin\Pictures\a6wxsM5TYALlqzIee9sitzhP.exe
        "C:\Users\Admin\Pictures\a6wxsM5TYALlqzIee9sitzhP.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4496
        • C:\Users\Admin\AppData\Local\Temp\7zS5CD8.tmp\Install.exe
          .\Install.exe /IjiHdidVaJ "385118" /S
          4⤵
          • Executes dropped EXE
          PID:3504
      • C:\Users\Admin\Pictures\npyEa8mQ9AsptWqKRHDI7WE6.exe
        "C:\Users\Admin\Pictures\npyEa8mQ9AsptWqKRHDI7WE6.exe" /s
        3⤵
        • Executes dropped EXE
        PID:5024
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
      2⤵
        PID:2932
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2756 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:3612

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\7zS5CD7.tmp\Install.exe
        Filesize

        6.4MB

        MD5

        220a02a940078153b4063f42f206087b

        SHA1

        02fc647d857573a253a1ab796d162244eb179315

        SHA256

        7eb93d93b03447a6bafd7e084305d41bf9780bd415cb2e70020952d06f3d7b60

        SHA512

        42ac563a7c28cbf361bfb150d5469f0278ab87ce445b437eef8425fb779689d70230b550815f30f9db2909c1ba0dd015b172dfe3e718d26706856f4cb0eeeeaa

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x00ufdpz.kyc.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\Pictures\RGRaRI88iZdoQjoIxjbcXrNv.exe
        Filesize

        7.4MB

        MD5

        4fadc908554eeb6532386f7d1af217e4

        SHA1

        0c50cec9bc1ade05467b6ac20dab7f0bd630de30

        SHA256

        a7b9148fce1c28eeda96ee8807b8eb74165408eaa0aa1b7eb18e180867c82eaa

        SHA512

        fa938bb198367724051ab64e1fa94efdcb2102506014f73772113c9f96d17fc07d73b26370e7c992ccee6da7eba395c04f7ac67186c705827d05084e8781fe5f

        Download Submit

      • C:\Users\Admin\Pictures\a6wxsM5TYALlqzIee9sitzhP.exe
        Filesize

        6.4MB

        MD5

        4ff74a20573995c6dfbe4e01eb1faed3

        SHA1

        ba59a53b9aa27173518530129ffb2e0468a3b821

        SHA256

        f51aa41d18d4c94509fbcb7cf83c0cf76b1b6bc8946ec5abb07f7d5360e58626

        SHA512

        e2b3b750850f4168071844ae6e0fba2e19a90a5499ffafe7e9689e0a12c43d4f92df38b40de39696a9160583e3d1f128db9a5c8e5ef79272d223cf0e0b2192bf

        Download Submit

      • C:\Users\Admin\Pictures\fWKqfcIbnGuD43QgMWDuVnDJ.exe
        Filesize

        2.6MB

        MD5

        3d233051324a244029b80824692b2ad4

        SHA1

        a053ebdacbd5db447c35df6c4c1686920593ef96

        SHA256

        fbd467ce72bca00eea3aaa6f32abc8aca1a734030d082458e21e1fe91e6a8d84

        SHA512

        7f19c6400ac46556a9441844242b1acb0b2f11a47f5d51f6d092406a8c759a6d78c578bb5b15035e7cd1cdb3035acf0db884708b0da1a83eb652a50a68e3a949

        Download Submit

      • C:\Users\Admin\Pictures\iaLO1oHQk1jDx6vg1QCnmmPY.exe
        Filesize

        7KB

        MD5

        77f762f953163d7639dff697104e1470

        SHA1

        ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

        SHA256

        d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

        SHA512

        d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

        Download Submit

      • C:\Users\Admin\Pictures\npyEa8mQ9AsptWqKRHDI7WE6.exe
        Filesize

        1.5MB

        MD5

        cd4acedefa9ab5c7dccac667f91cef13

        SHA1

        bff5ce910f75aeae37583a63828a00ae5f02c4e7

        SHA256

        dd0e8944471f44180dd44807d817e0b8a1c931fc67d48278cdb7354d98567e7c

        SHA512

        06fae66da503eb1b9b4fbe63a5bb98c519a43999060029c35fe289e60b1cb126a6278c67ce90f02e05b893fcaea6d54f9deb65bc6da82561487a7754f50c93d1

        Download Submit

      • memory/1588-3-0x00000176ECD90000-0x00000176ECDEC000-memory.dmp

        Filesize

        368KB

        Download

      • memory/1588-4-0x00007FFBEE9A3000-0x00007FFBEE9A5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1588-0-0x00007FFBEE9A3000-0x00007FFBEE9A5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1588-2-0x00007FFBEE9A0000-0x00007FFBEF461000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1588-1-0x00000176EB060000-0x00000176EB070000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1588-25-0x00007FFBEE9A0000-0x00007FFBEF461000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1588-20-0x00007FFBEE9A0000-0x00007FFBEF461000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3504-113-0x0000000000A10000-0x000000000107E000-memory.dmp

        Filesize

        6.4MB

        Download

      • memory/3612-114-0x00000000039C0000-0x00000000039C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3612-115-0x00000000039D0000-0x00000000039D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3612-121-0x0000000000C20000-0x00000000019C0000-memory.dmp

        Filesize

        13.6MB

        Download

      • memory/3612-120-0x0000000003A40000-0x0000000003A41000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3612-116-0x0000000003A00000-0x0000000003A01000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3612-117-0x0000000003A10000-0x0000000003A11000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3612-118-0x0000000003A20000-0x0000000003A21000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3612-119-0x0000000003A30000-0x0000000003A31000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3660-17-0x000001959E8A0000-0x000001959E8C2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3660-5-0x00007FFBEE9A0000-0x00007FFBEF461000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3660-12-0x00007FFBEE9A0000-0x00007FFBEF461000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3660-16-0x00007FFBEE9A0000-0x00007FFBEF461000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3660-24-0x00007FFBEE9A0000-0x00007FFBEF461000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3660-18-0x00007FFBEE9A0000-0x00007FFBEF461000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3660-21-0x00007FFBEE9A0000-0x00007FFBEF461000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4028-19-0x0000000000400000-0x0000000000408000-memory.dmp

        Filesize

        32KB

        Download

      • memory/4080-112-0x0000000000C50000-0x00000000012BE000-memory.dmp

        Filesize

        6.4MB

        Download