risepro | 0702315c2af23584f8ef1febc660651c052eb448819d4c7432e51148ea8db5a5

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

0702315c2af23584f8ef1febc660651c052eb448819d4c7432e51148ea8db5a5_NeikiAnalytics.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0702315c2af23584f8ef1febc660651c052eb448819d4c7432e51148ea8db5a5_NeikiAnalytics.exe

Windows security bypass 2 TTPs 2 IoCs

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

0702315c2af23584f8ef1febc660651c052eb448819d4c7432e51148ea8db5a5_NeikiAnalytics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	0702315c2af23584f8ef1febc660651c052eb448819d4c7432e51148ea8db5a5_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\0702315c2af23584f8ef1febc660651c052eb448819d4c7432e51148ea8db5a5_NeikiAnalytics.exe = "0"	0702315c2af23584f8ef1febc660651c052eb448819d4c7432e51148ea8db5a5_NeikiAnalytics.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

3660 powershell.exe
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0702315c2af23584f8ef1febc660651c052eb448819d4c7432e51148ea8db5a5_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	0702315c2af23584f8ef1febc660651c052eb448819d4c7432e51148ea8db5a5_NeikiAnalytics.exe

Drops startup file 6 IoCs

Processes:

msbuild.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a0RlwvaayMn6acLzOFfgFuIG.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7BBGCjWlYhPAYeoGVf3foRf2.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mcGEsVlWHKP16ikno1N2aOi1.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QJXA6QJasQnesJevqCfz3joh.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XbLXst7qfznCvDTwgOkcV5xF.bat	msbuild.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lg2FkZg5KwXUsg7PQruvyqQ7.bat	msbuild.exe

Executes dropped EXE 7 IoCs

Processes:

fWKqfcIbnGuD43QgMWDuVnDJ.exenpyEa8mQ9AsptWqKRHDI7WE6.exeRGRaRI88iZdoQjoIxjbcXrNv.exepEoJJMEnxqAwbfR3eM4ehPPc.exea6wxsM5TYALlqzIee9sitzhP.exeInstall.exeInstall.exe

pid	process
3668	fWKqfcIbnGuD43QgMWDuVnDJ.exe
5024	npyEa8mQ9AsptWqKRHDI7WE6.exe
3612	RGRaRI88iZdoQjoIxjbcXrNv.exe
3352	pEoJJMEnxqAwbfR3eM4ehPPc.exe
4496	a6wxsM5TYALlqzIee9sitzhP.exe
4080	Install.exe
3504	Install.exe

Windows security modification 2 TTPs 3 IoCs

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

0702315c2af23584f8ef1febc660651c052eb448819d4c7432e51148ea8db5a5_NeikiAnalytics.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	0702315c2af23584f8ef1febc660651c052eb448819d4c7432e51148ea8db5a5_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions	0702315c2af23584f8ef1febc660651c052eb448819d4c7432e51148ea8db5a5_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\0702315c2af23584f8ef1febc660651c052eb448819d4c7432e51148ea8db5a5_NeikiAnalytics.exe = "0"	0702315c2af23584f8ef1febc660651c052eb448819d4c7432e51148ea8db5a5_NeikiAnalytics.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

T1082

Processes:

0702315c2af23584f8ef1febc660651c052eb448819d4c7432e51148ea8db5a5_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0702315c2af23584f8ef1febc660651c052eb448819d4c7432e51148ea8db5a5_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0702315c2af23584f8ef1febc660651c052eb448819d4c7432e51148ea8db5a5_NeikiAnalytics.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service
T1102

Processes:

flow ioc

50 pastebin.com

flow	ioc
50	pastebin.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

0702315c2af23584f8ef1febc660651c052eb448819d4c7432e51148ea8db5a5_NeikiAnalytics.exe

description	pid	process	target process
PID 1588 set thread context of 4028	1588	0702315c2af23584f8ef1febc660651c052eb448819d4c7432e51148ea8db5a5_NeikiAnalytics.exe	msbuild.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exeRGRaRI88iZdoQjoIxjbcXrNv.exe

pid	process
3660	powershell.exe
3660	powershell.exe
3612	RGRaRI88iZdoQjoIxjbcXrNv.exe
3612	RGRaRI88iZdoQjoIxjbcXrNv.exe
3612	RGRaRI88iZdoQjoIxjbcXrNv.exe
3612	RGRaRI88iZdoQjoIxjbcXrNv.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exemsbuild.exe

description pid process

Token: SeDebugPrivilege 3660 powershell.exe
Token: SeDebugPrivilege 4028 msbuild.exe

description	pid	process
Token: SeDebugPrivilege	3660	powershell.exe
Token: SeDebugPrivilege	4028	msbuild.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

0702315c2af23584f8ef1febc660651c052eb448819d4c7432e51148ea8db5a5_NeikiAnalytics.exemsbuild.exepEoJJMEnxqAwbfR3eM4ehPPc.exea6wxsM5TYALlqzIee9sitzhP.exe

description	pid	process	target process
PID 1588 wrote to memory of 3660	1588	0702315c2af23584f8ef1febc660651c052eb448819d4c7432e51148ea8db5a5_NeikiAnalytics.exe	powershell.exe
PID 1588 wrote to memory of 3660	1588	0702315c2af23584f8ef1febc660651c052eb448819d4c7432e51148ea8db5a5_NeikiAnalytics.exe	powershell.exe
PID 1588 wrote to memory of 4028	1588	0702315c2af23584f8ef1febc660651c052eb448819d4c7432e51148ea8db5a5_NeikiAnalytics.exe	msbuild.exe
PID 1588 wrote to memory of 4028	1588	0702315c2af23584f8ef1febc660651c052eb448819d4c7432e51148ea8db5a5_NeikiAnalytics.exe	msbuild.exe
PID 1588 wrote to memory of 4028	1588	0702315c2af23584f8ef1febc660651c052eb448819d4c7432e51148ea8db5a5_NeikiAnalytics.exe	msbuild.exe
PID 1588 wrote to memory of 4028	1588	0702315c2af23584f8ef1febc660651c052eb448819d4c7432e51148ea8db5a5_NeikiAnalytics.exe	msbuild.exe
PID 1588 wrote to memory of 4028	1588	0702315c2af23584f8ef1febc660651c052eb448819d4c7432e51148ea8db5a5_NeikiAnalytics.exe	msbuild.exe
PID 1588 wrote to memory of 4028	1588	0702315c2af23584f8ef1febc660651c052eb448819d4c7432e51148ea8db5a5_NeikiAnalytics.exe	msbuild.exe
PID 1588 wrote to memory of 4028	1588	0702315c2af23584f8ef1febc660651c052eb448819d4c7432e51148ea8db5a5_NeikiAnalytics.exe	msbuild.exe
PID 1588 wrote to memory of 4028	1588	0702315c2af23584f8ef1febc660651c052eb448819d4c7432e51148ea8db5a5_NeikiAnalytics.exe	msbuild.exe
PID 1588 wrote to memory of 2932	1588	0702315c2af23584f8ef1febc660651c052eb448819d4c7432e51148ea8db5a5_NeikiAnalytics.exe	msbuild.exe
PID 1588 wrote to memory of 2932	1588	0702315c2af23584f8ef1febc660651c052eb448819d4c7432e51148ea8db5a5_NeikiAnalytics.exe	msbuild.exe
PID 1588 wrote to memory of 2932	1588	0702315c2af23584f8ef1febc660651c052eb448819d4c7432e51148ea8db5a5_NeikiAnalytics.exe	msbuild.exe
PID 4028 wrote to memory of 3352	4028	msbuild.exe	pEoJJMEnxqAwbfR3eM4ehPPc.exe
PID 4028 wrote to memory of 3352	4028	msbuild.exe	pEoJJMEnxqAwbfR3eM4ehPPc.exe
PID 4028 wrote to memory of 3352	4028	msbuild.exe	pEoJJMEnxqAwbfR3eM4ehPPc.exe
PID 4028 wrote to memory of 4496	4028	msbuild.exe	a6wxsM5TYALlqzIee9sitzhP.exe
PID 4028 wrote to memory of 4496	4028	msbuild.exe	a6wxsM5TYALlqzIee9sitzhP.exe
PID 4028 wrote to memory of 4496	4028	msbuild.exe	a6wxsM5TYALlqzIee9sitzhP.exe
PID 4028 wrote to memory of 3668	4028	msbuild.exe	fWKqfcIbnGuD43QgMWDuVnDJ.exe
PID 4028 wrote to memory of 3668	4028	msbuild.exe	fWKqfcIbnGuD43QgMWDuVnDJ.exe
PID 4028 wrote to memory of 5024	4028	msbuild.exe	npyEa8mQ9AsptWqKRHDI7WE6.exe
PID 4028 wrote to memory of 5024	4028	msbuild.exe	npyEa8mQ9AsptWqKRHDI7WE6.exe
PID 4028 wrote to memory of 5024	4028	msbuild.exe	npyEa8mQ9AsptWqKRHDI7WE6.exe
PID 4028 wrote to memory of 3612	4028	msbuild.exe	RGRaRI88iZdoQjoIxjbcXrNv.exe
PID 4028 wrote to memory of 3612	4028	msbuild.exe	RGRaRI88iZdoQjoIxjbcXrNv.exe
PID 4028 wrote to memory of 3612	4028	msbuild.exe	RGRaRI88iZdoQjoIxjbcXrNv.exe
PID 3352 wrote to memory of 4080	3352	pEoJJMEnxqAwbfR3eM4ehPPc.exe	Install.exe
PID 3352 wrote to memory of 4080	3352	pEoJJMEnxqAwbfR3eM4ehPPc.exe	Install.exe
PID 3352 wrote to memory of 4080	3352	pEoJJMEnxqAwbfR3eM4ehPPc.exe	Install.exe
PID 4496 wrote to memory of 3504	4496	a6wxsM5TYALlqzIee9sitzhP.exe	Install.exe
PID 4496 wrote to memory of 3504	4496	a6wxsM5TYALlqzIee9sitzhP.exe	Install.exe
PID 4496 wrote to memory of 3504	4496	a6wxsM5TYALlqzIee9sitzhP.exe	Install.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

Processes:

0702315c2af23584f8ef1febc660651c052eb448819d4c7432e51148ea8db5a5_NeikiAnalytics.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	0702315c2af23584f8ef1febc660651c052eb448819d4c7432e51148ea8db5a5_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\0702315c2af23584f8ef1febc660651c052eb448819d4c7432e51148ea8db5a5_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\0702315c2af23584f8ef1febc660651c052eb448819d4c7432e51148ea8db5a5_NeikiAnalytics.exe"
1⤵
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1588

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0702315c2af23584f8ef1febc660651c052eb448819d4c7432e51148ea8db5a5_NeikiAnalytics.exe" -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
2⤵
- Drops startup file
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4028

C:\Users\Admin\Pictures\fWKqfcIbnGuD43QgMWDuVnDJ.exe
"C:\Users\Admin\Pictures\fWKqfcIbnGuD43QgMWDuVnDJ.exe"
3⤵
- Executes dropped EXE
PID:3668

C:\Users\Admin\Pictures\RGRaRI88iZdoQjoIxjbcXrNv.exe
"C:\Users\Admin\Pictures\RGRaRI88iZdoQjoIxjbcXrNv.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3612

C:\Users\Admin\Pictures\pEoJJMEnxqAwbfR3eM4ehPPc.exe
"C:\Users\Admin\Pictures\pEoJJMEnxqAwbfR3eM4ehPPc.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3352

C:\Users\Admin\AppData\Local\Temp\7zS5CD7.tmp\Install.exe
.\Install.exe /IjiHdidVaJ "385118" /S
4⤵
- Executes dropped EXE
PID:4080

C:\Users\Admin\Pictures\a6wxsM5TYALlqzIee9sitzhP.exe
"C:\Users\Admin\Pictures\a6wxsM5TYALlqzIee9sitzhP.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4496

C:\Users\Admin\AppData\Local\Temp\7zS5CD8.tmp\Install.exe
.\Install.exe /IjiHdidVaJ "385118" /S
4⤵
- Executes dropped EXE
PID:3504

C:\Users\Admin\Pictures\npyEa8mQ9AsptWqKRHDI7WE6.exe
"C:\Users\Admin\Pictures\npyEa8mQ9AsptWqKRHDI7WE6.exe" /s
3⤵
- Executes dropped EXE
PID:5024

C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
2⤵
PID:2932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2756 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:3612

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

3

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service