b2bc73e8be2ce4c4fa2ece4694f8d707a8529572d98948dd0a79dc882a028717

Analysis

max time kernel
131s
max time network
136s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
30-06-2024 21:08

Target

Win32.RisePro.b/Proxy/RisePro_Proxy.exe
Size

568KB
MD5

fe8d041d2fbdedd9627f1a55976bdc61
SHA1

fe88fc39efb0e2b29bfc2730bf8a4bf3e71657f2
SHA256

af26b57034cbd6ee66cedba4abe6d247da5ae5e6beb74314ebdc80f1d1299f7c
SHA512

8df251518c17434b04895589d5c78780f6ca7a97d10730a4240d1fc82bc64ad1869288c7dd395d29fd0159ad082d7dcf98198d17a573c79e4880d7a7f7cdfa9a
SSDEEP

12288:aSxtHZFviRZe7Zg5KlPvNvw4iVfUxpDGzwIolidy/j:fxrFviRZe7Zg5KlPvNvMV8x+voliu

Score

8^/10

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

Disable or Modify System Firewall

Processes:

netsh.exenetsh.exe

pid	Process
4336	netsh.exe
1800	netsh.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

Processes:

netsh.exenetsh.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

RisePro_Proxy.execmd.execmd.exe

description	pid	Process	procid_target
PID 4868 wrote to memory of 2924	4868	RisePro_Proxy.exe	74
PID 4868 wrote to memory of 2924	4868	RisePro_Proxy.exe	74
PID 4868 wrote to memory of 2924	4868	RisePro_Proxy.exe	74
PID 4868 wrote to memory of 2204	4868	RisePro_Proxy.exe	75
PID 4868 wrote to memory of 2204	4868	RisePro_Proxy.exe	75
PID 4868 wrote to memory of 2204	4868	RisePro_Proxy.exe	75
PID 2204 wrote to memory of 4336	2204	cmd.exe	76
PID 2204 wrote to memory of 4336	2204	cmd.exe	76
PID 2204 wrote to memory of 4336	2204	cmd.exe	76
PID 4868 wrote to memory of 2700	4868	RisePro_Proxy.exe	77
PID 4868 wrote to memory of 2700	4868	RisePro_Proxy.exe	77
PID 4868 wrote to memory of 2700	4868	RisePro_Proxy.exe	77
PID 2700 wrote to memory of 1800	2700	cmd.exe	78
PID 2700 wrote to memory of 1800	2700	cmd.exe	78
PID 2700 wrote to memory of 1800	2700	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\Win32.RisePro.b\Proxy\RisePro_Proxy.exe
"C:\Users\Admin\AppData\Local\Temp\Win32.RisePro.b\Proxy\RisePro_Proxy.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cls
  2⤵
  PID:2924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall show rule name="RisePro External - 50500" > nul
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall show rule name="RisePro External - 50500"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4336
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="RisePro External - 50500" dir=in action=allow protocol=TCP localport=50500
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="RisePro External - 50500" dir=in action=allow protocol=TCP localport=50500
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1800