Analysis

max time kernel: 146s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/11/2023, 10:55
Behavioral task behavioral1
Sample: file.exe
Resource: win7-20231023-en

Behavioral task behavioral2
Sample: file.exe
Resource: win10v2004-20231127-en
General

Target: file.exe
Size: 6.5MB
MD5: 4c6d722386fc028e9813c9434c81840e
SHA1: b63b394e5bf0f832ad175186037c4a1eafedd55b
SHA256: a763709cacb29bab169bea58709364f138c92fa4fa86bae2bc2524cff4637f50
SHA512: 730edde4aeadff0b71fb399567abbf90e89a8093489ee0fc9923a14c40fd68bac9a46b74c112e8e779f1cf1ddef96240d1cb24b484a4b187c864560f1d579936
SSDEEP: 196608:Qft/3UMOoqLlQL+fT3OMdzBiI5Kik1DjEBX1isu:QftP2pQ8DOMdzOxmX1iJ
Malware Config

Extracted
Family: risepro
C2: 194.169.175.128
Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
VirtualBox firmware publishes its ACPI tables under the OEM ID "VBOX", so a key named VBOX__ beneath HKLM\HARDWARE\ACPI\DSDT exists only on VirtualBox guests; opening it is a one-call VM check, and both the loader and the dropped IEUpdater1.exe perform it.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | file.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | IEUpdater1.exe

Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | file.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | file.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | IEUpdater1.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | IEUpdater1.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence. The Nation value holds the numeric Windows GeoID of the configured country.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Control Panel\International\Geo\Nation | file.exe

Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster1.lnk | file.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OperaConnect1.lnk | file.exe

Executes dropped EXE 1 IoCs
pid | Process
4300 | IEUpdater1.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Themida packer (yara rule: themida) 27 IoCs
The themida rule matches the mapped image of file.exe (pid 5044), the mapped image of the dropped IEUpdater1.exe (pid 4300) and the dropped files themselves, so the protector wraps both the loader and its payload.
resource | yara_rule
behavioral2/memory/5044-{0,1,13,14,15,16,17,25,26,98,126}-0x0000000000EF0000-0x0000000002123000-memory.dmp | themida
behavioral2/memory/4300-{115,116,131,134,135,136,137,138,149,151}-0x00000000001B0000-0x00000000013E3000-memory.dmp | themida
behavioral2/files/0x00080000000231e9-23.dat | themida
behavioral2/files/0x00080000000231f6-111.dat | themida
behavioral2/files/0x00080000000231f6-112.dat | themida
behavioral2/files/0x00080000000231e6-140.dat | themida
behavioral2/files/0x00060000000231ed-139.dat | themida
behavioral2/files/0x00080000000231e9-142.dat | themida

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | file.exe
Key opened | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | file.exe
Key opened | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | file.exe

Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest1 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest1\\MaxLoonaFest1.exe" | file.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LegalHelper1 = "C:\\Users\\Admin\\AppData\\Local\\LegalHelper1\\LegalHelper1.exe" | file.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled 2 IoCs
Reads EnableLUA; with UAC off, a task registered with /rl HIGHEST (see the schtasks commands in the process tree) runs elevated without a prompt.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | file.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | IEUpdater1.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
19 | ipinfo.io
20 | ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
NtSetInformationThread with ThreadHideFromDebugger stops the calling thread from delivering debug events, so an attached debugger silently loses it; it is a standard anti-debug step in commercial protectors such as Themida.
pid | Process
5044 | file.exe
4300 | IEUpdater1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Program crash 1 IoCs
pid | pid_target | Process | procid_target
2156 | 5044 (file.exe) | WerFault.exe | 81

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | file.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | file.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1140 | schtasks.exe
4004 | schtasks.exe
1016 | schtasks.exe
2592 | schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
5044 | file.exe (4 events)
4300 | IEUpdater1.exe (2 events)

Suspicious use of WriteProcessMemory 15 IoCs
The targets are the five children in the process tree: the four schtasks.exe instances (1140, 4004, 1016, 2592) and the dropped IEUpdater1.exe (4300); three writes are logged per child.
description | pid | Process | procid_target
PID 5044 wrote to memory of 1140 | 5044 | file.exe | 84 (3 events)
PID 5044 wrote to memory of 4004 | 5044 | file.exe | 86 (3 events)
PID 5044 wrote to memory of 1016 | 5044 | file.exe | 88 (3 events)
PID 5044 wrote to memory of 2592 | 5044 | file.exe | 90 (3 events)
PID 5044 wrote to memory of 4300 | 5044 | file.exe | 92 (3 events)

outlook_office_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | file.exe

outlook_win_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | file.exe
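The registry lookups in the signatures above (the VBOX__ ACPI key, SystemBiosVersion, VideoBiosVersion, ProcessorNameString, EnableLUA and Geo\Nation) are cheap to replay against your own sandbox image to see which ones it would trip. The script below is an added example, not tria.ge's or the sample's code: it runs exactly those lookups through a pluggable registry reader and reports the conclusion the sample would draw. The hypervisor marker strings and the two registry images are constructed assumptions; on a Windows host the winreg-backed reader audits the live registry.

```python
"""Replay the registry lookups this report attributes to file.exe and IEUpdater1.exe
(ACPI DSDT VBOX__, SystemBiosVersion, VideoBiosVersion, ProcessorNameString,
EnableLUA, Geo\\Nation) and state what each result would tell the sample.

Added example, not code from tria.ge or from the sample. The hypervisor marker
strings and the two registry images below are constructed assumptions.
"""
import sys
from typing import Callable, Dict, List, Optional, Tuple

# read(key, value_name) -> data as a string, or None when the key/value is absent.
# value_name None asks only whether the key exists (the VBOX__ check opens the key).
RegReader = Callable[[str, Optional[str]], Optional[str]]

# Substrings hypervisors commonly leave in BIOS/CPU strings (assumption, not from the report).
VM_MARKERS = ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "BOCHS", "XEN", "HYPER-V", "KVM")

# (check id, key, value name): the lookups exactly as the report lists them.
CHECKS: List[Tuple[str, str, Optional[str]]] = [
    ("vbox_acpi",  r"HKLM\HARDWARE\ACPI\DSDT\VBOX__", None),
    ("bios",       r"HKLM\HARDWARE\DESCRIPTION\System", "SystemBiosVersion"),
    ("video_bios", r"HKLM\HARDWARE\DESCRIPTION\System", "VideoBiosVersion"),
    ("cpu",        r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0", "ProcessorNameString"),
    ("uac",        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA"),
    ("geo",        r"HKCU\Control Panel\International\Geo", "Nation"),
]


def classify(check: str, data: Optional[str]) -> str:
    """Conclusion the sample would draw from one lookup result."""
    if data is None:
        return "absent"
    if check == "vbox_acpi":
        return "VM detected (VirtualBox ACPI table present)"  # existence alone is the tell
    if check in ("bios", "video_bios", "cpu"):
        hits = [m for m in VM_MARKERS if m in data.upper()]
        return f"VM detected ({hits[0]} in {data!r})" if hits else "clean"
    if check == "uac":
        return "UAC enabled" if data.strip() != "0" else "UAC disabled"
    return f"GeoID {data}"  # geo: numeric country id, the geofence input


def audit(read: RegReader) -> Dict[str, str]:
    """Run every check through the given reader; returns {check id: conclusion}."""
    return {check: classify(check, read(key, value)) for check, key, value in CHECKS}


def vm_detected(results: Dict[str, str]) -> bool:
    """True if any anti-VM lookup would make the sample conclude it runs in a VM."""
    return any(v.startswith("VM detected") for v in results.values())


def dict_reader(image: Dict[str, Dict[str, str]]) -> RegReader:
    """Reader over an in-memory image {key: {value name: data}}, case-insensitive like the registry."""
    norm = {k.upper(): {v.upper(): d for v, d in vals.items()} for k, vals in image.items()}

    def read(key: str, value: Optional[str]) -> Optional[str]:
        vals = norm.get(key.upper())
        if vals is None:
            return None
        return "" if value is None else vals.get(value.upper())
    return read


def winreg_reader() -> RegReader:
    """Reader backed by the live registry; run inside the sandbox VM to audit it."""
    import winreg  # Windows-only module
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}

    def read(key: str, value: Optional[str]) -> Optional[str]:
        hive, _, path = key.partition("\\")
        try:
            with winreg.OpenKey(hives[hive], path) as handle:
                if value is None:
                    return ""
                data, _ = winreg.QueryValueEx(handle, value)
                return str(data)
        except OSError:  # key or value missing
            return None
    return read


# Constructed images: an unmodified VirtualBox guest, and one with the obvious tells removed.
_CPU = {"ProcessorNameString": "Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz"}  # passed through from the host
_UAC = {"EnableLUA": "1"}
_GEO = {"Nation": "244"}
STOCK_VBOX_GUEST = {
    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__": {},
    r"HKLM\HARDWARE\DESCRIPTION\System": {"SystemBiosVersion": "VBOX   - 1",
                                          "VideoBiosVersion": "Oracle VM VirtualBox VBE BIOS"},
    r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0": _CPU,
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System": _UAC,
    r"HKCU\Control Panel\International\Geo": _GEO,
}
HARDENED_GUEST = {
    r"HKLM\HARDWARE\DESCRIPTION\System": {"SystemBiosVersion": "DELL   - 1072009",
                                          "VideoBiosVersion": "Intel Video BIOS"},
    r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0": _CPU,
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System": _UAC,
    r"HKCU\Control Panel\International\Geo": _GEO,
}

if __name__ == "__main__":
    reader = winreg_reader() if sys.platform == "win32" else dict_reader(STOCK_VBOX_GUEST)
    results = audit(reader)
    for check, verdict in results.items():
        print(f"{check:10s} {verdict}")
    print("sample would flag VM:", vm_detected(results))
```

The stock image trips on two of the three anti-VM lookups (the ACPI key and SystemBiosVersion) even though the CPU string is clean, which is why removing only the VBOX__ key from a sandbox is not enough; the EnableLUA and Nation results are reported rather than scored because they drive behaviour (elevation, geofence) instead of detection.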
Processes
(bracketed number = depth in the process tree)

[1] C:\Users\Admin\AppData\Local\Temp\file.exe (PID 5044)
    command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Checks computer location settings
    - Drops startup file
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path

    [2] C:\Windows\SysWOW64\schtasks.exe (PID 1140)
        command line: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP1\OfficeTrackerNMP1.exe" /tn "OfficeTrackerNMP1 HR" /sc HOURLY /rl HIGHEST
        - Creates scheduled task(s)

    [2] C:\Windows\SysWOW64\schtasks.exe (PID 4004)
        command line: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP1\OfficeTrackerNMP1.exe" /tn "OfficeTrackerNMP1 LG" /sc ONLOGON /rl HIGHEST
        - Creates scheduled task(s)

    [2] C:\Windows\SysWOW64\schtasks.exe (PID 1016)
        command line: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\IEUpdater1\IEUpdater1.exe" /tn "IEUpdater1 HR" /sc HOURLY /rl HIGHEST
        - Creates scheduled task(s)

    [2] C:\Windows\SysWOW64\schtasks.exe (PID 2592)
        command line: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\IEUpdater1\IEUpdater1.exe" /tn "IEUpdater1 LG" /sc ONLOGON /rl HIGHEST
        - Creates scheduled task(s)

    [2] C:\ProgramData\IEUpdater1\IEUpdater1.exe (PID 4300)
        command line: "C:\ProgramData\IEUpdater1\IEUpdater1.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses

    [2] C:\Windows\SysWOW64\WerFault.exe (PID 2156)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 1968
        - Program crash

[1] C:\Windows\SysWOW64\WerFault.exe (PID 4148)
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5044 -ip 5044
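The process tree above shows the complete persistence set: four schtasks /create calls (two task names, each registered HOURLY and ONLOGON, all with /rl HIGHEST and a binary under C:\ProgramData), two HKCU Run values pointing into AppData\Local, and two .lnk files in the Startup folder. The script below is an added example, not tria.ge's or the sample's code: a triage routine over Sysmon-style process-create (EventID 1), file-create (EventID 11) and registry-set (EventID 13) events that parses the schtasks switches and explains why each artifact is suspicious. The sample events are constructed from the command lines and values in this report; the user-writable path prefixes and the severity rule are assumptions.

```python
"""Triage the persistence artifacts in this report from Sysmon-style events.

Added example; not code from tria.ge or from the sample. Field names follow the
standard Sysmon schema (Image, CommandLine, ParentImage, TargetObject, Details,
TargetFilename). The user-writable prefixes and the severity rule are assumptions;
the sample events are constructed from the report's own command lines and values.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Union

# Locations an unprivileged user can normally write to (assumption).
USER_WRITABLE_PREFIXES = ("c:\\programdata\\", "c:\\users\\")
TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # quoted argument, or a bare one


@dataclass
class Finding:
    technique: str              # ATT&CK technique id
    artifact: str               # task name, registry value or file
    target: str                 # what will be executed
    reasons: List[str] = field(default_factory=list)

    @property
    def severity(self) -> str:  # assumption: three or more reasons is "high"
        return "high" if len(self.reasons) >= 3 else "medium"


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping quoted arguments whole (quotes removed)."""
    return [quoted or bare for quoted, bare in TOKEN.findall(cmdline)]


def parse_schtasks(cmdline: str) -> Dict[str, Union[str, bool]]:
    """Map schtasks switches to values; switches without a value (/create, /f) map to True."""
    toks, opts, i = tokenize(cmdline), {}, 0
    while i < len(toks):
        if toks[i].startswith("/"):
            name = toks[i][1:].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[name] = toks[i + 1]
                i += 2
                continue
            opts[name] = True
        i += 1
    return opts


def user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def triage(events: List[Dict]) -> List[Finding]:
    """Return one Finding per persistence artifact seen in the events."""
    findings: List[Finding] = []
    for e in events:
        eid = e["EventID"]
        if eid == 1 and e["Image"].lower().endswith("\\schtasks.exe"):
            o = parse_schtasks(e["CommandLine"])
            if "create" not in o:
                continue
            tr, reasons = str(o.get("tr", "")), []
            if str(o.get("rl", "")).upper() == "HIGHEST":
                reasons.append("/rl HIGHEST (runs elevated when the user is an admin and UAC allows it)")
            if str(o.get("sc", "")).upper() in ("ONLOGON", "ONSTART", "MINUTE", "HOURLY"):
                reasons.append(f"/sc {o['sc']} (re-launches persistently)")
            if user_writable(tr):
                reasons.append("task binary in a user-writable path")
            if user_writable(e.get("ParentImage", "")):
                reasons.append("registered by a parent running from a user-writable path")
            if o.get("f") is True:
                reasons.append("/f silently overwrites an existing task")
            findings.append(Finding("T1053.005", f"task {o.get('tn', '?')}", tr, reasons))
        elif eid == 13 and "\\currentversion\\run\\" in e["TargetObject"].lower():
            reasons = ["Run key value set"]
            if user_writable(e["Details"]):
                reasons.append("binary in a user-writable path")
            findings.append(Finding("T1547.001", e["TargetObject"], e["Details"], reasons))
        elif eid == 11 and "\\programs\\startup\\" in e["TargetFilename"].lower():
            findings.append(Finding("T1547.001", "Startup folder", e["TargetFilename"],
                                    ["file dropped into the Startup folder"]))
    return findings


# Constructed events, taken from the command lines and registry values in this report.
PARENT = r"C:\Users\Admin\AppData\Local\Temp\file.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
HKU_RUN = r"HKU\S-1-5-21-1067295379-1486014338-1703171060-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": SCHTASKS, "ParentImage": PARENT, "CommandLine": r'schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP1\OfficeTrackerNMP1.exe" /tn "OfficeTrackerNMP1 HR" /sc HOURLY /rl HIGHEST'},
    {"EventID": 1, "Image": SCHTASKS, "ParentImage": PARENT, "CommandLine": r'schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP1\OfficeTrackerNMP1.exe" /tn "OfficeTrackerNMP1 LG" /sc ONLOGON /rl HIGHEST'},
    {"EventID": 1, "Image": SCHTASKS, "ParentImage": PARENT, "CommandLine": r'schtasks /create /f /RU "Admin" /tr "C:\ProgramData\IEUpdater1\IEUpdater1.exe" /tn "IEUpdater1 HR" /sc HOURLY /rl HIGHEST'},
    {"EventID": 1, "Image": SCHTASKS, "ParentImage": PARENT, "CommandLine": r'schtasks /create /f /RU "Admin" /tr "C:\ProgramData\IEUpdater1\IEUpdater1.exe" /tn "IEUpdater1 LG" /sc ONLOGON /rl HIGHEST'},
    {"EventID": 13, "TargetObject": HKU_RUN + r"\MaxLoonaFest1", "Details": r"C:\Users\Admin\AppData\Local\MaxLoonaFest1\MaxLoonaFest1.exe"},
    {"EventID": 13, "TargetObject": HKU_RUN + r"\LegalHelper1", "Details": r"C:\Users\Admin\AppData\Local\LegalHelper1\LegalHelper1.exe"},
    {"EventID": 11, "Image": PARENT, "TargetFilename": STARTUP + r"\FANBooster1.lnk"},
    {"EventID": 11, "Image": PARENT, "TargetFilename": STARTUP + r"\OperaConnect1.lnk"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.technique} {f.artifact} -> {f.target}")
        for r in f.reasons:
            print("    ", r)
```

Each task here collects all five reasons (HIGHEST run level, a persistent trigger, a ProgramData target, a parent in the user's Temp folder, and /f), which is the combination worth alerting on; a single Run value under AppData\Local scores lower on its own, and the EnableLUA read in the signatures is the sample checking whether /rl HIGHEST will actually elevate.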
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) 1
- Scheduled Task/Job (T1053) 1
Privilege Escalation
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001) 1
- Scheduled Task/Job (T1053) 1
Downloads

Filesize: 6.5MB (same hashes as the submitted file.exe; the page repeats this entry six times)
MD5: 4c6d722386fc028e9813c9434c81840e
SHA1: b63b394e5bf0f832ad175186037c4a1eafedd55b
SHA256: a763709cacb29bab169bea58709364f138c92fa4fa86bae2bc2524cff4637f50
SHA512: 730edde4aeadff0b71fb399567abbf90e89a8093489ee0fc9923a14c40fd68bac9a46b74c112e8e779f1cf1ddef96240d1cb24b484a4b187c864560f1d579936

Filesize: 3KB
MD5: 05d260df5401598146c4d60d6744b30a
SHA1: 76499c48ac7ed943eda964debf0d68f131a97ced
SHA256: c1516c51aecb903c5e3b47f4d95256b7fd2ace9214821920f4c9a3870808ce02
SHA512: 70dff0f63c9bbfaaca76738891fa282862fc75869d07c4e73bbd54a11c425dd0aea17f30a228ddbffc2891a428626f824731c95327194fa01715f42a3f894c65

Filesize: 13B
MD5: 7db38b11ddf74374e4d3cc149b4fd801
SHA1: 2858b0a38e7fe0ec664a92ec1cd88eb8c6ce1eac
SHA256: 3322fc96664e59a066ab5b0d956f297221b0ca572d1f926702d5cad63750e048
SHA512: 6bbcd476463417c2377f976d771a4b52645f3cbc8dc4dd84ed64620c1946d47d147afd72cce6cc48bc9eacaf4cadfa0343a6f2da6824b697d34be937434f49ce

Filesize: 1KB
MD5: 41691862134e1ebcee8fe061c9d181d0
SHA1: 23493ee446f1aeeefb8bf357d67fd3c13697a623
SHA256: 9d69098b35548496d53958bb762fa4a8d4fe99f6f25ee34586d6682a7bddb1af
SHA512: d51eb8a38adfc58ab60e5876f91a72a814df0976e0334a4cc177e3aebcbdd3114cd74b0126e2bf22c273f048778e08b5777fc466d935881d102cd8d016963463