Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20231130-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/12/2023, 07:10
Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample: XO0UY05.exe, resource: win7-20231023-en)
- Behavioral task: behavioral2 (sample: XO0UY05.exe, resource: win10v2004-20231130-en)
General
- Target: XO0UY05.exe
- Size: 789KB
- MD5: b62cbe2a191fee2243c8c28150ec777f
- SHA1: 3992584fb9c29fc84f41f35ebca4bec27014c708
- SHA256: cdd43a1c420208cb24f8d8f45647107984ad55474db55fe0eee4a70c1deee718
- SHA512: 41b3062daf23f531ac69038086c7678157da5a8f3a10db410ea9c177e8c586c36a28e55a889ce7af829f8ac171190bd4f3f0229a2f3f45e6608ff4da7ea256c8
- SSDEEP: 12288:NMrAy90YN8degBdF/RIqaSVJ3zQFo/DiK+BZhzSLU2qQCNQmhZNysBG:pyF8dTBd9baS7QW7lkzSFuCyyss
Malware Config
- Extracted: risepro
  193.233.132.51
- Extracted: smokeloader
  2022
  http://81.19.131.34/fks/index.php
- Extracted: redline
  LiveTraffic
  77.105.132.87:6731
Signatures
- PrivateLoader
  PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (1 IoC)
  resource: behavioral2/memory/1728-95-0x00000000007D0000-0x000000000080C000-memory.dmp, yara_rule: family_redline
- SmokeLoader
  Modular backdoor trojan in use since 2014.
- Downloads MZ/PE file
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk (process: 1VN46DW0.exe)
- Executes dropped EXE (3 IoCs)
  pid 1432: 1VN46DW0.exe
  pid 2652: 4uZ060Ph.exe
  pid 1728: B844.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Key opened: \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: 1VN46DW0.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: 1VN46DW0.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: 1VN46DW0.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: XO0UY05.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe" (process: 1VN46DW0.exe)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 10: ipinfo.io
  flow 39: ipinfo.io
- Drops file in System32 directory (4 IoCs)
  File opened for modification: C:\Windows\System32\GroupPolicy\GPT.INI (process: 1VN46DW0.exe)
  File opened for modification: C:\Windows\System32\GroupPolicy (process: 1VN46DW0.exe)
  File opened for modification: C:\Windows\SysWOW64\GroupPolicy\gpt.ini (process: 1VN46DW0.exe)
  File created: C:\Windows\System32\GroupPolicy\Machine\Registry.pol (process: 1VN46DW0.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  pid 4244 (WerFault.exe), pid_target 1432, procid_target 87
- Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (process: 4uZ060Ph.exe)
  Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (process: 4uZ060Ph.exe)
  Key enumerated: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI (process: 4uZ060Ph.exe)
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: 1VN46DW0.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: 1VN46DW0.exe)
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid 4932: schtasks.exe
  pid 1012: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1432: 1VN46DW0.exe (2 entries)
  pid 2652: 4uZ060Ph.exe (2 entries)
  pid 3120: Process not Found (remaining 60 entries)
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid 2652: 4uZ060Ph.exe
- Suspicious use of AdjustPrivilegeToken (14 IoCs)
  Token: SeShutdownPrivilege, pid 3120, Process not Found (7 entries)
  Token: SeCreatePagefilePrivilege, pid 3120, Process not Found (7 entries)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid 3120: Process not Found (2 entries)
- Suspicious use of WriteProcessMemory (15 IoCs; each write is recorded three times)
  PID 220 (XO0UY05.exe) wrote to memory of 1432, procid_target 87
  PID 1432 (1VN46DW0.exe) wrote to memory of 4932, procid_target 96
  PID 1432 (1VN46DW0.exe) wrote to memory of 1012, procid_target 94
  PID 220 (XO0UY05.exe) wrote to memory of 2652, procid_target 107
  PID 3120 (Process not Found) wrote to memory of 1728, procid_target 112
- outlook_office_path (1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: 1VN46DW0.exe)
- outlook_win_path (1 IoC)
  Key opened: \REGISTRY\USER\S-1-5-21-596315103-1488671723-776734015-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: 1VN46DW0.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe (PID 220)
  Command line: "C:\Users\Admin\AppData\Local\Temp\XO0UY05.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe (PID 1432)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\1VN46DW0.exe
    - Drops startup file
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Adds Run key to start application
    - Drops file in System32 directory
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - outlook_office_path
    - outlook_win_path
    - C:\Windows\SysWOW64\schtasks.exe (PID 1012)
      Command line: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
      - Creates scheduled task(s)
    - C:\Windows\SysWOW64\schtasks.exe (PID 4932)
      Command line: schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
      - Creates scheduled task(s)
    - C:\Windows\SysWOW64\WerFault.exe (PID 4244)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 1780
      - Program crash
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe (PID 2652)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\4uZ060Ph.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
- C:\Windows\system32\svchost.exe (PID 2648)
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
- C:\Windows\system32\svchost.exe (PID 5052)
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
- C:\Windows\SysWOW64\WerFault.exe (PID 3484)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1432 -ip 1432
- C:\Users\Admin\AppData\Local\Temp\B844.exe (PID 1728)
  Command line: C:\Users\Admin\AppData\Local\Temp\B844.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
- Persistence
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
- Privilege Escalation
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Downloads
- Filesize: 401KB
  MD5: f88edad62a7789c2c5d8047133da5fa7
  SHA1: 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9
  SHA256: eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc
  SHA512: e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60
- Filesize: 57KB
  MD5: 99ce0ae115832abc40e2e57599ef78a0
  SHA1: fd842bd20905ab8a03b5ccb5160dd5103b6aec55
  SHA256: 10b22af94e1e8a1892ea1fc7cc30cec8d75804adce908779f5f6c3ed8324fcb8
  SHA512: cc5a374e0034db4f9500e103cf6413b434d6de63871f4afca61d2f0e01050a565c8ff78f1c6cccc486ef9b66e1d8f8548e1e5ab11d5c6bbe046cc9347e64a7ef
- Filesize: 1.6MB
  MD5: 9b10f741fad1d0dd09b89dc6638833ae
  SHA1: 1f0ffa6f136cd5433f202c9c79ce5956796b4151
  SHA256: 1b69a1dd5961241b926605f0a015fa17149c3b2759fb077a30a22d4ddcc273f6
  SHA512: 4c83e0b137338a8685481623e592d10039ff15032f059b1e200f8e6a7810978e2eb5047604d12c31923761a0e46146c01fcabc871b8748b61a546bd1a32891f7
- Filesize: 37KB
  MD5: 8837a89b82d0d3b0259cc9f47b2e599b
  SHA1: 51dd86a6a717a8f1470fff7a65f96c983aa71f09
  SHA256: ad5c98936429f847e6808a4efdb80faf452a5c5c31d91f9f7de2560e51478701
  SHA512: 4a6c660c78bc99916d68978243f1140203a5805a3a7ae7a1749c609bd5aaf06b9ac253c09c0a206acdb832b45bc1ab700a5beb98024131779a45c70b53c7bc71