Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
145s -
max time network
166s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
25/06/2024, 01:48 UTC
Behavioral task
behavioral1
Sample
9e711f696ed3c36e8333a62b6cb8184a715d3a9ce2ff61b60bcd547ce550bf3a.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
9e711f696ed3c36e8333a62b6cb8184a715d3a9ce2ff61b60bcd547ce550bf3a.exe
Resource
win10v2004-20240226-en
General
-
Target
9e711f696ed3c36e8333a62b6cb8184a715d3a9ce2ff61b60bcd547ce550bf3a.exe
-
Size
4.2MB
-
MD5
39483496950b1a7bbd28617e6006efeb
-
SHA1
d922c857874fd52067791397128e62267cd0cd56
-
SHA256
9e711f696ed3c36e8333a62b6cb8184a715d3a9ce2ff61b60bcd547ce550bf3a
-
SHA512
6443f9a2956b3600aae04c862cf2e070435fe44d6df853cfaa213d097322bcbaffb83af7451d035bd674d72670ff377c46572822f68f61bac78d7f49467df8e2
-
SSDEEP
98304:/j+Am4UGrNsnH/vmbOPRYc43/8ToqX2yV4DyWQOEK5AUvpA3IktHhjWi3Ec:JUGrNsnHGb6T43/8Mu2rTkKiUheIejW4
Malware Config
Extracted
risepro
5.42.66.10
191.101.209.39
Signatures
-
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 9e711f696ed3c36e8333a62b6cb8184a715d3a9ce2ff61b60bcd547ce550bf3a.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 9e711f696ed3c36e8333a62b6cb8184a715d3a9ce2ff61b60bcd547ce550bf3a.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 9e711f696ed3c36e8333a62b6cb8184a715d3a9ce2ff61b60bcd547ce550bf3a.exe -
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNT.lnk 9e711f696ed3c36e8333a62b6cb8184a715d3a9ce2ff61b60bcd547ce550bf3a.exe -
resource yara_rule behavioral2/memory/4404-0-0x0000000000740000-0x00000000012FA000-memory.dmp themida behavioral2/memory/4404-1-0x0000000000740000-0x00000000012FA000-memory.dmp themida behavioral2/memory/4404-7-0x0000000000740000-0x00000000012FA000-memory.dmp themida behavioral2/memory/4404-9-0x0000000000740000-0x00000000012FA000-memory.dmp themida behavioral2/memory/4404-11-0x0000000000740000-0x00000000012FA000-memory.dmp themida behavioral2/memory/4404-10-0x0000000000740000-0x00000000012FA000-memory.dmp themida behavioral2/memory/4404-12-0x0000000000740000-0x00000000012FA000-memory.dmp themida behavioral2/memory/4404-13-0x0000000000740000-0x00000000012FA000-memory.dmp themida behavioral2/memory/4404-14-0x0000000000740000-0x00000000012FA000-memory.dmp themida behavioral2/memory/4404-17-0x0000000000740000-0x00000000012FA000-memory.dmp themida behavioral2/memory/4404-19-0x0000000000740000-0x00000000012FA000-memory.dmp themida behavioral2/files/0x0007000000023264-22.dat themida behavioral2/memory/4404-28-0x0000000000740000-0x00000000012FA000-memory.dmp themida -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV5 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV5\\ExtreamFanV5.exe" 9e711f696ed3c36e8333a62b6cb8184a715d3a9ce2ff61b60bcd547ce550bf3a.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 9e711f696ed3c36e8333a62b6cb8184a715d3a9ce2ff61b60bcd547ce550bf3a.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 4404 9e711f696ed3c36e8333a62b6cb8184a715d3a9ce2ff61b60bcd547ce550bf3a.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 3284 schtasks.exe 4352 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4404 9e711f696ed3c36e8333a62b6cb8184a715d3a9ce2ff61b60bcd547ce550bf3a.exe 4404 9e711f696ed3c36e8333a62b6cb8184a715d3a9ce2ff61b60bcd547ce550bf3a.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 4404 wrote to memory of 3284 4404 9e711f696ed3c36e8333a62b6cb8184a715d3a9ce2ff61b60bcd547ce550bf3a.exe 92 PID 4404 wrote to memory of 3284 4404 9e711f696ed3c36e8333a62b6cb8184a715d3a9ce2ff61b60bcd547ce550bf3a.exe 92 PID 4404 wrote to memory of 3284 4404 9e711f696ed3c36e8333a62b6cb8184a715d3a9ce2ff61b60bcd547ce550bf3a.exe 92 PID 4404 wrote to memory of 4352 4404 9e711f696ed3c36e8333a62b6cb8184a715d3a9ce2ff61b60bcd547ce550bf3a.exe 94 PID 4404 wrote to memory of 4352 4404 9e711f696ed3c36e8333a62b6cb8184a715d3a9ce2ff61b60bcd547ce550bf3a.exe 94 PID 4404 wrote to memory of 4352 4404 9e711f696ed3c36e8333a62b6cb8184a715d3a9ce2ff61b60bcd547ce550bf3a.exe 94
Processes
-
C:\Users\Admin\AppData\Local\Temp\9e711f696ed3c36e8333a62b6cb8184a715d3a9ce2ff61b60bcd547ce550bf3a.exe"C:\Users\Admin\AppData\Local\Temp\9e711f696ed3c36e8333a62b6cb8184a715d3a9ce2ff61b60bcd547ce550bf3a.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Drops startup file
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4404 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST2⤵
- Scheduled Task/Job: Scheduled Task
PID:3284
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST2⤵
- Scheduled Task/Job: Scheduled Task
PID:4352
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3612 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:81⤵PID:3856
Network
-
Remote address:8.8.8.8:53Request164.189.21.2.in-addr.arpaIN PTRResponse164.189.21.2.in-addr.arpaIN PTRa2-21-189-164deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request10.66.42.5.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request209.205.72.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request209.205.72.20.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request86.23.85.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request15.164.165.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request92.12.20.2.in-addr.arpaIN PTRResponse92.12.20.2.in-addr.arpaIN PTRa2-20-12-92deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request71.31.126.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request183.142.211.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request21.236.111.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request133.211.185.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request240.221.184.93.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Requestchromewebstore.googleapis.comIN AResponsechromewebstore.googleapis.comIN A142.250.178.10chromewebstore.googleapis.comIN A172.217.16.234chromewebstore.googleapis.comIN A142.250.200.42chromewebstore.googleapis.comIN A216.58.212.202chromewebstore.googleapis.comIN A142.250.187.234chromewebstore.googleapis.comIN A216.58.204.74chromewebstore.googleapis.comIN A142.250.179.234chromewebstore.googleapis.comIN A216.58.201.106chromewebstore.googleapis.comIN A216.58.212.234chromewebstore.googleapis.comIN A172.217.169.42chromewebstore.googleapis.comIN A142.250.200.10chromewebstore.googleapis.comIN A172.217.169.74chromewebstore.googleapis.comIN A142.250.180.10chromewebstore.googleapis.comIN A216.58.213.10chromewebstore.googleapis.comIN A142.250.187.202
-
Remote address:8.8.8.8:53Requestchromewebstore.googleapis.comIN UnknownResponse
-
Remote address:8.8.8.8:53Request10.178.250.142.in-addr.arpaIN PTRResponse10.178.250.142.in-addr.arpaIN PTRlhr48s27-in-f101e100net
-
Remote address:8.8.8.8:53Request208.143.182.52.in-addr.arpaIN PTRResponse
-
260 B 5
-
542 B 414 B 11 6
-
46 B 40 B 1 1
-
1.9kB 7.7kB 15 16
-
71 B 135 B 1 1
DNS Request
164.189.21.2.in-addr.arpa
-
69 B 129 B 1 1
DNS Request
10.66.42.5.in-addr.arpa
-
144 B 158 B 2 1
DNS Request
209.205.72.20.in-addr.arpa
DNS Request
209.205.72.20.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
86.23.85.13.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
15.164.165.52.in-addr.arpa
-
69 B 131 B 1 1
DNS Request
92.12.20.2.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
71.31.126.40.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
73 B 159 B 1 1
DNS Request
183.142.211.20.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
21.236.111.52.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
133.211.185.52.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
240.221.184.93.in-addr.arpa
-
75 B 315 B 1 1
DNS Request
chromewebstore.googleapis.com
DNS Response
142.250.178.10172.217.16.234142.250.200.42216.58.212.202142.250.187.234216.58.204.74142.250.179.234216.58.201.106216.58.212.234172.217.169.42142.250.200.10172.217.169.74142.250.180.10216.58.213.10142.250.187.202
-
75 B 132 B 1 1
DNS Request
chromewebstore.googleapis.com
-
73 B 112 B 1 1
DNS Request
10.178.250.142.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
208.143.182.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.2MB
MD539483496950b1a7bbd28617e6006efeb
SHA1d922c857874fd52067791397128e62267cd0cd56
SHA2569e711f696ed3c36e8333a62b6cb8184a715d3a9ce2ff61b60bcd547ce550bf3a
SHA5126443f9a2956b3600aae04c862cf2e070435fe44d6df853cfaa213d097322bcbaffb83af7451d035bd674d72670ff377c46572822f68f61bac78d7f49467df8e2