Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

9e711f696e...3a.exe

windows7-x64

10

9e711f696e...3a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/06/2024, 01:48 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9e711f696ed3c36e8333a62b6cb8184a715d3a9ce2ff61b60bcd547ce550bf3a.exe

  • Size

    4.2MB

  • MD5

    39483496950b1a7bbd28617e6006efeb

  • SHA1

    d922c857874fd52067791397128e62267cd0cd56

  • SHA256

    9e711f696ed3c36e8333a62b6cb8184a715d3a9ce2ff61b60bcd547ce550bf3a

  • SHA512

    6443f9a2956b3600aae04c862cf2e070435fe44d6df853cfaa213d097322bcbaffb83af7451d035bd674d72670ff377c46572822f68f61bac78d7f49467df8e2

  • SSDEEP

    98304:/j+Am4UGrNsnH/vmbOPRYc43/8ToqX2yV4DyWQOEK5AUvpA3IktHhjWi3Ec:JUGrNsnHGb6T43/8Mu2rTkKiUheIejW4

Score
10/10
privateloaderriseproevasionloaderpersistencestealerthemidatrojan

Malware Config

Extracted

Family

risepro

C2

5.42.66.10

191.101.209.39

Signatures

  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    loaderprivateloader
  • RisePro

    RisePro stealer is an infostealer distributed by PrivateLoader.

    stealerrisepro
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 1 IoCs
  • Themida packer 13 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9e711f696ed3c36e8333a62b6cb8184a715d3a9ce2ff61b60bcd547ce550bf3a.exe
    "C:\Users\Admin\AppData\Local\Temp\9e711f696ed3c36e8333a62b6cb8184a715d3a9ce2ff61b60bcd547ce550bf3a.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Drops startup file
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4404
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:3284
    • C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:4352
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3612 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:3856

    Network

    • flag-us
      DNS
      164.189.21.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      164.189.21.2.in-addr.arpa
      IN PTR
      Response
      164.189.21.2.in-addr.arpa
      IN PTR
      a2-21-189-164deploystaticakamaitechnologiescom
    • flag-us
      DNS
      10.66.42.5.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      10.66.42.5.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      209.205.72.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      209.205.72.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      209.205.72.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      209.205.72.20.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      86.23.85.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      86.23.85.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      15.164.165.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      15.164.165.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      92.12.20.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      92.12.20.2.in-addr.arpa
      IN PTR
      Response
      92.12.20.2.in-addr.arpa
      IN PTR
      a2-20-12-92deploystaticakamaitechnologiescom
    • flag-us
      DNS
      71.31.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      71.31.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      183.142.211.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      183.142.211.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      21.236.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      21.236.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      133.211.185.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      133.211.185.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      240.221.184.93.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      240.221.184.93.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      chromewebstore.googleapis.com
      Remote address:
      8.8.8.8:53
      Request
      chromewebstore.googleapis.com
      IN A
      Response
      chromewebstore.googleapis.com
      IN A
      142.250.178.10
      chromewebstore.googleapis.com
      IN A
      172.217.16.234
      chromewebstore.googleapis.com
      IN A
      142.250.200.42
      chromewebstore.googleapis.com
      IN A
      216.58.212.202
      chromewebstore.googleapis.com
      IN A
      142.250.187.234
      chromewebstore.googleapis.com
      IN A
      216.58.204.74
      chromewebstore.googleapis.com
      IN A
      142.250.179.234
      chromewebstore.googleapis.com
      IN A
      216.58.201.106
      chromewebstore.googleapis.com
      IN A
      216.58.212.234
      chromewebstore.googleapis.com
      IN A
      172.217.169.42
      chromewebstore.googleapis.com
      IN A
      142.250.200.10
      chromewebstore.googleapis.com
      IN A
      172.217.169.74
      chromewebstore.googleapis.com
      IN A
      142.250.180.10
      chromewebstore.googleapis.com
      IN A
      216.58.213.10
      chromewebstore.googleapis.com
      IN A
      142.250.187.202
    • flag-us
      DNS
      chromewebstore.googleapis.com
      Remote address:
      8.8.8.8:53
      Request
      chromewebstore.googleapis.com
      IN Unknown
      Response
    • flag-us
      DNS
      10.178.250.142.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      10.178.250.142.in-addr.arpa
      IN PTR
      Response
      10.178.250.142.in-addr.arpa
      IN PTR
      lhr48s27-in-f101e100net
    • flag-us
      DNS
      208.143.182.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      208.143.182.52.in-addr.arpa
      IN PTR
      Response
    • 96.16.110.114:80
      260 B
       5
    • 5.42.66.10:50505
      9e711f696ed3c36e8333a62b6cb8184a715d3a9ce2ff61b60bcd547ce550bf3a.exe
      542 B
       414 B
       11
      6
    • 13.107.253.64:443
      46 B
       40 B
       1
      1
    • 142.250.178.10:443
      chromewebstore.googleapis.com
      tls
      1.9kB
       7.7kB
       15
      16
    • 8.8.8.8:53
      164.189.21.2.in-addr.arpa
      dns
      71 B
       135 B
       1
      1

      DNS Request

      164.189.21.2.in-addr.arpa

    • 8.8.8.8:53
      10.66.42.5.in-addr.arpa
      dns
      69 B
       129 B
       1
      1

      DNS Request

      10.66.42.5.in-addr.arpa

    • 8.8.8.8:53
      209.205.72.20.in-addr.arpa
      dns
      144 B
       158 B
       2
      1

      DNS Request

      209.205.72.20.in-addr.arpa

      DNS Request

      209.205.72.20.in-addr.arpa

    • 8.8.8.8:53
      172.210.232.199.in-addr.arpa
      dns
      74 B
       128 B
       1
      1

      DNS Request

      172.210.232.199.in-addr.arpa

    • 8.8.8.8:53
      86.23.85.13.in-addr.arpa
      dns
      70 B
       144 B
       1
      1

      DNS Request

      86.23.85.13.in-addr.arpa

    • 8.8.8.8:53
      15.164.165.52.in-addr.arpa
      dns
      72 B
       146 B
       1
      1

      DNS Request

      15.164.165.52.in-addr.arpa

    • 8.8.8.8:53
      92.12.20.2.in-addr.arpa
      dns
      69 B
       131 B
       1
      1

      DNS Request

      92.12.20.2.in-addr.arpa

    • 8.8.8.8:53
      71.31.126.40.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      71.31.126.40.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
       144 B
       1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      183.142.211.20.in-addr.arpa
      dns
      73 B
       159 B
       1
      1

      DNS Request

      183.142.211.20.in-addr.arpa

    • 8.8.8.8:53
      21.236.111.52.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      21.236.111.52.in-addr.arpa

    • 8.8.8.8:53
      133.211.185.52.in-addr.arpa
      dns
      73 B
       147 B
       1
      1

      DNS Request

      133.211.185.52.in-addr.arpa

    • 8.8.8.8:53
      240.221.184.93.in-addr.arpa
      dns
      73 B
       144 B
       1
      1

      DNS Request

      240.221.184.93.in-addr.arpa

    • 8.8.8.8:53
      chromewebstore.googleapis.com
      dns
      75 B
       315 B
       1
      1

      DNS Request

      chromewebstore.googleapis.com

      DNS Response

      142.250.178.10
      172.217.16.234
      142.250.200.42
      216.58.212.202
      142.250.187.234
      216.58.204.74
      142.250.179.234
      216.58.201.106
      216.58.212.234
      172.217.169.42
      142.250.200.10
      172.217.169.74
      142.250.180.10
      216.58.213.10
      142.250.187.202

    • 8.8.8.8:53
      chromewebstore.googleapis.com
      dns
      75 B
       132 B
       1
      1

      DNS Request

      chromewebstore.googleapis.com

    • 8.8.8.8:53
      10.178.250.142.in-addr.arpa
      dns
      73 B
       112 B
       1
      1

      DNS Request

      10.178.250.142.in-addr.arpa

    • 8.8.8.8:53
      208.143.182.52.in-addr.arpa
      dns
      73 B
       147 B
       1
      1

      DNS Request

      208.143.182.52.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\WinTrackerSP\WinTrackerSP.exe
      Filesize

      4.2MB

      MD5

      39483496950b1a7bbd28617e6006efeb

      SHA1

      d922c857874fd52067791397128e62267cd0cd56

      SHA256

      9e711f696ed3c36e8333a62b6cb8184a715d3a9ce2ff61b60bcd547ce550bf3a

      SHA512

      6443f9a2956b3600aae04c862cf2e070435fe44d6df853cfaa213d097322bcbaffb83af7451d035bd674d72670ff377c46572822f68f61bac78d7f49467df8e2

      Download Submit

    • memory/4404-12-0x0000000000740000-0x00000000012FA000-memory.dmp

      Filesize

      11.7MB

      Download

    • memory/4404-7-0x0000000000740000-0x00000000012FA000-memory.dmp

      Filesize

      11.7MB

      Download

    • memory/4404-3-0x0000000076F10000-0x0000000077000000-memory.dmp

      Filesize

      960KB

      Download

    • memory/4404-4-0x0000000076F10000-0x0000000077000000-memory.dmp

      Filesize

      960KB

      Download

    • memory/4404-5-0x0000000076F10000-0x0000000077000000-memory.dmp

      Filesize

      960KB

      Download

    • memory/4404-6-0x0000000076F10000-0x0000000077000000-memory.dmp

      Filesize

      960KB

      Download

    • memory/4404-0-0x0000000000740000-0x00000000012FA000-memory.dmp

      Filesize

      11.7MB

      Download

    • memory/4404-8-0x0000000076F10000-0x0000000077000000-memory.dmp

      Filesize

      960KB

      Download

    • memory/4404-9-0x0000000000740000-0x00000000012FA000-memory.dmp

      Filesize

      11.7MB

      Download

    • memory/4404-11-0x0000000000740000-0x00000000012FA000-memory.dmp

      Filesize

      11.7MB

      Download

    • memory/4404-2-0x0000000076F30000-0x0000000076F31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4404-10-0x0000000000740000-0x00000000012FA000-memory.dmp

      Filesize

      11.7MB

      Download

    • memory/4404-1-0x0000000000740000-0x00000000012FA000-memory.dmp

      Filesize

      11.7MB

      Download

    • memory/4404-14-0x0000000000740000-0x00000000012FA000-memory.dmp

      Filesize

      11.7MB

      Download

    • memory/4404-17-0x0000000000740000-0x00000000012FA000-memory.dmp

      Filesize

      11.7MB

      Download

    • memory/4404-19-0x0000000000740000-0x00000000012FA000-memory.dmp

      Filesize

      11.7MB

      Download

    • memory/4404-13-0x0000000000740000-0x00000000012FA000-memory.dmp

      Filesize

      11.7MB

      Download

    • memory/4404-23-0x0000000076F30000-0x0000000076F31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4404-24-0x0000000076F10000-0x0000000077000000-memory.dmp

      Filesize

      960KB

      Download

    • memory/4404-26-0x0000000076F10000-0x0000000077000000-memory.dmp

      Filesize

      960KB

      Download

    • memory/4404-27-0x0000000076F10000-0x0000000077000000-memory.dmp

      Filesize

      960KB

      Download

    • memory/4404-29-0x0000000076F10000-0x0000000077000000-memory.dmp

      Filesize

      960KB

      Download

    • memory/4404-28-0x0000000000740000-0x00000000012FA000-memory.dmp

      Filesize

      11.7MB

      Download

    • memory/4404-30-0x0000000076F10000-0x0000000077000000-memory.dmp

      Filesize

      960KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.