Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
11/07/2024, 05:43
240711-gej4lstgrf 1006/09/2021, 14:13
210906-rjpvrsedbm 1008/07/2021, 11:08
210708-4gztl3mwl6 1008/07/2021, 08:02
210708-klfb4qeda6 1007/07/2021, 09:39
210707-nem57xyvf2 1006/07/2021, 17:51
210706-7pcrmjy3fa 1006/07/2021, 13:45
210706-eybelwcq86 10Analysis
-
max time kernel
13s -
max time network
335s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
07/07/2021, 09:39
Errors
Reason
Remote task has failed: Machine shutdown
General
-
Target
setup_x86_x64_install - копия (16).exe
-
Size
3.2MB
-
MD5
3ae1c212119919e5fce71247286f8e0e
-
SHA1
97c1890ab73c539056f95eafede319df774e9d38
-
SHA256
30c2f230e5401b4b1ea8fb425dadf4e453575884303b9fa2066e6a91859f016e
-
SHA512
5bb28a775c10b8b68b8c448d64287ca732d0af5577ecc4348a89934358440bb4ff6958115f14ecbabb0446d234d6f621afa3419daa4aec6c03c0af9b6a3b1558
Score
10/10
Malware Config
Extracted
Family
vidar
Version
39.4
Botnet
706
C2
https://sergeevih43.tumblr.com
Attributes
-
profile_id
706
Extracted
Family
redline
Botnet
ServAni
C2
87.251.71.195:82
Extracted
Family
smokeloader
Version
2020
C2
http://ppcspb.com/upload/
http://mebbing.com/upload/
http://twcamel.com/upload/
http://howdycash.com/upload/
http://lahuertasonora.com/upload/
http://kpotiques.com/upload/
rc4.i32
rc4.i32
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 8 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar Stealer 2 IoCs
-
ASPack v2.12-2.42 14 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Downloads MZ/PE file
-
Executes dropped EXE 8 IoCs
-
Loads dropped DLL 34 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install - копия (16).exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install - копия (16).exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCC611735\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zSCC611735\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_1.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zSCC611735\arnatic_1.exearnatic_1.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 9646⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_2.exe4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zSCC611735\arnatic_2.exearnatic_2.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_3.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zSCC611735\arnatic_3.exearnatic_3.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\rUNdlL32.eXe"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_4.exe4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_6.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zSCC611735\arnatic_6.exearnatic_6.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\Documents\8rHAHPg0RZSho2Wfl39tMlwd.exe"C:\Users\Admin\Documents\8rHAHPg0RZSho2Wfl39tMlwd.exe"6⤵
-
C:\Users\Admin\Documents\8rHAHPg0RZSho2Wfl39tMlwd.exeC:\Users\Admin\Documents\8rHAHPg0RZSho2Wfl39tMlwd.exe7⤵
-
-
-
C:\Users\Admin\Documents\ANwcoAjqlvyd0C_rNknMgzAz.exe"C:\Users\Admin\Documents\ANwcoAjqlvyd0C_rNknMgzAz.exe"6⤵
-
C:\Users\Admin\Documents\ANwcoAjqlvyd0C_rNknMgzAz.exeC:\Users\Admin\Documents\ANwcoAjqlvyd0C_rNknMgzAz.exe7⤵
-
-
-
C:\Users\Admin\Documents\EzuEXS8dApB3BE6Hc9FiRIij.exe"C:\Users\Admin\Documents\EzuEXS8dApB3BE6Hc9FiRIij.exe"6⤵
-
-
C:\Users\Admin\Documents\uoLOl1_DPUSYcPJYVctdRbDj.exe"C:\Users\Admin\Documents\uoLOl1_DPUSYcPJYVctdRbDj.exe"6⤵
-
C:\Program Files (x86)\Company\NewProduct\file4.exe"C:\Program Files (x86)\Company\NewProduct\file4.exe"7⤵
-
-
C:\Program Files (x86)\Company\NewProduct\jooyu.exe"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"7⤵
-
C:\Program Files (x86)\Company\NewProduct\jooyu.exe"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"8⤵
-
-
-
C:\Program Files (x86)\Company\NewProduct\jingzhang.exe"C:\Program Files (x86)\Company\NewProduct\jingzhang.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\jingzhang.exe"C:\Users\Admin\AppData\Local\Temp\jingzhang.exe" end8⤵
-
-
-
-
C:\Users\Admin\Documents\tELAXCDhYWTYngRcwTH3uhCt.exe"C:\Users\Admin\Documents\tELAXCDhYWTYngRcwTH3uhCt.exe"6⤵
-
-
C:\Users\Admin\Documents\FmrxAUD7PaWX0TD8pqNfEA_x.exe"C:\Users\Admin\Documents\FmrxAUD7PaWX0TD8pqNfEA_x.exe"6⤵
-
-
C:\Users\Admin\Documents\6C8NDRa8ZWASrOlnlvknaTUg.exe"C:\Users\Admin\Documents\6C8NDRa8ZWASrOlnlvknaTUg.exe"6⤵
-
-
C:\Users\Admin\Documents\xaVcIaLMcKnT2dO7G3NwYmcG.exe"C:\Users\Admin\Documents\xaVcIaLMcKnT2dO7G3NwYmcG.exe"6⤵
-
C:\Users\Admin\Documents\xaVcIaLMcKnT2dO7G3NwYmcG.exeC:\Users\Admin\Documents\xaVcIaLMcKnT2dO7G3NwYmcG.exe7⤵
-
-
-
C:\Users\Admin\Documents\QnAbSgUdfbQUZeTig9XKpwMC.exe"C:\Users\Admin\Documents\QnAbSgUdfbQUZeTig9XKpwMC.exe"6⤵
-
C:\Users\Admin\Documents\QnAbSgUdfbQUZeTig9XKpwMC.exe"C:\Users\Admin\Documents\QnAbSgUdfbQUZeTig9XKpwMC.exe"7⤵
-
-
-
C:\Users\Admin\Documents\nPx9XUpu4wfDkQ84NXgdjCjP.exe"C:\Users\Admin\Documents\nPx9XUpu4wfDkQ84NXgdjCjP.exe"6⤵
-
-
C:\Users\Admin\Documents\dG_gnxlGwCE37YtnuZUL_NnV.exe"C:\Users\Admin\Documents\dG_gnxlGwCE37YtnuZUL_NnV.exe"6⤵
-
C:\Users\Admin\Documents\dG_gnxlGwCE37YtnuZUL_NnV.exeC:\Users\Admin\Documents\dG_gnxlGwCE37YtnuZUL_NnV.exe7⤵
-
-
C:\Users\Admin\Documents\dG_gnxlGwCE37YtnuZUL_NnV.exeC:\Users\Admin\Documents\dG_gnxlGwCE37YtnuZUL_NnV.exe7⤵
-
-
C:\Users\Admin\Documents\dG_gnxlGwCE37YtnuZUL_NnV.exeC:\Users\Admin\Documents\dG_gnxlGwCE37YtnuZUL_NnV.exe7⤵
-
-
-
C:\Users\Admin\Documents\6JdRrULdl615P4V6dWqSKsZG.exe"C:\Users\Admin\Documents\6JdRrULdl615P4V6dWqSKsZG.exe"6⤵
-
C:\Users\Admin\Documents\6JdRrULdl615P4V6dWqSKsZG.exeC:\Users\Admin\Documents\6JdRrULdl615P4V6dWqSKsZG.exe7⤵
-
-
-
C:\Users\Admin\Documents\6PQ7smpL4Jpu3HZ4SezCuRQD.exe"C:\Users\Admin\Documents\6PQ7smpL4Jpu3HZ4SezCuRQD.exe"6⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --hold https://ezsearch.ru7⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6574f50,0x7fef6574f60,0x7fef6574f708⤵
-
-
-
-
C:\Users\Admin\Documents\YpljaBR9fxsT2L_garcTGle0.exe"C:\Users\Admin\Documents\YpljaBR9fxsT2L_garcTGle0.exe"6⤵
-
-
C:\Users\Admin\Documents\BXAGJ5fYenXzHBXFbPxj_xJT.exe"C:\Users\Admin\Documents\BXAGJ5fYenXzHBXFbPxj_xJT.exe"6⤵
-
-
C:\Users\Admin\Documents\DTXymH9Dym3rQUFvOEQ3b1Qn.exe"C:\Users\Admin\Documents\DTXymH9Dym3rQUFvOEQ3b1Qn.exe"6⤵
-
C:\Program Files (x86)\Browzar\MrGh6bEH0L0a.exe"C:\Program Files (x86)\Browzar\MrGh6bEH0L0a.exe"7⤵
-
C:\Program Files (x86)\Browzar\MrGh6bEH0L0a.exe"C:\Program Files (x86)\Browzar\MrGh6bEH0L0a.exe"8⤵
-
-
C:\Program Files (x86)\Browzar\MrGh6bEH0L0a.exe"C:\Program Files (x86)\Browzar\MrGh6bEH0L0a.exe"8⤵
-
-
C:\Program Files (x86)\Browzar\MrGh6bEH0L0a.exe"C:\Program Files (x86)\Browzar\MrGh6bEH0L0a.exe"8⤵
-
-
-
C:\Program Files (x86)\Browzar\Browzar.exe"C:\Program Files (x86)\Browzar\Browzar.exe"7⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_7.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zSCC611735\arnatic_7.exearnatic_7.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zSCC611735\arnatic_7.exeC:\Users\Admin\AppData\Local\Temp\7zSCC611735\arnatic_7.exe6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c arnatic_5.exe4⤵
- Loads dropped DLL
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zSCC611735\arnatic_5.exearnatic_5.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\6288597.exe"C:\Users\Admin\AppData\Roaming\6288597.exe"2⤵
-
-
C:\Users\Admin\AppData\Roaming\4229161.exe"C:\Users\Admin\AppData\Roaming\4229161.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\7325701.exe"C:\Users\Admin\AppData\Roaming\7325701.exe"2⤵
-
-
C:\Users\Admin\AppData\Roaming\2614852.exe"C:\Users\Admin\AppData\Roaming\2614852.exe"2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {893BAD95-1048-42B1-A2D2-E55D965A7A8A} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]1⤵
-
C:\Users\Admin\AppData\Roaming\vcbgjguC:\Users\Admin\AppData\Roaming\vcbgjgu2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\EC33.exeC:\Users\Admin\AppData\Local\Temp\EC33.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\EC33.exeC:\Users\Admin\AppData\Local\Temp\EC33.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\22ED.exeC:\Users\Admin\AppData\Local\Temp\22ED.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\24A2.exeC:\Users\Admin\AppData\Local\Temp\24A2.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
56KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
304KB
-
Filesize
452KB
-
Filesize
1.1MB
-
Filesize
1.5MB
-
Filesize
572KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
152KB
-
Filesize
100KB
-
Filesize
572KB
-
Filesize
1.5MB
-
Filesize
152KB
-
Filesize
1.1MB
-
Filesize
88KB
-
Filesize
8KB
-
Filesize
120KB
-
Filesize
252KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.0MB
-
Filesize
36KB
-
Filesize
372KB
-
Filesize
1.0MB
-
Filesize
4KB
-
Filesize
628KB
-
Filesize
5.3MB
-
Filesize
4KB
-
Filesize
108KB
-
Filesize
452KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
124KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
196KB
-
Filesize
4KB
-
Filesize
204KB
-
Filesize
4KB