Analysis
- max time kernel: 129s
- max time network: 133s
- platform: windows7_x64
- resource: win7-20220901-en
- submitted: 11/09/2022, 06:47 UTC
Static task: static1
Behavioral task: behavioral1
- Sample: d311d95c1cbae9b5a21e2c52995a2ae6.exe
- Resource: win7-20220901-en
- 2 signatures
- 150 seconds
General
- Target: d311d95c1cbae9b5a21e2c52995a2ae6.exe
- Size: 375KB
- MD5: d311d95c1cbae9b5a21e2c52995a2ae6
- SHA1: e6334f2bd1a4fc2926acff2888abb6835605ce70
- SHA256: 33736e8940993c97705403cdbef1ceacb862b4a2fd126cd99b58718b937a9362
- SHA512: abe975a92068a9a77f9e0bff43bc12d66f330e2ae92edc45abc1367168c61477cf6fcba1368e20467576f473aca7d09ad14c97d3417b557f26fb79221a4bcf24
- SSDEEP: 6144:HhtAlyCzt2Lmi0WCQD4erl+IPNqh/cDluYEBKTm46X0V77AoHuASdOX:HhtAPMmi0WCqvrl+IlNl/EkTmfEVdsOX
Malware Config
Extracted
- Family: vidar
- Version: 54.2
- Botnet: 1438
- C2:
  https://t.me/tigogames
  https://ioc.exchange/@tiagoa26
- Attributes:
  profile_id: 1438
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 1200 set thread context of 832
  pid: 1200
  Process: d311d95c1cbae9b5a21e2c52995a2ae6.exe
  procid_target: 28
- Suspicious use of WriteProcessMemory (9 IoCs, all nine rows identical)
  description: PID 1200 wrote to memory of 832
  pid: 1200
  Process: d311d95c1cbae9b5a21e2c52995a2ae6.exe
  procid_target: 28
Processes
- C:\Users\Admin\AppData\Local\Temp\d311d95c1cbae9b5a21e2c52995a2ae6.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d311d95c1cbae9b5a21e2c52995a2ae6.exe"
  PID: 1200
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (level 2, child of PID 1200)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    PID: 832
Network
- Remote address: 8.8.8.8:53
  Request: t.me IN A
  Response: t.me IN A 149.154.167.99
- Remote address: 8.8.8.8:53
  Request: ioc.exchange IN A
  Response: ioc.exchange IN A 45.79.113.18
- Remote address: 8.8.8.8:53
  Request: ioc.exchange IN A
  Response: ioc.exchange IN A 45.79.113.18
- Remote address: 45.79.113.18:443
Request:
GET /@tiagoa26 HTTP/1.1
Host: ioc.exchange
Response:
HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Server: Mastodon
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Permissions-Policy: interest-cohort=()
Cache-Control: max-age=180, public
Vary: Accept-Encoding, Origin
Content-Security-Policy: base-uri 'none'; default-src 'none'; frame-ancestors 'none'; font-src 'self' https://ioc.exchange; img-src 'self' https: data: blob: https://ioc.exchange; style-src 'self' https://ioc.exchange 'nonce-8gqSD2F83Vb0xKH1NjPMhQ=='; media-src 'self' https: data: https://ioc.exchange; frame-src 'self' https:; manifest-src 'self' https://ioc.exchange; connect-src 'self' data: blob: https://ioc.exchange https://files.ioc.exchange wss://ioc.exchange; script-src 'self' https://ioc.exchange; child-src 'self' blob: https://ioc.exchange; worker-src 'self' blob: https://ioc.exchange
Set-Cookie: _mastodon_session=jFUQzjRlkNqBkEJZt3gR6jzp8EP47KegAYv4%2FTTv6tTqBBUCYEZMxb%2Bg9LeqObTUiut10y8zjm4eH%2Ft0Ju337rM1KDrfd5xUoiP8qFtW%2BMXz5Fd%2BTQYhhFgGuHYq4Z6tJiQ01cFKt7n2I8TrQ3almfjuq0tq3OeKD1zNOAW52KOOHD91jXvAADjj9FMztJw%2FNplHE3FouOMASC9In5w5XRo5PBSCM81HG4MPOPw%2FGiaV--n83Zgxr304%2BYYamn--mioCaAhHDxzkRt4HVEBhQQ%3D%3D; path=/; HttpOnly; SameSite=Lax; secure
X-Request-Id: f3e7c538-3a35-4997-8a51-b3fab3376d44
X-Runtime: 0.017405
Strict-Transport-Security: max-age=63072000; includeSubDomains
- Remote address: 8.8.8.8:53
  Request: apps.identrust.com IN A
  Response:
  apps.identrust.com IN CNAME identrust.edgesuite.net
  identrust.edgesuite.net IN CNAME a1952.dscq.akamai.net
  a1952.dscq.akamai.net IN A 96.16.53.134
  a1952.dscq.akamai.net IN A 96.16.53.139
- Remote address: 96.16.53.134:80
Request:
GET /roots/dstrootcax3.p7c HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: apps.identrust.com
Response:
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=15768000
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self' *.identrust.com
Last-Modified: Mon, 20 Jun 2022 20:24:00 GMT
ETag: "37d-5e1e6e25c9800"
Accept-Ranges: bytes
Content-Length: 893
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Type: application/pkcs7-mime
Cache-Control: max-age=3600
Expires: Sun, 11 Sep 2022 07:47:16 GMT
Date: Sun, 11 Sep 2022 06:47:16 GMT
Connection: keep-alive
- Remote address: 45.79.113.18:443
Request:
GET /@tiagoa26 HTTP/1.1
Host: ioc.exchange
Cookie: _mastodon_session=jFUQzjRlkNqBkEJZt3gR6jzp8EP47KegAYv4%2FTTv6tTqBBUCYEZMxb%2Bg9LeqObTUiut10y8zjm4eH%2Ft0Ju337rM1KDrfd5xUoiP8qFtW%2BMXz5Fd%2BTQYhhFgGuHYq4Z6tJiQ01cFKt7n2I8TrQ3almfjuq0tq3OeKD1zNOAW52KOOHD91jXvAADjj9FMztJw%2FNplHE3FouOMASC9In5w5XRo5PBSCM81HG4MPOPw%2FGiaV--n83Zgxr304%2BYYamn--mioCaAhHDxzkRt4HVEBhQQ%3D%3D
Response:
HTTP/1.1 403 Forbidden
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Server: Mastodon
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Permissions-Policy: interest-cohort=()
Cache-Control: max-age=180, public
Vary: Accept-Encoding, Origin
Content-Security-Policy: base-uri 'none'; default-src 'none'; frame-ancestors 'none'; font-src 'self' https://ioc.exchange; img-src 'self' https: data: blob: https://ioc.exchange; style-src 'self' https://ioc.exchange 'nonce-0EUEagqiKTh4UwIOeD2TQQ=='; media-src 'self' https: data: https://ioc.exchange; frame-src 'self' https:; manifest-src 'self' https://ioc.exchange; connect-src 'self' data: blob: https://ioc.exchange https://files.ioc.exchange wss://ioc.exchange; script-src 'self' https://ioc.exchange; child-src 'self' blob: https://ioc.exchange; worker-src 'self' blob: https://ioc.exchange
Set-Cookie: _mastodon_session=1ARKwSnmt90Wsy8LrX2PQu7t3gV9%2FojPRctrBXd9lgIiHEJV%2B30TvqA83%2FKodtDKeijmhTpxbCzBHzIjMx6nM8TbSTi8ZAc7J0NgXmkaMlk11tQzyRU%2FNZJqC187DfzcvhOGWhXXesRSADyU%2B9vgXaXPtrbD2z75CPJkyd4%2F5GYx0SWIUjMsYoKCikuH443UvmmaeM5GHPm%2F3XDmtjLyLUbAWOPGNuvDRc92D2fTw%2FVc--D6kbwhidbVl2aEuk--vQRYhSqMCGA0VpeLmgZf1A%3D%3D; path=/; HttpOnly; SameSite=Lax; secure
X-Request-Id: 09c95e90-352c-48b6-8eb7-f07c685525c2
X-Runtime: 0.014338
Strict-Transport-Security: max-age=63072000; includeSubDomains
Flows (bytes sent / bytes received / packets sent / packets received)
- 385 B / 219 B / 5 / 5
- 347 B / 219 B / 5 / 5
- 288 B / 219 B / 5 / 5
- 190 B / 92 B / 4 / 2
- 924 B / 8.0kB / 11 / 15
  HTTP Request: GET https://ioc.exchange/@tiagoa26
  HTTP Response: 403
- 369 B / 1.6kB / 5 / 4
  HTTP Request: GET http://apps.identrust.com/roots/dstrootcax3.p7c
  HTTP Response: 200
- 385 B / 219 B / 5 / 5
- 347 B / 219 B / 5 / 5
- 288 B / 219 B / 5 / 5
- 190 B / 92 B / 4 / 2
- 1.0kB / 3.3kB / 7 / 9
  HTTP Request: GET https://ioc.exchange/@tiagoa26
  HTTP Response: 403
- 50 B / 66 B / 1 / 1
  DNS Request: t.me
  DNS Response: 149.154.167.99
- 116 B / 148 B / 2 / 2
  DNS Request: ioc.exchange
  DNS Request: ioc.exchange
  DNS Response: 45.79.113.18
  DNS Response: 45.79.113.18
- 64 B / 165 B / 1 / 1
  DNS Request: apps.identrust.com
  DNS Response: 96.16.53.134
  DNS Response: 96.16.53.139