Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
170s -
max time network
268s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
06/11/2022, 22:39
Static task
static1
Behavioral task
behavioral1
Sample
CA3 FreeSetupFileV02 - Pa$$word 2022/SetUP.exe
Resource
win7-20220812-en
4 signatures
150 seconds
General
-
Target
CA3 FreeSetupFileV02 - Pa$$word 2022/SetUP.exe
-
Size
918.4MB
-
MD5
a488674798590aed684cdc8c2fdd16ff
-
SHA1
aae82c45080a258098cfa0fa66036c9dbbfac127
-
SHA256
c1d4d437ff34ec90c2511201a6ad6565c5ce07243fcd58b03984a49e3828229a
-
SHA512
6a8aa6d4a14219adcd4b67c05b3a5a49fe2ab26109cd68033fd6b413d459346bed4af91d657401e5d0d598b927312f491f2ddf262196e83f6be88df83b5a5c0f
-
SSDEEP
98304:49aDr969NYW68s8FXbRMZoQV9/l82s5jzpDC/YC5v3nN0M86HKAQYKIIQRbtjnIK:VDr94qBlB/kdvau7F
Malware Config
Extracted
Family
vidar
Version
55.3
Botnet
1707
C2
https://t.me/slivetalks
https://c.im/@xinibin420
Attributes
-
profile_id
1707
Signatures
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1096 set thread context of 1736 1096 SetUP.exe 28 -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 SetUP.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 SetUP.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 1096 wrote to memory of 1736 1096 SetUP.exe 28 PID 1096 wrote to memory of 1736 1096 SetUP.exe 28 PID 1096 wrote to memory of 1736 1096 SetUP.exe 28 PID 1096 wrote to memory of 1736 1096 SetUP.exe 28 PID 1096 wrote to memory of 1736 1096 SetUP.exe 28 PID 1096 wrote to memory of 1736 1096 SetUP.exe 28 PID 1096 wrote to memory of 1736 1096 SetUP.exe 28 PID 1096 wrote to memory of 1736 1096 SetUP.exe 28 PID 1096 wrote to memory of 1736 1096 SetUP.exe 28 PID 1096 wrote to memory of 1736 1096 SetUP.exe 28 PID 1096 wrote to memory of 1736 1096 SetUP.exe 28 PID 1096 wrote to memory of 1736 1096 SetUP.exe 28 PID 1096 wrote to memory of 1736 1096 SetUP.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\CA3 FreeSetupFileV02 - Pa$$word 2022\SetUP.exe"C:\Users\Admin\AppData\Local\Temp\CA3 FreeSetupFileV02 - Pa$$word 2022\SetUP.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Users\Admin\AppData\Local\Temp\CA3 FreeSetupFileV02 - Pa$$word 2022\SetUP.exe"C:\Users\Admin\AppData\Local\Temp\CA3 FreeSetupFileV02 - Pa$$word 2022\SetUP.exe"2⤵
- Modifies system certificate store
PID:1736
-