Resubmissions

02/12/2022, 04:06

221202-en6ymacb27 10

29/11/2022, 08:17

221129-j625lsbf28 10

28/11/2022, 08:49

221128-krf49sah64 10

24/11/2022, 09:42

221124-lpgtfshe6t 10

Analysis

  • max time kernel
    279s
  • max time network
    307s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/11/2022, 08:49

General

  • Target

    Complete_Pass_1234_Active_Ze2.rar

  • Size

    5.9MB

  • MD5

    c87e04df8126ad203b0e308f50813300

  • SHA1

    7b75cfd2b2a9bb9e2a13bc3b0059ef6020852b49

  • SHA256

    25973e904b1bcfe98a83e2b20e801b8e0781889bc61e238df4066ad7944a2829

  • SHA512

    4ab59609eeab13a0a5868b394c1384cae082bc1ad80834406a16afc7b78a08c71d9cf135db66fe06ba8190911d93a367a9f725be4135e2e9a5c508c4ea1d585f

  • SSDEEP

    98304:isFSJq3U7FPJEVjmLGRD8whMjx2ho4O6ONhw8UBwsOzUOcMWraZ6Vz1Ku43jqrAN:9AJqYPJEVjmu2Z6EwjBw7aMge6SNjqri

Malware Config

Extracted

Family

vidar

Version

55.8

Botnet

1364

C2

https://t.me/headshotsonly

https://steamcommunity.com/profiles/76561199436777531

Attributes
  • profile_id

    1364

Signatures

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Complete_Pass_1234_Active_Ze2.rar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1736
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Complete_Pass_1234_Active_Ze2.rar
      2⤵
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1772
      • C:\Program Files\7-Zip\7zFM.exe
        "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Complete_Pass_1234_Active_Ze2.rar"
        3⤵
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:972
        • C:\Users\Admin\AppData\Local\Temp\7zOCC32451E\Setup.exe
          "C:\Users\Admin\AppData\Local\Temp\7zOCC32451E\Setup.exe"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Executes dropped EXE
          • Checks BIOS information in registry
          • Loads dropped DLL
          • Checks whether UAC is enabled
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Checks processor information in registry
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:316
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zOCC32451E\Setup.exe" & exit
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1092
            • C:\Windows\SysWOW64\timeout.exe
              timeout /t 6
              6⤵
              • Delays execution with timeout.exe
              PID:1756
  • C:\Users\Admin\Desktop\Setup.exe
    "C:\Users\Admin\Desktop\Setup.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Executes dropped EXE
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:1736

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\ProgramData\freebl3.dll

    Filesize

    669KB

    MD5

    550686c0ee48c386dfcb40199bd076ac

    SHA1

    ee5134da4d3efcb466081fb6197be5e12a5b22ab

    SHA256

    edd043f2005dbd5902fc421eabb9472a7266950c5cbaca34e2d590b17d12f5fa

    SHA512

    0b7f47af883b99f9fbdc08020446b58f2f3fa55292fd9bc78fc967dd35bdd8bd549802722de37668cc89ede61b20359190efbfdf026ae2bdc854f4740a54649e

  • C:\ProgramData\mozglue.dll

    Filesize

    16KB

    MD5

    2b73a0fe3142beaf10a98609c951cf25

    SHA1

    825e831cbce8dc89ef6859c4bf2f497cb09cb397

    SHA256

    2cd81367cec5f8eb1ac3eeb048487667345ea1b974b6ccb003d777c499293cd0

    SHA512

    bdd332212c5014f43ebf28ebeb0f4a7021de3c8126b4e34dc9979aab6fdc5fe42c2d0b419bbf188719df537c8285fdbff541e3d3ada5c1d3fd953f3d057d0668

  • C:\ProgramData\msvcp140.dll

    Filesize

    439KB

    MD5

    5ff1fca37c466d6723ec67be93b51442

    SHA1

    34cc4e158092083b13d67d6d2bc9e57b798a303b

    SHA256

    5136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062

    SHA512

    4802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546

  • C:\ProgramData\nss3.dll

    Filesize

    2.0MB

    MD5

    1cc453cdf74f31e4d913ff9c10acdde2

    SHA1

    6e85eae544d6e965f15fa5c39700fa7202f3aafe

    SHA256

    ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

    SHA512

    dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

  • C:\ProgramData\softokn3.dll

    Filesize

    251KB

    MD5

    4e52d739c324db8225bd9ab2695f262f

    SHA1

    71c3da43dc5a0d2a1941e874a6d015a071783889

    SHA256

    74ebbac956e519e16923abdc5ab8912098a4f64e38ddcb2eae23969f306afe5a

    SHA512

    2d4168a69082a9192b9248f7331bd806c260478ff817567df54f997d7c3c7d640776131355401e4bdb9744e246c36d658cb24b18de67d8f23f10066e5fe445f6

  • C:\ProgramData\vcruntime140.dll

    Filesize

    78KB

    MD5

    a37ee36b536409056a86f50e67777dd7

    SHA1

    1cafa159292aa736fc595fc04e16325b27cd6750

    SHA256

    8934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825

    SHA512

    3a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

    Filesize

    471B

    MD5

    17c9251f8ba70b81b8125fe62663bb02

    SHA1

    a74b718f0b771124a67176bb1e555ad6bcc058b6

    SHA256

    d75593736a6343634236915b30de716349ab0bda14c8a6102e3b3fb06233f0bb

    SHA512

    c7d652f85dc0553a54528746f820511468b5e8b267e34941cc0bce40575b5f0d068965848ab1942dfc26402c1475f849f8b7e1b030211b7c2e7a10b46c2c7be2

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    c33af3ea7f03120cdabfe06b252e51c4

    SHA1

    fb31140c00eb8d69fcf60203a39bee89ce387be6

    SHA256

    e4719391700147abb7c3efd202baa694f9e9c54ee251d4a23d0417061b3fd9ec

    SHA512

    5f096660e6da3e438bed0aa52a8628fb9fb6a2aac7922aa92f8e984b305314c1e635f5ba634f02eae6ed6930c8a5bfc5dbc36940353520850f1df9f36806c7bd

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

    Filesize

    430B

    MD5

    a272b97f5a4a6933326e631b9746e195

    SHA1

    55f528bbdcba2371e816d5a05f5d985bd34f407b

    SHA256

    21eaee5a681115dc0ad342ca2a0322d2f90c47a131a6925d6aacb07ac48193f6

    SHA512

    4eb4fdc93e51bfffe63e0fa7e4f74e24f664f659ef2c5f56e0699b9b34f8e91e8cfb900acd0182fcdf5ff1ff2cb93b67bd06dda477c5f3b492382469674a19af

  • C:\Users\Admin\AppData\Local\Temp\7zOCC32451E\Setup.exe

    Filesize

    402.5MB

    MD5

    067d3c879130afc47174ba47b13e43ac

    SHA1

    7a904662e1b30d84ef00011d5b5fb41eda3d338e

    SHA256

    6f82b1cf599c76bc579116a448fc4140b73074593fde03ac4848b55e63486eaf

    SHA512

    663b0744020e5ef0e8e5f327e98471df6225153e2dadc02eb602461332d462cf1c00189c9179ccd4024b1138dd4cd984f2a43ab81ea4f2db889f9913c8fc34c8

  • C:\Users\Admin\Desktop\Setup.exe

    Filesize

    175.9MB

    MD5

    fdf1b169eda05b208591f5250dcafb22

    SHA1

    e08d679936ea4847809d626fd9cb0a367e361461

    SHA256

    7d074438e048dabe2aaa94554579b30603c4970c34b9054266ed487fb9d94232

    SHA512

    8b818482c44883d19e3c738dcbf54656a2a3f99e1540c39f0e11fb43a53b10d78ac354c93845a198f6b6851f984c5af2f94eb56ef5666533b198a7fbb491f1bd

  • C:\Users\Admin\Desktop\Setup.exe

    Filesize

    174.7MB

    MD5

    b0bd458c274af4eef22da507b498b0e0

    SHA1

    577c7e30b580a9d6bdad4ae39a0b4ef4416c3ba3

    SHA256

    4d17814725e52fc0b447bfe8c635e326927b513ecd48aeb762e74677cc95253a

    SHA512

    a01736ac16093c074babed63bc07d5f7a2311aead2541e9a0c50b86c734c531516b6c2cf5b15cf52bc99b1a35e2e67d66a5a5c1d323d25dbcb34d4c27b7accb0

  • \ProgramData\mozglue.dll

    Filesize

    593KB

    MD5

    c8fd9be83bc728cc04beffafc2907fe9

    SHA1

    95ab9f701e0024cedfbd312bcfe4e726744c4f2e

    SHA256

    ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

    SHA512

    fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

  • \ProgramData\nss3.dll

    Filesize

    2.0MB

    MD5

    1cc453cdf74f31e4d913ff9c10acdde2

    SHA1

    6e85eae544d6e965f15fa5c39700fa7202f3aafe

    SHA256

    ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

    SHA512

    dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

  • memory/316-92-0x0000000077380000-0x0000000077500000-memory.dmp

    Filesize

    1.5MB

  • memory/316-89-0x0000000000400000-0x0000000000E4E000-memory.dmp

    Filesize

    10.3MB

  • memory/316-98-0x0000000000400000-0x0000000000E4E000-memory.dmp

    Filesize

    10.3MB

  • memory/316-99-0x00000000516D0000-0x00000000517C3000-memory.dmp

    Filesize

    972KB

  • memory/316-96-0x0000000000400000-0x0000000000E4E000-memory.dmp

    Filesize

    10.3MB

  • memory/316-95-0x0000000000400000-0x0000000000E4E000-memory.dmp

    Filesize

    10.3MB

  • memory/316-94-0x0000000000400000-0x0000000000E4E000-memory.dmp

    Filesize

    10.3MB

  • memory/316-93-0x0000000000400000-0x0000000000E4E000-memory.dmp

    Filesize

    10.3MB

  • memory/316-97-0x0000000077380000-0x0000000077500000-memory.dmp

    Filesize

    1.5MB

  • memory/316-132-0x0000000077380000-0x0000000077500000-memory.dmp

    Filesize

    1.5MB

  • memory/316-87-0x00000000759C1000-0x00000000759C3000-memory.dmp

    Filesize

    8KB

  • memory/316-88-0x0000000000400000-0x0000000000E4E000-memory.dmp

    Filesize

    10.3MB

  • memory/316-91-0x0000000000400000-0x0000000000E4E000-memory.dmp

    Filesize

    10.3MB

  • memory/316-90-0x0000000000400000-0x0000000000E4E000-memory.dmp

    Filesize

    10.3MB

  • memory/316-131-0x0000000000400000-0x0000000000E4E000-memory.dmp

    Filesize

    10.3MB

  • memory/1736-123-0x0000000000400000-0x0000000000E4E000-memory.dmp

    Filesize

    10.3MB

  • memory/1736-54-0x000007FEFBA21000-0x000007FEFBA23000-memory.dmp

    Filesize

    8KB

  • memory/1736-129-0x0000000000400000-0x0000000000E4E000-memory.dmp

    Filesize

    10.3MB

  • memory/1736-137-0x00000000517D0000-0x00000000518C3000-memory.dmp

    Filesize

    972KB

  • memory/1736-139-0x0000000077380000-0x0000000077500000-memory.dmp

    Filesize

    1.5MB

  • memory/1736-141-0x0000000000400000-0x0000000000E4E000-memory.dmp

    Filesize

    10.3MB

  • memory/1736-128-0x0000000077380000-0x0000000077500000-memory.dmp

    Filesize

    1.5MB

  • memory/1736-127-0x0000000000400000-0x0000000000E4E000-memory.dmp

    Filesize

    10.3MB

  • memory/1736-126-0x0000000000400000-0x0000000000E4E000-memory.dmp

    Filesize

    10.3MB

  • memory/1736-125-0x0000000000400000-0x0000000000E4E000-memory.dmp

    Filesize

    10.3MB

  • memory/1736-124-0x0000000000400000-0x0000000000E4E000-memory.dmp

    Filesize

    10.3MB