Analysis

  • max time kernel
    5s
  • max time network
    7s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/01/2023, 05:43

General

  • Target

    LoaderVIP.exe

  • Size

    16KB

  • MD5

    497466ba1ebbb8fa534926f620d05825

  • SHA1

    a6a3ed16390df2848ae3467d4309483c309c1886

  • SHA256

    989a0d6488c53005814f0ce89e01814ef67df76de32c6ca7e26de27a38eca0b6

  • SHA512

    f2bb8a7b18e31266622bd2639a5713743b7b2d21bcb7d9e331964d1a3d892ba3f69747f889e6736d25b18ca4b4eab4651975571b450e810871b0c84ee7a06248

  • SSDEEP

    384:VL9SDQZxLTehau23G6c1YwfN09t6cDE33DhSHkON/GlfgOb5:pghaN39NwFJiE33VSEONulfgO

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LoaderVIP.exe
    "C:\Users\Admin\AppData\Local\Temp\LoaderVIP.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:792
    • C:\Windows\AF\Token.exe
      "C:\Windows\AF\Token.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3200

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Windows\AF\Token.exe

    Filesize

    31KB

    MD5

    a5395109068698d637173dfff99f8c70

    SHA1

    403aab73d04cf403dc50c4073d0ae0050d331c27

    SHA256

    486b964b184390a950236bed26bd6dc69b68b516999a62f0a39666b327f54a69

    SHA512

    9aa47e255416c77d34a5d3819a294d5b17c22179c5110db60cb5f2b509f736c1d7bdcd5fe129bceb298e57d43ade7165c51b04bde93832762e0455474157ed1b