Analysis
- max time kernel: 5s
- max time network: 7s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/01/2023, 05:43
Static task: static1
Behavioral task: behavioral1
Sample: LoaderVIP.exe
Resource: win10v2004-20221111-en
General
- Target: LoaderVIP.exe
- Size: 16KB
- MD5: 497466ba1ebbb8fa534926f620d05825
- SHA1: a6a3ed16390df2848ae3467d4309483c309c1886
- SHA256: 989a0d6488c53005814f0ce89e01814ef67df76de32c6ca7e26de27a38eca0b6
- SHA512: f2bb8a7b18e31266622bd2639a5713743b7b2d21bcb7d9e331964d1a3d892ba3f69747f889e6736d25b18ca4b4eab4651975571b450e810871b0c84ee7a06248
- SSDEEP: 384:VL9SDQZxLTehau23G6c1YwfN09t6cDE33DhSHkON/GlfgOb5:pghaN39NwFJiE33VSEONulfgO
Malware Config
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (1 IoCs)
  pid: 3200; Process: Token.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation; Process: LoaderVIP.exe
- Drops file in Windows directory (2 IoCs)
  description: File created; ioc: C:\Windows\AF\Token.exe; Process: LoaderVIP.exe
  description: File opened for modification; ioc: C:\Windows\AF\Token.mentah; Process: LoaderVIP.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid: 3200; Process: Token.exe (4 occurrences)
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 792 wrote to memory of 3200; pid: 792; Process: LoaderVIP.exe; procid_target: 85 (3 occurrences)
Processes
1. C:\Users\Admin\AppData\Local\Temp\LoaderVIP.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\LoaderVIP.exe"
   PID: 792
   - Checks computer location settings
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\AF\Token.exe
      Command line: "C:\Windows\AF\Token.exe"
      PID: 3200
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize: 31KB
MD5: a5395109068698d637173dfff99f8c70
SHA1: 403aab73d04cf403dc50c4073d0ae0050d331c27
SHA256: 486b964b184390a950236bed26bd6dc69b68b516999a62f0a39666b327f54a69
SHA512: 9aa47e255416c77d34a5d3819a294d5b17c22179c5110db60cb5f2b509f736c1d7bdcd5fe129bceb298e57d43ade7165c51b04bde93832762e0455474157ed1b
-
Filesize: 31KB
MD5: a5395109068698d637173dfff99f8c70
SHA1: 403aab73d04cf403dc50c4073d0ae0050d331c27
SHA256: 486b964b184390a950236bed26bd6dc69b68b516999a62f0a39666b327f54a69
SHA512: 9aa47e255416c77d34a5d3819a294d5b17c22179c5110db60cb5f2b509f736c1d7bdcd5fe129bceb298e57d43ade7165c51b04bde93832762e0455474157ed1b