Resubmissions
04/02/2023, 21:43  230204-1lbwcseg47 (score 10)

Analysis
max time kernel: 150s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 04/02/2023, 21:43
Tasks
static1 (static task)

Behavioral tasks (sample, resource):
behavioral1:  VSCodeUserSetup-x64-1.74.3/VSCodeUserSetup-x64-1.74.3.exe, win7-20220812-en
behavioral2:  VSCodeUserSetup-x64-1.74.3/VSCodeUserSetup-x64-1.74.3.exe, win10v2004-20221111-en
behavioral3:  VSCodeUserSetup-x64-1.74.3/upl/app/fold/libgcc_s_seh-1.dll, win7-20220901-en
behavioral4:  VSCodeUserSetup-x64-1.74.3/upl/app/fold/libgcc_s_seh-1.dll, win10v2004-20220812-en
behavioral5:  VSCodeUserSetup-x64-1.74.3/upl/app/fold/libgmp-10.dll, win7-20221111-en
behavioral6:  VSCodeUserSetup-x64-1.74.3/upl/app/fold/libgmp-10.dll, win10v2004-20220812-en
behavioral7:  VSCodeUserSetup-x64-1.74.3/upl/app/fold/libgnutls-30.dll, win7-20221111-en
behavioral8:  VSCodeUserSetup-x64-1.74.3/upl/app/fold/libgnutls-30.dll, win10v2004-20221111-en
behavioral9:  VSCodeUserSetup-x64-1.74.3/upl/app/resources/mfcore.dll, win7-20220901-en
behavioral10: VSCodeUserSetup-x64-1.74.3/upl/app/resources/mfcore.dll, win10v2004-20220812-en
behavioral11: VSCodeUserSetup-x64-1.74.3/upl/app/resources/mfcsubs.dll, win7-20221111-en
behavioral12: VSCodeUserSetup-x64-1.74.3/upl/app/resources/mfcsubs.dll, win10v2004-20221111-en
behavioral13: VSCodeUserSetup-x64-1.74.3/upl/app/resources/mfds.dll, win7-20220812-en
behavioral14: VSCodeUserSetup-x64-1.74.3/upl/app/resources/mfds.dll, win10v2004-20221111-en
behavioral15: VSCodeUserSetup-x64-1.74.3/upl/app/resources/mfdvdec.dll, win7-20220901-en
behavioral16: VSCodeUserSetup-x64-1.74.3/upl/app/resources/mfdvdec.dll, win10v2004-20220812-en
behavioral17: VSCodeUserSetup-x64-1.74.3/upl/locales/MemoryDiagnostic.dll, win7-20220812-en
behavioral18: VSCodeUserSetup-x64-1.74.3/upl/locales/MemoryDiagnostic.dll, win10v2004-20221111-en
behavioral19: VSCodeUserSetup-x64-1.74.3/upl/locales/MessagingDataModel2.dll, win7-20221111-en
behavioral20: VSCodeUserSetup-x64-1.74.3/upl/locales/MessagingDataModel2.dll, win10v2004-20221111-en
behavioral21: VSCodeUserSetup-x64-1.74.3/upl/locales/docs/defaults.xml, win7-20220901-en
behavioral22: VSCodeUserSetup-x64-1.74.3/upl/locales/docs/defaults.xml, win10v2004-20221111-en
behavioral23: VSCodeUserSetup-x64-1.74.3/upl/locales/mcupdate_GenuineIntel.exe, win7-20220812-en
behavioral24: VSCodeUserSetup-x64-1.74.3/upl/locales/mcupdate_GenuineIntel.exe, win10v2004-20220812-en
General
Target: VSCodeUserSetup-x64-1.74.3/VSCodeUserSetup-x64-1.74.3.exe
Size: 680.7MB
MD5: 07e845f93ca6fcbd10bad391aa94eaa0
SHA1: 340a9c9c85644f973302a694686eb8cba8ab1876
SHA256: 369ad6d01ffbd5af4a4da72d648afb41af0b694bbb05a39be0f4314daddce219
SHA512: 44d5ff91002d37cb994b736cf350cbb61fde7ae618a4404950921f49f3f9488341212229cff0b411b20d800f99b7cfa612684ccf4543b613ab41f3ee81bd8aeb
SSDEEP: 98304:VQF9SqUKUehGS26Ish7MUTjA+1VFnqWXvqaY4tp4:VSSzMGS26x1MUTM+/Fha
Malware Config

Signatures

Detect PureCrypter injector (1 IoC)
  resource: behavioral1/memory/1612-66-0x0000000006450000-0x00000000067F0000-memory.dmp
  yara_rule: family_purecrypter

PureCrypter
PureCrypter is a .NET malware loader first seen in early 2021.

Executes dropped EXE (2 IoCs)
  pid 1712  voiceadequovl.exe
  pid 1612  voiceadequovl.exe

Loads dropped DLL (4 IoCs)
  pid 1712  voiceadequovl.exe
  pid 1712  voiceadequovl.exe
  pid 1712  voiceadequovl.exe
  pid 1712  voiceadequovl.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  (process: VSCodeUserSetup-x64-1.74.3.exe)
  Key created: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce  (process: VSCodeUserSetup-x64-1.74.3.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 1796  powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  pid 1612  voiceadequovl.exe
  Token: SeDebugPrivilege  pid 1796  powershell.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 1372 wrote to memory of 1712 | 1372 | VSCodeUserSetup-x64-1.74.3.exe | 28
  PID 1372 wrote to memory of 1712 | 1372 | VSCodeUserSetup-x64-1.74.3.exe | 28
  PID 1372 wrote to memory of 1712 | 1372 | VSCodeUserSetup-x64-1.74.3.exe | 28
  PID 1372 wrote to memory of 1712 | 1372 | VSCodeUserSetup-x64-1.74.3.exe | 28
  PID 1712 wrote to memory of 1612 | 1712 | voiceadequovl.exe | 29
  PID 1712 wrote to memory of 1612 | 1712 | voiceadequovl.exe | 29
  PID 1712 wrote to memory of 1612 | 1712 | voiceadequovl.exe | 29
  PID 1712 wrote to memory of 1612 | 1712 | voiceadequovl.exe | 29
  PID 1612 wrote to memory of 1796 | 1612 | voiceadequovl.exe | 30
  PID 1612 wrote to memory of 1796 | 1612 | voiceadequovl.exe | 30
  PID 1612 wrote to memory of 1796 | 1612 | voiceadequovl.exe | 30
  PID 1612 wrote to memory of 1796 | 1612 | voiceadequovl.exe | 30
Processes

1. C:\Users\Admin\AppData\Local\Temp\VSCodeUserSetup-x64-1.74.3\VSCodeUserSetup-x64-1.74.3.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\VSCodeUserSetup-x64-1.74.3\VSCodeUserSetup-x64-1.74.3.exe"
   PID: 1372
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
      command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\voiceadequovl.exe
      PID: 1712
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe
         command line: "C:\Users\Admin\AppData\Roaming\Voice\voiceadequovl.exe"
         PID: 1612
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA1AA==
            PID: 1796
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads