Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

URLScan

urlscan

https://github.com/S...

windows7-x64

1

https://github.com/S...

windows10-2004-x64

10

Analysis

  • max time kernel
    83s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/02/2023, 13:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    https://github.com/Supaporn341/git-ws-01-341/releases/download/py/appsetup_v11.9.zip

Score
10/10
rhadamanthysvidar764spywarestealer

Malware Config

Extracted

Family

vidar

Version

2.4

Botnet

764

Attributes
  • profile_id

    764

Signatures

  • Detect rhadamanthys stealer shellcode 2 IoCs
  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Loads dropped DLL 3 IoCs
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 3 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 22 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    1⤵
      PID:2868
      • C:\Windows\SysWOW64\fontview.exe
        "C:\Windows\SYSWOW64\fontview.exe"
        2⤵
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks SCSI registry key(s)
        • Suspicious use of AdjustPrivilegeToken
        PID:4688
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/Supaporn341/git-ws-01-341/releases/download/py/appsetup_v11.9.zip
      1⤵
      • Modifies Internet Explorer Phishing Filter
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2268
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2268 CREDAT:17410 /prefetch:2
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3844
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:2144
      • C:\Users\Admin\AppData\Local\Temp\Temp1_appsetup_v11.9.zip\appsetup_v11.9\Installer.exe
        "C:\Users\Admin\AppData\Local\Temp\Temp1_appsetup_v11.9.zip\appsetup_v11.9\Installer.exe"
        1⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2212
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
          2⤵
          • Loads dropped DLL
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          PID:3476
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 1864
            3⤵
            • Program crash
            PID:3976
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 524
          2⤵
          • Program crash
          PID:1072
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 528
          2⤵
          • Program crash
          PID:4148
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 3476 -ip 3476
        1⤵
          PID:3328
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2212 -ip 2212
          1⤵
            PID:2068
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2212 -ip 2212
            1⤵
              PID:3664

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\ProgramData\mozglue.dll
              Filesize

              593KB

              MD5

              c8fd9be83bc728cc04beffafc2907fe9

              SHA1

              95ab9f701e0024cedfbd312bcfe4e726744c4f2e

              SHA256

              ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

              SHA512

              fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

              Download Submit

            • C:\ProgramData\nss3.dll
              Filesize

              2.0MB

              MD5

              1cc453cdf74f31e4d913ff9c10acdde2

              SHA1

              6e85eae544d6e965f15fa5c39700fa7202f3aafe

              SHA256

              ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

              SHA512

              dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

              Download Submit

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GMQ6XNBF\appsetup_v11.9.zip.6g4yy6w.partial
              Filesize

              5.7MB

              MD5

              8c292dab2adc607d597c8e414f157f60

              SHA1

              5001b2328f7cfe825fcfad06dcf29f5a2a56bed8

              SHA256

              b042491b5b9ddbf76b59e1c118272def53ec6f7b443601964b03867c68781750

              SHA512

              a857614164b863d344375df78de1a65cc7d444714df63b614df062d22e2864bf90b748e51250ea940462191d01493a8b212e72631783d0a88b4b48e03e3b1231

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\240589890.dll
              Filesize

              334KB

              MD5

              2303afbb371daf8ea5b5a4e231773781

              SHA1

              a0956adc94c9cce4a2aeb399328accde1b1326c6

              SHA256

              efdb9aa53580c9f3a8200e1a401d1c63c9e3a29a046857f6b89be0a64c2a1a31

              SHA512

              9aab7c7b55d507f28e688c5b8a41811069efb8d35bfbd92de0ffd86e1ceca2e5e681b5c85d51abd139a19f9c48f7a14c5b7e4b7ed540bd5d4a574c7d34d5857f

              Download Submit

            • memory/2212-133-0x000000000B4C0000-0x000000000B8BC000-memory.dmp

              Filesize

              4.0MB

              Download

            • memory/2212-134-0x0000000000DE0000-0x0000000000F6C000-memory.dmp

              Filesize

              1.5MB

              Download

            • memory/2212-135-0x000000000B4C0000-0x000000000B8BC000-memory.dmp

              Filesize

              4.0MB

              Download

            • memory/2212-177-0x0000000000DE0000-0x0000000000F6C000-memory.dmp

              Filesize

              1.5MB

              Download

            • memory/2212-168-0x000000000B4C0000-0x000000000B8BC000-memory.dmp

              Filesize

              4.0MB

              Download

            • memory/2212-167-0x0000000000DE0000-0x0000000000F6C000-memory.dmp

              Filesize

              1.5MB

              Download

            • memory/3476-147-0x0000000050E70000-0x0000000050F63000-memory.dmp

              Filesize

              972KB

              Download

            • memory/3476-169-0x0000000000400000-0x0000000000472000-memory.dmp

              Filesize

              456KB

              Download

            • memory/3476-137-0x0000000000400000-0x0000000000472000-memory.dmp

              Filesize

              456KB

              Download

            • memory/3476-143-0x0000000000400000-0x0000000000472000-memory.dmp

              Filesize

              456KB

              Download

            • memory/3476-141-0x0000000000400000-0x0000000000472000-memory.dmp

              Filesize

              456KB

              Download

            • memory/3476-140-0x0000000000400000-0x0000000000472000-memory.dmp

              Filesize

              456KB

              Download

            • memory/3476-139-0x0000000000400000-0x0000000000472000-memory.dmp

              Filesize

              456KB

              Download

            • memory/4688-146-0x0000000000790000-0x00000000007C3000-memory.dmp

              Filesize

              204KB

              Download

            • memory/4688-144-0x0000000000790000-0x00000000007C3000-memory.dmp

              Filesize

              204KB

              Download

            • memory/4688-170-0x0000000000790000-0x00000000007C3000-memory.dmp

              Filesize

              204KB

              Download

            • memory/4688-171-0x0000000000C98000-0x0000000000CB2000-memory.dmp

              Filesize

              104KB

              Download

            • memory/4688-172-0x0000000002560000-0x000000000257C000-memory.dmp

              Filesize

              112KB

              Download

            • memory/4688-173-0x0000000002690000-0x0000000003690000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/4688-174-0x0000000000790000-0x00000000007C3000-memory.dmp

              Filesize

              204KB

              Download

            • memory/4688-175-0x0000000000C98000-0x0000000000CB2000-memory.dmp

              Filesize

              104KB

              Download

            • memory/4688-176-0x0000000002560000-0x000000000257C000-memory.dmp

              Filesize

              112KB

              Download