Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    31s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    15/04/2023, 09:25

General

  • Target

    file.exe

  • Size

    2.2MB

  • MD5

    c06097200ce77e7d68dc2ca18b183096

  • SHA1

    378e60eee98c8407808c05561b144537d0b22731

  • SHA256

    36de150cba3d3477191cbe04958e9f887725df1e2e21a92cb18887620238dea2

  • SHA512

    022cc8ea990c987f95f1c50fbaaa4fd40568722574393183e17fe5bca8ab18f5b5ac44054b3708d616ff5b1065be0da1b6040024edc6ab610e5a908cb9eab2ec

  • SSDEEP

    49152:MqfnQVsS7590/aJKx0Wp8BKgZsj8oZ703EPaaX8nlRMAEL:MqfQjN90/eKuWp8WfZY3naXiMl

Malware Config

Extracted

Family

vidar

Version

3.4

Botnet

76b614a229b9a88f7d0ba57796ab0fc2

C2

https://steamcommunity.com/profiles/76561199494593681

https://t.me/auftriebs

Attributes
  • profile_id_v2

    76b614a229b9a88f7d0ba57796ab0fc2

  • user_agent

    Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:105.0) Gecko/20100101 Firefox/105.0

Signatures

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:860
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
      2⤵
        PID:900
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
        2⤵
          PID:2004
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
          2⤵
            PID:1420
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
            2⤵
              PID:296
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
              2⤵
                PID:1312
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
                2⤵
                  PID:968
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
                  2⤵
                    PID:568
                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
                    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
                    2⤵
                      PID:516
                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
                      2⤵
                        PID:1912
                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
                        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
                        2⤵
                          PID:652
                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
                          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
                          2⤵
                            PID:460
                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
                            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
                            2⤵
                              PID:1492
                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
                              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
                              2⤵
                                PID:1476
                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
                                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
                                2⤵
                                  PID:608
                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
                                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
                                  2⤵
                                    PID:1908
                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe
                                    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe"
                                    2⤵
                                    • Suspicious use of WriteProcessMemory
                                    PID:1788
                                    • C:\Windows\SysWOW64\WerFault.exe
                                      C:\Windows\SysWOW64\WerFault.exe -u -p 1788 -s 304
                                      3⤵
                                      • Program crash
                                      PID:240

                                Network

                                MITRE ATT&CK Enterprise v6

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • memory/860-55-0x0000000000A40000-0x0000000000FE4000-memory.dmp

                                  Filesize

                                  5.6MB

                                • memory/860-57-0x000007FE80010000-0x000007FE80011000-memory.dmp

                                  Filesize

                                  4KB

                                • memory/860-56-0x0000000000060000-0x0000000000061000-memory.dmp

                                  Filesize

                                  4KB

                                • memory/860-58-0x000000001B740000-0x000000001B7FC000-memory.dmp

                                  Filesize

                                  752KB

                                • memory/860-59-0x000000001B8B0000-0x000000001B930000-memory.dmp

                                  Filesize

                                  512KB

                                • memory/860-62-0x0000000000A40000-0x0000000000FE4000-memory.dmp

                                  Filesize

                                  5.6MB

                                • memory/1788-60-0x0000000000400000-0x000000000048D000-memory.dmp

                                  Filesize

                                  564KB