Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    416s
  • max time network
    418s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    29/05/2023, 15:00

General

  • Target

    Loader.rar

  • Size

    1.9MB

  • MD5

    62a2e8de31c7835c4273eb2c60fe4924

  • SHA1

    22e2f5a99974f9e5b1566245f5f712d2bcef396e

  • SHA256

    52f72f2ef4dd5e569025da115c891438565efa9aaa400f31e3a61313a9ce4243

  • SHA512

    52b84f8c0fdf9d31bb0b371333ff8b4a67faf76e8e42a57c512b6a8951260ab076374ffea7922b92fac0d2bd4bae95ffd1151a0ee1e7310c95ddf086ed31416c

  • SSDEEP

    49152:7D/0DZee/Yor/5YJ2g4NzW1KPD+S0foazh/LfGGVrkNwJJy:7D0H/YoL5YJ2g4NzWMSSaxGGVgNwJJy

Malware Config

Extracted

Family

vidar

Version

4

Botnet

24108ab9b5f23bbf924b5eff629e21b6

C2

https://steamcommunity.com/profiles/76561199508624021

https://t.me/looking_glassbot

Attributes
  • profile_id_v2

    24108ab9b5f23bbf924b5eff629e21b6

  • user_agent

    Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36

Signatures

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Loader.rar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1920
    • C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Loader.rar
      2⤵
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:572
      • C:\Program Files\7-Zip\7zFM.exe
        "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Loader.rar"
        3⤵
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:992
  • C:\Users\Admin\Desktop\New folder\Loader.exe
    "C:\Users\Admin\Desktop\New folder\Loader.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1660
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
      2⤵
      • Loads dropped DLL
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1864
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1864 -s 1416
        3⤵
        • Program crash
        PID:1732

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

    Filesize

    62KB

    MD5

    3ac860860707baaf32469fa7cc7c0192

    SHA1

    c33c2acdaba0e6fa41fd2f00f186804722477639

    SHA256

    d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

    SHA512

    d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

  • C:\Users\Admin\AppData\Local\Temp\7zE0E3EBA1E\Data\Main.ini

    Filesize

    1KB

    MD5

    7b53ebd64e5781e02eaefb6739a6b556

    SHA1

    d5332b200cf5dcea0419afdb66a15d89b9eb619f

    SHA256

    b975c9251ef7394dcc69f49e54dc5aa5e8df32f9b5e8c687484ddd840eb94d20

    SHA512

    c4a25c07e19760547e91818ba6e9ec3fe89206c29429668731c7563b7407cb56d8c0adca519bf96dc82a1631e82cfe63b68439cad4102ea2a1df438bac8400fd

  • C:\Users\Admin\AppData\Local\Temp\Tar3951.tmp

    Filesize

    164KB

    MD5

    4ff65ad929cd9a367680e0e5b1c08166

    SHA1

    c0af0d4396bd1f15c45f39d3b849ba444233b3a2

    SHA256

    c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

    SHA512

    f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

  • C:\Users\Admin\Desktop\New folder\Bin\DebugPPF.tmp

    Filesize

    11KB

    MD5

    b1e68fabd5c19aaa21de6351554aae2e

    SHA1

    66e7cf5d041a6ed9252ee4f6104ec0abb57d60b8

    SHA256

    63909409d9c79950289701c4a58605ea7fcd30703163fce0b4ac81204f0b3cca

    SHA512

    6e080f64d583e29a503282022ba587eb88903e2cf2bf943f9f9849fedf7f25dbfdeb02fae2803f03acf18b7a2bb37be1a1834e3b5ef7ef9098cfb0ee80a410dd

  • C:\Users\Admin\Desktop\New folder\Bin\DebugPPT.tmp

    Filesize

    11KB

    MD5

    4969578a5fd8d113ab7783812849c1ed

    SHA1

    580f84362a74337b2ed25bd58700e9a002e51bc9

    SHA256

    9f2b02ba814c2975a7b6ed5aa03345046a9c9d3036481a8a109b132a951e82a0

    SHA512

    49dc150be750ff0a5b03fbe384debcc136d6dad513fa1c6284469de8e8aed1b865b2bd8271937030818094bcc5358dde6e146e3c784dd88fa9681a84c7a557ef

  • C:\Users\Admin\Desktop\New folder\Bin\Management.log

    Filesize

    4.4MB

    MD5

    9d0c67e9919bf40cf0922a41b9608d0b

    SHA1

    3d958b0cf3368e80a1a32ce46902afd52ecfd65b

    SHA256

    5a378d06740e469685f565fcf77dd598d4a7ea698023152410ebf75b7cd2cb1e

    SHA512

    b188da97920cc10ab6bdb448ec3c0ba7ad92eb1ef000cfce73430aff0dd660b3025bc39a3a9bcd7fb531b2d3382c052d01e4ecf9f59d36b954c6fe6471baf1c6

  • C:\Users\Admin\Desktop\New folder\Data\Language.pimx

    Filesize

    22KB

    MD5

    01fbf905f95578b7c2eb370d5bd867b6

    SHA1

    6688f78f5afba9bbabca1a398371c063f67447c2

    SHA256

    a17506a018994501e0cf6847ceee97f7cd9ffcffc48b256d180175256ff5c0f7

    SHA512

    321c7c325dd886f7a154e7aed21b5e8789cd3ec28a0dd87ade8702524857fb2ff271fca16833f2d393ce9ca45cb6b0b87470357ace1bf49d65e7e0efdf423aa5

  • C:\Users\Admin\Desktop\New folder\Data\Packaged\Resource.dll

    Filesize

    189B

    MD5

    4427aeee68321d0f4d7befa74e669f83

    SHA1

    4670003762a1c217c9e8ea48fcc53f2871a7c341

    SHA256

    a9661f89b8d957f4e71cbe1ba0342a39e5b50a1d80d974e2e1b349a273967f1b

    SHA512

    9d9156aa8fdebf19363fed2edb82235642c8c20549369470e44fdc0db41324e2160968fd7dd43eecce1ce3da9c03dd05cdefc8d903a9d0394f5ca9a73f5c5fa3

  • C:\Users\Admin\Desktop\New folder\Data\Packaged\Utils.dll

    Filesize

    1KB

    MD5

    73e051427246dd4ca45935b1a4bd7e2d

    SHA1

    7216f05041252f1c3a9d84aacdf84ef62f1a1045

    SHA256

    b7b8b412ab1e4f32da8a7cd42aeaa6e7d8d340cf14977d3e87f7d8f5eb689b0f

    SHA512

    3fc10dea91962244389214d189c141466f5630e99b01af5761738ce884df14050cd08a43802dc45bbe9117290c34143b85a75694b6301954b51972180dca1e36

  • C:\Users\Admin\Desktop\New folder\Loader.exe

    Filesize

    761.7MB

    MD5

    fffcd1704ec7243fc85ac25eeb6a18e4

    SHA1

    2e1052027e1ec83f230c031a1ff2ed75d8502e0f

    SHA256

    11cf8d7c2e5bd1e71690e3d9b59a9a7db1343d5c4173df652ec8ba882d82af76

    SHA512

    c129de27300811644d9819776f02199abf4c459741c1050b4464dddffab564a60d5b24585e33450a29ddb40b9d26da1532d504c9231975dd9d45c12c72314a0b

  • C:\Users\Admin\Desktop\New folder\README.txt

    Filesize

    220B

    MD5

    0899257a400d8dcb5b9df33ed7554875

    SHA1

    9117ce47fc86a867ef07d4ec18ea1ff8839df406

    SHA256

    316bb7c0c9ffe478267d5b60d1456e6677a6bf2fd60b38f20c6203a9b2c56e9e

    SHA512

    e6dfce9b4859eaf7fb36bc3b1ebf01d12c8ed90b1a53954bb593aef02db3a10fd7b6a282dd12f18053c0afe61c20c9b9b269d50ff05ae3a5ccb54aed1bd13eb2

  • \ProgramData\mozglue.dll

    Filesize

    593KB

    MD5

    c8fd9be83bc728cc04beffafc2907fe9

    SHA1

    95ab9f701e0024cedfbd312bcfe4e726744c4f2e

    SHA256

    ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

    SHA512

    fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

  • \ProgramData\nss3.dll

    Filesize

    2.0MB

    MD5

    1cc453cdf74f31e4d913ff9c10acdde2

    SHA1

    6e85eae544d6e965f15fa5c39700fa7202f3aafe

    SHA256

    ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

    SHA512

    dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

  • memory/572-78-0x0000000003760000-0x0000000003770000-memory.dmp

    Filesize

    64KB

  • memory/572-79-0x0000000003750000-0x0000000003751000-memory.dmp

    Filesize

    4KB

  • memory/1864-151-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

  • memory/1864-152-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

  • memory/1864-157-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

    Filesize

    4KB

  • memory/1864-159-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

  • memory/1864-160-0x0000000000400000-0x000000000046D000-memory.dmp

    Filesize

    436KB

  • memory/1864-212-0x0000000061E00000-0x0000000061EF3000-memory.dmp

    Filesize

    972KB