Analysis

  • max time kernel
    507s
  • max time network
    510s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system
  • submitted
    29/05/2023, 15:00

General

  • Target

    Loader.rar

  • Size

    1.9MB

  • MD5

    62a2e8de31c7835c4273eb2c60fe4924

  • SHA1

    22e2f5a99974f9e5b1566245f5f712d2bcef396e

  • SHA256

    52f72f2ef4dd5e569025da115c891438565efa9aaa400f31e3a61313a9ce4243

  • SHA512

    52b84f8c0fdf9d31bb0b371333ff8b4a67faf76e8e42a57c512b6a8951260ab076374ffea7922b92fac0d2bd4bae95ffd1151a0ee1e7310c95ddf086ed31416c

  • SSDEEP

    49152:7D/0DZee/Yor/5YJ2g4NzW1KPD+S0foazh/LfGGVrkNwJJy:7D0H/YoL5YJ2g4NzWMSSaxGGVgNwJJy

Malware Config

Extracted

Family

vidar

Version

4

Botnet

24108ab9b5f23bbf924b5eff629e21b6

C2

https://steamcommunity.com/profiles/76561199508624021

https://t.me/looking_glassbot

Attributes
  • profile_id_v2

    24108ab9b5f23bbf924b5eff629e21b6

  • user_agent

    Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36

Signatures

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 32 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Loader.rar
    1⤵
    • Modifies registry class
    PID:2436
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4772
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Loader.rar"
      2⤵
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:4444
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:4112
    • C:\Users\Admin\Desktop\New folder\Loader.exe
      "C:\Users\Admin\Desktop\New folder\Loader.exe"
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1728
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
        2⤵
        • Loads dropped DLL
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1116
        • C:\ProgramData\67729879851904611441.exe
          "C:\ProgramData\67729879851904611441.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:1916
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\ProgramData\67729879851904611441.exe
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:2892
            • C:\Windows\system32\choice.exe
              choice /C Y /N /D Y /T 0
              5⤵
              PID:4588

Network

MITRE ATT&CK Enterprise v6

Downloads

      • C:\ProgramData\67729879851904611441.exe

        Filesize

        4.3MB

        MD5

        b7017fd037df00947c023a81758fd409

        SHA1

        f9ee70122cd9240b98ea43456715a222742bd538

        SHA256

        2366aab6e5f60ee5f87247c1bfe5515507cb66415df3e91b6c0649d9db075138

        SHA512

        cc6c239ca13addb5399fd859d010384017bbc28cb8806d9400f31eda7aa280c65a241f8df2188fceca8d7972247c1051b08e0b0f121709700cd4339ac3be9da2

      • C:\ProgramData\mozglue.dll

        Filesize

        593KB

        MD5

        c8fd9be83bc728cc04beffafc2907fe9

        SHA1

        95ab9f701e0024cedfbd312bcfe4e726744c4f2e

        SHA256

        ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

        SHA512

        fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

      • C:\ProgramData\nss3.dll

        Filesize

        2.0MB

        MD5

        1cc453cdf74f31e4d913ff9c10acdde2

        SHA1

        6e85eae544d6e965f15fa5c39700fa7202f3aafe

        SHA256

        ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

        SHA512

        dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

        Filesize

        28KB

        MD5

        da47faa07294d1802b68fc055d6bd3a8

        SHA1

        80646e5c80a233d19c2203e499d4a58ac5508e98

        SHA256

        adc502e8f258d7f78057b1905ba21a1f496f0d677f54ee92ae538b2f2f9a27f3

        SHA512

        05d20a394d6b01d5d26cc8193253469503e53a058717399266fcc72a6dd57f2bbd7fd7aea3fc4517a8370f47cf81ba434b1f7816743deb9ef532e7c337861347

      • C:\Users\Admin\Desktop\New folder\Loader.exe

        Filesize

        761.7MB

        MD5

        fffcd1704ec7243fc85ac25eeb6a18e4

        SHA1

        2e1052027e1ec83f230c031a1ff2ed75d8502e0f

        SHA256

        11cf8d7c2e5bd1e71690e3d9b59a9a7db1343d5c4173df652ec8ba882d82af76

        SHA512

        c129de27300811644d9819776f02199abf4c459741c1050b4464dddffab564a60d5b24585e33450a29ddb40b9d26da1532d504c9231975dd9d45c12c72314a0b

      • C:\Users\Admin\Desktop\New folder\README.txt

        Filesize

        220B

        MD5

        0899257a400d8dcb5b9df33ed7554875

        SHA1

        9117ce47fc86a867ef07d4ec18ea1ff8839df406

        SHA256

        316bb7c0c9ffe478267d5b60d1456e6677a6bf2fd60b38f20c6203a9b2c56e9e

        SHA512

        e6dfce9b4859eaf7fb36bc3b1ebf01d12c8ed90b1a53954bb593aef02db3a10fd7b6a282dd12f18053c0afe61c20c9b9b269d50ff05ae3a5ccb54aed1bd13eb2

      • memory/1116-194-0x0000000061E00000-0x0000000061EF3000-memory.dmp

        Filesize

        972KB

      • memory/1116-184-0x0000000000400000-0x000000000046D000-memory.dmp

        Filesize

        436KB

      • memory/1116-265-0x0000000000400000-0x000000000046D000-memory.dmp

        Filesize

        436KB

      • memory/1116-178-0x0000000000400000-0x000000000046D000-memory.dmp

        Filesize

        436KB

      • memory/1116-278-0x0000000000400000-0x000000000046D000-memory.dmp

        Filesize

        436KB

      • memory/1916-280-0x0000000000B90000-0x00000000019ED000-memory.dmp

        Filesize

        14.4MB

      • memory/1916-281-0x0000000000B90000-0x00000000019ED000-memory.dmp

        Filesize

        14.4MB