Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 154s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/01/2024, 01:33 UTC
Static task
- static1
Behavioral tasks
- behavioral1: sample VDownloaderSetup.exe, resource win7-20231215-en
- behavioral2: sample VDownloaderSetup.exe, resource win10v2004-20231215-en
- behavioral3: sample 新云软件.url, resource win7-20231215-en
- behavioral4: sample 新云软件.url, resource win10v2004-20231215-en
General
- Target: VDownloaderSetup.exe
- Size: 15.2MB
- MD5: 1a24f047cdfc86d48b521f2582106980
- SHA1: b477d278279ccf7928b785213fd1a92064fce7a2
- SHA256: 7ec0e42285ca1761f1812e589bb988d0d8cae9044351c0bae75f4f08f127f462
- SHA512: 0ac3fad09a39961ac05a961b761753f2887dcad03a2a1f090c5ca08debcaf5ccc5f10503b1fb605a3bbfde9a42eb9b51cffa1fdac76269d7dda62fb745cbb007
- SSDEEP: 393216:8Vu+ssrcvFIKciM2U234u59Ls2I7BfjeiCDpauNB2ui4i5m83:nWrcxZM/A4ubL4jeiClPNi4i5m83
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Process: VDownloaderSetup.tmp
  Key value queried: \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (1 IoC)
  PID 3968, VDownloaderSetup.tmp
- Loads dropped DLL (3 IoCs)
  PID 3968, VDownloaderSetup.tmp (2 IoCs)
  PID 1536, RunDll32.exe (1 IoC)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1536, RunDll32.exe (all 64 IoCs)
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 1168 (VDownloaderSetup.exe) wrote to memory of PID 3968, procid_target 90 (3 IoCs)
  PID 3968 (VDownloaderSetup.tmp) wrote to memory of PID 1536, procid_target 96 (3 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\VDownloaderSetup.exe (PID 1168)
  Command line: "C:\Users\Admin\AppData\Local\Temp\VDownloaderSetup.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\is-DE01R.tmp\VDownloaderSetup.tmp (PID 3968, child of 1168)
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-DE01R.tmp\VDownloaderSetup.tmp" /SL5="$3022A,15417274,141824,C:\Users\Admin\AppData\Local\Temp\VDownloaderSetup.exe"
    Signatures: Checks computer location settings; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\RunDll32.exe (PID 1536, child of 3968)
      Command line: RunDll32.exe "C:\Users\Admin\AppData\Local\Temp\is-HI7VB.tmp\OCSetupHlp.dll",_OCPRD110RunOpenCandyDLL@16 3968
      Signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses
Network
DNS requests (remote address 8.8.8.8:53):
- 23.181.190.20.in-addr.arpa IN PTR; response: empty
- 23.181.190.20.in-addr.arpa IN PTR; no response
- 95.221.229.192.in-addr.arpa IN PTR; response: empty
- 95.221.229.192.in-addr.arpa IN PTR; no response
- 9.228.82.20.in-addr.arpa IN PTR; response: empty
- 0.205.248.87.in-addr.arpa IN PTR; response: 0.205.248.87.in-addr.arpa IN PTR https-87-248-205-0.lgw.llnw.net
- 41.110.16.96.in-addr.arpa IN PTR; response: 41.110.16.96.in-addr.arpa IN PTR a96-16-110-41.deploy.static.akamaitechnologies.com
- 26.35.223.20.in-addr.arpa IN PTR; response: empty
- 146.78.124.51.in-addr.arpa IN PTR; response: empty
- 208.194.73.20.in-addr.arpa IN PTR; response: empty
- 208.194.73.20.in-addr.arpa IN PTR; no response
- api.opencandy.com IN A; response: empty
- 26.165.165.52.in-addr.arpa IN PTR; response: empty
- 171.39.242.20.in-addr.arpa IN PTR; response: empty
- 217.135.221.88.in-addr.arpa IN PTR; response: 217.135.221.88.in-addr.arpa IN PTR a88-221-135-217.deploy.static.akamaitechnologies.com
- 114.110.16.96.in-addr.arpa IN PTR; response: 114.110.16.96.in-addr.arpa IN PTR a96-16-110-114.deploy.static.akamaitechnologies.com
- 107.135.221.88.in-addr.arpa IN PTR; response: 107.135.221.88.in-addr.arpa IN PTR a88-221-135-107.deploy.static.akamaitechnologies.com
- 21.236.111.52.in-addr.arpa IN PTR; response: empty
- tse1.mm.bing.net IN A; response: tse1.mm.bing.net IN CNAME mm-mm.bing.net.trafficmanager.net; mm-mm.bing.net.trafficmanager.net IN CNAME dual-a-0001.a-msedge.net; dual-a-0001.a-msedge.net IN A 204.79.197.200; dual-a-0001.a-msedge.net IN A 13.107.21.200
HTTP requests to 204.79.197.200:443 (HTTP/2.0), four GETs to tse1.mm.bing.net, each answered 200 with content-type image/jpeg:
- GET https://tse1.mm.bing.net/th?id=OADD2.10239340418568_12QU0TF0Q0S6KJNUT&pid=21.2&w=1080&h=1920&c=4
  Response: HTTP/2.0 200, content-length: 370294, x-msedge-ref: Ref A: C15123FA3EBF4A2DB2C78507DF97A93B Ref B: LON04EDGE0709 Ref C: 2024-01-12T01:36:16Z
- GET https://tse1.mm.bing.net/th?id=OADD2.10239340418544_1U65HGUXV07UFEU5B&pid=21.2&w=1920&h=1080&c=4
  Response: HTTP/2.0 200, content-length: 436914, x-msedge-ref: Ref A: D6FA3AEA19B2458C8F202C45C5914DC4 Ref B: LON04EDGE0709 Ref C: 2024-01-12T01:36:16Z
- GET https://tse1.mm.bing.net/th?id=OADD2.10239340418567_1CP2YH6ACBDMHMMFR&pid=21.2&w=1920&h=1080&c=4
  Response: HTTP/2.0 200, content-length: 506638, x-msedge-ref: Ref A: C773B3996AE8412F8CFC9632D0BE1313 Ref B: LON04EDGE0709 Ref C: 2024-01-12T01:36:16Z
- GET https://tse1.mm.bing.net/th?id=OADD2.10239340418543_1PQIQEA9PYCCTOZ9T&pid=21.2&w=1080&h=1920&c=4
  Response: HTTP/2.0 200, content-length: 490296, x-msedge-ref: Ref A: 2B09B53120234FBF8FE877A33A281F0B Ref B: LON04EDGE0709 Ref C: 2024-01-12T01:36:16Z

Request headers (identical for all four requests):
  host: tse1.mm.bing.net
  accept: */*
  accept-encoding: gzip, deflate, br
  user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041

Response headers (identical for all four responses apart from content-length and x-msedge-ref, listed above):
  content-type: image/jpeg
  x-cache: TCP_HIT
  access-control-allow-origin: *
  access-control-allow-headers: *
  access-control-allow-methods: GET, POST, OPTIONS
  timing-allow-origin: *
  report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
  nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
  accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
  date: Fri, 12 Jan 2024 01:36:16 GMT
DNS requests (remote address 8.8.8.8:53):
- 200.197.79.204.in-addr.arpa IN PTR; response: 200.197.79.204.in-addr.arpa IN PTR a-0001.a-msedge.net
- 200.197.79.204.in-addr.arpa IN PTR; no response
- 194.98.74.40.in-addr.arpa IN PTR; response: empty
- 194.98.74.40.in-addr.arpa IN PTR; response: empty
Traffic summary (per flow: bytes sent / bytes received / packets sent / packets received; rows without a remote address had none captured in the report):
- 204.79.197.200:443, https://tse1.mm.bing.net/th?id=OADD2.10239340418543_1PQIQEA9PYCCTOZ9T&pid=21.2&w=1080&h=1920&c=4, tls, http2: 64.5kB / 1.9MB / 1361 / 1357
  HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239340418568_12QU0TF0Q0S6KJNUT&pid=21.2&w=1080&h=1920&c=4
  HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239340418544_1U65HGUXV07UFEU5B&pid=21.2&w=1920&h=1080&c=4
  HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239340418567_1CP2YH6ACBDMHMMFR&pid=21.2&w=1920&h=1080&c=4
  HTTP Request: GET https://tse1.mm.bing.net/th?id=OADD2.10239340418543_1PQIQEA9PYCCTOZ9T&pid=21.2&w=1080&h=1920&c=4
  HTTP Response: 200 (one per request, four in total)
- (no remote address): 1.2kB / 8.3kB / 16 / 14
- (no remote address): 1.2kB / 8.2kB / 16 / 13
- (no remote address): 1.2kB / 8.3kB / 16 / 14
- 144 B / 158 B / 2 / 1
  DNS Request: 23.181.190.20.in-addr.arpa (sent twice)
- 146 B / 144 B / 2 / 1
  DNS Request: 95.221.229.192.in-addr.arpa (sent twice)
- 70 B / 156 B / 1 / 1
  DNS Request: 9.228.82.20.in-addr.arpa
- 71 B / 116 B / 1 / 1
  DNS Request: 0.205.248.87.in-addr.arpa
- 71 B / 135 B / 1 / 1
  DNS Request: 41.110.16.96.in-addr.arpa
- 71 B / 157 B / 1 / 1
  DNS Request: 26.35.223.20.in-addr.arpa
- 72 B / 158 B / 1 / 1
  DNS Request: 146.78.124.51.in-addr.arpa
- 144 B / 158 B / 2 / 1
  DNS Request: 208.194.73.20.in-addr.arpa (sent twice)
- 63 B / 122 B / 1 / 1
  DNS Request: api.opencandy.com
- 72 B / 146 B / 1 / 1
  DNS Request: 26.165.165.52.in-addr.arpa
- 72 B / 158 B / 1 / 1
  DNS Request: 171.39.242.20.in-addr.arpa
- 73 B / 139 B / 1 / 1
  DNS Request: 217.135.221.88.in-addr.arpa
- 72 B / 137 B / 1 / 1
  DNS Request: 114.110.16.96.in-addr.arpa
- 73 B / 139 B / 1 / 1
  DNS Request: 107.135.221.88.in-addr.arpa
- 72 B / 158 B / 1 / 1
  DNS Request: 21.236.111.52.in-addr.arpa
- 62 B / 173 B / 1 / 1
  DNS Request: tse1.mm.bing.net
  DNS Response: 204.79.197.200, 13.107.21.200
- 146 B / 106 B / 2 / 1
  DNS Request: 200.197.79.204.in-addr.arpa (sent twice)
- 142 B / 290 B / 2 / 2
  DNS Request: 194.98.74.40.in-addr.arpa (sent twice)
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.1MB
  MD5: 713bfb93270414f034fa70496d5cfffc
  SHA1: f6b5e6a6d7ec32a1d32bbab37986da0cf1bc94c6
  SHA256: 8f7c04c54c61b7f11d3c6016254abaab89997cb0d5198e8c7ef0df2edbca16d7
  SHA512: e9cfbc676e02854821cbd585d3de2b3f5cadf2c11fe306244cbba7ae066574dbfc7971f0e6a1d38a6e47af75762f608a8f14082d0e2f8d7c224c591caed00472
- Filesize: 750KB
  MD5: c6cef91b4abcebc8e86acb0dab99a496
  SHA1: d74806351749e22a8a4c11c327d53b802561ef12
  SHA256: c176f3957092d03b9f53e020e0711b534bef3a8e528d2dc58475a19a4eef0723
  SHA512: f20b7608cdfa893f3384bbcdc41d4eac79c028c4bd0f4881b0006c0323d7f806c9bea2db19adf7245abd4b06b25bde1aca8c4ee68053cd997684f75c220586e5
- Filesize: 121KB
  MD5: 48ad1a1c893ce7bf456277a0a085ed01
  SHA1: 803997ef17eedf50969115c529a2bf8de585dc91
  SHA256: b0cc4697b2fd1b4163fddca2050fc62a9e7d221864f1bd11e739144c90b685b3
  SHA512: 7c9e7fe9f00c62cccb5921cb55ba0dd96a0077ad52962473c1e79cda1fd9aa101129637043955703121443e1f8b6b2860cd4dfdb71052b20a322e05deed101a4