Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    154s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/01/2024, 01:33 UTC

General

  • Target

    VDownloaderSetup.exe

  • Size

    15.2MB

  • MD5

    1a24f047cdfc86d48b521f2582106980

  • SHA1

    b477d278279ccf7928b785213fd1a92064fce7a2

  • SHA256

    7ec0e42285ca1761f1812e589bb988d0d8cae9044351c0bae75f4f08f127f462

  • SHA512

    0ac3fad09a39961ac05a961b761753f2887dcad03a2a1f090c5ca08debcaf5ccc5f10503b1fb605a3bbfde9a42eb9b51cffa1fdac76269d7dda62fb745cbb007

  • SSDEEP

    393216:8Vu+ssrcvFIKciM2U234u59Ls2I7BfjeiCDpauNB2ui4i5m83:nWrcxZM/A4ubL4jeiClPNi4i5m83

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\VDownloaderSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\VDownloaderSetup.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1168
    • C:\Users\Admin\AppData\Local\Temp\is-DE01R.tmp\VDownloaderSetup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-DE01R.tmp\VDownloaderSetup.tmp" /SL5="$3022A,15417274,141824,C:\Users\Admin\AppData\Local\Temp\VDownloaderSetup.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3968
      • C:\Windows\SysWOW64\RunDll32.exe
        RunDll32.exe "C:\Users\Admin\AppData\Local\Temp\is-HI7VB.tmp\OCSetupHlp.dll",_OCPRD110RunOpenCandyDLL@16 3968
        3⤵
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        PID:1536

Network

  • flag-us
    DNS
    23.181.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    23.181.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    23.181.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    23.181.190.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    9.228.82.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    9.228.82.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    0.205.248.87.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    0.205.248.87.in-addr.arpa
    IN PTR
    Response
    0.205.248.87.in-addr.arpa
    IN PTR
    https-87-248-205-0lgwllnwnet
  • flag-us
    DNS
    41.110.16.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    41.110.16.96.in-addr.arpa
    IN PTR
    Response
    41.110.16.96.in-addr.arpa
    IN PTR
    a96-16-110-41deploystaticakamaitechnologiescom
  • flag-us
    DNS
    26.35.223.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.35.223.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    146.78.124.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    146.78.124.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    208.194.73.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    208.194.73.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    208.194.73.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    208.194.73.20.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    api.opencandy.com
    RunDll32.exe
    Remote address:
    8.8.8.8:53
    Request
    api.opencandy.com
    IN A
    Response
  • flag-us
    DNS
    26.165.165.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    26.165.165.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    171.39.242.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    171.39.242.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    217.135.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.135.221.88.in-addr.arpa
    IN PTR
    Response
    217.135.221.88.in-addr.arpa
    IN PTR
    a88-221-135-217deploystaticakamaitechnologiescom
  • flag-us
    DNS
    114.110.16.96.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    114.110.16.96.in-addr.arpa
    IN PTR
    Response
    114.110.16.96.in-addr.arpa
    IN PTR
    a96-16-110-114deploystaticakamaitechnologiescom
  • flag-us
    DNS
    107.135.221.88.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    107.135.221.88.in-addr.arpa
    IN PTR
    Response
    107.135.221.88.in-addr.arpa
    IN PTR
    a88-221-135-107deploystaticakamaitechnologiescom
  • flag-us
    DNS
    21.236.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    21.236.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    tse1.mm.bing.net
    Remote address:
    8.8.8.8:53
    Request
    tse1.mm.bing.net
    IN A
    Response
    tse1.mm.bing.net
    IN CNAME
    mm-mm.bing.net.trafficmanager.net
    mm-mm.bing.net.trafficmanager.net
    IN CNAME
    dual-a-0001.a-msedge.net
    dual-a-0001.a-msedge.net
    IN A
    204.79.197.200
    dual-a-0001.a-msedge.net
    IN A
    13.107.21.200
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340418568_12QU0TF0Q0S6KJNUT&pid=21.2&w=1080&h=1920&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239340418568_12QU0TF0Q0S6KJNUT&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 370294
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: C15123FA3EBF4A2DB2C78507DF97A93B Ref B: LON04EDGE0709 Ref C: 2024-01-12T01:36:16Z
    date: Fri, 12 Jan 2024 01:36:16 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340418544_1U65HGUXV07UFEU5B&pid=21.2&w=1920&h=1080&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239340418544_1U65HGUXV07UFEU5B&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 436914
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: D6FA3AEA19B2458C8F202C45C5914DC4 Ref B: LON04EDGE0709 Ref C: 2024-01-12T01:36:16Z
    date: Fri, 12 Jan 2024 01:36:16 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340418567_1CP2YH6ACBDMHMMFR&pid=21.2&w=1920&h=1080&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239340418567_1CP2YH6ACBDMHMMFR&pid=21.2&w=1920&h=1080&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 506638
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: C773B3996AE8412F8CFC9632D0BE1313 Ref B: LON04EDGE0709 Ref C: 2024-01-12T01:36:16Z
    date: Fri, 12 Jan 2024 01:36:16 GMT
  • flag-us
    GET
    https://tse1.mm.bing.net/th?id=OADD2.10239340418543_1PQIQEA9PYCCTOZ9T&pid=21.2&w=1080&h=1920&c=4
    Remote address:
    204.79.197.200:443
    Request
    GET /th?id=OADD2.10239340418543_1PQIQEA9PYCCTOZ9T&pid=21.2&w=1080&h=1920&c=4 HTTP/2.0
    host: tse1.mm.bing.net
    accept: */*
    accept-encoding: gzip, deflate, br
    user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19041
    Response
    HTTP/2.0 200
    cache-control: public, max-age=2592000
    content-length: 490296
    content-type: image/jpeg
    x-cache: TCP_HIT
    access-control-allow-origin: *
    access-control-allow-headers: *
    access-control-allow-methods: GET, POST, OPTIONS
    timing-allow-origin: *
    report-to: {"group":"network-errors","max_age":604800,"endpoints":[{"url":"https://aefd.nelreports.net/api/report?cat=bingth"}]}
    nel: {"report_to":"network-errors","max_age":604800,"success_fraction":0.001,"failure_fraction":1.0}
    accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
    x-msedge-ref: Ref A: 2B09B53120234FBF8FE877A33A281F0B Ref B: LON04EDGE0709 Ref C: 2024-01-12T01:36:16Z
    date: Fri, 12 Jan 2024 01:36:16 GMT
  • flag-us
    DNS
    200.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.197.79.204.in-addr.arpa
    IN PTR
    Response
    200.197.79.204.in-addr.arpa
    IN PTR
    a-0001a-msedgenet
  • flag-us
    DNS
    200.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.197.79.204.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    194.98.74.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    194.98.74.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    194.98.74.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    194.98.74.40.in-addr.arpa
    IN PTR
    Response
  • 204.79.197.200:443
    https://tse1.mm.bing.net/th?id=OADD2.10239340418543_1PQIQEA9PYCCTOZ9T&pid=21.2&w=1080&h=1920&c=4
    tls, http2
    64.5kB
    1.9MB
    1361
    1357

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239340418568_12QU0TF0Q0S6KJNUT&pid=21.2&w=1080&h=1920&c=4

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239340418544_1U65HGUXV07UFEU5B&pid=21.2&w=1920&h=1080&c=4

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239340418567_1CP2YH6ACBDMHMMFR&pid=21.2&w=1920&h=1080&c=4

    HTTP Request

    GET https://tse1.mm.bing.net/th?id=OADD2.10239340418543_1PQIQEA9PYCCTOZ9T&pid=21.2&w=1080&h=1920&c=4

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200

    HTTP Response

    200
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    8.3kB
    16
    14
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    8.2kB
    16
    13
  • 204.79.197.200:443
    tse1.mm.bing.net
    tls, http2
    1.2kB
    8.3kB
    16
    14
  • 8.8.8.8:53
    23.181.190.20.in-addr.arpa
    dns
    144 B
    158 B
    2
    1

    DNS Request

    23.181.190.20.in-addr.arpa

    DNS Request

    23.181.190.20.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    146 B
    144 B
    2
    1

    DNS Request

    95.221.229.192.in-addr.arpa

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    9.228.82.20.in-addr.arpa
    dns
    70 B
    156 B
    1
    1

    DNS Request

    9.228.82.20.in-addr.arpa

  • 8.8.8.8:53
    0.205.248.87.in-addr.arpa
    dns
    71 B
    116 B
    1
    1

    DNS Request

    0.205.248.87.in-addr.arpa

  • 8.8.8.8:53
    41.110.16.96.in-addr.arpa
    dns
    71 B
    135 B
    1
    1

    DNS Request

    41.110.16.96.in-addr.arpa

  • 8.8.8.8:53
    26.35.223.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    26.35.223.20.in-addr.arpa

  • 8.8.8.8:53
    146.78.124.51.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    146.78.124.51.in-addr.arpa

  • 8.8.8.8:53
    208.194.73.20.in-addr.arpa
    dns
    144 B
    158 B
    2
    1

    DNS Request

    208.194.73.20.in-addr.arpa

    DNS Request

    208.194.73.20.in-addr.arpa

  • 8.8.8.8:53
    api.opencandy.com
    dns
    RunDll32.exe
    63 B
    122 B
    1
    1

    DNS Request

    api.opencandy.com

  • 8.8.8.8:53
    26.165.165.52.in-addr.arpa
    dns
    72 B
    146 B
    1
    1

    DNS Request

    26.165.165.52.in-addr.arpa

  • 8.8.8.8:53
    171.39.242.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    171.39.242.20.in-addr.arpa

  • 8.8.8.8:53
    217.135.221.88.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    217.135.221.88.in-addr.arpa

  • 8.8.8.8:53
    114.110.16.96.in-addr.arpa
    dns
    72 B
    137 B
    1
    1

    DNS Request

    114.110.16.96.in-addr.arpa

  • 8.8.8.8:53
    107.135.221.88.in-addr.arpa
    dns
    73 B
    139 B
    1
    1

    DNS Request

    107.135.221.88.in-addr.arpa

  • 8.8.8.8:53
    21.236.111.52.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    21.236.111.52.in-addr.arpa

  • 8.8.8.8:53
    tse1.mm.bing.net
    dns
    62 B
    173 B
    1
    1

    DNS Request

    tse1.mm.bing.net

    DNS Response

    204.79.197.200
    13.107.21.200

  • 8.8.8.8:53
    200.197.79.204.in-addr.arpa
    dns
    146 B
    106 B
    2
    1

    DNS Request

    200.197.79.204.in-addr.arpa

    DNS Request

    200.197.79.204.in-addr.arpa

  • 8.8.8.8:53
    194.98.74.40.in-addr.arpa
    dns
    142 B
    290 B
    2
    2

    DNS Request

    194.98.74.40.in-addr.arpa

    DNS Request

    194.98.74.40.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\is-DE01R.tmp\VDownloaderSetup.tmp

    Filesize

    1.1MB

    MD5

    713bfb93270414f034fa70496d5cfffc

    SHA1

    f6b5e6a6d7ec32a1d32bbab37986da0cf1bc94c6

    SHA256

    8f7c04c54c61b7f11d3c6016254abaab89997cb0d5198e8c7ef0df2edbca16d7

    SHA512

    e9cfbc676e02854821cbd585d3de2b3f5cadf2c11fe306244cbba7ae066574dbfc7971f0e6a1d38a6e47af75762f608a8f14082d0e2f8d7c224c591caed00472

  • C:\Users\Admin\AppData\Local\Temp\is-HI7VB.tmp\OCSetupHlp.dll

    Filesize

    750KB

    MD5

    c6cef91b4abcebc8e86acb0dab99a496

    SHA1

    d74806351749e22a8a4c11c327d53b802561ef12

    SHA256

    c176f3957092d03b9f53e020e0711b534bef3a8e528d2dc58475a19a4eef0723

    SHA512

    f20b7608cdfa893f3384bbcdc41d4eac79c028c4bd0f4881b0006c0323d7f806c9bea2db19adf7245abd4b06b25bde1aca8c4ee68053cd997684f75c220586e5

  • C:\Users\Admin\AppData\Local\Temp\is-HI7VB.tmp\isxdl.dll

    Filesize

    121KB

    MD5

    48ad1a1c893ce7bf456277a0a085ed01

    SHA1

    803997ef17eedf50969115c529a2bf8de585dc91

    SHA256

    b0cc4697b2fd1b4163fddca2050fc62a9e7d221864f1bd11e739144c90b685b3

    SHA512

    7c9e7fe9f00c62cccb5921cb55ba0dd96a0077ad52962473c1e79cda1fd9aa101129637043955703121443e1f8b6b2860cd4dfdb71052b20a322e05deed101a4

  • memory/1168-1-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1168-18-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1536-28-0x00000000015C0000-0x00000000015C1000-memory.dmp

    Filesize

    4KB

  • memory/3968-7-0x0000000000810000-0x0000000000811000-memory.dmp

    Filesize

    4KB

  • memory/3968-24-0x0000000000400000-0x000000000053B000-memory.dmp

    Filesize

    1.2MB

  • memory/3968-30-0x0000000000400000-0x000000000053B000-memory.dmp

    Filesize

    1.2MB

  • memory/3968-31-0x0000000000810000-0x0000000000811000-memory.dmp

    Filesize

    4KB

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.