Analysis

  • max time kernel
    140s
  • max time network
    145s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240214-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240214-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    20/02/2024, 16:09

General

  • Target

    Unlock_App_6.6.rar

  • Size

    44.6MB

  • MD5

    6c9eb6d5677d6395ad819159d8627bf0

  • SHA1

    7700f530bf2e1a6e04c0c4d03f95d95a303c5220

  • SHA256

    20c4230bc5ec9ca11fee5126fafd6ce4a4ec99a7c1c9f9f428d06dc409c19bb0

  • SHA512

    3a0c2cb9ea80a2a242fe7b330d853a28473369a9c3da029aee189837e92b0a6c32c0b0fd0ff00ba570fb523c29086c54197e51beb2babdb4351e8f1407abd2b2

  • SSDEEP

    786432:T6LrH42lZh/+/oHsEo88aHpUN0zGPUEu396rmeDrtlwnQ/z:T6LrY2lZh2wzo8BTGPUV966ekns

Malware Config

Extracted

Family

vidar

Version

7.9

Botnet

6c468b67f5f4b14cdea5182be9e4f737

C2

https://t.me/hypergog

https://steamcommunity.com/profiles/76561199642171824

Attributes
  • profile_id_v2

    6c468b67f5f4b14cdea5182be9e4f737

  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36

Signatures

  • Detect Vidar Stealer 3 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Unlock_App_6.6.rar
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2664
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Unlock_App_6.6.rar"
      2⤵
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:1372
  • C:\Users\Admin\Desktop\Unlock_App_6.6.exe
    "C:\Users\Admin\Desktop\Unlock_App_6.6.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4872
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      PID:4800
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 2300
        3⤵
        • Program crash
        PID:4260
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4800 -ip 4800
    1⤵
    PID:872

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

    Filesize

    14KB

    MD5

    23c7c75da086ea011027632823cd65eb

    SHA1

    b258ec850fc3536a488c444f69a6a204ed6c2d6c

    SHA256

    d750db9c929b2141bc54772eb6909dce62efdd966bf4596b7b189f3038003a38

    SHA512

    fad8dad5971079f9b607c38b5251212e5fb3226cb79d342d690e982828b34d5b9f0fe18feef2a685780fdbf782aa7d5b1ebb53a2eac6f658ae1ed7142b6d99ae

  • C:\Users\Admin\Desktop\Unlock_App_6.6.exe

    Filesize

    231KB

    MD5

    081f22bd3169922b9c6738ada0af7dda

    SHA1

    4d5d012a15b4e1f4593fed7ad4ca14f1c2edc678

    SHA256

    81ccd39c7f2e23b28f3b7e8dd8ddbfc1d38dd3f4664edb6ab1ee5a96b037c3e7

    SHA512

    f26d5e55353de271967df834050818d4301dcbb523ddd24583c9d8f963721c47e250b3799bfa832ffdb0869973e56720b17a8f2059c7d7208fe51cf0c2e3fe9b

  • memory/4800-16-0x0000000000400000-0x0000000000649000-memory.dmp

    Filesize

    2.3MB

  • memory/4800-20-0x0000000000400000-0x0000000000649000-memory.dmp

    Filesize

    2.3MB

  • memory/4800-24-0x0000000000400000-0x0000000000649000-memory.dmp

    Filesize

    2.3MB

  • memory/4872-13-0x0000000074AA0000-0x0000000075251000-memory.dmp

    Filesize

    7.7MB

  • memory/4872-12-0x00000000002E0000-0x0000000000320000-memory.dmp

    Filesize

    256KB

  • memory/4872-22-0x00000000028D0000-0x00000000048D0000-memory.dmp

    Filesize

    32.0MB

  • memory/4872-21-0x0000000074AA0000-0x0000000075251000-memory.dmp

    Filesize

    7.7MB

  • memory/4872-36-0x00000000028D0000-0x00000000048D0000-memory.dmp

    Filesize

    32.0MB