Analysis
max time kernel: 140s
max time network: 145s
platform: windows11-21h2_x64
resource: win11-20240214-en
resource tags: arch:x64, arch:x86, image:win11-20240214-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 20/02/2024, 16:09
Static task: static1
Behavioral task: behavioral1
Sample: Unlock_App_6.6.rar
Resource: win11-20240214-en
General
Target: Unlock_App_6.6.rar
Size: 44.6MB
MD5: 6c9eb6d5677d6395ad819159d8627bf0
SHA1: 7700f530bf2e1a6e04c0c4d03f95d95a303c5220
SHA256: 20c4230bc5ec9ca11fee5126fafd6ce4a4ec99a7c1c9f9f428d06dc409c19bb0
SHA512: 3a0c2cb9ea80a2a242fe7b330d853a28473369a9c3da029aee189837e92b0a6c32c0b0fd0ff00ba570fb523c29086c54197e51beb2babdb4351e8f1407abd2b2
SSDEEP: 786432:T6LrH42lZh/+/oHsEo88aHpUN0zGPUEu396rmeDrtlwnQ/z:T6LrY2lZh2wzo8BTGPUV966ekns
Malware Config
Extracted
Family: vidar
Version: 7.9
6c468b67f5f4b14cdea5182be9e4f737
https://t.me/hypergog
https://steamcommunity.com/profiles/76561199642171824
profile_id_v2: 6c468b67f5f4b14cdea5182be9e4f737
user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36
Signatures

Detect Vidar Stealer (3 IoCs)
resource | yara_rule
behavioral1/memory/4800-16-0x0000000000400000-0x0000000000649000-memory.dmp | family_vidar_v7
behavioral1/memory/4800-20-0x0000000000400000-0x0000000000649000-memory.dmp | family_vidar_v7
behavioral1/memory/4800-24-0x0000000000400000-0x0000000000649000-memory.dmp | family_vidar_v7

Executes dropped EXE (1 IoC)
pid | Process
4872 | Unlock_App_6.6.exe

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 4872 set thread context of 4800 | 4872 | Unlock_App_6.6.exe | 88

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
pid | pid_target | Process | procid_target
4260 | 4800 | WerFault.exe | 88

Modifies registry class (3 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1473553098-1580226532-3330220195-1000_Classes\Local Settings | cmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | 7zFM.exe
Key created | \REGISTRY\USER\S-1-5-21-1473553098-1580226532-3330220195-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | 7zFM.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
1372 | 7zFM.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeRestorePrivilege | 1372 | 7zFM.exe
Token: 35 | 1372 | 7zFM.exe
Token: SeSecurityPrivilege | 1372 | 7zFM.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
1372 | 7zFM.exe
1372 | 7zFM.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 2664 wrote to memory of 1372 | 2664 | cmd.exe | 80
PID 2664 wrote to memory of 1372 | 2664 | cmd.exe | 80
PID 4872 wrote to memory of 4800 | 4872 | Unlock_App_6.6.exe | 88
PID 4872 wrote to memory of 4800 | 4872 | Unlock_App_6.6.exe | 88
PID 4872 wrote to memory of 4800 | 4872 | Unlock_App_6.6.exe | 88
PID 4872 wrote to memory of 4800 | 4872 | Unlock_App_6.6.exe | 88
PID 4872 wrote to memory of 4800 | 4872 | Unlock_App_6.6.exe | 88
PID 4872 wrote to memory of 4800 | 4872 | Unlock_App_6.6.exe | 88
PID 4872 wrote to memory of 4800 | 4872 | Unlock_App_6.6.exe | 88
PID 4872 wrote to memory of 4800 | 4872 | Unlock_App_6.6.exe | 88
PID 4872 wrote to memory of 4800 | 4872 | Unlock_App_6.6.exe | 88
PID 4872 wrote to memory of 4800 | 4872 | Unlock_App_6.6.exe | 88
Processes

C:\Windows\system32\cmd.exe (PID 2664)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Unlock_App_6.6.rar
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
    C:\Program Files\7-Zip\7zFM.exe (PID 1372)
      Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Unlock_App_6.6.rar"
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow

C:\Users\Admin\Desktop\Unlock_App_6.6.exe (PID 4872)
  Command line: "C:\Users\Admin\Desktop\Unlock_App_6.6.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 4800)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        C:\Windows\SysWOW64\WerFault.exe (PID 4260)
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 2300
          - Program crash

C:\Windows\SysWOW64\WerFault.exe (PID 872)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4800 -ip 4800
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 14KB
MD5: 23c7c75da086ea011027632823cd65eb
SHA1: b258ec850fc3536a488c444f69a6a204ed6c2d6c
SHA256: d750db9c929b2141bc54772eb6909dce62efdd966bf4596b7b189f3038003a38
SHA512: fad8dad5971079f9b607c38b5251212e5fb3226cb79d342d690e982828b34d5b9f0fe18feef2a685780fdbf782aa7d5b1ebb53a2eac6f658ae1ed7142b6d99ae

Filesize: 231KB
MD5: 081f22bd3169922b9c6738ada0af7dda
SHA1: 4d5d012a15b4e1f4593fed7ad4ca14f1c2edc678
SHA256: 81ccd39c7f2e23b28f3b7e8dd8ddbfc1d38dd3f4664edb6ab1ee5a96b037c3e7
SHA512: f26d5e55353de271967df834050818d4301dcbb523ddd24583c9d8f963721c47e250b3799bfa832ffdb0869973e56720b17a8f2059c7d7208fe51cf0c2e3fe9b