Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

bcd82f6def...35.exe

windows7-x64

10

bcd82f6def...35.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    170s
  • max time network
    177s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/03/2024, 21:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bcd82f6defede426e64ca33056f80635.exe

  • Size

    1.9MB

  • MD5

    bcd82f6defede426e64ca33056f80635

  • SHA1

    21016511704cf6454e56aa36de55c8f630658168

  • SHA256

    4c979260a100193bf14d3eb349affcaf52cf60b7208575ea04cc024c10a168dd

  • SHA512

    86e5bc91308d726ac0c2075674e4550eb4b98cbcd2db5d38294707adb8a33d201c6615a36663e0531ee9573333301bb50077cea11738c1e5a98d885a84271fb1

  • SSDEEP

    49152:xcBWEwJ84vLRaBtIl9mVJlZkqFBgKWTO762mRDO4tz:xkCvLUBsgNkC/WTl2mRDOcz

Score
10/10
nullmixerprivateloadersmokeloadervidar706pub5aspackv2backdoordropperloaderstealertrojan

Malware Config

Extracted

Family

nullmixer

C2

http://watira.xyz/

Extracted

Family

smokeloader

Botnet

pub5

Extracted

Family

vidar

Version

40

Botnet

706

C2

https://lenak513.tumblr.com/

Attributes
  • profile_id

    706

Extracted

Family

smokeloader

Version

2020

C2

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/
rc4.i32
rc4.i32

Signatures

  • NullMixer

    NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.

    droppernullmixer
  • PrivateLoader

    PrivateLoader is a downloader sold as a pay-per-install malware distribution service.

    loaderprivateloader
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Vidar Stealer 2 IoCs
    stealer
  • ASPack v2.12-2.42 3 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 7 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 5 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 20 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 45 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\bcd82f6defede426e64ca33056f80635.exe
    "C:\Users\Admin\AppData\Local\Temp\bcd82f6defede426e64ca33056f80635.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4860
    • C:\Users\Admin\AppData\Local\Temp\7zSCF2EB5C7\setup_install.exe
      "C:\Users\Admin\AppData\Local\Temp\7zSCF2EB5C7\setup_install.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1524
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c d38e3c323fbd6c1.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:648
        • C:\Users\Admin\AppData\Local\Temp\7zSCF2EB5C7\d38e3c323fbd6c1.exe
          d38e3c323fbd6c1.exe
          4⤵
          • Executes dropped EXE
          PID:4924
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c 446e50fbdfb2.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4652
        • C:\Users\Admin\AppData\Local\Temp\7zSCF2EB5C7\446e50fbdfb2.exe
          446e50fbdfb2.exe
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4052
          • C:\Users\Admin\AppData\Local\Temp\7zSCF2EB5C7\446e50fbdfb2.exe
            "C:\Users\Admin\AppData\Local\Temp\7zSCF2EB5C7\446e50fbdfb2.exe" -a
            5⤵
            • Executes dropped EXE
            PID:1632
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c 7f67b7bd4.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3308
        • C:\Users\Admin\AppData\Local\Temp\7zSCF2EB5C7\7f67b7bd4.exe
          7f67b7bd4.exe
          4⤵
          • Executes dropped EXE
          PID:684
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c c94ffb5d331eb3.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4852
        • C:\Users\Admin\AppData\Local\Temp\7zSCF2EB5C7\c94ffb5d331eb3.exe
          c94ffb5d331eb3.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:3336
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c db071188abeb475.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4400
        • C:\Users\Admin\AppData\Local\Temp\7zSCF2EB5C7\db071188abeb475.exe
          db071188abeb475.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1820
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c 3d8ebf6fc1e71737.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4600
        • C:\Users\Admin\AppData\Local\Temp\7zSCF2EB5C7\3d8ebf6fc1e71737.exe
          3d8ebf6fc1e71737.exe
          4⤵
          • Executes dropped EXE
          PID:4480
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 824
            5⤵
            • Program crash
            PID:3236
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 832
            5⤵
            • Program crash
            PID:2508
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 888
            5⤵
            • Program crash
            PID:2268
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4480 -s 884
            5⤵
            • Program crash
            PID:4508
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c 02e5560d6466.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1188
        • C:\Users\Admin\AppData\Local\Temp\7zSCF2EB5C7\02e5560d6466.exe
          02e5560d6466.exe
          4⤵
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          PID:1372
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 552
        3⤵
        • Program crash
        PID:2768
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1524 -ip 1524
    1⤵
      PID:2392
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4480 -ip 4480
      1⤵
        PID:2328
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4480 -ip 4480
        1⤵
          PID:4700
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4480 -ip 4480
          1⤵
            PID:1500
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4480 -ip 4480
            1⤵
              PID:556
            • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
              "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
              1⤵
              • Modifies data under HKEY_USERS
              • Suspicious use of SetWindowsHookEx
              PID:3996

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\7zSCF2EB5C7\02e5560d6466.exe
              Filesize

              177KB

              MD5

              90943d82566e56216ca9a90d907a834d

              SHA1

              97795463ddff0d5e40e21903fbf8368c203d7efd

              SHA256

              1c79d0f64c5a1a2ad6dba77b6a735e7e9be229533b347f20b7448b28a309ada7

              SHA512

              a74cad08f2a8716350875eb0603cd4b3d37eda2d13727c6e21972c1d2e698a2a0ec25fb46d5e0a05b1b0d6d69d51a6eb1da605612521ee45007ee67f3d983224

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\7zSCF2EB5C7\3d8ebf6fc1e71737.exe
              Filesize

              543KB

              MD5

              0afad9ff556dea967ba3972823dc5053

              SHA1

              ad5aa87d13102a4ce76d30f52f6414593107d420

              SHA256

              ff630dc798021ce5f290190815154404b1751bb6daf738adc2f5a7584c007850

              SHA512

              e5cd97c14024c53ff0d6f3a97b7764ee7a47caa8f872520957979bbfbeb795f759fef29f02d2ead5b9217275bd0336013a9b39b2303b89253ff2db6ea12d9f41

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\7zSCF2EB5C7\446e50fbdfb2.exe
              Filesize

              56KB

              MD5

              c0d18a829910babf695b4fdaea21a047

              SHA1

              236a19746fe1a1063ebe077c8a0553566f92ef0f

              SHA256

              78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98

              SHA512

              cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\7zSCF2EB5C7\7f67b7bd4.exe
              Filesize

              241KB

              MD5

              5866ab1fae31526ed81bfbdf95220190

              SHA1

              75a5e08b3b9ad2dff35dfbbb3ffe8d983c2be25f

              SHA256

              9e1a149370efe9814bf2cbd87acfcfa410d1769efd86a9722da4373d6716d22e

              SHA512

              8d99ab09e84e4ef309da34be94946cbfcffeb1c0ca49e2452deb738d801e551062ebb134f1b99a9baf03003a8e720d525521ce09aeac341d3cba3fcfbc618fb5

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\7zSCF2EB5C7\c94ffb5d331eb3.exe
              Filesize

              8KB

              MD5

              bf78562d81291113d7664f8b10b38019

              SHA1

              7c1e6b7a9abcf1f96eb79ffdc7ea1831ad7f7889

              SHA256

              aa18f5ee23ba9686522956203b349217aebdc2c921471db1a89d4bc16d699251

              SHA512

              c94ac906daf9ca91983c58d353984b1b84334d7fa57581b32fd029b0db582ca00ef67f5ef0a1fc0fd624aa30d220503e5f1b70617a303712b2f5886ab5672f36

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\7zSCF2EB5C7\d38e3c323fbd6c1.exe
              Filesize

              630KB

              MD5

              c465c7eb89a23837379e37046ec398e6

              SHA1

              00f6f8b48667dfe44d354953158c6915efd6d260

              SHA256

              430ed661f3be61265c7b657a641032b28c5a38495e6b37149b93428b9efa48a9

              SHA512

              9281e662c5612c104804c12ff79b0d953eb60d2d52103656bb9f9d0d523d12280a624f8199bae414c40481839e663dd399f5fbeed1489f70a81657324b536b97

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\7zSCF2EB5C7\db071188abeb475.exe
              Filesize

              165KB

              MD5

              5f6f8e5a5e6ba53f8f785b575573451d

              SHA1

              97b99adefc3ecca6be60c882b563853091f586ef

              SHA256

              6f8a7657b62f79b148d6b930641ef70eb0d8bc909377439819a0db601ca1c0d8

              SHA512

              ff6491641fc985bd03421e8565b36322017da9a647015bcc399b3ca73c675749d3e22eee5e437283b22b6a05240f6bd1bf8eddc0ef3be233fd8c40fe82fead05

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\7zSCF2EB5C7\libcurl.dll
              Filesize

              218KB

              MD5

              d09be1f47fd6b827c81a4812b4f7296f

              SHA1

              028ae3596c0790e6d7f9f2f3c8e9591527d267f7

              SHA256

              0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

              SHA512

              857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\7zSCF2EB5C7\libcurlpp.dll
              Filesize

              54KB

              MD5

              e6e578373c2e416289a8da55f1dc5e8e

              SHA1

              b601a229b66ec3d19c2369b36216c6f6eb1c063e

              SHA256

              43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

              SHA512

              9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\7zSCF2EB5C7\libgcc_s_dw2-1.dll
              Filesize

              113KB

              MD5

              9aec524b616618b0d3d00b27b6f51da1

              SHA1

              64264300801a353db324d11738ffed876550e1d3

              SHA256

              59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

              SHA512

              0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\7zSCF2EB5C7\libstdc++-6.dll
              Filesize

              647KB

              MD5

              5e279950775baae5fea04d2cc4526bcc

              SHA1

              8aef1e10031c3629512c43dd8b0b5d9060878453

              SHA256

              97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

              SHA512

              666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\7zSCF2EB5C7\libwinpthread-1.dll
              Filesize

              69KB

              MD5

              1e0d62c34ff2e649ebc5c372065732ee

              SHA1

              fcfaa36ba456159b26140a43e80fbd7e9d9af2de

              SHA256

              509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

              SHA512

              3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\7zSCF2EB5C7\setup_install.exe
              Filesize

              2.8MB

              MD5

              89234c696d12764a50771526b8d7acd5

              SHA1

              fd8021e261e6f2660f53ba38adf2dd4368a5a28b

              SHA256

              63e3049fb3405a1924978395b754cf443441f1f25353df85ed464a7dcde73849

              SHA512

              b9ebbf00d2b4b679f6e75933817936f74bd899482387ecab14e7c8733a1cf0b84e2e1a1ce612f959d22a14d0186536621e90e39800fb54d0d74b68654a2ab60d

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\7zSCF2EB5C7\setup_install.exe
              Filesize

              3.9MB

              MD5

              0a57091fca0deee47351b3e383e920e8

              SHA1

              e02960e79d54a38e8eb1efea47b4255593ee298d

              SHA256

              fd370453eab0054e146d14958a149d22b0376c3ddd3096f75d6cf98144d435b1

              SHA512

              fdf3bd4caf958b2f75fa352901b155ce6dabbfeb48bb47aae591a5e2a577a053f54042b5b541d1b60eb8f57e0186754685a8707481d60758db58a6c53ba3ca56

              Download Submit

            • memory/1372-92-0x0000000000400000-0x0000000002C62000-memory.dmp

              Filesize

              40.4MB

              Download

            • memory/1372-87-0x0000000002DD0000-0x0000000002ED0000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/1372-105-0x0000000000400000-0x0000000002C62000-memory.dmp

              Filesize

              40.4MB

              Download

            • memory/1372-90-0x0000000004870000-0x0000000004879000-memory.dmp

              Filesize

              36KB

              Download

            • memory/1524-95-0x0000000000400000-0x00000000006E2000-memory.dmp

              Filesize

              2.9MB

              Download

            • memory/1524-96-0x000000006B280000-0x000000006B2A6000-memory.dmp

              Filesize

              152KB

              Download

            • memory/1524-38-0x000000006FE40000-0x000000006FFC6000-memory.dmp

              Filesize

              1.5MB

              Download

            • memory/1524-40-0x000000006FE40000-0x000000006FFC6000-memory.dmp

              Filesize

              1.5MB

              Download

            • memory/1524-39-0x0000000064940000-0x0000000064959000-memory.dmp

              Filesize

              100KB

              Download

            • memory/1524-37-0x00000000010D0000-0x000000000115F000-memory.dmp

              Filesize

              572KB

              Download

            • memory/1524-35-0x000000006B440000-0x000000006B4CF000-memory.dmp

              Filesize

              572KB

              Download

            • memory/1524-41-0x000000006FE40000-0x000000006FFC6000-memory.dmp

              Filesize

              1.5MB

              Download

            • memory/1524-101-0x000000006FE40000-0x000000006FFC6000-memory.dmp

              Filesize

              1.5MB

              Download

            • memory/1524-100-0x000000006EB40000-0x000000006EB63000-memory.dmp

              Filesize

              140KB

              Download

            • memory/1524-99-0x0000000064940000-0x0000000064959000-memory.dmp

              Filesize

              100KB

              Download

            • memory/1524-97-0x000000006B440000-0x000000006B4CF000-memory.dmp

              Filesize

              572KB

              Download

            • memory/1524-28-0x000000006B280000-0x000000006B2A6000-memory.dmp

              Filesize

              152KB

              Download

            • memory/1524-32-0x000000006B440000-0x000000006B4CF000-memory.dmp

              Filesize

              572KB

              Download

            • memory/1524-36-0x000000006FE40000-0x000000006FFC6000-memory.dmp

              Filesize

              1.5MB

              Download

            • memory/1524-42-0x000000006B280000-0x000000006B2A6000-memory.dmp

              Filesize

              152KB

              Download

            • memory/1524-33-0x000000006B440000-0x000000006B4CF000-memory.dmp

              Filesize

              572KB

              Download

            • memory/1524-43-0x000000006B280000-0x000000006B2A6000-memory.dmp

              Filesize

              152KB

              Download

            • memory/1820-83-0x00007FF857370000-0x00007FF857E31000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/1820-102-0x000000001B150000-0x000000001B160000-memory.dmp

              Filesize

              64KB

              Download

            • memory/1820-84-0x0000000000D30000-0x0000000000D36000-memory.dmp

              Filesize

              24KB

              Download

            • memory/1820-80-0x0000000000460000-0x0000000000490000-memory.dmp

              Filesize

              192KB

              Download

            • memory/1820-88-0x0000000000D60000-0x0000000000D66000-memory.dmp

              Filesize

              24KB

              Download

            • memory/1820-85-0x0000000000D40000-0x0000000000D62000-memory.dmp

              Filesize

              136KB

              Download

            • memory/3336-86-0x00007FF857370000-0x00007FF857E31000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3336-94-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3336-75-0x00000000009A0000-0x00000000009A8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/3336-111-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/3400-103-0x0000000001100000-0x0000000001116000-memory.dmp

              Filesize

              88KB

              Download

            • memory/4480-89-0x0000000003000000-0x0000000003100000-memory.dmp

              Filesize

              1024KB

              Download

            • memory/4480-98-0x0000000000400000-0x0000000002CBE000-memory.dmp

              Filesize

              40.7MB

              Download

            • memory/4480-93-0x00000000049A0000-0x0000000004A3D000-memory.dmp

              Filesize

              628KB

              Download