Analysis
- max time kernel: 134s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 24/04/2024, 16:06
Static task
- static1
Behavioral task
- behavioral1
  Sample: #!NewFiile_7474_ṔḁṨṨCṏḌḙ$s/Setup.exe
  Resource: win7-20240215-en
Behavioral task
- behavioral2
  Sample: #!NewFiile_7474_ṔḁṨṨCṏḌḙ$s/Setup.exe
  Resource: win10v2004-20240412-en
General
- Target: #!NewFiile_7474_ṔḁṨṨCṏḌḙ$s/Setup.exe
- Size: 8.5MB
- MD5: 98169506fec94c2b12ba9930ad704515
- SHA1: bce662a9fb94551f648ba2d7e29659957fd6a428
- SHA256: 9b8a5b0a45adf843e24214b46c285e44e73bc6eaf9e2a3b2c14a6d93ae541363
- SHA512: 7f4f7ac2326a1a8b7afc72822dae328753578eb0a4ffcec5adb4e4fb0c49703070f71e7411df221ee9f44d6b43a0a94921fe530877c5d5e71640b807e96def30
- SSDEEP: 196608:vdoUox8PFOegKz+qE1cnuyHgv3eZaOxqeXY4K:vC0O9m7EWEvbOxqetK
Malware Config
Extracted
- Family: vidar
- Botnet/profile: 048d5e906358321b51376c6237a65c77
- C2:
  https://redddog.xyz
  https://steamcommunity.com/profiles/76561199677575543
  https://t.me/snsb82
- profile_id_v2: 048d5e906358321b51376c6237a65c77
- user_agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) AppleWebKit/534.6 (KHTML, like Gecko) Chrome/8.0.500.0 Safari/534.6
Signatures
- Banload
  Banload variants download malicious files, then install and execute the files.
- Detect Vidar Stealer (2 IoCs)
  resource | yara_rule
  behavioral1/memory/2464-53-0x0000000000400000-0x0000000000B4B000-memory.dmp | family_vidar_v7
  behavioral1/memory/2464-73-0x0000000000400000-0x0000000000B4B000-memory.dmp | family_vidar_v7
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Setup.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Setup.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | Setup.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 1888 set thread context of 2664 | 1888 | Setup.exe | 28
- Loads dropped DLL (6 IoCs)
  pid | Process
  2664 | netsh.exe
  2464 | BvInputDiag.exe
  2200 | WerFault.exe (4 entries)
- Registers COM server for autorun (1 TTP, 8 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\Class = "Microsoft.Office.Interop.Outlook._RecipientControlClass" | Setup.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\RuntimeVersion = "v2.0.50727" | Setup.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\14.0.0.0 | Setup.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\14.0.0.0\Assembly = "Microsoft.Office.Interop.Outlook, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" | Setup.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\14.0.0.0\Class = "Microsoft.Office.Interop.Outlook._RecipientControlClass" | Setup.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\14.0.0.0\RuntimeVersion = "v2.0.50727" | Setup.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32 | Setup.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\Assembly = "Microsoft.Office.Interop.Outlook, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" | Setup.exe
- Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  2200 | 2464 | WerFault.exe | 30
- Modifies registry class (9 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3} | Setup.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32 | Setup.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\RuntimeVersion = "v2.0.50727" | Setup.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\14.0.0.0 | Setup.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\14.0.0.0\RuntimeVersion = "v2.0.50727" | Setup.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\Assembly = "Microsoft.Office.Interop.Outlook, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" | Setup.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\Class = "Microsoft.Office.Interop.Outlook._RecipientControlClass" | Setup.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\14.0.0.0\Assembly = "Microsoft.Office.Interop.Outlook, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" | Setup.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\14.0.0.0\Class = "Microsoft.Office.Interop.Outlook._RecipientControlClass" | Setup.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  1888 | Setup.exe (2 entries)
  2664 | netsh.exe (2 entries)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  pid | Process
  1888 | Setup.exe
  2664 | netsh.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  description | pid | Process | procid_target
  PID 1888 wrote to memory of 2664 | 1888 | Setup.exe | 28 (5 entries)
  PID 2664 wrote to memory of 2464 | 2664 | netsh.exe | 30 (6 entries)
  PID 2464 wrote to memory of 2200 | 2464 | BvInputDiag.exe | 34 (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\#!NewFiile_7474_ṔḁṨṨCṏḌḙ$s\Setup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\#!NewFiile_7474_ṔḁṨṨCṏḌḙ$s\Setup.exe"
  PID: 1888
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Suspicious use of SetThreadContext
  - Registers COM server for autorun
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe (child of PID 1888)
    Command line: C:\Windows\SysWOW64\netsh.exe
    PID: 2664
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe (child of PID 2664)
      Command line: C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe
      PID: 2464
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WerFault.exe (child of PID 2464)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 1456
        PID: 2200
        - Loads dropped DLL
        - Program crash
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 6.0MB
  MD5: 46cd4f9eb9f568e4f5aed28763c6fe87
  SHA1: 2d0e39c18637cf8d21f17360399576ce81914a27
  SHA256: ff8a898025e0ebc2992e0accd3f09d5607f739692c9506266a6ddd7ab316e6f2
  SHA512: 873517ef7ea9154a8e84dbae805e07b1a3adde9d2846194b9608bc0d2ac195f8677a1d7a95cb5e59216c6966e0cb8ffd59e62f04d021df355f06e0a0f12dad2b
- Filesize: 136KB
  MD5: 3d754cfa4a5b2a3f19720550acf6d3cf
  SHA1: e5c78edbd54e14a42258a6c223d2cf128530e1b6
  SHA256: 8e5e627881c8182bfbb64601c6f4f7b30ba950dfd10f638f404479406b2c03b8
  SHA512: 18db06443a718b8233ac9724e7f96310bf5841d2c980cd1d02e6fb6743e23acc13bd67fcd214b4c0650ac933f6f081759d699c73e14baf26ffc324c2b30f153b