Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    134s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    24/04/2024, 16:06

General

  • Target

    #!NewFiile_7474_ṔḁṨṨCṏḌḙ$s/Setup.exe

  • Size

    8.5MB

  • MD5

    98169506fec94c2b12ba9930ad704515

  • SHA1

    bce662a9fb94551f648ba2d7e29659957fd6a428

  • SHA256

    9b8a5b0a45adf843e24214b46c285e44e73bc6eaf9e2a3b2c14a6d93ae541363

  • SHA512

    7f4f7ac2326a1a8b7afc72822dae328753578eb0a4ffcec5adb4e4fb0c49703070f71e7411df221ee9f44d6b43a0a94921fe530877c5d5e71640b807e96def30

  • SSDEEP

    196608:vdoUox8PFOegKz+qE1cnuyHgv3eZaOxqeXY4K:vC0O9m7EWEvbOxqetK

Malware Config

Extracted

Family

vidar

Botnet

048d5e906358321b51376c6237a65c77

C2

https://redddog.xyz

https://steamcommunity.com/profiles/76561199677575543

https://t.me/snsb82

Attributes
  • profile_id_v2

    048d5e906358321b51376c6237a65c77

  • user_agent

    Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) AppleWebKit/534.6 (KHTML, like Gecko) Chrome/8.0.500.0 Safari/534.6

Signatures

  • Banload

    Banload variants download malicious files, then install and execute the files.

  • Detect Vidar Stealer 2 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Registers COM server for autorun 1 TTPs 8 IoCs
  • Program crash 1 IoCs
  • Modifies registry class 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\#!NewFiile_7474_ṔḁṨṨCṏḌḙ$s\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\#!NewFiile_7474_ṔḁṨṨCṏḌḙ$s\Setup.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Suspicious use of SetThreadContext
    • Registers COM server for autorun
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1888
    • C:\Windows\SysWOW64\netsh.exe
      C:\Windows\SysWOW64\netsh.exe
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2664
      • C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe
        C:\Users\Admin\AppData\Local\Temp\BvInputDiag.exe
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2464
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2464 -s 1456
          4⤵
          • Loads dropped DLL
          • Program crash
          PID:2200

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\a819b68a

    Filesize

    6.0MB

    MD5

    46cd4f9eb9f568e4f5aed28763c6fe87

    SHA1

    2d0e39c18637cf8d21f17360399576ce81914a27

    SHA256

    ff8a898025e0ebc2992e0accd3f09d5607f739692c9506266a6ddd7ab316e6f2

    SHA512

    873517ef7ea9154a8e84dbae805e07b1a3adde9d2846194b9608bc0d2ac195f8677a1d7a95cb5e59216c6966e0cb8ffd59e62f04d021df355f06e0a0f12dad2b

  • \Users\Admin\AppData\Local\Temp\BvInputDiag.exe

    Filesize

    136KB

    MD5

    3d754cfa4a5b2a3f19720550acf6d3cf

    SHA1

    e5c78edbd54e14a42258a6c223d2cf128530e1b6

    SHA256

    8e5e627881c8182bfbb64601c6f4f7b30ba950dfd10f638f404479406b2c03b8

    SHA512

    18db06443a718b8233ac9724e7f96310bf5841d2c980cd1d02e6fb6743e23acc13bd67fcd214b4c0650ac933f6f081759d699c73e14baf26ffc324c2b30f153b

  • memory/1888-16-0x0000000000400000-0x0000000001CF7000-memory.dmp

    Filesize

    25.0MB

  • memory/1888-10-0x0000000000400000-0x0000000001CF7000-memory.dmp

    Filesize

    25.0MB

  • memory/1888-15-0x0000000000400000-0x0000000001CF7000-memory.dmp

    Filesize

    25.0MB

  • memory/1888-0-0x0000000003D40000-0x0000000003F28000-memory.dmp

    Filesize

    1.9MB

  • memory/1888-17-0x0000000000400000-0x0000000001CF7000-memory.dmp

    Filesize

    25.0MB

  • memory/1888-19-0x0000000000400000-0x0000000001CF7000-memory.dmp

    Filesize

    25.0MB

  • memory/1888-20-0x00000000046A0000-0x0000000004A9A000-memory.dmp

    Filesize

    4.0MB

  • memory/1888-22-0x000007FEF64B0000-0x000007FEF6608000-memory.dmp

    Filesize

    1.3MB

  • memory/1888-36-0x000007FEF64B0000-0x000007FEF6608000-memory.dmp

    Filesize

    1.3MB

  • memory/1888-37-0x000007FEF64B0000-0x000007FEF6608000-memory.dmp

    Filesize

    1.3MB

  • memory/1888-12-0x0000000000400000-0x0000000001CF7000-memory.dmp

    Filesize

    25.0MB

  • memory/1888-14-0x0000000000400000-0x0000000001CF7000-memory.dmp

    Filesize

    25.0MB

  • memory/2464-49-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2464-48-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2464-52-0x00000000775A0000-0x0000000077749000-memory.dmp

    Filesize

    1.7MB

  • memory/2464-53-0x0000000000400000-0x0000000000B4B000-memory.dmp

    Filesize

    7.3MB

  • memory/2464-73-0x0000000000400000-0x0000000000B4B000-memory.dmp

    Filesize

    7.3MB

  • memory/2664-42-0x00000000738A0000-0x0000000073A14000-memory.dmp

    Filesize

    1.5MB

  • memory/2664-46-0x00000000738A0000-0x0000000073A14000-memory.dmp

    Filesize

    1.5MB

  • memory/2664-40-0x00000000775A0000-0x0000000077749000-memory.dmp

    Filesize

    1.7MB

  • memory/2664-50-0x00000000738A0000-0x0000000073A14000-memory.dmp

    Filesize

    1.5MB