Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    120s
  • max time network
    131s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240419-en
  • resource tags

    arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    29/04/2024, 10:12

General

  • Target

    @#LATEST_SoftWare_2024_PASSCODE_$.rar

  • Size

    51.5MB

  • MD5

    c7c3d6aaa70594d6df0b8f3f40a7e2f6

  • SHA1

    74f4da75221222f336009025a358366eaf6c1d68

  • SHA256

    979e872622b1ae7ca6e9cb3599de8e400b3bfe537d3cb64261dffaa7956baa50

  • SHA512

    c23ea4a4c280a529e798a89525fa14b02156d18e8029edb93920dcc1144d1346eb5ff18ebbc80caf55ab391205d7fa0b19d5dab1e029db523648e4b26f7af0b1

  • SSDEEP

    786432:dMPQ7x53FKvsZTMlKxppk7c8joaJ6eWd7Gt9BZjQZfDG3q9PhUwuMr+NegCHR:dMP+/3F6StAoalWd7wOFawVRj

Malware Config

Extracted

Family

vidar

Botnet

04eb8f77b9c9e4d5a6a6e5a3b727c27e

C2

https://graims.xyz

https://steamcommunity.com/profiles/76561199677575543

https://t.me/snsb82

Attributes
  • profile_id_v2

    04eb8f77b9c9e4d5a6a6e5a3b727c27e

  • user_agent

    Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) AppleWebKit/534.6 (KHTML, like Gecko) Chrome/8.0.500.0 Safari/534.6

Signatures

  • Detect Vidar Stealer 3 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\@#LATEST_SoftWare_2024_PASSCODE_$.rar
    1⤵
    • Modifies registry class
    PID:1592
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3612
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1188
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\@#LATEST_SoftWare_2024_PASSCODE_$.rar"
      1⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:5052
    • C:\Users\Admin\Desktop\New folder\Setup.exe
      "C:\Users\Admin\Desktop\New folder\Setup.exe"
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2644
      • C:\Windows\SysWOW64\ftp.exe
        C:\Windows\SysWOW64\ftp.exe
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:896
        • C:\Users\Admin\AppData\Local\Temp\PsExec.exe
          C:\Users\Admin\AppData\Local\Temp\PsExec.exe
          3⤵
          • Loads dropped DLL
          PID:2832
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 1556
            4⤵
            • Program crash
            PID:4448
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2832 -ip 2832
      1⤵
        PID:4000

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

        Filesize

        14KB

        MD5

        df6174acdde9286d5320b1263e26a1d9

        SHA1

        d79566c2c329b21ca0488087d87643d3db25b9cd

        SHA256

        489d01263901786804230863bf76507852fda144e7cfebe58973932e420239c9

        SHA512

        581556738de40ece831dc90ba0df4288ea4b53e5e32c009b403457f1e72f975c65334b67a9998ec5c27bf41e0d1709d9f9a7c33c1699c7d39f94681a83f1de7f

      • C:\Users\Admin\AppData\Local\Temp\PsExec.exe

        Filesize

        699KB

        MD5

        24a648a48741b1ac809e47b9543c6f12

        SHA1

        3e2272b916da4be3c120d17490423230ab62c174

        SHA256

        078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b

        SHA512

        b974ce956f2e922e92ca414d1bd6cc7bcb36bc44532b28b392f2a8052d6d47fd742841c4add6ec5c8283d28d7245b1704af34a523917e49cef007eef700a0b9a

      • C:\Users\Admin\AppData\Local\Temp\fb7c8e7d

        Filesize

        6.6MB

        MD5

        a398db349ff9447473cb81253565f644

        SHA1

        3a5e7cf632a25ca8ab70f9dcbd01ea261adbec27

        SHA256

        cf3a1b68ce7f7ada5e55780a95e77007f7d898616b2ccc7debb8aa8e726407a5

        SHA512

        5f2b949995a256bd5ab05943eefa7e77ccf01c890e5758dc57aed77665208e880e618a2fc7a2b0e0c464857e494359ae2635d95efc3c3cfaafce3eb4e14a5956

      • C:\Users\Admin\Desktop\New folder\Setup.exe

        Filesize

        31KB

        MD5

        67dedab5bc0159f7cc61cb4b46daa6f1

        SHA1

        5d57ef4bd9b6ac672c413c5e8495263672f090e3

        SHA256

        0e6f5eaa2cd91747213f6aec05e3de6fb46ea2b7cf4d5f3ac267128abc784d00

        SHA512

        4c7ed5d6e0a76ac6eec79e50ae9cd4b5fe3eacda574606e47d85bba1739902d688aa6f5ec03e7863ec9d36bdadf6229f64bce8fe33bacf38e84e50332a30caf0

      • C:\Users\Admin\Desktop\New folder\bersagliere.yml

        Filesize

        52KB

        MD5

        5c1674067e3ef99382ab283fc7e969e3

        SHA1

        3c2fe52472aaedf690bab16fa801bbe4b36002cf

        SHA256

        91fd630301631b88685602bf0d7353585c18e589189ed11ec620b37021683553

        SHA512

        17f6fb9675c6f106789dba4e3df8adcaf4a297ad08bc28a223694e2080d61e7901a612b1c4dab674467241ddeb72597bc19db866247debdc0e32480bd53f9ac2

      • C:\Users\Admin\Desktop\New folder\bivouac.m4a

        Filesize

        6.0MB

        MD5

        a1eaf011cca5726076ccfca62fd90a11

        SHA1

        b92e274b4793d2f4e69111ccdf93182e7e7ddb64

        SHA256

        11336a2aa99ff767dc4e547f8ce5924abeb2e440f6373e82dbd13c5c3ac873ff

        SHA512

        ffa07420d4a8a3a9828d079f5ff043f1c70704bcac74d10d59bdd52d56e84aad39cd14610c53b8229710b5faccccd3d58a1e8ce36fc472df58cec5802acf1402

      • C:\Users\Admin\Desktop\New folder\glib-2.0.dll

        Filesize

        1.0MB

        MD5

        2c86ec2ba23eb138528d70eef98e9aaf

        SHA1

        246846a3fe46df492f0887a31f7d52aae4faa71a

        SHA256

        030983470da06708cc55fd6aca92df199a051922b580db5db55c8cb6b203b51b

        SHA512

        396a3883fa65d7c3a0af7d607001a6099316a85563147cb34fa9806c9a4b39cfa90c7fa9eb4456399977eb47438d10896d25ed5327ae7aa3e3ae28cd1d13701c

      • C:\Users\Admin\Desktop\New folder\iconv.dll

        Filesize

        1.1MB

        MD5

        862dfc9bf209a46d6f4874614a6631cc

        SHA1

        43216aae64df217cba009145b6f9ad5b97fe927a

        SHA256

        84538f1aacebf9daad9fdb856611ab3d98a6d71c9ec79a8250eee694d2652a8b

        SHA512

        b0611cd9ad441871cca62291913197257660390fa4ea8a26cb41dc343a8a27ae111762de40c6f50cae3e365d8891500fc6ad0571aa3cd3a77eb83d9d488d19a8

      • C:\Users\Admin\Desktop\New folder\intl.dll

        Filesize

        87KB

        MD5

        d1a21e38593fddba8e51ed6bf7acf404

        SHA1

        759f16325f0920933ac977909b7fe261e0e129e6

        SHA256

        6a64c9cb0904ed48ce0d5cda137fcfd6dd463d84681436ca647b195aa2038a7e

        SHA512

        3f4390603cd68d949eb938c1599503fb1cbb1b8250638e0985fad2f40f08d5e45ea4a8c149e44a50c6aa9077054387c48f71b53bf06b713ca1e73a3d5a6a6c2e

      • C:\Users\Admin\Desktop\New folder\vmtools.dll

        Filesize

        617KB

        MD5

        f59ab22b88d1b2081810739c72bfa307

        SHA1

        e8c4651f185225b3da91e2e24a17fcb95fc40773

        SHA256

        0388d021f33fb0b922011854e3b49427c4ab38689f7d1ce663e9def6edc323f4

        SHA512

        e67c93b2b6eeeeb95396e6c7cf7217cc8503d8e6824a7941d6fb2d971049abeb974e880392868b0687b16eef41cdb70ef70b70fa92ab284d863105324ab819dd

      • memory/896-378-0x00007FFECD1C0000-0x00007FFECD3C9000-memory.dmp

        Filesize

        2.0MB

      • memory/896-380-0x00000000740E0000-0x000000007425D000-memory.dmp

        Filesize

        1.5MB

      • memory/2644-375-0x00000000740E0000-0x000000007425D000-memory.dmp

        Filesize

        1.5MB

      • memory/2644-368-0x00007FFECD1C0000-0x00007FFECD3C9000-memory.dmp

        Filesize

        2.0MB

      • memory/2644-367-0x00000000740E0000-0x000000007425D000-memory.dmp

        Filesize

        1.5MB

      • memory/2832-387-0x00007FFECD1C0000-0x00007FFECD3C9000-memory.dmp

        Filesize

        2.0MB

      • memory/2832-388-0x0000000000FB0000-0x0000000001702000-memory.dmp

        Filesize

        7.3MB

      • memory/2832-390-0x0000000000FB0000-0x0000000001702000-memory.dmp

        Filesize

        7.3MB

      • memory/2832-391-0x0000000000FB0000-0x0000000001702000-memory.dmp

        Filesize

        7.3MB