Analysis
max time kernel: 120s
max time network: 131s
platform: windows11-21h2_x64
resource: win11-20240419-en
resource tags: arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 29/04/2024, 10:12
Static task: static1
Behavioral task: behavioral1
  Sample: @#LATEST_SoftWare_2024_PASSCODE_$.rar
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: @#LATEST_SoftWare_2024_PASSCODE_$.rar
  Resource: win10-20240404-en
Behavioral task: behavioral3
  Sample: @#LATEST_SoftWare_2024_PASSCODE_$.rar
  Resource: win10v2004-20240419-en
Behavioral task: behavioral4
  Sample: @#LATEST_SoftWare_2024_PASSCODE_$.rar
  Resource: win11-20240419-en
General
Target: @#LATEST_SoftWare_2024_PASSCODE_$.rar
Size: 51.5MB
MD5: c7c3d6aaa70594d6df0b8f3f40a7e2f6
SHA1: 74f4da75221222f336009025a358366eaf6c1d68
SHA256: 979e872622b1ae7ca6e9cb3599de8e400b3bfe537d3cb64261dffaa7956baa50
SHA512: c23ea4a4c280a529e798a89525fa14b02156d18e8029edb93920dcc1144d1346eb5ff18ebbc80caf55ab391205d7fa0b19d5dab1e029db523648e4b26f7af0b1
SSDEEP: 786432:dMPQ7x53FKvsZTMlKxppk7c8joaJ6eWd7Gt9BZjQZfDG3q9PhUwuMr+NegCHR:dMP+/3F6StAoalWd7wOFawVRj
Malware Config
Extracted
Family: vidar
Botnet: 04eb8f77b9c9e4d5a6a6e5a3b727c27e
C2:
  https://graims.xyz
  https://steamcommunity.com/profiles/76561199677575543
  https://t.me/snsb82
Attributes:
  profile_id_v2: 04eb8f77b9c9e4d5a6a6e5a3b727c27e
  user_agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) AppleWebKit/534.6 (KHTML, like Gecko) Chrome/8.0.500.0 Safari/534.6
Signatures

Detect Vidar Stealer (3 IoCs)
  resource                                                                       yara_rule
  behavioral4/memory/2832-388-0x0000000000FB0000-0x0000000001702000-memory.dmp   family_vidar_v7
  behavioral4/memory/2832-390-0x0000000000FB0000-0x0000000001702000-memory.dmp   family_vidar_v7
  behavioral4/memory/2832-391-0x0000000000FB0000-0x0000000001702000-memory.dmp   family_vidar_v7

Executes dropped EXE (1 IoC)
  pid    Process
  2644   Setup.exe

Loads dropped DLL (5 IoCs)
  pid    Process
  2644   Setup.exe
  2644   Setup.exe
  2644   Setup.exe
  2644   Setup.exe
  2832   PsExec.exe

Suspicious use of SetThreadContext (1 IoC)
  description                          pid    Process     procid_target
  PID 2644 set thread context of 896   2644   Setup.exe   91

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  pid    pid_target   Process        procid_target
  4448   2832         WerFault.exe   93

Modifies registry class (2 IoCs)
  description   ioc                                                                                    Process
  Key created   \REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings   cmd.exe
  Key created   \REGISTRY\USER\S-1-5-21-293923083-2364846840-4256557006-1000_Classes\Local Settings   OpenWith.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid    Process
  2644   Setup.exe
  2644   Setup.exe
  896    ftp.exe
  896    ftp.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid    Process
  5052   7zFM.exe

Suspicious behavior: MapViewOfSection (2 IoCs)
  pid    Process
  2644   Setup.exe
  896    ftp.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                  pid    Process
  Token: SeRestorePrivilege    5052   7zFM.exe
  Token: 35                    5052   7zFM.exe
  Token: SeSecurityPrivilege   5052   7zFM.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid    Process
  5052   7zFM.exe
  5052   7zFM.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid    Process
  3612   OpenWith.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid    Process     procid_target
  PID 2644 wrote to memory of 896    2644   Setup.exe   91
  PID 2644 wrote to memory of 896    2644   Setup.exe   91
  PID 2644 wrote to memory of 896    2644   Setup.exe   91
  PID 2644 wrote to memory of 896    2644   Setup.exe   91
  PID 896 wrote to memory of 2832    896    ftp.exe     93
  PID 896 wrote to memory of 2832    896    ftp.exe     93
  PID 896 wrote to memory of 2832    896    ftp.exe     93
  PID 896 wrote to memory of 2832    896    ftp.exe     93
  PID 896 wrote to memory of 2832    896    ftp.exe     93
Processes (indentation shows parent/child depth)

C:\Windows\system32\cmd.exe
  command line: cmd /c C:\Users\Admin\AppData\Local\Temp\@#LATEST_SoftWare_2024_PASSCODE_$.rar
  PID: 1592
  - Modifies registry class

C:\Windows\system32\OpenWith.exe
  command line: C:\Windows\system32\OpenWith.exe -Embedding
  PID: 3612
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx

C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 1188

C:\Program Files\7-Zip\7zFM.exe
  command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\@#LATEST_SoftWare_2024_PASSCODE_$.rar"
  PID: 5052
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Users\Admin\Desktop\New folder\Setup.exe
  command line: "C:\Users\Admin\Desktop\New folder\Setup.exe"
  PID: 2644
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\ftp.exe
      command line: C:\Windows\SysWOW64\ftp.exe
      PID: 896
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\PsExec.exe
          command line: C:\Users\Admin\AppData\Local\Temp\PsExec.exe
          PID: 2832
          - Loads dropped DLL

            C:\Windows\SysWOW64\WerFault.exe
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2832 -s 1556
              PID: 4448
              - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2832 -ip 2832
  PID: 4000
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 14KB
MD5: df6174acdde9286d5320b1263e26a1d9
SHA1: d79566c2c329b21ca0488087d87643d3db25b9cd
SHA256: 489d01263901786804230863bf76507852fda144e7cfebe58973932e420239c9
SHA512: 581556738de40ece831dc90ba0df4288ea4b53e5e32c009b403457f1e72f975c65334b67a9998ec5c27bf41e0d1709d9f9a7c33c1699c7d39f94681a83f1de7f

Filesize: 699KB
MD5: 24a648a48741b1ac809e47b9543c6f12
SHA1: 3e2272b916da4be3c120d17490423230ab62c174
SHA256: 078163d5c16f64caa5a14784323fd51451b8c831c73396b967b4e35e6879937b
SHA512: b974ce956f2e922e92ca414d1bd6cc7bcb36bc44532b28b392f2a8052d6d47fd742841c4add6ec5c8283d28d7245b1704af34a523917e49cef007eef700a0b9a

Filesize: 6.6MB
MD5: a398db349ff9447473cb81253565f644
SHA1: 3a5e7cf632a25ca8ab70f9dcbd01ea261adbec27
SHA256: cf3a1b68ce7f7ada5e55780a95e77007f7d898616b2ccc7debb8aa8e726407a5
SHA512: 5f2b949995a256bd5ab05943eefa7e77ccf01c890e5758dc57aed77665208e880e618a2fc7a2b0e0c464857e494359ae2635d95efc3c3cfaafce3eb4e14a5956

Filesize: 31KB
MD5: 67dedab5bc0159f7cc61cb4b46daa6f1
SHA1: 5d57ef4bd9b6ac672c413c5e8495263672f090e3
SHA256: 0e6f5eaa2cd91747213f6aec05e3de6fb46ea2b7cf4d5f3ac267128abc784d00
SHA512: 4c7ed5d6e0a76ac6eec79e50ae9cd4b5fe3eacda574606e47d85bba1739902d688aa6f5ec03e7863ec9d36bdadf6229f64bce8fe33bacf38e84e50332a30caf0

Filesize: 52KB
MD5: 5c1674067e3ef99382ab283fc7e969e3
SHA1: 3c2fe52472aaedf690bab16fa801bbe4b36002cf
SHA256: 91fd630301631b88685602bf0d7353585c18e589189ed11ec620b37021683553
SHA512: 17f6fb9675c6f106789dba4e3df8adcaf4a297ad08bc28a223694e2080d61e7901a612b1c4dab674467241ddeb72597bc19db866247debdc0e32480bd53f9ac2

Filesize: 6.0MB
MD5: a1eaf011cca5726076ccfca62fd90a11
SHA1: b92e274b4793d2f4e69111ccdf93182e7e7ddb64
SHA256: 11336a2aa99ff767dc4e547f8ce5924abeb2e440f6373e82dbd13c5c3ac873ff
SHA512: ffa07420d4a8a3a9828d079f5ff043f1c70704bcac74d10d59bdd52d56e84aad39cd14610c53b8229710b5faccccd3d58a1e8ce36fc472df58cec5802acf1402

Filesize: 1.0MB
MD5: 2c86ec2ba23eb138528d70eef98e9aaf
SHA1: 246846a3fe46df492f0887a31f7d52aae4faa71a
SHA256: 030983470da06708cc55fd6aca92df199a051922b580db5db55c8cb6b203b51b
SHA512: 396a3883fa65d7c3a0af7d607001a6099316a85563147cb34fa9806c9a4b39cfa90c7fa9eb4456399977eb47438d10896d25ed5327ae7aa3e3ae28cd1d13701c

Filesize: 1.1MB
MD5: 862dfc9bf209a46d6f4874614a6631cc
SHA1: 43216aae64df217cba009145b6f9ad5b97fe927a
SHA256: 84538f1aacebf9daad9fdb856611ab3d98a6d71c9ec79a8250eee694d2652a8b
SHA512: b0611cd9ad441871cca62291913197257660390fa4ea8a26cb41dc343a8a27ae111762de40c6f50cae3e365d8891500fc6ad0571aa3cd3a77eb83d9d488d19a8

Filesize: 87KB
MD5: d1a21e38593fddba8e51ed6bf7acf404
SHA1: 759f16325f0920933ac977909b7fe261e0e129e6
SHA256: 6a64c9cb0904ed48ce0d5cda137fcfd6dd463d84681436ca647b195aa2038a7e
SHA512: 3f4390603cd68d949eb938c1599503fb1cbb1b8250638e0985fad2f40f08d5e45ea4a8c149e44a50c6aa9077054387c48f71b53bf06b713ca1e73a3d5a6a6c2e

Filesize: 617KB
MD5: f59ab22b88d1b2081810739c72bfa307
SHA1: e8c4651f185225b3da91e2e24a17fcb95fc40773
SHA256: 0388d021f33fb0b922011854e3b49427c4ab38689f7d1ce663e9def6edc323f4
SHA512: e67c93b2b6eeeeb95396e6c7cf7217cc8503d8e6824a7941d6fb2d971049abeb974e880392868b0687b16eef41cdb70ef70b70fa92ab284d863105324ab819dd