Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
01/05/2024, 19:45
Static task
static1
Behavioral task
behavioral1
Sample
#@!~OPEN_Fiile_9091_ṔḁṨṨCṏḌḙ$$/Setup.exe
Resource
win10v2004-20240419-en
General
-
Target
#@!~OPEN_Fiile_9091_ṔḁṨṨCṏḌḙ$$/Setup.exe
-
Size
8.5MB
-
MD5
98169506fec94c2b12ba9930ad704515
-
SHA1
bce662a9fb94551f648ba2d7e29659957fd6a428
-
SHA256
9b8a5b0a45adf843e24214b46c285e44e73bc6eaf9e2a3b2c14a6d93ae541363
-
SHA512
7f4f7ac2326a1a8b7afc72822dae328753578eb0a4ffcec5adb4e4fb0c49703070f71e7411df221ee9f44d6b43a0a94921fe530877c5d5e71640b807e96def30
-
SSDEEP
196608:vdoUox8PFOegKz+qE1cnuyHgv3eZaOxqeXY4K:vC0O9m7EWEvbOxqetK
Malware Config
Extracted
vidar
103d649c56bb88ab1c068fc5f04f3422
https://hypaton.xyz
https://steamcommunity.com/profiles/76561199677575543
https://t.me/snsb82
-
profile_id_v2
103d649c56bb88ab1c068fc5f04f3422
-
user_agent
Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) AppleWebKit/534.6 (KHTML, like Gecko) Chrome/8.0.500.0 Safari/534.6
Signatures
-
Banload
Banload variants download malicious files, then install and execute the files.
-
Detect Vidar Stealer 3 IoCs
resource yara_rule behavioral1/memory/4500-45-0x0000000000430000-0x0000000000B83000-memory.dmp family_vidar_v7 behavioral1/memory/4500-54-0x0000000000430000-0x0000000000B83000-memory.dmp family_vidar_v7 behavioral1/memory/4500-55-0x0000000000430000-0x0000000000B83000-memory.dmp family_vidar_v7 -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Setup.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Setup.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate Setup.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4340 set thread context of 2376 4340 Setup.exe 88 -
Registers COM server for autorun 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\LocalServer32 Setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\LocalServer32\ = "C:\\Program Files\\Microsoft Office\\Root\\Office16\\WINWORD.EXE" Setup.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3260 4500 WerFault.exe 95 -
Modifies registry class 48 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DataFormats\GetSet\3 Setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DataFormats\GetSet\3\ = "HTML Format,1,1,3" Setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ProgID Setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\AuxUserType\2\ = "Picture" Setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\AuxUserType\3 Setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\AuxUserType\3\ = "Microsoft Word" Setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Conversion\Readable\Main Setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DataFormats\GetSet\1 Setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Conversion\Readable Setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocHandler32\ = "ole32.dll" Setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Verb\0 Setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\VersionIndependentProgID\ = "Word.Picture" Setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\TypeLib Setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\AuxUserType Setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DataFormats\DefaultFile\ = "MSWordDoc" Setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DataFormats\GetSet Setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DataFormats\GetSet\2\ = "3,1,32,3" Setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DataFormats\GetSet\4\ = "Rich Text Format,1,1,3" Setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Verb Setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\AuxUserType\2 Setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DataFormats\GetSet\0 Setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DataFormats\GetSet\1\ = "1,1,1,3" Setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\MiscStatus\ = "0" Setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\NotInsertable\ Setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Version\ = "9" Setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DataFormats\DefaultFile Setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DataFormats\GetSet\0\ = "Embed_Source,1,8,1" Setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\LocalServer32 Setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\MiscStatus Setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Version Setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DefaultIcon Setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\TypeLib\ = "{00020905-0000-0000-C000-000000000046}" Setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Verb\1 Setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\VersionIndependentProgID Setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3} Setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DataFormats Setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DataFormats\GetSet\2 Setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DefaultIcon\ = "C:\\Program Files\\Microsoft Office\\Root\\VFS\\Windows\\Installer\\{90160000-000F-0000-1000-0000000FF1CE}\\wordicon.exe,1" Setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocHandler32 Setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\NotInsertable Setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ProgID\ = "Word.Picture.8" Setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Verb\0\ = "&Edit,0,2" Setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ = "Microsoft Word Picture" Setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Conversion Setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Conversion\Readable\Main\ = "MSDraw,Word.Picture.6,1" Setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\DataFormats\GetSet\4 Setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\LocalServer32\ = "C:\\Program Files\\Microsoft Office\\Root\\Office16\\WINWORD.EXE" Setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\Verb\1\ = "&Open,0,2" Setup.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4340 Setup.exe 4340 Setup.exe 2376 netsh.exe 2376 netsh.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 4340 Setup.exe 2376 netsh.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 4340 wrote to memory of 2376 4340 Setup.exe 88 PID 4340 wrote to memory of 2376 4340 Setup.exe 88 PID 4340 wrote to memory of 2376 4340 Setup.exe 88 PID 4340 wrote to memory of 2376 4340 Setup.exe 88 PID 2376 wrote to memory of 4500 2376 netsh.exe 95 PID 2376 wrote to memory of 4500 2376 netsh.exe 95 PID 2376 wrote to memory of 4500 2376 netsh.exe 95 PID 2376 wrote to memory of 4500 2376 netsh.exe 95 PID 2376 wrote to memory of 4500 2376 netsh.exe 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\#@!~OPEN_Fiile_9091_ṔḁṨṨCṏḌḙ$$\Setup.exe"C:\Users\Admin\AppData\Local\Temp\#@!~OPEN_Fiile_9091_ṔḁṨṨCṏḌḙ$$\Setup.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Suspicious use of SetThreadContext
- Registers COM server for autorun
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4340 -
C:\Windows\SysWOW64\netsh.exeC:\Windows\SysWOW64\netsh.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe3⤵PID:4500
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4500 -s 16204⤵
- Program crash
PID:3260
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4500 -ip 45001⤵PID:1104
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.9MB
MD5e8279b01376ba21658f0d22e4257ba2d
SHA1e896a9228c51e804cd19443941cec7378fef5da7
SHA2564bbb8cf038094e5db0054c5b34ec9cbac1d581ec7d01c0c223f0883020f6b27d
SHA51289e6d34bc0deb094375b5f4174f032a6749c5ef765ff44b9ebecef4dff218be69e289d045d4c0a3b9deaa652e95635b198c18356f81b08522c2e9fbbb04b2ec8