Analysis
max time kernel: 146s
max time network: 126s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 02/06/2024, 19:26
Static task: static1
Behavioral task: behavioral1
  Sample: 596682f6048e71dc66a3134f814ecdb4d0d722bfbbdbb384283034f4d83b5990.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 596682f6048e71dc66a3134f814ecdb4d0d722bfbbdbb384283034f4d83b5990.exe
  Resource: win10v2004-20240426-en
General
Target: 596682f6048e71dc66a3134f814ecdb4d0d722bfbbdbb384283034f4d83b5990.exe
Size: 3.8MB
MD5: 95d720f33e58dc43ab85dd5cd63ea999
SHA1: 0b5a4ddbec1f752562058ef003d52de121b6b41a
SHA256: 596682f6048e71dc66a3134f814ecdb4d0d722bfbbdbb384283034f4d83b5990
SHA512: 7873c47447a5a80e2e4149630fffbb924aaf9c044de02731497c7c510c944990b2b2cf8ef47ee49b248aebc3aa31dee15a0f0a99fd48da9d15a40d207ff53196
SSDEEP: 98304:kEbiZXJXEr5iDe6yj2tqz+EIBIuY8KZQoQkRKwEpZDa10L:oXawyi4x6pHodIwELag
Malware Config
Signatures

Executes dropped EXE (1 IoC)
  pid   Process
  2636  vs_setup_bootstrapper.exe

Loads dropped DLL (26 IoCs)
  pid   Process
  2460  596682f6048e71dc66a3134f814ecdb4d0d722bfbbdbb384283034f4d83b5990.exe
  2636  vs_setup_bootstrapper.exe  (25 identical entries)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                     Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  vs_setup_bootstrapper.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 vs_setup_bootstrapper.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      vs_setup_bootstrapper.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  2636  vs_setup_bootstrapper.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  description                       pid   Process                                                                 procid_target
  PID 2460 wrote to memory of 2636  2460  596682f6048e71dc66a3134f814ecdb4d0d722bfbbdbb384283034f4d83b5990.exe  28  (7 identical entries)
  PID 2636 wrote to memory of 2276  2636  vs_setup_bootstrapper.exe                                               29  (4 identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\596682f6048e71dc66a3134f814ecdb4d0d722bfbbdbb384283034f4d83b5990.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\596682f6048e71dc66a3134f814ecdb4d0d722bfbbdbb384283034f4d83b5990.exe"
   PID: 2460
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\766eb8a9f30a810f8ddca8560e3c5e\vs_bootstrapper_d15\vs_setup_bootstrapper.exe (child of PID 2460)
      Command line: "C:\Users\Admin\AppData\Local\Temp\766eb8a9f30a810f8ddca8560e3c5e\vs_bootstrapper_d15\vs_setup_bootstrapper.exe" --env "_SFX_CAB_EXE_PACKAGE:C:\Users\Admin\AppData\Local\Temp\596682f6048e71dc66a3134f814ecdb4d0d722bfbbdbb384283034f4d83b5990.exe _SFX_CAB_EXE_ORIGINALWORKINGDIR:C:\Users\Admin\AppData\Local\Temp"
      PID: 2636
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks processor information in registry
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\getmac.exe (child of PID 2636)
         Command line: "getmac"
         PID: 2276
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\ProgramData\Microsoft\VisualStudio\Packages\_bootstrapper\vs_setup_bootstrapper_202406021926097434.json
  Filesize: 165B
  MD5: dae30b60e540cd3509d2f3abb6d4bec6
  SHA1: 6ad6db8516b6cbd77b5f709e04ff964991c9ae8a
  SHA256: a6e6d2fe55f6b542960b26e095c71277a05852854b2e785a6bffb55aaa59a50a
  SHA512: 19595061aa05f7cb8898b0b84d8967e77ffd37e8edbe2eb82bf9de12c2f5a4abf2d6616f557db95955f0f2856674193d9822e01b18fdb17a27074b78eeb0db63
C:\Users\Admin\AppData\Local\Microsoft\VSApplicationInsights\vstelAIF-312cbd79-9dbb-4c48-a7da-3cc2a931cb70\20240602192643_dfba1b84d0b74da1a99bbe1d175ab210.trn
  Filesize: 6KB
  MD5: 29f740ca4a0666c808bd59107d33d3f9
  SHA1: c3d952696f9731bab1fd3e7912a919665eace175
  SHA256: 7179497b3a87c8cbdcd74cb3d95e09ed26de419669dbb0ff49e1fc94881eac82
  SHA512: 23b7f9af4398e53056da0ff50763b3e30a585f28a22d4abef7305a36731c643eb8b49e4d1a8524fcdf36b85e94540cb594104da2c3f06acffe036f84d23cc351
C:\Users\Admin\AppData\Local\Temp\766eb8a9f30a810f8ddca8560e3c5e\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Common.dll
  Filesize: 579KB
  MD5: 08645c50cb281af1371e8f0ded10ab67
  SHA1: ae06060913c4be03af0e1736650d64e8cda7ad55
  SHA256: 7bfa4386a603b98af49099d67f5c5d1e7a50b15107f9780e7f7f50f39234bed9
  SHA512: bfb8a02db556bd1e7808fcaed00bcb938758eefd21f04bd47c6c5a04293b781189ec88a31210efd6972be364334fd5e25ba6a83c972c5ec4cf0b8726cb4a77f5
C:\Users\Admin\AppData\Local\Temp\766eb8a9f30a810f8ddca8560e3c5e\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Download.dll
  Filesize: 306KB
  MD5: 8a9cbbe63d730d60ef5159bed516bc78
  SHA1: 130c25908dd4201db8e6a2f2319eafc86114b7c3
  SHA256: 4e94690f548ef43a279a1f55807713eb970fa7a0fc9e64602779595778766064
  SHA512: 102ed30752a61712b024c5460e895e161ba22f4583f1148f6c0704edaebf703eeb7b65bd393ffd056df837d5b57220b7b87bc635884b5aa1d6516afb36370c46
C:\Users\Admin\AppData\Local\Temp\766eb8a9f30a810f8ddca8560e3c5e\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.dll
  Filesize: 1.4MB
  MD5: da8106a5723b5d66cd6b1713ece8b91b
  SHA1: 73bfd5942bdacc4c87b003c6c5555fea4ba6251f
  SHA256: 7c481dc4e4c2ed5df782a794f571808aec82a71c4fdb1054939a42c4b9f368aa
  SHA512: eec20eb53e88e6a96ecaa8496256235176ce586563d8c29d1c3537b5e34213209bd225235ae253b60a7266aaac56e655af229ba6b89b87ad24f4ce4349f0cbb2
(file path not recorded in the report)
  Filesize: 8KB
  MD5: 782f4beae90d11351db508f38271eb26
  SHA1: f1e92aea9e2cd005c2fb6d4face0258d4f1d8b6c
  SHA256: c828a2e5b4045ce36ecf5b49d33d6404c9d6f865df9b3c9623787c2332df07d9
  SHA512: 0a02beeca5c4e64044692b665507378e6f8b38e519a17c3ceccca1e87f85e1e2e7b3598e598fc84c962d3a5c723b28b52ee0351faaec82a846f0313f3c21e0e4
C:\Users\Admin\AppData\Local\Temp\766eb8a9f30a810f8ddca8560e3c5e\vs_bootstrapper_d15\vs_setup_bootstrapper.config
  Filesize: 622B
  MD5: a15d28f236710c6f051eaa6f9965d139
  SHA1: 3d134e1e4395bea6f5baf92757f49a7f83ae6e5e
  SHA256: b593987c933ee765a347e5db460af67b94953de48b1c5075c6e24f8c970b8a61
  SHA512: e07d0b56f9b6d1b531d6e28c343c47f0cacfd180ab57076210bcbe285e173c1738d436a9a3b294669d6410be544cb050b69aa4b08f3f0bb7c834b40cb0d42f4e
C:\Users\Admin\AppData\Local\Temp\766eb8a9f30a810f8ddca8560e3c5e\vs_bootstrapper_d15\vs_setup_bootstrapper.exe.config
  Filesize: 2KB
  MD5: c301859aef3bf4c0914914e5807f6a5b
  SHA1: 908827ce12d093d2aa3d1e8baa8caf8bfe204fbd
  SHA256: 781ec48ae412ba18c2cea1b67f5bc4a33245fd5f96dbb0e58b218c98ee03785d
  SHA512: 0b9eeb0288b01ddfde11404b15378694145978bdd664b68befe5f776f65f950d35f54b7f29662a64ff91feb4dc0e9bd537864e46a1f3f252e8113ddf95f32f0b
\Users\Admin\AppData\Local\Temp\766eb8a9f30a810f8ddca8560e3c5e\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Interop.dll
  Filesize: 18KB
  MD5: c5e7c4a539ea834661fe20f994330f7e
  SHA1: e2ff1096f557212dde051887bfd4a450b23e9277
  SHA256: bc53c6fb22f4bce970c87122579caf785f75cbc91d49f49e54229ba32ac7d447
  SHA512: 7f3f32146637e7393f3f906ece45780c1082ac661fc8f6d88f469e0ca951e9a6bcbac4be8959359559e097ebeec8eb048407cb3276f0a7007c50298ee1294a07
\Users\Admin\AppData\Local\Temp\766eb8a9f30a810f8ddca8560e3c5e\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Native.dll
  Filesize: 115KB
  MD5: aabfd8a438ae79b4f236ec3b45544dd2
  SHA1: 32b026ab6dd4ce60c16fa48690f32632f7f4ac17
  SHA256: 95cb344b58ed754e25f60c44f32303de9e65da603db06a9321d137580b3657ca
  SHA512: 6eb438b1fa9bc62c1356d8f21b0706799d94024cf0c013fb435caaba82e0c6bbe3570edc91c71d36e906be0a28e1da854a47a377fa487aefcd5662eea85a1993
\Users\Admin\AppData\Local\Temp\766eb8a9f30a810f8ddca8560e3c5e\vs_bootstrapper_d15\Microsoft.VisualStudio.RemoteControl.dll
  Filesize: 46KB
  MD5: 355c1a112bc0f859b374a4b1c811c1e7
  SHA1: b9a58bb26f334d517ab777b6226fef86a67eb4dd
  SHA256: cc52e19735d6152702672feb5911c8ba77f60fdc73df5ed0d601b37415f3a7ed
  SHA512: f1e858f97dabeb8e9648d1eb753d6fcd9e2bab378259c02b3e031652e87c29fbabfc48d209983f7074dfc256afd42fa1d8184805534037771a71db517fe16c8b
\Users\Admin\AppData\Local\Temp\766eb8a9f30a810f8ddca8560e3c5e\vs_bootstrapper_d15\Microsoft.VisualStudio.Telemetry.dll
  Filesize: 995KB
  MD5: bbcc8244db84ad2031ac010633abf798
  SHA1: de0cb65ee877663da272b4162a55a64ab8669f74
  SHA256: 8fe17ff9da7932dc01a39ed27559d5cdfa9b97ba14cbaa9f719087a241c8b82d
  SHA512: d5682ea1aa9d50e9a491f8dc25c82907cde24ead2842ea392242e8cdedf49f68f3035042442738e147b5aa29d6328ced68007732298f62466c78fd10b276b06f
\Users\Admin\AppData\Local\Temp\766eb8a9f30a810f8ddca8560e3c5e\vs_bootstrapper_d15\Microsoft.VisualStudio.Utilities.Internal.dll
  Filesize: 62KB
  MD5: 2dc1dc66b267a3470add7fab88b78069
  SHA1: dbe80047475b503791038ed7e47389c062c15c72
  SHA256: b044863f98af8d28f4f2f5e2dccb945c57439e1575afb37110e1eec306a6c89c
  SHA512: 44ef73aab50dcc13ccd94c0353c366818afb27ce73772d722755b04add0c4f294c7814c84da6069d9aa6136f2a48683c25062dcddd1664e8d32fed1b38ceca21
\Users\Admin\AppData\Local\Temp\766eb8a9f30a810f8ddca8560e3c5e\vs_bootstrapper_d15\Newtonsoft.Json.dll
  Filesize: 695KB
  MD5: 195ffb7167db3219b217c4fd439eedd6
  SHA1: 1e76e6099570ede620b76ed47cf8d03a936d49f8
  SHA256: e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d
  SHA512: 56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac
\Users\Admin\AppData\Local\Temp\766eb8a9f30a810f8ddca8560e3c5e\vs_bootstrapper_d15\System.Memory.dll
  Filesize: 138KB
  MD5: f09441a1ee47fb3e6571a3a448e05baf
  SHA1: 3c5c5df5f8f8db3f0a35c5ed8d357313a54e3cde
  SHA256: bf3fb84664f4097f1a8a9bc71a51dcf8cf1a905d4080a4d290da1730866e856f
  SHA512: 0199ae0633bccfeaefbb5aed20832a4379c7ad73461d41a9da3d6dc044093cc319670e67c4efbf830308cbd9a48fb40d4a6c7e472dcc42eb745c6ba813e8e7c6
\Users\Admin\AppData\Local\Temp\766eb8a9f30a810f8ddca8560e3c5e\vs_bootstrapper_d15\System.Runtime.CompilerServices.Unsafe.dll
  Filesize: 17KB
  MD5: c610e828b54001574d86dd2ed730e392
  SHA1: 180a7baafbc820a838bbaca434032d9d33cceebe
  SHA256: 37768488e8ef45729bc7d9a2677633c6450042975bb96516e186da6cb9cd0dcf
  SHA512: 441610d2b9f841d25494d7c82222d07e1d443b0da07f0cf735c25ec82f6cce99a3f3236872aec38cc4df779e615d22469666066ccefed7fe75982eefada46396
\Users\Admin\AppData\Local\Temp\766eb8a9f30a810f8ddca8560e3c5e\vs_bootstrapper_d15\vs_setup_bootstrapper.exe
  Filesize: 404KB
  MD5: 4108506d8cdc3a03bb7e4496025ee902
  SHA1: a02d206f205a1a45b5223a73bfe84e25b359d251
  SHA256: f9bf0a30395e521d65fb1e39a6a76e19c061a8d3806653fc7f5b28b9fb327903
  SHA512: b4a7aa0c65e3a3279d0845a02e896a85d5f5074a79ee3ab52a8aa422fab759d4fab177961c03f280ca7499e10678d29e951946283b26d2ca107d5be76c76e8e8