Analysis
max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20241023-en
resource tags
arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted
21/11/2024, 04:32 UTC
Static task
static1
Behavioral task
behavioral1
Sample
85724f031d04bb522aefd90e74a81c602afdfc2d7b3d3d78f954c9159d5d64c5.exe
Resource
win7-20241023-en
General
Target
85724f031d04bb522aefd90e74a81c602afdfc2d7b3d3d78f954c9159d5d64c5.exe
Size
743KB
MD5
86e301b04b625292cef7868eff6264ea
SHA1
8478ff0b1adea6d635e5cf5df356b136848b5a6f
SHA256
85724f031d04bb522aefd90e74a81c602afdfc2d7b3d3d78f954c9159d5d64c5
SHA512
2c713c623b196c3e226999a2345dc7876f28b23fd2cd0b9ad3c231405652b592c7c5aefe661f6af54f4267795cc616a0fec1a2e3651caca9caa9cc9052ae51c1
SSDEEP
12288:+MMiWYmp51qeCKgI9i7nqmLRnDTdqPffFAL+AbkG2AzlEDivr/+sS2HUaEfeMufk:+Pjp54e9gI9i7DZHq1ALxuum3sSCNzkF
Malware Config
Extracted
vidar
41.3
903
https://mas.to/@oleg98
profile_id
903
Signatures
Vidar family
Vidar Stealer 5 IoCs
resource  yara_rule
behavioral1/memory/2656-2-0x0000000000320000-0x00000000003F6000-memory.dmp  family_vidar
behavioral1/memory/2656-3-0x0000000000400000-0x00000000004D9000-memory.dmp  family_vidar
behavioral1/memory/2656-20-0x0000000000400000-0x00000000004D9000-memory.dmp  family_vidar
behavioral1/memory/2656-18-0x0000000000320000-0x00000000003F6000-memory.dmp  family_vidar
behavioral1/memory/2656-17-0x0000000000400000-0x000000000172D000-memory.dmp  family_vidar
Program crash 1 IoCs
pid  pid_target  Process  procid_target
2800  2656  WerFault.exe  29
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  85724f031d04bb522aefd90e74a81c602afdfc2d7b3d3d78f954c9159d5d64c5.exe
Suspicious use of WriteProcessMemory 4 IoCs
description  pid  Process  procid_target
PID 2656 wrote to memory of 2800  2656  85724f031d04bb522aefd90e74a81c602afdfc2d7b3d3d78f954c9159d5d64c5.exe  31
PID 2656 wrote to memory of 2800  2656  85724f031d04bb522aefd90e74a81c602afdfc2d7b3d3d78f954c9159d5d64c5.exe  31
PID 2656 wrote to memory of 2800  2656  85724f031d04bb522aefd90e74a81c602afdfc2d7b3d3d78f954c9159d5d64c5.exe  31
PID 2656 wrote to memory of 2800  2656  85724f031d04bb522aefd90e74a81c602afdfc2d7b3d3d78f954c9159d5d64c5.exe  31
Processes
C:\Users\Admin\AppData\Local\Temp\85724f031d04bb522aefd90e74a81c602afdfc2d7b3d3d78f954c9159d5d64c5.exe
"C:\Users\Admin\AppData\Local\Temp\85724f031d04bb522aefd90e74a81c602afdfc2d7b3d3d78f954c9159d5d64c5.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2656
  C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2656 -s 1296
  - Program crash
  PID:2800
Network
-
Remote address: 8.8.8.8:53
Request
mas.to IN A
Response
mas.to IN A 172.67.166.96
mas.to IN A 104.21.11.154
-
Remote address: 172.67.166.96:443
Request
GET /@oleg98 HTTP/1.1
Host: mas.to
Response
HTTP/1.1 410 Gone
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
x-frame-options: DENY
x-content-type-options: nosniff
x-xss-protection: 0
referrer-policy: same-origin
Cache-Control: max-age=180, public
content-security-policy: base-uri 'none'; default-src 'none'; frame-ancestors 'none'; font-src 'self' https://mas.to; img-src 'self' data: blob: https://mas.to https://media.mas.to; style-src 'self' https://mas.to 'nonce-1GmtM2tV36mBEJWRWl64zQ=='; media-src 'self' data: https://mas.to https://media.mas.to; manifest-src 'self' https://mas.to; form-action 'none'; child-src 'self' blob: https://mas.to; worker-src 'self' blob: https://mas.to; connect-src 'self' data: blob: https://mas.to https://media.mas.to wss://mas.to; script-src 'self' https://mas.to 'wasm-unsafe-eval'; frame-src 'self' https:
x-request-id: 3c49426e-40e0-4410-8edd-1cbe4bc4d9b1
x-runtime: 0.007433
strict-transport-security: max-age=63072000; includeSubDomains
vary: Accept, Accept-Language, Cookie, Origin
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7s5PYEuaANFD%2FV3NPSDEwf8cUF97zh2KOHj0%2BHl%2BWwLBxsbMrNPihdwohENT2%2BrnQniAGCfk1LYzKvIYlW3fgLgChNjeoF97oTVDDh5Mu0U7CF9%2BjrbIH68%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8e5df5a9688988bc-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=85409&sent=6&recv=7&lost=0&retrans=0&sent_bytes=3117&recv_bytes=351&delivery_rate=61626&cwnd=252&unsent_bytes=0&cid=5a2652e6b2ce7254&ts=584&x=0"
-
Remote address: 8.8.8.8:53
Request
c.pki.goog IN A
Response
c.pki.goog IN CNAME pki-goog.l.google.com
pki-goog.l.google.com IN A 142.250.200.3
-
GET http://c.pki.goog/r/gsr1.crl
85724f031d04bb522aefd90e74a81c602afdfc2d7b3d3d78f954c9159d5d64c5.exe
Remote address: 142.250.200.3:80
Request
GET /r/gsr1.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: c.pki.goog
Response
HTTP/1.1 200 OK
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 1739
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Thu, 21 Nov 2024 04:24:01 GMT
Expires: Thu, 21 Nov 2024 05:14:01 GMT
Cache-Control: public, max-age=3000
Age: 544
Last-Modified: Mon, 07 Oct 2024 07:18:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
-
Remote address: 142.250.200.3:80
Request
GET /r/r4.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: c.pki.goog
Response
HTTP/1.1 200 OK
Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
Content-Length: 436
X-Content-Type-Options: nosniff
Server: sffe
X-XSS-Protection: 0
Date: Thu, 21 Nov 2024 03:47:47 GMT
Expires: Thu, 21 Nov 2024 04:37:47 GMT
Cache-Control: public, max-age=3000
Age: 2718
Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
Content-Type: application/pkix-crl
Vary: Accept-Encoding
-
Remote address: 8.8.8.8:53
Request
www.microsoft.com IN A
Response
www.microsoft.com IN CNAME www.microsoft.com-c-3.edgekey.net
www.microsoft.com-c-3.edgekey.net IN CNAME www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net IN CNAME e13678.dscb.akamaiedge.net
e13678.dscb.akamaiedge.net IN A 95.100.245.144
-
Remote address: 95.100.245.144:80
Request
GET /pkiops/crl/MicCodSigPCA2011_2011-07-08.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sun, 18 Aug 2024 00:23:49 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: www.microsoft.com
Response
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-MD5: PjrtHAukbJio72s77Ag5mA==
Last-Modified: Thu, 31 Oct 2024 23:26:09 GMT
ETag: 0x8DCFA0366D6C4CA
x-ms-request-id: e4f947ba-101e-006b-4fef-2bd01e000000
x-ms-version: 2009-09-19
x-ms-lease-status: unlocked
x-ms-blob-type: BlockBlob
X-EdgeConnect-Origin-MEX-Latency: 111
Date: Thu, 21 Nov 2024 04:33:36 GMT
Connection: keep-alive
TLS_version: UNKNOWN
ms-cv: CASMicrosoftCV34127e48.0
ms-cv-esi: CASMicrosoftCV34127e48.0
X-RTag: RT
-
172.67.166.96:443
https://mas.to/@oleg98
tls, http
85724f031d04bb522aefd90e74a81c602afdfc2d7b3d3d78f954c9159d5d64c5.exe
845 B 7.0kB 11 13
HTTP Request
GET https://mas.to/@oleg98
HTTP Response
410
-
142.250.200.3:80
http://c.pki.goog/r/r4.crl
http
85724f031d04bb522aefd90e74a81c602afdfc2d7b3d3d78f954c9159d5d64c5.exe
554 B 3.8kB 7 5
HTTP Request
GET http://c.pki.goog/r/gsr1.crl
HTTP Response
200
HTTP Request
GET http://c.pki.goog/r/r4.crl
HTTP Response
200
-
393 B 1.8kB 4 4
HTTP Request
GET http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl
HTTP Response
200
-
52 B 84 B 1 1
DNS Request
mas.to
DNS Response
172.67.166.96
104.21.11.154
-
56 B 107 B 1 1
DNS Request
c.pki.goog
DNS Response
142.250.200.3
-
63 B 230 B 1 1
DNS Request
www.microsoft.com
DNS Response
95.100.245.144