Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
209s -
max time network
222s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
20/01/2025, 21:44
General
-
Target
index.ps1
-
Size
34B
-
MD5
d83c49ed6318ba5e402c311cd7e55c3f
-
SHA1
50520860840fab9b9aebf90b3e16f2466613d5d0
-
SHA256
e4b94bbbc90229ebdfc4a28028890d73fc085f460e9dac460bb4192417b4d7d3
-
SHA512
eb747e268fde9971416c156267a17a698e0a10209b48a75b2b77987fadc496b82e18e8441ccaac854feb37d828868e70469e45c4549db8587e01d171fc444e10
Malware Config
Extracted
vidar
fc0stn
https://t.me/w0ctzn
https://steamcommunity.com/profiles/76561199817305251
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0
Signatures
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar family
-
Blocklisted process makes network request 4 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\index.ps11⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\688fdb1d-d280-4c8d-917e-c381a64091f5\updater.exe"C:\Users\Admin\AppData\Local\688fdb1d-d280-4c8d-917e-c381a64091f5\updater.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"1⤵
- Blocklisted process makes network request
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\4acf8ac2-e0cf-4ffa-9abc-f79e8bd4d00f\updater.exe"C:\Users\Admin\AppData\Local\4acf8ac2-e0cf-4ffa-9abc-f79e8bd4d00f\updater.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"3⤵
- System Location Discovery: System Language Discovery
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
734B
MD5e192462f281446b5d1500d474fbacc4b
SHA15ed0044ac937193b78f9878ad7bac5c9ff7534ff
SHA256f1ba9f1b63c447682ebf9de956d0da2a027b1b779abef9522d347d3479139a60
SHA512cc69a761a4e8e1d4bf6585aa8e3e5a7dfed610f540a6d43a288ebb35b16e669874ed5d2b06756ee4f30854f6465c84ee423502fc5b67ee9e7758a2dab41b31d3
-
Filesize
344B
MD57ac7ff0af939af20b4c249825d91cc7c
SHA1f2fca96f084903642a67f44443b5bea851a0d3c1
SHA256d19928671a68a83ac985d5881aa45bea0cd35789adc8103580a4d10d67028f3e
SHA5129bccdcbd31bd0297ad3feadb230212e7ad4c95f6c9f784008657233d9c3394e12c0d2260d5cfba16d07ec954a242d9d0ee28c7bf370f9bcaa8dbd401178ebaae
-
Filesize
192B
MD5c519352b0aa71ea6ec862c409b21fb41
SHA13e18b364d6a826b5a5ccc0e76ae326c85910beb3
SHA2567ccdf977ee8727843e3628f48a4643c766ec6e59fe3cdf1ab5b57061c12dad07
SHA51267b79327517c372fc070d131975019be43e8266214c21243a503e6584f5ec9753445df9aa1889eca8d92ff0c299fce5abbcbfd2cb8b81fd223a702ce3688cdeb
-
Filesize
540B
MD598e32392689e8001291629bf9dc9e6c1
SHA10d6739cba1a7b301b81eb2bedeb4a93999a0a7a5
SHA256afb45d61e8562cac10761ddec20373abef89b9a4ba359a9c7d540a7ff4bfaff5
SHA5127a6ded1106fc74836537d7ad7801b5583c700632fe5a663daeaba4c1059802a0d358fdcd92a21685876258b8d3ec846a7254245dd7b4dd1e4dfd4655faab2632
-
Filesize
9.8MB
MD52a7ec240fa5e25c92b2b78c4f1002ea0
SHA1bca1465b8bafa5fe58d96d4289356d40c3d44155
SHA2562c973057cbbe0d9836f477281a06b51c6ce009c5ac7683f4255743e7d01ca9ca
SHA512dba36379cd0532301193b25ffc4c9b74406efc08ca2d2ce0fec06c115abdde2ab0409bfda1f8bf85ce50764a59503ab0d5b1efbbd641b4caec1dde910d220df3
-
Filesize
3KB
MD5556084f2c6d459c116a69d6fedcc4105
SHA1633e89b9a1e77942d822d14de6708430a3944dbc
SHA25688cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
SHA5120f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
10.8MB
-
Filesize
2.1MB
-
Filesize
10.8MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
7.6MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
472KB
-
Filesize
272KB