Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Resubmissions

20/01/2025, 22:03

250120-1ye4js1pgl 10

20/01/2025, 21:44

250120-1lsh4s1kbj 10

Analysis

  • max time kernel
    65s
  • max time network
    71s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/01/2025, 22:03

General

  • Target

    index.ps1

  • Size

    34B

  • MD5

    d83c49ed6318ba5e402c311cd7e55c3f

  • SHA1

    50520860840fab9b9aebf90b3e16f2466613d5d0

  • SHA256

    e4b94bbbc90229ebdfc4a28028890d73fc085f460e9dac460bb4192417b4d7d3

  • SHA512

    eb747e268fde9971416c156267a17a698e0a10209b48a75b2b77987fadc496b82e18e8441ccaac854feb37d828868e70469e45c4549db8587e01d171fc444e10

Malware Config

Extracted

Family

vidar

Botnet

fc0stn

C2

https://t.me/w0ctzn

https://steamcommunity.com/profiles/76561199817305251

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0

Signatures

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Vidar family
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\index.ps1
    1⤵
    • Blocklisted process makes network request
    • Command and Scripting Interpreter: PowerShell
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3700
    • C:\Users\Admin\AppData\Local\3a98d52f-d7c8-4f2e-be12-39e2ff7f54f9\updater.exe
      "C:\Users\Admin\AppData\Local\3a98d52f-d7c8-4f2e-be12-39e2ff7f54f9\updater.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2516
      • C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
        "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1704

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\3a98d52f-d7c8-4f2e-be12-39e2ff7f54f9\updater.exe

    Filesize

    9.8MB

    MD5

    2a7ec240fa5e25c92b2b78c4f1002ea0

    SHA1

    bca1465b8bafa5fe58d96d4289356d40c3d44155

    SHA256

    2c973057cbbe0d9836f477281a06b51c6ce009c5ac7683f4255743e7d01ca9ca

    SHA512

    dba36379cd0532301193b25ffc4c9b74406efc08ca2d2ce0fec06c115abdde2ab0409bfda1f8bf85ce50764a59503ab0d5b1efbbd641b4caec1dde910d220df3

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pn5qt2h0.ptb.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/1704-88-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

  • memory/1704-80-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

  • memory/1704-79-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

  • memory/1704-78-0x0000000000400000-0x0000000000460000-memory.dmp

    Filesize

    384KB

  • memory/3700-11-0x00007FFFFDBF0000-0x00007FFFFE6B1000-memory.dmp

    Filesize

    10.8MB

  • memory/3700-16-0x00007FFFFDBF3000-0x00007FFFFDBF5000-memory.dmp

    Filesize

    8KB

  • memory/3700-17-0x00007FFFFDBF0000-0x00007FFFFE6B1000-memory.dmp

    Filesize

    10.8MB

  • memory/3700-15-0x00007FFFFDBF0000-0x00007FFFFE6B1000-memory.dmp

    Filesize

    10.8MB

  • memory/3700-13-0x0000019FCA030000-0x0000019FCA7D6000-memory.dmp

    Filesize

    7.6MB

  • memory/3700-12-0x00007FFFFDBF0000-0x00007FFFFE6B1000-memory.dmp

    Filesize

    10.8MB

  • memory/3700-0-0x00007FFFFDBF3000-0x00007FFFFDBF5000-memory.dmp

    Filesize

    8KB

  • memory/3700-10-0x0000019FB0F80000-0x0000019FB0FA2000-memory.dmp

    Filesize

    136KB

  • memory/3700-91-0x00007FFFFDBF0000-0x00007FFFFE6B1000-memory.dmp

    Filesize

    10.8MB