Analysis
Max time kernel: 65s
Max time network: 71s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 20/01/2025, 22:03
Static task: static1
General
Target: index.ps1
Size: 34B
MD5: d83c49ed6318ba5e402c311cd7e55c3f
SHA1: 50520860840fab9b9aebf90b3e16f2466613d5d0
SHA256: e4b94bbbc90229ebdfc4a28028890d73fc085f460e9dac460bb4192417b4d7d3
SHA512: eb747e268fde9971416c156267a17a698e0a10209b48a75b2b77987fadc496b82e18e8441ccaac854feb37d828868e70469e45c4549db8587e01d171fc444e10
Malware Config
Extracted: vidar
fc0stn
https://t.me/w0ctzn
https://steamcommunity.com/profiles/76561199817305251
user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0
The Telegram channel and Steam profile URLs are dead-drop resolvers: Vidar reads the current C2 address from those public pages at runtime, so the pages are where the operator publishes the C2, not the C2 itself. Block or hunt on the extracted URLs, but expect the address they resolve to change between campaigns.
Signatures

Vidar family

Blocklisted process makes network request (2 IoCs)
  flow  pid   Process
  11    3700  powershell.exe
  17    3700  powershell.exe

Downloads MZ/PE file

Executes dropped EXE (1 IoC)
  pid   Process
  2516  updater.exe

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process      procid_target
  PID 2516 set thread context of 1704  2516  updater.exe  93

Command and Scripting Interpreter: PowerShell (1 IoC)
  pid   Process
  3700  powershell.exe

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  updater.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  BitLockerToGo.exe

Modifies registry class (1 IoC)
  description  ioc                                                                                          Process
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  powershell.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  3700  powershell.exe
  3700  powershell.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  3700  powershell.exe

Suspicious use of WriteProcessMemory (14 IoCs)
  description                       pid   Process         procid_target  occurrences
  PID 3700 wrote to memory of 2516  3700  powershell.exe  91             3
  PID 2516 wrote to memory of 1704  2516  updater.exe     93             11
Processes

1. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
   Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\index.ps1
   PID: 3700
   - Blocklisted process makes network request
   - Command and Scripting Interpreter: PowerShell
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\3a98d52f-d7c8-4f2e-be12-39e2ff7f54f9\updater.exe
      Command line: "C:\Users\Admin\AppData\Local\3a98d52f-d7c8-4f2e-be12-39e2ff7f54f9\updater.exe"
      PID: 2516
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
         Command line: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
         PID: 1704
         - System Location Discovery: System Language Discovery
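The process chain above (PowerShell started with -ExecutionPolicy bypass on a script in Temp, a dropped updater.exe in a GUID-named folder under AppData\Local, then repeated WriteProcessMemory calls plus one SetThreadContext from updater.exe into a freshly spawned BitLockerToGo.exe) is what a detection engineer would want to match generically rather than by hash. The Python below is an added example, not part of the tria.ge report or of the sample: it encodes the report's three processes and API IoCs as constructed records under an assumed schema (pid, ppid, image, cmdline, api, target_pid) and runs three rules over them. Treating the WriteProcessMemory/SetThreadContext pair against a child that is a Windows binary as suspected process hollowing is this example's inference; the report itself labels those calls only as suspicious use.

```python
"""Triage the process chain in this report for injection indicators.

Added example, not code from tria.ge or from the sample. The records below
are constructed by hand from the report's Processes and Signatures sections;
the field names (pid, ppid, image, cmdline, api, target_pid) are an assumed
schema, not the format of any real sandbox or EDR.
"""
import re
from collections import defaultdict

# Process records reconstructed from the report's process tree (constructed input).
PROCESSES = [
    {"pid": 3700, "ppid": None,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\index.ps1"},
    {"pid": 2516, "ppid": 3700,
     "image": r"C:\Users\Admin\AppData\Local\3a98d52f-d7c8-4f2e-be12-39e2ff7f54f9\updater.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\3a98d52f-d7c8-4f2e-be12-39e2ff7f54f9\updater.exe"'},
    {"pid": 1704, "ppid": 2516,
     "image": r"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe",
     "cmdline": r'"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"'},
]

# API IoCs from the report: 3 + 11 WriteProcessMemory calls and one SetThreadContext.
API_EVENTS = (
    [{"pid": 3700, "api": "WriteProcessMemory", "target_pid": 2516}] * 3
    + [{"pid": 2516, "api": "WriteProcessMemory", "target_pid": 1704}] * 11
    + [{"pid": 2516, "api": "SetThreadContext", "target_pid": 1704}]
)

# PowerShell accepts unambiguous prefixes of -ExecutionPolicy (-ex, -exec, -ep), so match those too.
EP_BYPASS = re.compile(r"-e(?:x|xec|xecutionpolicy|p)\s+bypass", re.I)
TEMP_SCRIPT = re.compile(r'\\AppData\\Local\\Temp\\[^\s"]+\.ps1', re.I)
GUID_DIR_EXE = re.compile(
    r"\\AppData\\Local\\[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\\[^\\]+\.exe$", re.I)
SYSTEM_IMAGE = re.compile(r"^C:\\Windows\\", re.I)


def powershell_findings(procs):
    """Flag PowerShell launched with execution-policy bypass on a script under Temp."""
    out = []
    for p in procs:
        if not p["image"].lower().endswith("\\powershell.exe"):
            continue
        if EP_BYPASS.search(p["cmdline"]) and TEMP_SCRIPT.search(p["cmdline"]):
            out.append({"rule": "powershell_bypass_temp_script", "pid": p["pid"]})
    return out


def dropped_exe_findings(procs):
    """Flag executables running from a GUID-named folder directly under AppData\\Local."""
    return [{"rule": "exe_in_appdata_guid_dir", "pid": p["pid"]}
            for p in procs if GUID_DIR_EXE.search(p["image"])]


def hollowing_findings(procs, events):
    """Pair WriteProcessMemory with SetThreadContext on the same child process.

    A parent that writes into a child it spawned and then resets a thread
    context is the classic process-hollowing sequence; when the child image is
    a Microsoft binary under C:\\Windows, its real code has been replaced in
    memory. Calling this hollowing is an inference beyond the report's labels.
    """
    by_pid = {p["pid"]: p for p in procs}
    apis = defaultdict(set)      # (writer_pid, target_pid) -> set of API names
    writes = defaultdict(int)    # (writer_pid, target_pid) -> WriteProcessMemory count
    for e in events:
        key = (e["pid"], e["target_pid"])
        apis[key].add(e["api"])
        if e["api"] == "WriteProcessMemory":
            writes[key] += 1
    out = []
    for (writer, target), names in apis.items():
        if {"WriteProcessMemory", "SetThreadContext"} <= names:
            child = by_pid.get(target)
            if child and child["ppid"] == writer and SYSTEM_IMAGE.match(child["image"]):
                out.append({"rule": "suspected_process_hollowing", "pid": writer,
                            "target_pid": target, "writes": writes[(writer, target)],
                            "target_image": child["image"]})
    return out


def triage(procs=PROCESSES, events=API_EVENTS):
    """Run all three rules and return the combined findings."""
    return (powershell_findings(procs) + dropped_exe_findings(procs)
            + hollowing_findings(procs, events))


if __name__ == "__main__":
    for finding in triage():
        print(finding)
```

Run as-is to see the three findings for this report; to reuse the logic, feed it process and API events from your own telemetry mapped onto the same fields. Note that the hollowing rule requires both API names against the same parent/child pair, so a WriteProcessMemory burst on its own (as powershell.exe shows toward updater.exe here) is not flagged by it.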
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 9.8MB
MD5: 2a7ec240fa5e25c92b2b78c4f1002ea0
SHA1: bca1465b8bafa5fe58d96d4289356d40c3d44155
SHA256: 2c973057cbbe0d9836f477281a06b51c6ce009c5ac7683f4255743e7d01ca9ca
SHA512: dba36379cd0532301193b25ffc4c9b74406efc08ca2d2ce0fec06c115abdde2ab0409bfda1f8bf85ce50764a59503ab0d5b1efbbd641b4caec1dde910d220df3

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82