Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
7Static
static
5Timrex Per.../1.exe
windows10-2004-x64
7Timrex Per.../2.exe
windows10-2004-x64
7Timrex Per.../3.exe
windows10-2004-x64
7Timrex Per...rm.exe
windows10-2004-x64
6Timrex Per...ls.bat
windows10-2004-x64
1Timrex Per...n].bat
windows10-2004-x64
1Timrex Per...gs.vbs
windows10-2004-x64
1Timrex Per...ol.exe
windows10-2004-x64
5Analysis
-
max time kernel
20s -
max time network
23s -
platform
windows10-2004_x64 -
resource
win10v2004-20250129-en -
resource tags
arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system -
submitted
01/02/2025, 11:35
Behavioral task
behavioral1
Sample
Timrex Perm/Timrex Perm/Download this first/1.exe
Resource
win10v2004-20250129-en
Behavioral task
behavioral2
Sample
Timrex Perm/Timrex Perm/Download this first/2.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Timrex Perm/Timrex Perm/Download this first/3.exe
Resource
win10v2004-20250129-en
Behavioral task
behavioral4
Sample
Timrex Perm/Timrex Perm/Perm.exe
Resource
win10v2004-20250129-en
Behavioral task
behavioral5
Sample
Timrex Perm/Timrex Perm/Serial checker/Timrex Serials.bat
Resource
win10v2004-20250129-en
Behavioral task
behavioral6
Sample
Timrex Perm/Timrex Perm/Wifi & Bluetooth disabler/Disabler [Run Admin].bat
Resource
win10v2004-20250129-en
Behavioral task
behavioral7
Sample
Timrex Perm/Timrex Perm/defender control/Defender_Settings.vbs
Resource
win10v2004-20241007-en
General
-
Target
Timrex Perm/Timrex Perm/Download this first/3.exe
-
Size
4.2MB
-
MD5
339fe5621a6f481b823b21b6584c72d0
-
SHA1
8681ab09b386acbed0570480d54cd04edfed7a20
-
SHA256
9ad7e69763b7391791a92fba39fbfadfa3aa69d50a7801d2edc01f00d3577c9a
-
SHA512
e21bee36d6900680a57353282d98abb55e9513c27cc95be76b502b2ce94e1debb0a1cb478cbc803d6ecf366bbad070a4d8d3cc3068f8eeb963143f11f2caf351
-
SSDEEP
98304:9EbikxfQ6Fcg4r3n38Y3cTe7KLxGpvgGyLR4nweLSPbm1lztkmiZnv3wO5:0xfzcD3n38Y3ue7+xG5gNLRNkt5Ev3T5
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\Control Panel\International\Geo\Nation 3.exe -
Executes dropped EXE 1 IoCs
pid Process 3180 vs_setup_bootstrapper.exe -
Loads dropped DLL 21 IoCs
pid Process 3180 vs_setup_bootstrapper.exe 3180 vs_setup_bootstrapper.exe 3180 vs_setup_bootstrapper.exe 3180 vs_setup_bootstrapper.exe 3180 vs_setup_bootstrapper.exe 3180 vs_setup_bootstrapper.exe 3180 vs_setup_bootstrapper.exe 3180 vs_setup_bootstrapper.exe 3180 vs_setup_bootstrapper.exe 3180 vs_setup_bootstrapper.exe 3180 vs_setup_bootstrapper.exe 3180 vs_setup_bootstrapper.exe 3180 vs_setup_bootstrapper.exe 3180 vs_setup_bootstrapper.exe 3180 vs_setup_bootstrapper.exe 3180 vs_setup_bootstrapper.exe 3180 vs_setup_bootstrapper.exe 3180 vs_setup_bootstrapper.exe 3180 vs_setup_bootstrapper.exe 3180 vs_setup_bootstrapper.exe 3180 vs_setup_bootstrapper.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language vs_setup_bootstrapper.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language vs_setup_bootstrapper.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language getmac.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 vs_setup_bootstrapper.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString vs_setup_bootstrapper.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz vs_setup_bootstrapper.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3180 vs_setup_bootstrapper.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3600 wrote to memory of 3180 3600 3.exe 86 PID 3600 wrote to memory of 3180 3600 3.exe 86 PID 3600 wrote to memory of 3180 3600 3.exe 86 PID 3180 wrote to memory of 368 3180 vs_setup_bootstrapper.exe 87 PID 3180 wrote to memory of 368 3180 vs_setup_bootstrapper.exe 87 PID 3180 wrote to memory of 368 3180 vs_setup_bootstrapper.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\Timrex Perm\Timrex Perm\Download this first\3.exe"C:\Users\Admin\AppData\Local\Temp\Timrex Perm\Timrex Perm\Download this first\3.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3600 -
C:\Users\Admin\AppData\Local\Temp\10dea8aeb1fef54b57\vs_bootstrapper_d15\vs_setup_bootstrapper.exe"C:\Users\Admin\AppData\Local\Temp\10dea8aeb1fef54b57\vs_bootstrapper_d15\vs_setup_bootstrapper.exe" --env "_SFX_CAB_EXE_PACKAGE:C:\Users\Admin\AppData\Local\Temp\Timrex Perm\Timrex Perm\Download this first\3.exe _SFX_CAB_EXE_ORIGINALWORKINGDIR:C:\Users\Admin\AppData\Local\Temp\Timrex Perm\Timrex Perm\Download this first"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3180 -
C:\Windows\SysWOW64\getmac.exe"getmac"3⤵
- System Location Discovery: System Language Discovery
PID:368
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\10dea8aeb1fef54b57\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Interop.dll
Filesize18KB
MD56240940009abe0240203a943741f22b2
SHA121d7eaa572a701d2c463f1421b1b4dbb4355e91d
SHA25662d8143505b130e7dcd2488384c19827787f9370c132d0c05957e16c28c70447
SHA5124360785a85aa89aa303fb5a4e15233287457b6c46fb0a96e25b89703cc305fe76d0424fc93187da9dc25596b75c33ac9cc171ae37d599b0d914a3e22b0f0f9ea
-
C:\Users\Admin\AppData\Local\Temp\10dea8aeb1fef54b57\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Native.dll
Filesize115KB
MD57ee93c9293b25b94360c0bb61a0978d3
SHA12cd3c71473da6f2cff01f63ea3245e0c7794d15c
SHA2567424bdcd743c2784e4043f7c489697b6cae3c7dae17b7190967b5522dd3d9bb7
SHA5120523a771b3685604aab6088d194be5c3555011bd9a57f622f12fba1c6749f7974fc358563a54a85932dfd5be7cf342148fc972bbbabad5d8a5f421fd2e6ca367
-
C:\Users\Admin\AppData\Local\Temp\10dea8aeb1fef54b57\vs_bootstrapper_d15\Microsoft.VisualStudio.RemoteControl.dll
Filesize46KB
MD5355c1a112bc0f859b374a4b1c811c1e7
SHA1b9a58bb26f334d517ab777b6226fef86a67eb4dd
SHA256cc52e19735d6152702672feb5911c8ba77f60fdc73df5ed0d601b37415f3a7ed
SHA512f1e858f97dabeb8e9648d1eb753d6fcd9e2bab378259c02b3e031652e87c29fbabfc48d209983f7074dfc256afd42fa1d8184805534037771a71db517fe16c8b
-
C:\Users\Admin\AppData\Local\Temp\10dea8aeb1fef54b57\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Common.dll
Filesize581KB
MD5b952eda0274f5fe9651312bbdbd35c36
SHA1a1ca4f102124ffed512b2fd818ef21f29a094f95
SHA256e8028eb8af8ccc9b78fc688c96e91eb45add8d9f72ce90c365a1eab1f812fe08
SHA5128192b534adc3442ab23f8c040c4b67a907125ea86ee3f9e6b65f80aa731242b53e174eb394a05599b0e50f6f435f26b93c99b363adcf16724edf83917db79e9e
-
C:\Users\Admin\AppData\Local\Temp\10dea8aeb1fef54b57\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Download.dll
Filesize307KB
MD5484742c8c65f83e4b272692fa7badb3c
SHA1fa16f4159547404ade16f8c1abcc8f6978da9abd
SHA25678531f435198f0b0e0170f1b2d683e7785e5c1ad133b76b6b471a036d6e1d4ac
SHA5121f47ef544ac5837766befebabab6d8122e3e28aef68e877794fa8ef9ca9583be011386c1eb8fbb566cea40b32b9268f3880f3f8f3c9ff8c78b0b3015d99a775c
-
C:\Users\Admin\AppData\Local\Temp\10dea8aeb1fef54b57\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.dll
Filesize1.4MB
MD527f5c28bb57287a8f0187d7eee17bda8
SHA15b04cd155ee665609cc10c7e8cb72951843d3a5e
SHA256cc3219b8b031286813871debe27e4d1ed3b2d8caac612d30c8a2cfca4806f41b
SHA512d9973d51adcf9b683a1a67844fb81c796346fbe268ad4d85b91b02dd06bb584903ca5bb9588ac64118e8893203c1bb3ddf1a6d1246032c3fd9a82b189f82ecd9
-
C:\Users\Admin\AppData\Local\Temp\10dea8aeb1fef54b57\vs_bootstrapper_d15\Microsoft.VisualStudio.Telemetry.dll
Filesize950KB
MD5903f254110813906331bef23e680bb9d
SHA16e4adfae4281d0b5bd0d8efd8f8eb919e974bd7d
SHA256148081b9aaaee96125f7d2f09acffb95d7ce1c50d4e7b4b3ca8f3e372e2b8425
SHA512150f5b438199faf8922390bc2cf93684de4a134e9c82f0e608954f02c47f630c8be22afe0349bd049bb1bc57dcd0951f9cf119713087940a769e076bae00c662
-
C:\Users\Admin\AppData\Local\Temp\10dea8aeb1fef54b57\vs_bootstrapper_d15\Microsoft.VisualStudio.Utilities.Internal.dll
Filesize62KB
MD52dc1dc66b267a3470add7fab88b78069
SHA1dbe80047475b503791038ed7e47389c062c15c72
SHA256b044863f98af8d28f4f2f5e2dccb945c57439e1575afb37110e1eec306a6c89c
SHA51244ef73aab50dcc13ccd94c0353c366818afb27ce73772d722755b04add0c4f294c7814c84da6069d9aa6136f2a48683c25062dcddd1664e8d32fed1b38ceca21
-
Filesize
695KB
MD5195ffb7167db3219b217c4fd439eedd6
SHA11e76e6099570ede620b76ed47cf8d03a936d49f8
SHA256e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d
SHA51256eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac
-
Filesize
138KB
MD5f09441a1ee47fb3e6571a3a448e05baf
SHA13c5c5df5f8f8db3f0a35c5ed8d357313a54e3cde
SHA256bf3fb84664f4097f1a8a9bc71a51dcf8cf1a905d4080a4d290da1730866e856f
SHA5120199ae0633bccfeaefbb5aed20832a4379c7ad73461d41a9da3d6dc044093cc319670e67c4efbf830308cbd9a48fb40d4a6c7e472dcc42eb745c6ba813e8e7c6
-
C:\Users\Admin\AppData\Local\Temp\10dea8aeb1fef54b57\vs_bootstrapper_d15\System.Runtime.CompilerServices.Unsafe.dll
Filesize17KB
MD5c610e828b54001574d86dd2ed730e392
SHA1180a7baafbc820a838bbaca434032d9d33cceebe
SHA25637768488e8ef45729bc7d9a2677633c6450042975bb96516e186da6cb9cd0dcf
SHA512441610d2b9f841d25494d7c82222d07e1d443b0da07f0cf735c25ec82f6cce99a3f3236872aec38cc4df779e615d22469666066ccefed7fe75982eefada46396
-
Filesize
8KB
MD5782f4beae90d11351db508f38271eb26
SHA1f1e92aea9e2cd005c2fb6d4face0258d4f1d8b6c
SHA256c828a2e5b4045ce36ecf5b49d33d6404c9d6f865df9b3c9623787c2332df07d9
SHA5120a02beeca5c4e64044692b665507378e6f8b38e519a17c3ceccca1e87f85e1e2e7b3598e598fc84c962d3a5c723b28b52ee0351faaec82a846f0313f3c21e0e4
-
C:\Users\Admin\AppData\Local\Temp\10dea8aeb1fef54b57\vs_bootstrapper_d15\vs_setup_bootstrapper.config
Filesize620B
MD59782b354e186ed3fefa10faeff60a200
SHA1b87892f0ecf152be15a1db482cdffa6ce095fa54
SHA256cff9e299fc76c8a40e873da6b2105090e3c6b77f5d1e3157bccbfcb1a4773db7
SHA512d8e93674078fc865fac98f0186f62c55a9f16441568774bf173f2d80a02bed9f136cdf2658b563ed6f2aec16af5dfb32ac0e8e9e5e54c6e77929df48012f1df0
-
Filesize
404KB
MD5e24ef04ddb8a5474314d34cbd3ffa0c2
SHA1399b9c3336116df479793d322f8c1e884e154fff
SHA25649fc3ec8ab51c8f05591ee0ff0d9040bed994dbc3ef9a417a188c6d69a56952f
SHA5127e845f995cf5bc448f9accf4bc6a9c26a1354ec72b138348e0d474465a101cc77ff4f2801c1b58e48819053f80e7fdb0d0cf25664c2483314cb33b0d312d67e8
-
C:\Users\Admin\AppData\Local\Temp\10dea8aeb1fef54b57\vs_bootstrapper_d15\vs_setup_bootstrapper.exe.config
Filesize3KB
MD572f9933c6e247a13353d9725cd22c2da
SHA15b76599644e7c70cd5f08e5a80cec225c891a9da
SHA2561f423b67ee6ca6a714507ab08fbd383b6d442bd98d321f0a640d533d5a516650
SHA512afc7b5959506d197246fb482b0a2ca8f1ebfb5957234e547151d1e7a40047a2974768ccdf5c321a984685d99d4f7a1b0fbfb7fe81c40387a229808e45814a6de
-
Filesize
162B
MD5ad891c3b02a02419dc60db8c273a8315
SHA1141a08ca0e25d56bdb35fc71e1c767667079114a
SHA256186c4b16ee009564819730b358dbdbb0792fc27e602698c5f0a16e20104647c7
SHA51264cdaf1d6d1b4072e24f3926f91103abf946ff044cda34a9070586c2d2927bcdfc53381c955e447a38965ee426373259759025f97b715158afc429080956196f