Analysis

max time kernel: 148s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20250129-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/02/2025, 20:41

Static task: static1
Behavioral task: behavioral1
Sample: random.exe
Resource: win7-20240903-en

General

Target: random.exe
Size: 10.1MB
MD5: c57c72458776a0b6a653f6c828c229f2
SHA1: 2f993c6a8499b360dec51240d0b6c5faff561c80
SHA256: d7d05573e26cf40978ecbccb62c1adaf4c2363f5463cc96dc50765da6157aff6
SHA512: 5678f7bf398e944d9d60876cb3dad8114c0ea71604488c72ba0f0e552629c5a231aa0b1be7b9459921486061656fa7741bd9b8379c457ae3db943d738bfb5cb0
SSDEEP: 768:BQYZRf5c58TQppBw0t/9edP/IX6X/Ab0t/9eR:sdo/GX6Xk/R

Malware Config

Extracted family: vidar
C2:
- https://t.me/m08mbk
- https://steamcommunity.com/profiles/76561199820567237
user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0
Signatures

Vidar family

Downloads MZ/PE file (1 IoCs)
  flow  pid   Process
  6     4828  random.exe

Suspicious use of SetThreadContext (1 IoCs)
  description                          pid   Process     procid_target
  PID 4828 set thread context of 4756  4828  random.exe  93
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MSBuild.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  random.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  csc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  csc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cvtres.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  4828  random.exe
  4828  random.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  4828  random.exe

Suspicious use of WriteProcessMemory (26 IoCs)
  description                       pid   Process     procid_target
  PID 4828 wrote to memory of 628   4828  random.exe  86
  PID 4828 wrote to memory of 628   4828  random.exe  86
  PID 4828 wrote to memory of 628   4828  random.exe  86
  PID 628 wrote to memory of 468    628   csc.exe     88
  PID 628 wrote to memory of 468    628   csc.exe     88
  PID 628 wrote to memory of 468    628   csc.exe     88
  PID 4828 wrote to memory of 1340  4828  random.exe  89
  PID 4828 wrote to memory of 1340  4828  random.exe  89
  PID 4828 wrote to memory of 1340  4828  random.exe  89
  PID 1340 wrote to memory of 2752  1340  csc.exe     91
  PID 1340 wrote to memory of 2752  1340  csc.exe     91
  PID 1340 wrote to memory of 2752  1340  csc.exe     91
  PID 4828 wrote to memory of 1148  4828  random.exe  92
  PID 4828 wrote to memory of 1148  4828  random.exe  92
  PID 4828 wrote to memory of 1148  4828  random.exe  92
  PID 4828 wrote to memory of 4756  4828  random.exe  93
  PID 4828 wrote to memory of 4756  4828  random.exe  93
  PID 4828 wrote to memory of 4756  4828  random.exe  93
  PID 4828 wrote to memory of 4756  4828  random.exe  93
  PID 4828 wrote to memory of 4756  4828  random.exe  93
  PID 4828 wrote to memory of 4756  4828  random.exe  93
  PID 4828 wrote to memory of 4756  4828  random.exe  93
  PID 4828 wrote to memory of 4756  4828  random.exe  93
  PID 4828 wrote to memory of 4756  4828  random.exe  93
  PID 4828 wrote to memory of 4756  4828  random.exe  93
  PID 4828 wrote to memory of 4756  4828  random.exe  93
Processes

- C:\Users\Admin\AppData\Local\Temp\random.exe (PID 4828)
  Command line: "C:\Users\Admin\AppData\Local\Temp\random.exe"
  Signatures: Downloads MZ/PE file; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (PID 628)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z4db0ibz\z4db0ibz.cmdline"
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 468)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA180.tmp" "c:\Users\Admin\AppData\Local\Temp\z4db0ibz\CSC9B9AF9B9A67B40B58FD71CB51993CBB.TMP"
      Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe (PID 1340)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\b5ufuqxg\b5ufuqxg.cmdline"
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe (PID 2752)
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA3A2.tmp" "c:\Users\Admin\AppData\Local\Temp\b5ufuqxg\CSC2A72B5BB82A4410783F974C5A478A7D9.TMP"
      Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (PID 1148)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (PID 4756)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    Signatures: System Location Discovery: System Language Discovery
MITRE ATT&CK Enterprise v15
Downloads