Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
44s -
max time network
46s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20250207-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20250207-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
08/02/2025, 15:16
Static task
static1
General
-
Target
S0FTWARE.exe
-
Size
16KB
-
MD5
aab1f7428582ab8fd7e1875b1c76f5d5
-
SHA1
052afd80cfa9061b462eac018b51ae9d1a4a9cd0
-
SHA256
93b81fca5f62c8511d4901efea8b7c17db8d3cb46c26727c0713c74608af749c
-
SHA512
d3d4a51b5358390af5f84b58de0310bc942ae8aa01b3ec262aec5be3c6f0940b6900c56ba1589c252b7825e74ef67b6bcc80f2c927f32fa75316f73c46cdf5c2
-
SSDEEP
384:lAbhV0ZFn9jbHzBbIXWy0ZEdcTn/dqLkLZc:eroFbZvdqLIO
Malware Config
Extracted
vidar
https://t.me/sok33tn
https://steamcommunity.com/profiles/76561199824159981
-
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0
Signatures
-
Detect Vidar Stealer 2 IoCs
resource yara_rule behavioral1/files/0x0007000000015c60-64.dat family_vidar_v7 behavioral1/memory/3136-72-0x0000000000400000-0x0000000000422000-memory.dmp family_vidar_v7 -
Vidar family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 3284 powershell.exe 464 powershell.exe -
Downloads MZ/PE file 3 IoCs
flow pid Process 13 3828 Process not Found 18 5104 S0FTWARE.exe 18 5104 S0FTWARE.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1549004827-922980081-1811511435-1000\Control Panel\International\Geo\Nation S0FTWARE.exe Key value queried \REGISTRY\USER\S-1-5-21-1549004827-922980081-1811511435-1000\Control Panel\International\Geo\Nation botyhkskfkr.exe -
Executes dropped EXE 2 IoCs
pid Process 3136 bothkklasda.exe 2912 botyhkskfkr.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 17 raw.githubusercontent.com 18 raw.githubusercontent.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language S0FTWARE.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bothkklasda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language botyhkskfkr.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 4712 MicrosoftEdgeUpdate.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1180 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid Process 3284 powershell.exe 3284 powershell.exe 464 powershell.exe 464 powershell.exe 464 powershell.exe -
Suspicious use of AdjustPrivilegeToken 45 IoCs
description pid Process Token: SeDebugPrivilege 3284 powershell.exe Token: SeIncreaseQuotaPrivilege 3284 powershell.exe Token: SeSecurityPrivilege 3284 powershell.exe Token: SeTakeOwnershipPrivilege 3284 powershell.exe Token: SeLoadDriverPrivilege 3284 powershell.exe Token: SeSystemProfilePrivilege 3284 powershell.exe Token: SeSystemtimePrivilege 3284 powershell.exe Token: SeProfSingleProcessPrivilege 3284 powershell.exe Token: SeIncBasePriorityPrivilege 3284 powershell.exe Token: SeCreatePagefilePrivilege 3284 powershell.exe Token: SeBackupPrivilege 3284 powershell.exe Token: SeRestorePrivilege 3284 powershell.exe Token: SeShutdownPrivilege 3284 powershell.exe Token: SeDebugPrivilege 3284 powershell.exe Token: SeSystemEnvironmentPrivilege 3284 powershell.exe Token: SeRemoteShutdownPrivilege 3284 powershell.exe Token: SeUndockPrivilege 3284 powershell.exe Token: SeManageVolumePrivilege 3284 powershell.exe Token: 33 3284 powershell.exe Token: 34 3284 powershell.exe Token: 35 3284 powershell.exe Token: 36 3284 powershell.exe Token: SeDebugPrivilege 464 powershell.exe Token: SeIncreaseQuotaPrivilege 464 powershell.exe Token: SeSecurityPrivilege 464 powershell.exe Token: SeTakeOwnershipPrivilege 464 powershell.exe Token: SeLoadDriverPrivilege 464 powershell.exe Token: SeSystemProfilePrivilege 464 powershell.exe Token: SeSystemtimePrivilege 464 powershell.exe Token: SeProfSingleProcessPrivilege 464 powershell.exe Token: SeIncBasePriorityPrivilege 464 powershell.exe Token: SeCreatePagefilePrivilege 464 powershell.exe Token: SeBackupPrivilege 464 powershell.exe Token: SeRestorePrivilege 464 powershell.exe Token: SeShutdownPrivilege 464 powershell.exe Token: SeDebugPrivilege 464 powershell.exe Token: SeSystemEnvironmentPrivilege 464 powershell.exe Token: SeRemoteShutdownPrivilege 464 powershell.exe Token: SeUndockPrivilege 464 powershell.exe Token: SeManageVolumePrivilege 464 powershell.exe Token: 33 464 powershell.exe Token: 34 464 powershell.exe Token: 35 464 powershell.exe Token: 36 464 powershell.exe Token: SeDebugPrivilege 5104 S0FTWARE.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 5104 wrote to memory of 3284 5104 S0FTWARE.exe 95 PID 5104 wrote to memory of 3284 5104 S0FTWARE.exe 95 PID 5104 wrote to memory of 3284 5104 S0FTWARE.exe 95 PID 5104 wrote to memory of 464 5104 S0FTWARE.exe 98 PID 5104 wrote to memory of 464 5104 S0FTWARE.exe 98 PID 5104 wrote to memory of 464 5104 S0FTWARE.exe 98 PID 5104 wrote to memory of 3136 5104 S0FTWARE.exe 101 PID 5104 wrote to memory of 3136 5104 S0FTWARE.exe 101 PID 5104 wrote to memory of 3136 5104 S0FTWARE.exe 101 PID 5104 wrote to memory of 2912 5104 S0FTWARE.exe 102 PID 5104 wrote to memory of 2912 5104 S0FTWARE.exe 102 PID 5104 wrote to memory of 2912 5104 S0FTWARE.exe 102 PID 2912 wrote to memory of 828 2912 botyhkskfkr.exe 103 PID 2912 wrote to memory of 828 2912 botyhkskfkr.exe 103 PID 2912 wrote to memory of 828 2912 botyhkskfkr.exe 103 PID 828 wrote to memory of 1180 828 cmd.exe 105 PID 828 wrote to memory of 1180 828 cmd.exe 105 PID 828 wrote to memory of 1180 828 cmd.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\S0FTWARE.exe"C:\Users\Admin\AppData\Local\Temp\S0FTWARE.exe"1⤵
- Downloads MZ/PE file
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5104 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\VMSADWB'"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3284
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:464
-
-
C:\VMSADWB\bothkklasda.exe"C:\VMSADWB\bothkklasda.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3136
-
-
C:\VMSADWB\botyhkskfkr.exe"C:\VMSADWB\botyhkskfkr.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:828 -
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:1180
-
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NjRBQ0JBRTktMTRDRS00QTMzLTkxNzktQjExM0NCMDIyQkE4fSIgdXNlcmlkPSJ7N0ZDQkIyMEItNjU2RC00M0IwLUFFMTAtNkNBNEU4MTZFMzIxfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7ODc1NTRDM0MtNUU4RC00MjRELUIxODUtMTJGMkVBOTBENzVBfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0NC40NTI5IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iMTI1IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMjMuMC42MzEyLjEyMyIgbmV4dHZlcnNpb249IiIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMSIgaW5zdGFsbGRhdGV0aW1lPSIxNzM4OTM1NDIxIiBvb2JlX2luc3RhbGxfdGltZT0iMTMzODM0MDc5NzAxODEwMDAwIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjE3OTg2MiIgc3lzdGVtX3VwdGltZV90aWNrcz0iNDcxNTQwNjE0OCIvPjwvYXBwPjwvcmVxdWVzdD41⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4712
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3468
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5f9349064c7c8f8467cc12d78a462e5f9
SHA15e1d27fc64751cd8c0e9448ee47741da588b3484
SHA256883481fe331cb89fb6061e76b43acd4dd638c16f499b10088b261036c6d0547b
SHA5123229668491b5e4068e743b31f2896b30b1842faf96aff09fad01b08771c2f11eb8d8f02a3b76e31f0d6ad650c2894c5ac1822204e132c03d9c2b8df6ca4cd7cf
-
Filesize
21KB
MD514caec1468b940973abb5795894b06b6
SHA1b5ddfc9e592efdd9e945edc674234ca492584ac2
SHA2563a7b0a95178dbe76e71fdba455452c7869986d9191216104ec085a1a4b428cdf
SHA5126800f4e25c8a7e3b0a380c5c71ca1051e61a7d4f104aa7795a5d65118576497263368f9a1def62e4c332ed1ca6db52f94e884bc80603eb45ded48d2cf630fb24
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
120KB
MD5807dadd8710a7b570ed237fd7cd1aa4b
SHA1d0e3a3a2b73bb2f3374a58914c8e35034ed5744d
SHA2567e18ae103ce6fd596459cf0d5fc49832cdbd19a5780b0f2db934c2b649bc2080
SHA5122270262a8bfe23ce2fac23e7208113be2fec093c3edd7aec456df6738cb19c02d5955c33d64df766154967d28a32947368bb2efaa6ec742031db07bce470d7f6
-
Filesize
28KB
MD5753175a2a378c1448b5e6946d2421599
SHA11a856255b7868a050cebc02845e4af6acb3912ef
SHA2562a216550fb6ef956beb4029c2c18049a1c66cc271470a09c3b0b6103440e7280
SHA51207e2c0c976c288d3ed0ffe370f6b5538df2c89edc52a21f6025996135d8e4143341e8a0322f7acbb83b9a6c7bae7c88a492aa39c73c88b21bcce19404f133fb3