Resubmissions

08/02/2025, 15:16

250208-snpk8stmaj (score 10)

08/02/2025, 12:25

250208-plr2ssvjf1 (score 3)

Analysis

  • max time kernel
    44s
  • max time network
    46s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250207-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20250207-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    08/02/2025, 15:16

General

  • Target

    S0FTWARE.exe

  • Size

    16KB

  • MD5

    aab1f7428582ab8fd7e1875b1c76f5d5

  • SHA1

    052afd80cfa9061b462eac018b51ae9d1a4a9cd0

  • SHA256

    93b81fca5f62c8511d4901efea8b7c17db8d3cb46c26727c0713c74608af749c

  • SHA512

    d3d4a51b5358390af5f84b58de0310bc942ae8aa01b3ec262aec5be3c6f0940b6900c56ba1589c252b7825e74ef67b6bcc80f2c927f32fa75316f73c46cdf5c2

  • SSDEEP

    384:lAbhV0ZFn9jbHzBbIXWy0ZEdcTn/dqLkLZc:eroFbZvdqLIO

Malware Config

Extracted

Family

vidar

C2

https://t.me/sok33tn

https://steamcommunity.com/profiles/76561199824159981

Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0
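The two C2 entries above are not C2 hosts but public profile pages (the "Legitimate hosting services abused for malware hosting/C2" signature below refers to them). Vidar-family samples are widely documented as using such pages as dead-drop resolvers: the real C2 is read from attacker-controlled text on the page. The following is an added example, not part of the Triage report or of any Vidar tooling. It recognises the two resolver URL shapes from the config, extracts C2-looking strings from the page field an operator controls, and flags the macOS Firefox user_agent the Windows process presents. The HTML fragments, the 203.0.113.10 address and the CSS class names are constructed assumptions, not content fetched from those URLs.

```python
"""Dead-drop resolver handling for the two C2 entries and the user_agent in
the extracted config.  Added example, not part of the Triage report or of
any Vidar tooling.  The page fragments, the 203.0.113.10 address and the
CSS class names are constructed assumptions, not content fetched from the
URLs."""
import html
import re
from urllib.parse import urlparse

CONFIG_C2 = ["https://t.me/sok33tn",
             "https://steamcommunity.com/profiles/76561199824159981"]
CONFIG_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0"


def classify_dead_drop(url: str):
    """'telegram' or 'steam' when the URL is a profile page shaped like a resolver, else None."""
    u = urlparse(url)
    host = u.netloc.lower()
    if host in ("t.me", "telegram.me") and re.fullmatch(r"/[A-Za-z0-9_]{5,}", u.path):
        return "telegram"
    if host == "steamcommunity.com" and re.fullmatch(r"/profiles/7656119\d{10}", u.path):
        return "steam"  # 17-digit SteamID64 profile, not a vanity /id/ URL
    return None


# Element carrying the attacker-controlled text on each page (assumed markup).
FIELD_RE = {
    "telegram": re.compile(r'<div class="tgme_page_description"[^>]*>(.*?)</div>', re.S),
    "steam": re.compile(r'<span class="actual_persona_name">(.*?)</span>', re.S),
}
# A URL, or an IPv4 address with optional port, anywhere in that text.
CANDIDATE_RE = re.compile(r"https?://[^\s\"'<>]+|\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")


def extract_c2_candidates(page_html: str, kind: str):
    """Pull C2-looking strings out of the resolver page's attacker-controlled field."""
    m = FIELD_RE[kind].search(page_html)
    if not m:
        return []
    text = html.unescape(re.sub(r"<[^>]+>", " ", m.group(1)))
    return CANDIDATE_RE.findall(text)


UA_OS_RE = re.compile(r"\((Windows NT|Macintosh|X11; Linux|Android|iPhone)")


def ua_os_mismatch(user_agent: str, host_os: str) -> bool:
    """True when the UA claims an OS other than the one the process runs on."""
    m = UA_OS_RE.search(user_agent)
    return bool(m) and not m.group(1).lower().startswith(host_os.lower())


# Constructed stand-ins for the fetched pages; 203.0.113.10 is a documentation address.
TELEGRAM_PAGE = '<html><div class="tgme_page_description">https://203.0.113.10/</div></html>'
STEAM_PAGE = '<html><span class="actual_persona_name">203.0.113.10|</span></html>'
PAGES = {"telegram": TELEGRAM_PAGE, "steam": STEAM_PAGE}


def resolve_all(urls, pages):
    """Map each config URL to the candidates found in its (here constructed) page."""
    out = {}
    for url in urls:
        kind = classify_dead_drop(url)
        if kind:
            out[url] = extract_c2_candidates(pages[kind], kind)
    return out


if __name__ == "__main__":
    for url, cands in resolve_all(CONFIG_C2, PAGES).items():
        print(f"{url} -> {cands}")
    print("UA/OS mismatch:", ua_os_mismatch(CONFIG_UA, "Windows"))
```

In a live pipeline the pages would be fetched and passed to resolve_all in place of PAGES; the resolver URLs themselves are worth blocking or alerting on only in combination with the UA mismatch or the process context, since ordinary users visit t.me and steamcommunity.com too.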

Signatures

  • Detect Vidar Stealer 2 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Vidar family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes (here Add-MpPreference -ExclusionPath for C:\VMSADWB, the drop directory, and for C:\Users).

  • Downloads MZ/PE file 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution. Here the sample registers a task named MyApp that runs %APPDATA%\service.exe daily from 00:00, repeating every minute (/ri 1) for a 9999:59 duration, i.e. effectively continuously.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\S0FTWARE.exe
    "C:\Users\Admin\AppData\Local\Temp\S0FTWARE.exe"
    1⤵
    • Downloads MZ/PE file
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5104
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\VMSADWB'"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3284
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:464
    • C:\VMSADWB\bothkklasda.exe
      "C:\VMSADWB\bothkklasda.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3136
    • C:\VMSADWB\botyhkskfkr.exe
      "C:\VMSADWB\botyhkskfkr.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2912
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C schtasks /create /tn MyApp /tr %APPDATA%\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:828
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /tn MyApp /tr C:\Users\Admin\AppData\Roaming\service.exe /st 00:00 /du 9999:59 /sc daily /ri 1 /f
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:1180
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NjRBQ0JBRTktMTRDRS00QTMzLTkxNzktQjExM0NCMDIyQkE4fSIgdXNlcmlkPSJ7N0ZDQkIyMEItNjU2RC00M0IwLUFFMTAtNkNBNEU4MTZFMzIxfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7ODc1NTRDM0MtNUU4RC00MjRELUIxODUtMTJGMkVBOTBENzVBfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0NC40NTI5IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iMTI1IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-… (argument truncated in the report; it is a base64-encoded Omaha update request, beginning <?xml version="1.0" encoding="UTF-8"?><request protocol="3.0" updater="Omaha")
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:4712
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3468
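The tree above contains the whole chain a detection engineer cares about: the sample excludes its drop directory and C:\Users from Defender, runs two executables out of that freshly excluded directory, and one of them registers a scheduled task pointing into %APPDATA%. The two remaining roots (MicrosoftEdgeUpdate.exe with a base64 Omaha update request, and rundll32 activating a COM local server via SHCreateLocalServerRunDll) are not children of the sample and are sandbox background activity. The following is an added example, not part of the Triage report or of tria.ge's own signatures: it rebuilds the tree from process-creation events constructed from the PIDs, images and command lines printed above, and runs three checks over it: Defender exclusions added through PowerShell (and whether they are broad), executables launched later from an excluded directory, and schtasks /create actions in user-writable paths or with high-frequency repetition. The pid/ppid/image/cmdline layout is an assumption modelled on Sysmon Event ID 1 / 4688 events, not a tria.ge export format.

```python
"""Detection checks over the process tree above.  Added example, not part
of the Triage report.  EVENTS is constructed from the report's tree (PIDs,
parents, images and command lines as printed); the pid/ppid/image/cmdline
layout is an assumption modelled on Sysmon Event ID 1 / 4688 events."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    pid: int
    ppid: int      # 0 = no observed parent (a root of the tree)
    image: str
    cmdline: str


PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TASK = r"schtasks /create /tn MyApp /tr {tr} /st 00:00 /du 9999:59 /sc daily /ri 1 /f"


def ps_exclusion(path: str) -> str:
    """Command line the sample used to add a Defender path exclusion."""
    return f'"{PS_EXE}" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath \'{path}\'"'


# Constructed from the report's process tree, in execution order.
EVENTS = [
    Event(5104, 0, r"C:\Users\Admin\AppData\Local\Temp\S0FTWARE.exe",
          r'"C:\Users\Admin\AppData\Local\Temp\S0FTWARE.exe"'),
    Event(3284, 5104, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", ps_exclusion(r"C:\VMSADWB")),
    Event(464, 5104, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", ps_exclusion(r"C:\Users")),
    Event(3136, 5104, r"C:\VMSADWB\bothkklasda.exe", r'"C:\VMSADWB\bothkklasda.exe"'),
    Event(2912, 5104, r"C:\VMSADWB\botyhkskfkr.exe", r'"C:\VMSADWB\botyhkskfkr.exe"'),
    Event(828, 2912, r"C:\Windows\SysWOW64\cmd.exe",
          r'"C:\Windows\System32\cmd.exe" /C ' + TASK.format(tr=r"%APPDATA%\service.exe")),
    Event(1180, 828, r"C:\Windows\SysWOW64\schtasks.exe",
          TASK.format(tr=r"C:\Users\Admin\AppData\Roaming\service.exe")),
    # Separate roots in the report: Edge updater telemetry and a COM server
    # activation, i.e. sandbox background activity rather than sample behaviour.
    # The base64 ping argument is truncated here as it is on the page.
    Event(4712, 0, r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe",
          r'"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIi...'),
    Event(3468, 0, r"C:\Windows\System32\rundll32.exe",
          r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll "
          r"{9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"),
]

EXCL_RE = re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+['\"]?([^'\"]+)", re.I)
SWITCH_RE = re.compile(r"/(tn|tr|sc|ri|st|du)\s+(\S+)", re.I)
USER_WRITABLE = ("%appdata%", "%temp%", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")


def defender_exclusions(events):
    """(pid, kind, value) for every Defender exclusion added through PowerShell."""
    return [(e.pid, kind.lower(), value.strip())
            for e in events for kind, value in EXCL_RE.findall(e.cmdline)]


def is_broad_path(path: str) -> bool:
    """True for a drive root or a single top-level directory such as C:\\Users."""
    return len([p for p in path.strip("\\").split("\\") if p]) <= 2


def executed_from_exclusion(events):
    """Images run later from a directory that an earlier exclusion carved out of Defender."""
    hits, excluded = [], []
    for e in events:
        for prefix in excluded:
            if e.image.lower().startswith(prefix):
                hits.append((e.pid, e.image, prefix))
        excluded += [v.rstrip("\\").lower() + "\\" for _, k, v in defender_exclusions([e]) if k == "path"]
    return hits


def schtasks_persistence(events, max_ri_minutes=5):
    """schtasks /create runs whose action sits in a user-writable path or repeats at high frequency."""
    hits = []
    for e in events:
        low = e.cmdline.lower()
        if "schtasks" not in low or "/create" not in low:
            continue
        sw = {k.lower(): v for k, v in SWITCH_RE.findall(e.cmdline)}
        action, reasons = sw.get("tr", ""), []
        if any(marker in action.lower() for marker in USER_WRITABLE):
            reasons.append("action in user-writable path")
        if sw.get("ri", "").isdigit() and int(sw["ri"]) <= max_ri_minutes:
            reasons.append(f"repeats every {sw['ri']} min")
        if reasons:
            hits.append((e.pid, sw.get("tn"), action, reasons))
    return hits


def ancestry(events, pid):
    """Image chain from a process up to its root, to tie a hit back to the sample."""
    by_pid, chain = {e.pid: e for e in events}, []
    while pid in by_pid:
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain


if __name__ == "__main__":
    for pid, kind, value in defender_exclusions(EVENTS):
        print(f"[exclusion] pid={pid} {kind}={value} broad={is_broad_path(value)}")
    for pid, image, prefix in executed_from_exclusion(EVENTS):
        print(f"[excluded-then-run] pid={pid} {image} (under {prefix})")
    for pid, name, action, reasons in schtasks_persistence(EVENTS):
        print(f"[schtask] pid={pid} /tn {name} /tr {action}: {', '.join(reasons)}")
        print("   lineage:", " <- ".join(ancestry(EVENTS, pid)))
```

The exclusion-then-execute correlation is the strongest single signal here: an Add-MpPreference exclusion is occasionally legitimate on its own, but a directory that is excluded and then immediately used to launch previously unseen executables, by a process whose ancestry ends in a file under the user's Temp directory, is not. Both the cmd.exe line (with the unexpanded %APPDATA%) and the schtasks.exe line (with the expanded path) are flagged, so the check works whether the log source records the wrapper or the final process.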

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

      Filesize

      2KB

      MD5

      f9349064c7c8f8467cc12d78a462e5f9

      SHA1

      5e1d27fc64751cd8c0e9448ee47741da588b3484

      SHA256

      883481fe331cb89fb6061e76b43acd4dd638c16f499b10088b261036c6d0547b

      SHA512

      3229668491b5e4068e743b31f2896b30b1842faf96aff09fad01b08771c2f11eb8d8f02a3b76e31f0d6ad650c2894c5ac1822204e132c03d9c2b8df6ca4cd7cf

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      21KB

      MD5

      14caec1468b940973abb5795894b06b6

      SHA1

      b5ddfc9e592efdd9e945edc674234ca492584ac2

      SHA256

      3a7b0a95178dbe76e71fdba455452c7869986d9191216104ec085a1a4b428cdf

      SHA512

      6800f4e25c8a7e3b0a380c5c71ca1051e61a7d4f104aa7795a5d65118576497263368f9a1def62e4c332ed1ca6db52f94e884bc80603eb45ded48d2cf630fb24

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qqqk32e2.dvj.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\VMSADWB\bothkklasda.exe

      Filesize

      120KB

      MD5

      807dadd8710a7b570ed237fd7cd1aa4b

      SHA1

      d0e3a3a2b73bb2f3374a58914c8e35034ed5744d

      SHA256

      7e18ae103ce6fd596459cf0d5fc49832cdbd19a5780b0f2db934c2b649bc2080

      SHA512

      2270262a8bfe23ce2fac23e7208113be2fec093c3edd7aec456df6738cb19c02d5955c33d64df766154967d28a32947368bb2efaa6ec742031db07bce470d7f6

    • C:\VMSADWB\botyhkskfkr.exe

      Filesize

      28KB

      MD5

      753175a2a378c1448b5e6946d2421599

      SHA1

      1a856255b7868a050cebc02845e4af6acb3912ef

      SHA256

      2a216550fb6ef956beb4029c2c18049a1c66cc271470a09c3b0b6103440e7280

      SHA512

      07e2c0c976c288d3ed0ffe370f6b5538df2c89edc52a21f6025996135d8e4143341e8a0322f7acbb83b9a6c7bae7c88a492aa39c73c88b21bcce19404f133fb3

    • memory/464-51-0x000000006F040000-0x000000006F08C000-memory.dmp

      Filesize

      304KB

    • memory/2912-85-0x0000000000400000-0x000000000040E000-memory.dmp

      Filesize

      56KB

    • memory/3136-72-0x0000000000400000-0x0000000000422000-memory.dmp

      Filesize

      136KB

    • memory/3284-21-0x00000000065E0000-0x0000000006612000-memory.dmp

      Filesize

      200KB

    • memory/3284-35-0x0000000007340000-0x000000000735A000-memory.dmp

      Filesize

      104KB

    • memory/3284-19-0x0000000005FD0000-0x0000000005FEE000-memory.dmp

      Filesize

      120KB

    • memory/3284-20-0x0000000006020000-0x000000000606C000-memory.dmp

      Filesize

      304KB

    • memory/3284-4-0x0000000004980000-0x00000000049B6000-memory.dmp

      Filesize

      216KB

    • memory/3284-22-0x000000006F040000-0x000000006F08C000-memory.dmp

      Filesize

      304KB

    • memory/3284-32-0x0000000006FD0000-0x0000000006FEE000-memory.dmp

      Filesize

      120KB

    • memory/3284-33-0x0000000007000000-0x00000000070A3000-memory.dmp

      Filesize

      652KB

    • memory/3284-34-0x0000000007980000-0x0000000007FFA000-memory.dmp

      Filesize

      6.5MB

    • memory/3284-18-0x0000000005AF0000-0x0000000005E47000-memory.dmp

      Filesize

      3.3MB

    • memory/3284-36-0x00000000073A0000-0x00000000073AA000-memory.dmp

      Filesize

      40KB

    • memory/3284-37-0x00000000075B0000-0x0000000007646000-memory.dmp

      Filesize

      600KB

    • memory/3284-8-0x0000000005970000-0x00000000059D6000-memory.dmp

      Filesize

      408KB

    • memory/3284-7-0x0000000005900000-0x0000000005966000-memory.dmp

      Filesize

      408KB

    • memory/3284-6-0x0000000005090000-0x00000000050B2000-memory.dmp

      Filesize

      136KB

    • memory/3284-5-0x00000000050C0000-0x000000000578A000-memory.dmp

      Filesize

      6.8MB

    • memory/5104-0-0x0000000073AFE000-0x0000000073AFF000-memory.dmp

      Filesize

      4KB

    • memory/5104-2-0x0000000073AFE000-0x0000000073AFF000-memory.dmp

      Filesize

      4KB

    • memory/5104-1-0x00000000006A0000-0x00000000006AA000-memory.dmp

      Filesize

      40KB