Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    09-11-2020 19:36

General

  • Target

    57f144a367aad10f85ac746fde7e9571.exe

  • Size

    503KB

  • MD5

    57f144a367aad10f85ac746fde7e9571

  • SHA1

    d4b7744b503b11e7a82564953e4179ba36bd9c5c

  • SHA256

    3a7f7b56d9b3c6996f00bd40b7ff5d70e0ce858fc76cc0d89f603a26c34e9e5c

  • SHA512

    11fe3ef1fbc6218693ecc1afa88b0cefedc72b1b1800fba430cf547401d8f3860a206b67f050fe06b30a7aeeb7cdebf4d6e4afe311aca989e8a775c75853d96b

Malware Config

Signatures

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\57f144a367aad10f85ac746fde7e9571.exe
    "C:\Users\Admin\AppData\Local\Temp\57f144a367aad10f85ac746fde7e9571.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1848
    • C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
      "C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:1388
    • C:\Windows\SysWOW64\regedit.exe
      "C:\Windows\System32\regedit.exe" \s C:\Windows\wotsuper.reg
      2⤵
      • Runs .reg file with regedit
      PID:1992
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1lBhp.html
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1988
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1988 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1684

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion
    Modify Registry, T1112 (1)
  • Credential Access
    Credentials in Files, T1081 (3)
  • Discovery
    Query Registry, T1012 (2)
    System Information Discovery, T1082 (1)
  • Collection
    Data from Local System, T1005 (3)
  • Command and Control
    Web Service, T1102 (1)

Downloads

  • C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
    MD5

    06077cafcb7bfc014cbaf6f86de3e135

    SHA1

    edac330e5d9ae292092f74f4353d6354617d0047

    SHA256

    4f1754d38419af7a4bb7eac503eabb4d4c8c6a5a6aab6327cf3a0eebfaecc0cb

    SHA512

    a0ef240723eeabc3a76e72a1a840cc4963ace8e2e7f5745f7c6043c1b6ae77c3a0f48516af0a129c531835f7dff2a3bbae46fefbe69a59f210b2ca835001fe51

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5

    856180e17f478834cc59f08ee0c8b925

    SHA1

    350f357d3ded2b318ffd8d2e56f641b9ae9c0863

    SHA256

    11816fac652743f9d02de4e4309c63fda043514aaedd5fedd96319090f586196

    SHA512

    5560084a8f9dcf99f8207051dc962377730b7a6aae8ca33914f07250c422fbbdff59511b49597939b7b69a8ea6090abb22b080e3b204a857c1e82915e1b3c9e1

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\w5ukms8\imagestore.dat
    MD5

    a4b9dac58ea280565d941bfc2f899eb1

    SHA1

    502e406a763a9a5de3578bfdfdcae1460343213a

    SHA256

    3e4eb0815379761bbf738f0ece3c7642e109ddae746652fa77d777aec1e01be7

    SHA512

    e795085d547b66433f6183f39cd61bb081cbf1e06f471a2d464a47935242fba8dda64a2775163bad9e631a15fff704bda609a6a8fc44e07aa420fc0893897556

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\3QQI2ZX8.txt
    MD5

    b898545c3920dec0aedc29627b79caf3

    SHA1

    10d6e131f2c2c75d4525be92e2f345a2dfb62214

    SHA256

    c658c99cef3daf908a836b105d62e6526f626bb3dfa659ec7bd81584d9a8531d

    SHA512

    5e62e21828cbdf7c3ad7110c001f09f8e959882fa1a0b3b7280751b014b75d56e81a63b9ce17380202ec294e8a97088878dc84b8699b94e84797ea8e7b25def5

  • \Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
    MD5

    06077cafcb7bfc014cbaf6f86de3e135

    SHA1

    edac330e5d9ae292092f74f4353d6354617d0047

    SHA256

    4f1754d38419af7a4bb7eac503eabb4d4c8c6a5a6aab6327cf3a0eebfaecc0cb

    SHA512

    a0ef240723eeabc3a76e72a1a840cc4963ace8e2e7f5745f7c6043c1b6ae77c3a0f48516af0a129c531835f7dff2a3bbae46fefbe69a59f210b2ca835001fe51

  • memory/1388-2-0x0000000000000000-mapping.dmp
  • memory/1684-7-0x0000000000000000-mapping.dmp
  • memory/1784-6-0x000007FEF6680000-0x000007FEF68FA000-memory.dmp
    Filesize

    2.5MB

  • memory/1988-5-0x0000000000000000-mapping.dmp
  • memory/1992-4-0x0000000000000000-mapping.dmp