Overview

overview

10

Static

static

34312d5802...27.exe

windows7_x64

10

34312d5802...27.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    09-11-2020 19:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    34312d5802b854fa88dc661a8aa29c27.exe

  • Size

    690KB

  • MD5

    34312d5802b854fa88dc661a8aa29c27

  • SHA1

    56aee5314c2e0c1077373fe02b8e59fb8882e6ff

  • SHA256

    06c470803b445fa48419f5840100b63e2248b72e64c6c0ef47c44c07ff36d2a9

  • SHA512

    208ab88d7ce7b789a5fc484c2a8fc643eb6481ae90394e92fbd0946ea84e10c53a01a06a13644188a3b99df6faeb35a7e7b5244e42183d60f49d09f5a97c407a

Score
10/10
vidardiscoverystealer

Malware Config

Signatures

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\34312d5802b854fa88dc661a8aa29c27.exe
    "C:\Users\Admin\AppData\Local\Temp\34312d5802b854fa88dc661a8aa29c27.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1704
    • C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
      "C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:2012
    • C:\Windows\SysWOW64\regedit.exe
      "C:\Windows\System32\regedit.exe" \s C:\Windows\wotsuper.reg
      2⤵
      • Runs .reg file with regedit
      PID:1496
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1lBhp.html
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2040
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2040 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:1248

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
    MD5

    69e5ed9aec279294e34997335ee6f993

    SHA1

    e898b197130899b18ef1bc27850a07f06f049ed2

    SHA256

    9236112b57ba34cec82e251450eab5e12e6f15796b3fb98f8dc77c4937cf1c2a

    SHA512

    f8a9593fd3d4be8cdfc7c39277056625821118bc9d83a4fe59f48883f6d6ac2a82257c5443a0b94ec924faa5c2a5dcd2a0a91596de3e3a6c6157f024e1918735

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5

    140bf2f6e09b7463d9e94b1bc6f20e91

    SHA1

    02c616874475cb82e17d275db14811922880c67a

    SHA256

    cf8da18653947af067adeafe93bd2a658aeb51a2c5b1baf2016c4810aeecd2a1

    SHA512

    b211b4fe83b779bdd1e7668a7efe6d39e54739a173e6e1f95c8c5b37169ce412eaafabf7bf22dc1259e146f9bc9c00122b318489db0f76679b3dcd7eef2f53d3

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\w5ukms8\imagestore.dat
    MD5

    fabc31135334e2efef63a74af145c127

    SHA1

    f3728ed68abd618b0bd1688e6feefd2b4e7de4d0

    SHA256

    73bd5852924a2171e0ef61532a8080568842655e3fd1df114ffe0d5823918eb7

    SHA512

    b271a0199b8851956324df730660b86f86472d467036c601d71c9152b3b6bac4b526ec93d58b24b2d91a623734bbf98f31032ad040a2dc64d693d853ee3430c3

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\FPMUGBD4.txt
    MD5

    90c96cc4a7bfa1d31ca554c4fa87fea5

    SHA1

    2c983a3936299015e7ed57884d9cecc817085210

    SHA256

    bfdefd285df8cbea0184122a3b96f8d5d6359256240143bcb6d8fb6539695a8c

    SHA512

    c021240c2a819e5ead30112b2b126a3c87781a80177c377a997f669b43de7b9ecf3a9487dc35120cd101a646cb16e5663cfc6ebfbb05ae1116d4f41cd0499b96

    Download Submit
  • \Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
    MD5

    69e5ed9aec279294e34997335ee6f993

    SHA1

    e898b197130899b18ef1bc27850a07f06f049ed2

    SHA256

    9236112b57ba34cec82e251450eab5e12e6f15796b3fb98f8dc77c4937cf1c2a

    SHA512

    f8a9593fd3d4be8cdfc7c39277056625821118bc9d83a4fe59f48883f6d6ac2a82257c5443a0b94ec924faa5c2a5dcd2a0a91596de3e3a6c6157f024e1918735

    Download Submit
  • \Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
    MD5

    69e5ed9aec279294e34997335ee6f993

    SHA1

    e898b197130899b18ef1bc27850a07f06f049ed2

    SHA256

    9236112b57ba34cec82e251450eab5e12e6f15796b3fb98f8dc77c4937cf1c2a

    SHA512

    f8a9593fd3d4be8cdfc7c39277056625821118bc9d83a4fe59f48883f6d6ac2a82257c5443a0b94ec924faa5c2a5dcd2a0a91596de3e3a6c6157f024e1918735

    Download Submit
  • memory/1248-9-0x0000000000000000-mapping.dmp
    Download
  • memory/1496-4-0x0000000000000000-mapping.dmp
    Download
  • memory/1776-6-0x000007FEF69C0000-0x000007FEF6C3A000-memory.dmp
    Filesize

    2.5MB

    Download
  • memory/2012-8-0x0000000001F10000-0x0000000001F21000-memory.dmp
    Filesize

    68KB

    Download
  • memory/2012-7-0x00000000005CB000-0x00000000005CC000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2012-2-0x0000000000000000-mapping.dmp
    Download
  • memory/2040-5-0x0000000000000000-mapping.dmp
    Download