Overview

overview

10

Static

static

4ef8ca1609...55.exe

windows7_x64

10

4ef8ca1609...55.exe

windows10_x64

10

Analysis

  • max time kernel
    102s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    09-11-2020 19:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4ef8ca1609ef52a9a30bcc7e87083b55.exe

  • Size

    681KB

  • MD5

    4ef8ca1609ef52a9a30bcc7e87083b55

  • SHA1

    d2f204852ab8b8d19288eef03549c87cfb9fbda9

  • SHA256

    aa0391688fb348eaa32856bcf0caca596177985f4dd9733f69ab2018ba8d1ff7

  • SHA512

    991ad0bf136825f3c46a748aca349a4a0dd007fe0b72aaff631978f2a2682d8aa12457f7c6df20733dedad919b4606b1c0731a413c75be51289a2f4896c2ec4a

Score
10/10
vidardiscoveryspywarestealer

Malware Config

Signatures

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spyware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4ef8ca1609ef52a9a30bcc7e87083b55.exe
    "C:\Users\Admin\AppData\Local\Temp\4ef8ca1609ef52a9a30bcc7e87083b55.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1080
    • C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
      "C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:1456
    • C:\Windows\SysWOW64\regedit.exe
      "C:\Windows\System32\regedit.exe" \s C:\Windows\wotsuper.reg
      2⤵
      • Runs .reg file with regedit
      PID:1520
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1lBhp.html
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1640
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1640 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:536

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

2
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
    MD5

    b546f0345b342336c17e5308953a0523

    SHA1

    b2c4bb0a6a3f19b70f078ca4e9dd4cdd66d7848e

    SHA256

    844416ef0674d50b0c579e1d95ed7ac729d5c553b26770764d4e609fb94e94ec

    SHA512

    f866163aabfcbde5b7da25e937799b35f6f7e0619cc88e69d23719f843815f23bf5dd253b4a3a9428909cecd9f7df3d02ec313e163bad1a40ed599a32be1e27d

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5

    8a0f138687887daf41a1d0647b63d3f8

    SHA1

    f95462b13e7091e1f7ad33130b6a8a340e6bf35c

    SHA256

    cf22e7479cd0e2548f21f24b5fac7960c26ff98a34ef78a8e804775b66b1ada5

    SHA512

    04de7932672b82584daa39681767159474fc2bf33ab8f9bdf38c6403f89e765e83d6228b5da16058829eb17b6bf5c632c544411a400085d5cc7fb3920bbd9d67

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\s7iy1jn\imagestore.dat
    MD5

    e0bf1a6766d82121595a186af3587abb

    SHA1

    0b74bcdd1f0d4a8ea8c10716e480d5cc40534b38

    SHA256

    cbd8821d7893e8ef18a0f02b3d486421b3ca11ffdb3d591df307a5444fb4ae5a

    SHA512

    4f976f1667efe79b5f928501916a0b0196929206668aefedc05d310761c735fd5be38cda8d2df83016a88ea9ae4025f4a381c122b400c324bcd54507f04c41ba

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YI7L9ECR.txt
    MD5

    842a07e2143b8c222f4b976a70f57cfc

    SHA1

    175f73cd876b9ff3e645ce14fd19469104bb64b6

    SHA256

    18e938cc5eaa2112ac58d1e2e1edfce84c0ba2abbac7a1b6f08031a039fc958d

    SHA512

    1d04a8a497ae1cbf0893aed34eeb7bf2980ed0c18c6a3ea4cee99c7c40d445e504a0a324783bc0763974c19bd03118afa06c50ab3f6841b0f3af0ac80a889114

    Download Submit
  • \Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
    MD5

    b546f0345b342336c17e5308953a0523

    SHA1

    b2c4bb0a6a3f19b70f078ca4e9dd4cdd66d7848e

    SHA256

    844416ef0674d50b0c579e1d95ed7ac729d5c553b26770764d4e609fb94e94ec

    SHA512

    f866163aabfcbde5b7da25e937799b35f6f7e0619cc88e69d23719f843815f23bf5dd253b4a3a9428909cecd9f7df3d02ec313e163bad1a40ed599a32be1e27d

    Download Submit
  • \Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
    MD5

    b546f0345b342336c17e5308953a0523

    SHA1

    b2c4bb0a6a3f19b70f078ca4e9dd4cdd66d7848e

    SHA256

    844416ef0674d50b0c579e1d95ed7ac729d5c553b26770764d4e609fb94e94ec

    SHA512

    f866163aabfcbde5b7da25e937799b35f6f7e0619cc88e69d23719f843815f23bf5dd253b4a3a9428909cecd9f7df3d02ec313e163bad1a40ed599a32be1e27d

    Download Submit
  • memory/536-9-0x0000000000000000-mapping.dmp
    Download
  • memory/1088-6-0x000007FEF7800000-0x000007FEF7A7A000-memory.dmp
    Filesize

    2.5MB

    Download
  • memory/1456-8-0x0000000001EC0000-0x0000000001ED1000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1456-7-0x000000000058B000-0x000000000058C000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1456-2-0x0000000000000000-mapping.dmp
    Download
  • memory/1520-4-0x0000000000000000-mapping.dmp
    Download
  • memory/1640-5-0x0000000000000000-mapping.dmp
    Download