Overview

overview

10

Static

static

464464b0f2...34.exe

windows7_x64

10

464464b0f2...34.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    09-11-2020 19:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    464464b0f26f533bb0c6f48a744bf334.exe

  • Size

    685KB

  • MD5

    464464b0f26f533bb0c6f48a744bf334

  • SHA1

    91f80b92ade33c48e74c587a2e9c51d164d81dd8

  • SHA256

    fcac1c6c86cda94817da16feb772744ab591e3d1192955b32b074034ea122bf1

  • SHA512

    fa96a422461391481fdf41a30175f3e2adc5add8fad5b9fc1bb4ac60250998342ad8be5b932dfb58d36c5d0a9e5c1c7537d679908b47398026e99661ede9442e

Score
10/10
vidardiscoverystealer

Malware Config

Signatures

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
    adwarespyware
  • Runs .reg file with regedit 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\464464b0f26f533bb0c6f48a744bf334.exe
    "C:\Users\Admin\AppData\Local\Temp\464464b0f26f533bb0c6f48a744bf334.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1900
    • C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
      "C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:1980
    • C:\Windows\SysWOW64\regedit.exe
      "C:\Windows\System32\regedit.exe" \s C:\Windows\wotsuper.reg
      2⤵
      • Runs .reg file with regedit
      PID:1180
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1lBhp.html
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1776
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1776 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:460

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
    MD5

    1f6e2424d4cef4fb05c640df6b1bef80

    SHA1

    9f6682868a01f4c219fdc277df8f44d9f3df30fc

    SHA256

    c86e72d4f676982b9d3b79343d29f604a3402c42bb6f38a672f5162191627990

    SHA512

    c7511146d3603b395b65cc66a239142ca1c16a2498d6e901c311328bc2d8f29ec9b2151b239fce13ab90148d24cb45f0794cd13592827f5cc4209a918fe66769

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5

    4a766071eeea7aac8c865b2e49bdbde1

    SHA1

    84781e5eca1c71acf61385c6181426a676cf0965

    SHA256

    5f8f127c255421537dae84d42c7a7d30fee47ffe1978c53f113e37b3918d1fec

    SHA512

    292b578cfb684664aab7aac17cdd2d9bde40d5696f9238d2eccf4a08c5883c6e54923690889e44970e87e47e16e716d59c436bb02f8b00d190750c769dcc4acf

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\w5ukms8\imagestore.dat
    MD5

    82fabbbf4c759686c6f71bbe840b201f

    SHA1

    9280b6093c8cfd9556accfb0ff36642b7fe2f1ad

    SHA256

    7ccc9dad56da911a906ff70e125801f955ba4f1aa0aa2ff27359e292e0c1b706

    SHA512

    80d3aa4b0a4406c792440b069d2a2083eb86a20637af8b863d8908882e1b9e7ce818ca33725ab186adcd4efc2db7b27ec8712edab1917df30d4fb769e0a620cf

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\K532L4H8.txt
    MD5

    9f1eb2693490facfa6324b5814fe7398

    SHA1

    cfac4b90d399da02b88e92910222ebfa9187d069

    SHA256

    bd49a28b5d84d5dd51bf3ea57f004ef9a2887d77d884b1fc8bee59fcd999b015

    SHA512

    4fc04c93eae289d36e45e5416d70428e5da2ee1845d6bc5d079db064f27796eb63b2feba44c76d5b2be711c090aab9632aa9d9c2227d0ca08523f963ac5f8c0d

    Download Submit
  • \Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
    MD5

    1f6e2424d4cef4fb05c640df6b1bef80

    SHA1

    9f6682868a01f4c219fdc277df8f44d9f3df30fc

    SHA256

    c86e72d4f676982b9d3b79343d29f604a3402c42bb6f38a672f5162191627990

    SHA512

    c7511146d3603b395b65cc66a239142ca1c16a2498d6e901c311328bc2d8f29ec9b2151b239fce13ab90148d24cb45f0794cd13592827f5cc4209a918fe66769

    Download Submit
  • \Program Files (x86)\wotsuper\wotsuper\wotsuper.exe
    MD5

    1f6e2424d4cef4fb05c640df6b1bef80

    SHA1

    9f6682868a01f4c219fdc277df8f44d9f3df30fc

    SHA256

    c86e72d4f676982b9d3b79343d29f604a3402c42bb6f38a672f5162191627990

    SHA512

    c7511146d3603b395b65cc66a239142ca1c16a2498d6e901c311328bc2d8f29ec9b2151b239fce13ab90148d24cb45f0794cd13592827f5cc4209a918fe66769

    Download Submit
  • memory/460-9-0x0000000000000000-mapping.dmp
    Download
  • memory/1180-4-0x0000000000000000-mapping.dmp
    Download
  • memory/1776-5-0x0000000000000000-mapping.dmp
    Download
  • memory/1792-6-0x000007FEF5AE0000-0x000007FEF5D5A000-memory.dmp
    Filesize

    2.5MB

    Download
  • memory/1980-8-0x0000000000D00000-0x0000000000D11000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1980-7-0x0000000000A88000-0x0000000000A99000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1980-2-0x0000000000000000-mapping.dmp
    Download