Analysis
-
max time kernel
69s -
max time network
22s -
platform
windows7_x64 -
resource
win7v20201028 -
submitted
17-01-2021 13:48
General
-
Target
monthly financial statement.doc
-
Size
1.7MB
-
MD5
0675edf4c9212b83a850c75398f648e8
-
SHA1
d041f7d11a1da3a6d2db81cb84cce61c2c4e1281
-
SHA256
5f94fc16fc1729c7817f052cd6aaf7d1638aba942ef380b35a0003ec1f146439
-
SHA512
2cae441769260bdfca0a5a1ae6828e98281cfac3dc8c3e380e5390bd13a49251f1d224c00c0364cf649324364900fab9480edf946f221004c29fac9529d4b992
Malware Config
Signatures
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Blocklisted process makes network request 5 IoCs
-
Executes dropped EXE 1 IoCs
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 6 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
JavaScript code in executable 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Windows directory 1 IoCs
-
Office loads VBA resources, possible macro or embedded object present
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Kills process with taskkill 1 IoCs
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Modifies Internet Explorer settings 1 TTPs 9 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\monthly financial statement.doc"1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
-
C:\Users\Public\69577.exe"C:\Users\Public\69577.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im 69577.exe /f & erase C:\Users\Public\69577.exe & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im 69577.exe /f4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Public\69577.exeMD5
14c352be7111714a07714ab82bfd1b70
SHA13db41efadf56deafeff3ac541ea68c0046843e47
SHA2561b7bc78836c832c48b86f5c5406741018af99062461b8f4f2f9e55c8fcc076fc
SHA51245e15889a6d44891755aaa7de5abced9ea1cd5fdb91d2e284430c65647e136ca5a3b246b7a9ff14fbaf0a2d857e625fa359faeaeefed72e62b04c246214ab4ec
-
C:\Users\Public\69577.exeMD5
14c352be7111714a07714ab82bfd1b70
SHA13db41efadf56deafeff3ac541ea68c0046843e47
SHA2561b7bc78836c832c48b86f5c5406741018af99062461b8f4f2f9e55c8fcc076fc
SHA51245e15889a6d44891755aaa7de5abced9ea1cd5fdb91d2e284430c65647e136ca5a3b246b7a9ff14fbaf0a2d857e625fa359faeaeefed72e62b04c246214ab4ec
-
\ProgramData\mozglue.dllMD5
8f73c08a9660691143661bf7332c3c27
SHA137fa65dd737c50fda710fdbde89e51374d0c204a
SHA2563fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA5120042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
\ProgramData\msvcp140.dllMD5
109f0f02fd37c84bfc7508d4227d7ed5
SHA1ef7420141bb15ac334d3964082361a460bfdb975
SHA256334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA51246eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39
-
\ProgramData\nss3.dllMD5
bfac4e3c5908856ba17d41edcd455a51
SHA18eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA5122565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
\ProgramData\vcruntime140.dllMD5
7587bf9cb4147022cd5681b015183046
SHA1f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA5120b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f
-
\Users\Public\69577.exeMD5
14c352be7111714a07714ab82bfd1b70
SHA13db41efadf56deafeff3ac541ea68c0046843e47
SHA2561b7bc78836c832c48b86f5c5406741018af99062461b8f4f2f9e55c8fcc076fc
SHA51245e15889a6d44891755aaa7de5abced9ea1cd5fdb91d2e284430c65647e136ca5a3b246b7a9ff14fbaf0a2d857e625fa359faeaeefed72e62b04c246214ab4ec
-
\Users\Public\69577.exeMD5
14c352be7111714a07714ab82bfd1b70
SHA13db41efadf56deafeff3ac541ea68c0046843e47
SHA2561b7bc78836c832c48b86f5c5406741018af99062461b8f4f2f9e55c8fcc076fc
SHA51245e15889a6d44891755aaa7de5abced9ea1cd5fdb91d2e284430c65647e136ca5a3b246b7a9ff14fbaf0a2d857e625fa359faeaeefed72e62b04c246214ab4ec
-
memory/560-6-0x0000000000000000-mapping.dmp
-
memory/560-9-0x00000000049D0000-0x00000000049E1000-memory.dmpFilesize
68KB
-
memory/560-8-0x00000000046F9000-0x00000000046FA000-memory.dmpFilesize
4KB
-
memory/1008-15-0x0000000000000000-mapping.dmp
-
memory/1168-2-0x0000000000000000-mapping.dmp
-
memory/1772-3-0x000007FEF68D0000-0x000007FEF6B4A000-memory.dmpFilesize
2.5MB
-
memory/1812-14-0x0000000000000000-mapping.dmp