Overview

overview

10

Static

static

setup_x86_...0).exe

windows7_x64

10

setup_x86_...0).exe

windows10_x64

10

setup_x86_...1).exe

windows7_x64

setup_x86_...1).exe

windows10_x64

setup_x86_...2).exe

windows7_x64

setup_x86_...2).exe

windows10_x64

10

setup_x86_...3).exe

windows7_x64

setup_x86_...3).exe

windows10_x64

10

setup_x86_...4).exe

windows7_x64

setup_x86_...4).exe

windows10_x64

10

setup_x86_...5).exe

windows7_x64

setup_x86_...5).exe

windows10_x64

10

setup_x86_...6).exe

windows7_x64

10

setup_x86_...6).exe

windows10_x64

10

setup_x86_...7).exe

windows7_x64

setup_x86_...7).exe

windows10_x64

10

setup_x86_...8).exe

windows7_x64

setup_x86_...8).exe

windows10_x64

10

setup_x86_...9).exe

windows7_x64

10

setup_x86_...9).exe

windows10_x64

10

setup_x86_...2).exe

windows7_x64

10

setup_x86_...2).exe

windows10_x64

10

setup_x86_...0).exe

windows7_x64

10

setup_x86_...0).exe

windows10_x64

10

setup_x86_...1).exe

windows7_x64

setup_x86_...1).exe

windows10_x64

10

setup_x86_...2).exe

windows7_x64

setup_x86_...2).exe

windows10_x64

10

setup_x86_...3).exe

windows7_x64

setup_x86_...3).exe

windows10_x64

10

setup_x86_...3).exe

windows7_x64

10

setup_x86_...3).exe

windows10_x64

Resubmissions

11-07-2024 05:43

240711-gej4lstgrf 10

06-09-2021 14:13

210906-rjpvrsedbm 10

08-07-2021 11:08

210708-4gztl3mwl6 10

08-07-2021 08:02

210708-klfb4qeda6 10

07-07-2021 09:39

210707-nem57xyvf2 10

06-07-2021 17:51

210706-7pcrmjy3fa 10

06-07-2021 13:45

210706-eybelwcq86 10

Analysis

  • max time kernel
    233s
  • max time network
    1808s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    02-07-2021 07:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup_x86_x64_install - копия (16).exe

Score
10/10
vidaraspackv2stealer

Malware Config

Signatures

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Vidar Stealer 1 IoCs
    stealer
  • ASPack v2.12-2.42 14 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 30 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install - копия (16).exe
    "C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install - копия (16).exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1096
      • C:\Users\Admin\AppData\Local\Temp\7zS84416AB4\setup_install.exe
        "C:\Users\Admin\AppData\Local\Temp\7zS84416AB4\setup_install.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:268
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c arnatic_1.exe
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1592
          • C:\Users\Admin\AppData\Local\Temp\7zS84416AB4\arnatic_1.exe
            arnatic_1.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Modifies system certificate store
            PID:1520
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 984
              6⤵
              • Loads dropped DLL
              • Program crash
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:608
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c arnatic_5.exe
          4⤵
            PID:1184
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c arnatic_7.exe
            4⤵
            • Loads dropped DLL
            PID:744
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c arnatic_6.exe
            4⤵
              PID:1012
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c arnatic_4.exe
              4⤵
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:436
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c arnatic_3.exe
              4⤵
                PID:1244
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c arnatic_2.exe
                4⤵
                • Loads dropped DLL
                PID:1548
        • C:\Users\Admin\AppData\Local\Temp\7zS84416AB4\arnatic_2.exe
          arnatic_2.exe
          1⤵
          • Executes dropped EXE
          PID:1840
        • C:\Users\Admin\AppData\Local\Temp\7zS84416AB4\arnatic_7.exe
          arnatic_7.exe
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:956
        • C:\Users\Admin\AppData\Local\Temp\7zS84416AB4\arnatic_4.exe
          arnatic_4.exe
          1⤵
          • Executes dropped EXE
          PID:1660

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/268-103-0x0000000064940000-0x0000000064959000-memory.dmp

          Filesize

          100KB

          Download

        • memory/268-108-0x0000000064940000-0x0000000064959000-memory.dmp

          Filesize

          100KB

          Download

        • memory/268-139-0x000000006B280000-0x000000006B2A6000-memory.dmp

          Filesize

          152KB

          Download

        • memory/268-90-0x000000006FE40000-0x000000006FFC6000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/268-135-0x000000006FE40000-0x000000006FFC6000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/268-126-0x000000006B440000-0x000000006B4CF000-memory.dmp

          Filesize

          572KB

          Download

        • memory/268-91-0x000000006B280000-0x000000006B2A6000-memory.dmp

          Filesize

          152KB

          Download

        • memory/268-123-0x0000000064940000-0x0000000064959000-memory.dmp

          Filesize

          100KB

          Download

        • memory/268-89-0x000000006B440000-0x000000006B4CF000-memory.dmp

          Filesize

          572KB

          Download

        • memory/268-115-0x0000000064940000-0x0000000064959000-memory.dmp

          Filesize

          100KB

          Download

        • memory/268-92-0x0000000000400000-0x000000000051E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/268-140-0x0000000000400000-0x000000000051E000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/956-145-0x00000000011C0000-0x00000000011C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1520-147-0x0000000000E80000-0x0000000000F1D000-memory.dmp

          Filesize

          628KB

          Download

        • memory/1668-60-0x0000000075B31000-0x0000000075B33000-memory.dmp

          Filesize

          8KB

          Download