Analysis

- max time kernel: 87s
- max time network: 148s
- platform: windows10_x64
- resource: win10-en
- submitted: 08-09-2021 07:58

- Static task: static1
- Behavioral task: behavioral1 (sample: file5.exe, resource: win7-en)
- Behavioral task: behavioral2 (sample: file5.exe, resource: win10-en)
General

- Target: file5.exe
- Size: 1.7MB
- MD5: a70b82151e35e0ff675745edeba1143f
- SHA1: 5e7e466b04782a33ade1c85bd5d18f2c181e2e28
- SHA256: ff4304e357cb5bfd79bb6f3b573298bdc348a19ba5fbb5250e54218e33a36593
- SHA512: f08038d4d1361acd3cfc983f12fab55390fc85970fda13709915a4d277a20d24dee14782ed571dbaf6bd9440500428167c607d9852d7071788edca593e741cf0
Malware Config

Extracted:
- Family: vidar
- Version: 40.5
- Botnet: 921
- C2: https://gheorghip.tumblr.com/
- profile_id: 921
Signatures

- Vidar Stealer (1 IoC)
  Resource: behavioral2/memory/1004-136-0x0000000000400000-0x00000000004D5000-memory.dmp, YARA rule: family_vidar
- Downloads MZ/PE file
- Executes dropped EXE (3 IoCs)
  PID 4044 Mie.exe.com; PID 4284 Mie.exe.com; PID 1004 ipconfig.exe
- Drops startup file (1 IoC)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SFlSzEoGMT.url (process: Mie.exe.com)
- Loads dropped DLL (2 IoCs)
  PID 1004 ipconfig.exe (2 hits)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (process: file5.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process: file5.exe)
- Suspicious use of SetThreadContext (1 IoC)
  PID 4284 Mie.exe.com set thread context of PID 1004 ipconfig.exe
- Program crash (1 IoC)
  PID 1040 WerFault.exe, target PID 1004 ipconfig.exe
- Gathers network information (2 TTPs, 1 IoC)
  Uses commandline utility to view network configuration.
  PID 1004 ipconfig.exe
- Modifies system certificate store
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 (process: ipconfig.exe)
  Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = <certificate blob omitted> (process: ipconfig.exe)
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious behavior: EnumeratesProcesses (21 IoCs)
  PID 1004 ipconfig.exe (6 hits); PID 1040 WerFault.exe (15 hits)
- Suspicious behavior: MapViewOfSection (1 IoC)
  PID 4284 Mie.exe.com
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  PID 1040 WerFault.exe: SeRestorePrivilege, SeBackupPrivilege, SeDebugPrivilege
- Suspicious use of FindShellTrayWindow (6 IoCs)
  PID 4044 Mie.exe.com (3 hits); PID 4284 Mie.exe.com (3 hits)
- Suspicious use of SendNotifyMessage (6 IoCs)
  PID 4044 Mie.exe.com (3 hits); PID 4284 Mie.exe.com (3 hits)
- Suspicious use of WriteProcessMemory (25 IoCs)
  PID 4720 file5.exe wrote to memory of PID 3004 dllhost.exe (3 hits)
  PID 4720 file5.exe wrote to memory of PID 744 cmd.exe (3 hits)
  PID 744 cmd.exe wrote to memory of PID 3240 cmd.exe (3 hits)
  PID 3240 cmd.exe wrote to memory of PID 4052 findstr.exe (3 hits)
  PID 3240 cmd.exe wrote to memory of PID 4044 Mie.exe.com (3 hits)
  PID 3240 cmd.exe wrote to memory of PID 4352 PING.EXE (3 hits)
  PID 4044 Mie.exe.com wrote to memory of PID 4284 Mie.exe.com (3 hits)
  PID 4284 Mie.exe.com wrote to memory of PID 1004 ipconfig.exe (4 hits)
Processes

- C:\Users\Admin\AppData\Local\Temp\file5.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file5.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\dllhost.exe
    Command line: dllhost.exe
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c cmd < Col.aif
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: cmd
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\findstr.exe
        Command line: findstr /V /R "^UhYfGpTuZrzSdFeMeNaCLTnviEufMXMBGeXCcrpOPaOzqZuKoyxOwRoqPBiweDxedSkhHmsZEDNattvoncuHDYmPUWNUViMkYMeiOSrJOcpnrPVKtZDGvNnaaczLMvrvRBxaegxFabToO$" Conquista.aif
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mie.exe.com
        Command line: Mie.exe.com E
        - Executes dropped EXE
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mie.exe.com
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Mie.exe.com E
          - Executes dropped EXE
          - Drops startup file
          - Suspicious use of SetThreadContext
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SendNotifyMessage
          - Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ipconfig.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ipconfig.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Gathers network information
            - Modifies system certificate store
            - Suspicious behavior: EnumeratesProcesses
            - C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1004 -s 1624
              - Program crash
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\PING.EXE
        Command line: ping localhost
        - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads