edf92788696e59151889169f242d7fd98248395e6ccac73dd81ae48386696bc9

General
Target

edf92788696e59151889169f242d7fd98248395e6ccac73dd81ae48386696bc9.exe

Filesize

1MB

Completed

26-09-2021 12:50

Score
10 /10
MD5

4fed0d390427e53295cf532514492cb1

SHA1

b67f762ffd055ca63d43771f9c1c26529457dd75

SHA256

edf92788696e59151889169f242d7fd98248395e6ccac73dd81ae48386696bc9

Malware Config
Signatures 10

  • Suspicious use of NtCreateProcessExOtherParentProcess
    WerFault.exe

    The only process tripping this signature is WerFault.exe, not the sample. Windows Error Reporting starts WerFault.exe with the faulting process assigned as its parent, which routinely trips parent-process-mismatch heuristics; read this hit together with the Program crash entries below rather than as parent-PID spoofing by the stealer.

    Reported IOCs

    description            pid   process       target process
    PID 3888 created 2352  3888  WerFault.exe  edf92788696e59151889169f242d7fd98248395e6ccac73dd81ae48386696bc9.exe
  • Vidar

    Description

    Vidar is an infostealer based on Arkei stealer.

  • Vidar Stealer

    Reported IOCs

    resource                                                                      yara_rule
    behavioral1/memory/2352-116-0x0000000002990000-0x0000000002AAB000-memory.dmp  family_vidar
    behavioral1/memory/2352-117-0x0000000000400000-0x000000000057E000-memory.dmp  family_vidar
  • Downloads MZ/PE file
  • Loads dropped DLL
    edf92788696e59151889169f242d7fd98248395e6ccac73dd81ae48386696bc9.exe

    Reported IOCs (two load events)

    pid   process
    2352  edf92788696e59151889169f242d7fd98248395e6ccac73dd81ae48386696bc9.exe
    2352  edf92788696e59151889169f242d7fd98248395e6ccac73dd81ae48386696bc9.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers commonly target stored browser profile data, which can include saved credentials, cookies and other session material.

    TTPs

    Data from Local System (T1005), Credentials in Files (T1552.001)
  • Accesses 2FA software files, possible credential harvesting

    TTPs

    Data from Local System (T1005), Credentials in Files (T1552.001)
  • Program crash
    WerFault.exe (13 instances, all for PID 2352)

    Windows Error Reporting was invoked thirteen times for the sample process during the run; every WerFault.exe command line in the process tree below carries "-p 2352". The Vidar YARA hits and browser-data reads were still recorded for PID 2352, so the crash loop did not prevent the stealer logic from executing.

    Reported IOCs

    pid   pid_target  process       target process
    2688  2352        WerFault.exe  edf92788696e59151889169f242d7fd98248395e6ccac73dd81ae48386696bc9.exe
    3700  2352        WerFault.exe  edf92788696e59151889169f242d7fd98248395e6ccac73dd81ae48386696bc9.exe
    3092  2352        WerFault.exe  edf92788696e59151889169f242d7fd98248395e6ccac73dd81ae48386696bc9.exe
    352   2352        WerFault.exe  edf92788696e59151889169f242d7fd98248395e6ccac73dd81ae48386696bc9.exe
    2220  2352        WerFault.exe  edf92788696e59151889169f242d7fd98248395e6ccac73dd81ae48386696bc9.exe
    3708  2352        WerFault.exe  edf92788696e59151889169f242d7fd98248395e6ccac73dd81ae48386696bc9.exe
    1356  2352        WerFault.exe  edf92788696e59151889169f242d7fd98248395e6ccac73dd81ae48386696bc9.exe
    4008  2352        WerFault.exe  edf92788696e59151889169f242d7fd98248395e6ccac73dd81ae48386696bc9.exe
    1040  2352        WerFault.exe  edf92788696e59151889169f242d7fd98248395e6ccac73dd81ae48386696bc9.exe
    1104  2352        WerFault.exe  edf92788696e59151889169f242d7fd98248395e6ccac73dd81ae48386696bc9.exe
    2844  2352        WerFault.exe  edf92788696e59151889169f242d7fd98248395e6ccac73dd81ae48386696bc9.exe
    900   2352        WerFault.exe  edf92788696e59151889169f242d7fd98248395e6ccac73dd81ae48386696bc9.exe
    3888  2352        WerFault.exe  edf92788696e59151889169f242d7fd98248395e6ccac73dd81ae48386696bc9.exe
  • Suspicious behavior: EnumeratesProcesses
    WerFault.exe (5 instances)

    Reported IOCs (identical rows collapsed; count is the number of enumeration calls recorded)

    pid   process       count
    2688  WerFault.exe  14
    3700  WerFault.exe  14
    3092  WerFault.exe  14
    352   WerFault.exe  14
    2220  WerFault.exe  8
  • Suspicious use of AdjustPrivilegeToken
    WerFault.exe (13 instances)

    Every token adjustment here is made by WerFault.exe, which enables SeDebugPrivilege (and, for the first instance, SeRestorePrivilege and SeBackupPrivilege) to open the faulting process and write its dump. This is expected crash-handling behaviour, not privilege escalation by the sample.

    Reported IOCs

    description                pid   process
    Token: SeRestorePrivilege  2688  WerFault.exe
    Token: SeBackupPrivilege   2688  WerFault.exe
    Token: SeDebugPrivilege    2688  WerFault.exe
    Token: SeDebugPrivilege    3700  WerFault.exe
    Token: SeDebugPrivilege    3092  WerFault.exe
    Token: SeDebugPrivilege    352   WerFault.exe
    Token: SeDebugPrivilege    2220  WerFault.exe
    Token: SeDebugPrivilege    3708  WerFault.exe
    Token: SeDebugPrivilege    1356  WerFault.exe
    Token: SeDebugPrivilege    4008  WerFault.exe
    Token: SeDebugPrivilege    1040  WerFault.exe
    Token: SeDebugPrivilege    1104  WerFault.exe
    Token: SeDebugPrivilege    2844  WerFault.exe
    Token: SeDebugPrivilege    900   WerFault.exe
    Token: SeDebugPrivilege    3888  WerFault.exe
Processes 14
  • C:\Users\Admin\AppData\Local\Temp\edf92788696e59151889169f242d7fd98248395e6ccac73dd81ae48386696bc9.exe
    "C:\Users\Admin\AppData\Local\Temp\edf92788696e59151889169f242d7fd98248395e6ccac73dd81ae48386696bc9.exe"
    Loads dropped DLL
    PID:2352
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 956
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2688
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 1056
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3700
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 1076
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3092
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 1492
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:352
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 1712
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2220
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 1672
      Program crash
      Suspicious use of AdjustPrivilegeToken
      PID:3708
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 1484
      Program crash
      Suspicious use of AdjustPrivilegeToken
      PID:1356
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 1800
      Program crash
      Suspicious use of AdjustPrivilegeToken
      PID:4008
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 1840
      Program crash
      Suspicious use of AdjustPrivilegeToken
      PID:1040
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 1712
      Program crash
      Suspicious use of AdjustPrivilegeToken
      PID:1104
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 1820
      Program crash
      Suspicious use of AdjustPrivilegeToken
      PID:2844
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 1732
      Program crash
      Suspicious use of AdjustPrivilegeToken
      PID:900
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 1876
      Suspicious use of NtCreateProcessExOtherParentProcess
      Program crash
      Suspicious use of AdjustPrivilegeToken
      PID:3888
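The process tree above has two properties worth turning into detection logic: a binary in the user's Temp directory for which WerFault.exe is launched over and over (every command line carries "-u -p 2352"), and Mozilla NSS libraries loaded from \ProgramData rather than from a Mozilla install directory. The script below is an added example, not the sandbox's output or any vendor's rule; it runs both heuristics over constructed, Sysmon-style event records that mirror the PIDs, paths and "-s" values in this report, plus one benign Firefox event as a control. The event schema, the user-writable path pattern and the alert threshold are assumptions for illustration.

```python
import ntpath
import re
from collections import Counter

# Constructed, Sysmon-style events modelled on the process tree in the report
# (not the sandbox's own output). kind "proc" = process creation,
# kind "load" = a DLL loaded into a process.
SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\edf92788696e59151889169f242d7fd98248395e6ccac73dd81ae48386696bc9.exe")
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"  # benign control, assumed path

SAMPLE_EVENTS = [
    {"kind": "proc", "pid": 2352, "image": SAMPLE_EXE, "cmdline": f'"{SAMPLE_EXE}"'},
    {"kind": "load", "pid": 2352, "image": SAMPLE_EXE, "loaded": r"C:\ProgramData\mozglue.dll"},
    {"kind": "load", "pid": 2352, "image": SAMPLE_EXE, "loaded": r"C:\ProgramData\nss3.dll"},
    # Control: Firefox loading its own nss3.dll from its install directory must not alert.
    {"kind": "proc", "pid": 4100, "image": FIREFOX, "cmdline": f'"{FIREFOX}"'},
    {"kind": "load", "pid": 4100, "image": FIREFOX,
     "loaded": r"C:\Program Files\Mozilla Firefox\nss3.dll"},
]
# The thirteen WerFault.exe launches from the report (PIDs and -s values as listed).
_WERFAULT_RUNS = [(2688, 956), (3700, 1056), (3092, 1076), (352, 1492), (2220, 1712),
                  (3708, 1672), (1356, 1484), (4008, 1800), (1040, 1840), (1104, 1712),
                  (2844, 1820), (900, 1732), (3888, 1876)]
for _pid, _s in _WERFAULT_RUNS:
    SAMPLE_EVENTS.append({"kind": "proc", "pid": _pid, "image": WERFAULT,
                          "cmdline": f"{WERFAULT} -u -p 2352 -s {_s}"})

# "-p <pid>" on a WerFault.exe command line names the faulting process.
WERFAULT_RE = re.compile(r"werfault\.exe\s+-u\s+-p\s+(\d+)", re.IGNORECASE)
# Assumed set of user-writable roots: \ProgramData and any user's AppData tree.
USER_WRITABLE_RE = re.compile(r"^[A-Z]:\\(ProgramData|Users\\[^\\]+\\AppData)\\", re.IGNORECASE)
# The NSS libraries this sample staged under \ProgramData; extend as needed.
MOZILLA_HELPER_DLLS = {"nss3.dll", "mozglue.dll"}


def werfault_targets(events):
    """Count WerFault.exe launches per faulting PID, taken from the -p argument."""
    counts = Counter()
    for e in events:
        if e["kind"] != "proc" or ntpath.basename(e["image"]).lower() != "werfault.exe":
            continue
        m = WERFAULT_RE.search(e["cmdline"])
        if m:
            counts[int(m.group(1))] += 1
    return dict(counts)


def crash_loop_alerts(events, threshold=3):
    """Flag a process living in a user-writable path for which WER was invoked
    at least `threshold` times: a crash loop of a freshly dropped binary."""
    image_by_pid = {e["pid"]: e["image"] for e in events if e["kind"] == "proc"}
    alerts = []
    for target, n in werfault_targets(events).items():
        image = image_by_pid.get(target, "<unknown>")
        if n >= threshold and USER_WRITABLE_RE.match(image):
            alerts.append(f"pid {target}: WerFault invoked {n} times for {image}")
    return alerts


def mozilla_dll_alerts(events):
    """Flag NSS/mozglue libraries loaded from a user-writable location.
    Firefox loading them from its own install directory is left alone."""
    alerts = []
    for e in events:
        if e["kind"] != "load":
            continue
        name = ntpath.basename(e["loaded"]).lower()
        if name in MOZILLA_HELPER_DLLS and USER_WRITABLE_RE.match(e["loaded"]):
            alerts.append(f"pid {e['pid']}: {ntpath.basename(e['image'])} loaded {e['loaded']}")
    return alerts


if __name__ == "__main__":
    for line in crash_loop_alerts(SAMPLE_EVENTS) + mozilla_dll_alerts(SAMPLE_EVENTS):
        print(line)
```

The crash-loop rule keys on the faulting PID from WerFault's own command line instead of on parent-child links, so it still works when WerFault is reparented under the faulting process, which is exactly what trips the NtCreateProcessExOtherParentProcess signature above. The DLL rule deliberately matches on location, not on hash: the same nss3.dll is legitimate inside a Mozilla install directory.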
Network

MITRE ATT&CK Matrix
Tactics observed: Collection, Credential Access

Downloads
  Both DLLs are written to \ProgramData, a user-writable directory, and then loaded by the sample (see "Loads dropped DLL"). mozglue.dll and nss3.dll are Mozilla NSS runtime libraries; staging them this way is consistent with Vidar's documented use of NSS to read Firefox credential stores, which matches the "Reads user/profile data of web browsers" hit above. Treat the hashes below as indicators of the staging behaviour, not as malware signatures: the same files are expected inside a Mozilla install directory, so the path and the loading process are what make them suspicious.

  • \ProgramData\mozglue.dll
    MD5     8f73c08a9660691143661bf7332c3c27
    SHA1    37fa65dd737c50fda710fdbde89e51374d0c204a
    SHA256  3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
    SHA512  0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

  • \ProgramData\nss3.dll
    MD5     bfac4e3c5908856ba17d41edcd455a51
    SHA1    8eec7e888767aa9e4cca8ff246eb2aacb9170428
    SHA256  e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
    SHA512  2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

  • memory/2352-115-0x00000000008D0000-0x00000000008D1000-memory.dmp
  • memory/2352-116-0x0000000002990000-0x0000000002AAB000-memory.dmp
  • memory/2352-117-0x0000000000400000-0x000000000057E000-memory.dmp
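A practical use of the hashes on this page is a host sweep that distinguishes the sample itself (a hash match is decisive) from the staged DLLs (a hash match, or even just the file name, matters only in a user-writable directory). The script below is an added example and not part of the report; the SHA256 values are copied from the report, while the verdict labels, the writable-path markers and the assumption that these DLL hashes correspond to stock Mozilla builds are illustrative choices not stated by the page.

```python
import hashlib
import os

# SHA256 values from the report. The DLL entries are filed as "helper" because
# the page does not claim they are malicious files in themselves; the staging
# location under \ProgramData is the indicator (assumption: stock NSS builds).
IOCS = {
    "edf92788696e59151889169f242d7fd98248395e6ccac73dd81ae48386696bc9":
        ("malicious", "Vidar sample"),
    "3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd":
        ("helper", "mozglue.dll staged by Vidar"),
    "e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78":
        ("helper", "nss3.dll staged by Vidar"),
}
HELPER_NAMES = {"nss3.dll", "mozglue.dll"}
# Assumed markers for user-writable locations where no Mozilla product installs NSS.
WRITABLE_MARKERS = ("\\programdata\\", "\\appdata\\")
ALGOS = ("md5", "sha1", "sha256", "sha512")


def hash_bytes(data):
    """Digest an in-memory buffer with every algorithm the report lists."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGOS}


def hash_file(path, chunk=1 << 20):
    """Stream a file through all four digests at once (one read pass)."""
    hs = {name: hashlib.new(name) for name in ALGOS}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hs.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hs.items()}


def classify(path, digests, iocs=IOCS):
    """Return (verdict, reason). A sample hash match is decisive; a helper DLL
    (by hash or by name) only counts when it sits in a user-writable directory."""
    match = iocs.get(digests["sha256"])
    lower = path.lower().replace("/", "\\")
    name = lower.rsplit("\\", 1)[-1]
    in_writable = any(m in lower for m in WRITABLE_MARKERS)
    if match and match[0] == "malicious":
        return match
    if (match or name in HELPER_NAMES) and in_writable:
        return ("suspicious", f"{name} in a user-writable directory")
    if match:
        return ("benign", f"{match[1]} hash, but outside user-writable paths")
    return ("clean", "")


def sweep(root, iocs=IOCS):
    """Walk `root`, hash every readable file and return the non-clean findings."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            try:
                verdict, reason = classify(p, hash_file(p), iocs)
            except OSError:
                continue  # unreadable or vanished file: skip, do not abort the sweep
            if verdict != "clean":
                hits.append((p, verdict, reason))
    return hits


if __name__ == "__main__":
    import sys
    for p, verdict, reason in sweep(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{verdict:10} {p}  {reason}")
```

Run it as `python sweep.py C:\ProgramData` on a suspect host. Keying the decisive verdict on SHA256 alone avoids relying on MD5 or SHA1, which are listed on the page for cross-referencing other feeds but should not be the sole basis for a match.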