332aad15049a1f46eee199236e7a46c53ea04b6fe63079ad2db70839a41b3c15

General
Target:    332aad15049a1f46eee199236e7a46c53ea04b6fe63079ad2db70839a41b3c15.exe
Filesize:  1MB
Completed: 26-09-2021 12:59
Score:     10/10
MD5:       584f45058842b22805828df76bd94956
SHA1:      a343399d9313bf47be11cbd6fc063637bf8ef5fb
SHA256:    332aad15049a1f46eee199236e7a46c53ea04b6fe63079ad2db70839a41b3c15

Malware Config
Signatures 10

Tactics: Collection, Credential Access
  • Suspicious use of NtCreateProcessExOtherParentProcess
    WerFault.exe

    Reported IOCs

    description           pid  process       target process
    PID 700 created 1108  700  WerFault.exe  332aad15049a1f46eee199236e7a46c53ea04b6fe63079ad2db70839a41b3c15.exe
  • Vidar

    Description

    Vidar is an infostealer based on Arkei stealer.

  • Vidar Stealer

    Tags

    Reported IOCs

    resource                                                                       yara_rule
    behavioral1/memory/1108-115-0x00000000028C0000-0x00000000029DB000-memory.dmp  family_vidar
    behavioral1/memory/1108-116-0x0000000000400000-0x000000000057E000-memory.dmp  family_vidar
  • Downloads MZ/PE file
  • Loads dropped DLL
    332aad15049a1f46eee199236e7a46c53ea04b6fe63079ad2db70839a41b3c15.exe

    Reported IOCs

    pid   process
    1108  332aad15049a1f46eee199236e7a46c53ea04b6fe63079ad2db70839a41b3c15.exe
    1108  332aad15049a1f46eee199236e7a46c53ea04b6fe63079ad2db70839a41b3c15.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System, Credentials in Files
  • Accesses 2FA software files, possible credential harvesting

    TTPs

    Data from Local System, Credentials in Files
  • Program crash
    WerFault.exe (13 processes)

    Reported IOCs

    pid   pid_target  process       target process
    1344  1108        WerFault.exe  332aad15049a1f46eee199236e7a46c53ea04b6fe63079ad2db70839a41b3c15.exe
    1488  1108        WerFault.exe  332aad15049a1f46eee199236e7a46c53ea04b6fe63079ad2db70839a41b3c15.exe
    1672  1108        WerFault.exe  332aad15049a1f46eee199236e7a46c53ea04b6fe63079ad2db70839a41b3c15.exe
    2044  1108        WerFault.exe  332aad15049a1f46eee199236e7a46c53ea04b6fe63079ad2db70839a41b3c15.exe
    2192  1108        WerFault.exe  332aad15049a1f46eee199236e7a46c53ea04b6fe63079ad2db70839a41b3c15.exe
    2492  1108        WerFault.exe  332aad15049a1f46eee199236e7a46c53ea04b6fe63079ad2db70839a41b3c15.exe
    2616  1108        WerFault.exe  332aad15049a1f46eee199236e7a46c53ea04b6fe63079ad2db70839a41b3c15.exe
    2816  1108        WerFault.exe  332aad15049a1f46eee199236e7a46c53ea04b6fe63079ad2db70839a41b3c15.exe
    3872  1108        WerFault.exe  332aad15049a1f46eee199236e7a46c53ea04b6fe63079ad2db70839a41b3c15.exe
    4032  1108        WerFault.exe  332aad15049a1f46eee199236e7a46c53ea04b6fe63079ad2db70839a41b3c15.exe
    4060  1108        WerFault.exe  332aad15049a1f46eee199236e7a46c53ea04b6fe63079ad2db70839a41b3c15.exe
    4052  1108        WerFault.exe  332aad15049a1f46eee199236e7a46c53ea04b6fe63079ad2db70839a41b3c15.exe
    700   1108        WerFault.exe  332aad15049a1f46eee199236e7a46c53ea04b6fe63079ad2db70839a41b3c15.exe
  • Suspicious behavior: EnumeratesProcesses
    WerFault.exe (5 processes)

    Reported IOCs

    pid   process       events
    1344  WerFault.exe  13
    1488  WerFault.exe  13
    1672  WerFault.exe  13
    2044  WerFault.exe  13
    2192  WerFault.exe  12
  • Suspicious use of AdjustPrivilegeToken
    WerFault.exe (13 processes)

    Reported IOCs

    description                pid   process
    Token: SeRestorePrivilege  1344  WerFault.exe
    Token: SeBackupPrivilege   1344  WerFault.exe
    Token: SeDebugPrivilege    1344  WerFault.exe
    Token: SeDebugPrivilege    1488  WerFault.exe
    Token: SeDebugPrivilege    1672  WerFault.exe
    Token: SeDebugPrivilege    2044  WerFault.exe
    Token: SeDebugPrivilege    2192  WerFault.exe
    Token: SeDebugPrivilege    2492  WerFault.exe
    Token: SeDebugPrivilege    2616  WerFault.exe
    Token: SeDebugPrivilege    2816  WerFault.exe
    Token: SeDebugPrivilege    3872  WerFault.exe
    Token: SeDebugPrivilege    4032  WerFault.exe
    Token: SeDebugPrivilege    4060  WerFault.exe
    Token: SeDebugPrivilege    4052  WerFault.exe
    Token: SeDebugPrivilege    700   WerFault.exe
Processes 14
  • C:\Users\Admin\AppData\Local\Temp\332aad15049a1f46eee199236e7a46c53ea04b6fe63079ad2db70839a41b3c15.exe
    "C:\Users\Admin\AppData\Local\Temp\332aad15049a1f46eee199236e7a46c53ea04b6fe63079ad2db70839a41b3c15.exe"
    Loads dropped DLL
    PID:1108
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 916
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1344
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1012
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1488
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1212
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1672
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1480
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2044
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1708
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2192
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1712
      Program crash
      Suspicious use of AdjustPrivilegeToken
      PID:2492
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1624
      Program crash
      Suspicious use of AdjustPrivilegeToken
      PID:2616
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1744
      Program crash
      Suspicious use of AdjustPrivilegeToken
      PID:2816
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1664
      Program crash
      Suspicious use of AdjustPrivilegeToken
      PID:3872
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1744
      Program crash
      Suspicious use of AdjustPrivilegeToken
      PID:4032
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1720
      Program crash
      Suspicious use of AdjustPrivilegeToken
      PID:4060
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1700
      Program crash
      Suspicious use of AdjustPrivilegeToken
      PID:4052
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1624
      Suspicious use of NtCreateProcessExOtherParentProcess
      Program crash
      Suspicious use of AdjustPrivilegeToken
      PID:700
Network
MITRE ATT&CK Matrix (columns: Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation)
Downloads
  • \ProgramData\mozglue.dll
    MD5:    8f73c08a9660691143661bf7332c3c27
    SHA1:   37fa65dd737c50fda710fdbde89e51374d0c204a
    SHA256: 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
    SHA512: 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

  • \ProgramData\nss3.dll
    MD5:    bfac4e3c5908856ba17d41edcd455a51
    SHA1:   8eec7e888767aa9e4cca8ff246eb2aacb9170428
    SHA256: e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
    SHA512: 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

  • memory/1108-114-0x0000000002350000-0x0000000002351000-memory.dmp
  • memory/1108-115-0x00000000028C0000-0x00000000029DB000-memory.dmp
  • memory/1108-116-0x0000000000400000-0x000000000057E000-memory.dmp