06c4fbf231c116c64836cce06ae10e62a6af7ea566b1cf789165aaca366d03e5

General

Target: 06c4fbf231c116c64836cce06ae10e62a6af7ea566b1cf789165aaca366d03e5.exe
Filesize: 1MB
Completed: 26-09-2021 13:09
Score: 10/10
MD5: 36f245f113c0a267b3a2dd4793edcc96
SHA1: 176bf1b48bd9d6d7ac75c4e20a87ed0d2cf69e94
SHA256: 06c4fbf231c116c64836cce06ae10e62a6af7ea566b1cf789165aaca366d03e5

Malware Config

Signatures 10

Tags: Collection, Credential Access
  • Suspicious use of NtCreateProcessExOtherParentProcess
    Tagged process: WerFault.exe

    Reported IOCs

    description | pid | process | target process
    PID 4460 created 4080 | 4460 | WerFault.exe | 06c4fbf231c116c64836cce06ae10e62a6af7ea566b1cf789165aaca366d03e5.exe
  • Vidar

    Description

    Vidar is an infostealer based on Arkei stealer.

  • Vidar Stealer

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/4080-117-0x0000000000400000-0x000000000057E000-memory.dmp | family_vidar
    behavioral1/memory/4080-116-0x0000000002980000-0x0000000002A9B000-memory.dmp | family_vidar
  • Downloads MZ/PE file
  • Loads dropped DLL
    Tagged process: 06c4fbf231c116c64836cce06ae10e62a6af7ea566b1cf789165aaca366d03e5.exe

    Reported IOCs

    pid | process
    4080 | 06c4fbf231c116c64836cce06ae10e62a6af7ea566b1cf789165aaca366d03e5.exe
    4080 | 06c4fbf231c116c64836cce06ae10e62a6af7ea566b1cf789165aaca366d03e5.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

    TTPs

    Data from Local System; Credentials in Files
  • Accesses 2FA software files, possible credential harvesting

    TTPs

    Data from Local System; Credentials in Files
  • Program crash
    Tagged processes: WerFault.exe (13 instances)

    Reported IOCs

    Target process in every row: 06c4fbf231c116c64836cce06ae10e62a6af7ea566b1cf789165aaca366d03e5.exe

    pid | pid_target | process
    3556 | 4080 | WerFault.exe
    3680 | 4080 | WerFault.exe
    3684 | 4080 | WerFault.exe
    508 | 4080 | WerFault.exe
    3920 | 4080 | WerFault.exe
    4000 | 4080 | WerFault.exe
    3876 | 4080 | WerFault.exe
    764 | 4080 | WerFault.exe
    4320 | 4080 | WerFault.exe
    4208 | 4080 | WerFault.exe
    4224 | 4080 | WerFault.exe
    4392 | 4080 | WerFault.exe
    4460 | 4080 | WerFault.exe
  • Suspicious behavior: EnumeratesProcesses
    Tagged processes: WerFault.exe (5 instances)

    Reported IOCs

    pid | process | occurrences
    3556 | WerFault.exe | 14
    3680 | WerFault.exe | 14
    3684 | WerFault.exe | 14
    508 | WerFault.exe | 14
    3920 | WerFault.exe | 8
  • Suspicious use of AdjustPrivilegeToken
    Tagged processes: WerFault.exe (13 instances)

    Reported IOCs

    description | pid | process
    Token: SeRestorePrivilege | 3556 | WerFault.exe
    Token: SeBackupPrivilege | 3556 | WerFault.exe
    Token: SeDebugPrivilege | 3556 | WerFault.exe
    Token: SeDebugPrivilege | 3680 | WerFault.exe
    Token: SeDebugPrivilege | 3684 | WerFault.exe
    Token: SeDebugPrivilege | 508 | WerFault.exe
    Token: SeDebugPrivilege | 3920 | WerFault.exe
    Token: SeDebugPrivilege | 4000 | WerFault.exe
    Token: SeDebugPrivilege | 3876 | WerFault.exe
    Token: SeDebugPrivilege | 764 | WerFault.exe
    Token: SeDebugPrivilege | 4320 | WerFault.exe
    Token: SeDebugPrivilege | 4208 | WerFault.exe
    Token: SeDebugPrivilege | 4224 | WerFault.exe
    Token: SeDebugPrivilege | 4392 | WerFault.exe
    Token: SeDebugPrivilege | 4460 | WerFault.exe
Processes 14
  • C:\Users\Admin\AppData\Local\Temp\06c4fbf231c116c64836cce06ae10e62a6af7ea566b1cf789165aaca366d03e5.exe
    "C:\Users\Admin\AppData\Local\Temp\06c4fbf231c116c64836cce06ae10e62a6af7ea566b1cf789165aaca366d03e5.exe"
    Loads dropped DLL
    PID:4080
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 920
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3556
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1056
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3680
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1092
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3684
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1496
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:508
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1712
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3920
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1440
      Program crash
      Suspicious use of AdjustPrivilegeToken
      PID:4000
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1708
      Program crash
      Suspicious use of AdjustPrivilegeToken
      PID:3876
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1712
      Program crash
      Suspicious use of AdjustPrivilegeToken
      PID:764
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1832
      Program crash
      Suspicious use of AdjustPrivilegeToken
      PID:4320
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1720
      Program crash
      Suspicious use of AdjustPrivilegeToken
      PID:4208
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1468
      Program crash
      Suspicious use of AdjustPrivilegeToken
      PID:4224
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1752
      Program crash
      Suspicious use of AdjustPrivilegeToken
      PID:4392
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 1448
      Suspicious use of NtCreateProcessExOtherParentProcess
      Program crash
      Suspicious use of AdjustPrivilegeToken
      PID:4460
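All thirteen WerFault.exe instances in the tree above report on the same PID (4080, the sample), which is the pattern a hunter would want to catch in an EDR or Sysmon export. The Python below is an added example and not part of the Triage report: it rebuilds the snapshot from the report's own process tree (constructed input; the pid/ppid/image/cmdline record layout is an assumption, not an export format) and flags any process that is the -p target of repeated WerFault reports.

```python
"""Detect a process that keeps crashing into WerFault.exe (added example).
The input records are constructed from the report's process tree."""
import re
from collections import defaultdict
from dataclasses import dataclass

# WerFault.exe -u -p <faulting pid> -s <event handle>: -p names the crashed process.
WERFAULT_RE = re.compile(r"WerFault\.exe\s+-u\s+-p\s+(\d+)\s+-s\s+(\d+)", re.IGNORECASE)


@dataclass(frozen=True)
class Proc:
    """Minimal process record (assumed layout, not a Triage export format)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's "Processes 14" tree: the sample (PID 4080)
# and the thirteen WerFault.exe children it spawned, with their -s handles.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\06c4fbf231c116c64836cce06ae10e62a6af7ea566b1cf789165aaca366d03e5.exe"
WERFAULT = r"C:\Windows\SysWOW64\WerFault.exe"
_WER = [(3556, 920), (3680, 1056), (3684, 1092), (508, 1496), (3920, 1712),
        (4000, 1440), (3876, 1708), (764, 1712), (4320, 1832), (4208, 1720),
        (4224, 1468), (4392, 1752), (4460, 1448)]
PROCS = [Proc(4080, 1, SAMPLE, f'"{SAMPLE}"')] + [
    Proc(pid, 4080, WERFAULT, f"{WERFAULT} -u -p 4080 -s {handle}")
    for pid, handle in _WER
]


def wer_targets(procs):
    """Map faulting PID -> WerFault PIDs that reported it. The target is read
    from the -p argument rather than from ppid, so the mapping survives
    WerFault instances that were started under a different parent."""
    out = defaultdict(list)
    for p in procs:
        m = WERFAULT_RE.search(p.cmdline)
        if m:
            out[int(m.group(1))].append(p.pid)
    return dict(out)


def crash_loops(procs, threshold=3):
    """Findings for every process reported by >= threshold WerFault instances.
    A single crash report is routine; many reports against one PID mean the
    process stayed alive (or its PID was reused) while faulting repeatedly."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for target, reporters in wer_targets(procs).items():
        if len(reporters) >= threshold:
            proc = by_pid.get(target)
            findings.append({
                "pid": target,
                "image": proc.image if proc else "<not in snapshot>",
                "crash_reports": len(reporters),
                "werfault_pids": sorted(reporters),
            })
    return findings


if __name__ == "__main__":
    for finding in crash_loops(PROCS):
        print(finding)
```

A caveat when reading this report: a stealer that faults thirteen times in a sandbox has usually failed at some stage (for example a C2 fetch that never completed), so the behavioural signatures listed here may understate what the same sample does on a host where its infrastructure is reachable.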
Network
MITRE ATT&CK Matrix

Techniques mapped from the TTPs listed under Signatures:

Collection: Data from Local System (T1005)
Credential Access: Credentials in Files (T1552.001)

Tactics with no mapped technique in this report: Command and Control, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads

  • \ProgramData\mozglue.dll
    MD5: 8f73c08a9660691143661bf7332c3c27
    SHA1: 37fa65dd737c50fda710fdbde89e51374d0c204a
    SHA256: 3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
    SHA512: 0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
  • \ProgramData\nss3.dll
    MD5: bfac4e3c5908856ba17d41edcd455a51
    SHA1: 8eec7e888767aa9e4cca8ff246eb2aacb9170428
    SHA256: e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
    SHA512: 2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
  • memory/4080-115-0x0000000000810000-0x0000000000811000-memory.dmp
  • memory/4080-117-0x0000000000400000-0x000000000057E000-memory.dmp
  • memory/4080-116-0x0000000002980000-0x0000000002A9B000-memory.dmp
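The two DLLs written to \ProgramData are the host-side artefacts worth hunting for. The Python below is an added example, not the sandbox's code: it hashes files under a directory and reports any that match a dropped-DLL name or one of the report's hashes. It runs here against a temporary directory of constructed stand-in files; on a live host you would point scan() at C:\ProgramData.

```python
"""Hunt for the report's dropped DLLs by name and hash (added example)."""
import hashlib
import tempfile
from pathlib import Path

# MD5 / SHA-1 / SHA-256 of the two files the report saw written to \ProgramData.
REPORT_IOCS = {
    "mozglue.dll": {
        "md5": "8f73c08a9660691143661bf7332c3c27",
        "sha1": "37fa65dd737c50fda710fdbde89e51374d0c204a",
        "sha256": "3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd",
    },
    "nss3.dll": {
        "md5": "bfac4e3c5908856ba17d41edcd455a51",
        "sha1": "8eec7e888767aa9e4cca8ff246eb2aacb9170428",
        "sha256": "e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78",
    },
}
KNOWN_HASHES = {h for algs in REPORT_IOCS.values() for h in algs.values()}


def hash_file(path: Path) -> dict:
    """Stream the file once and return md5/sha1/sha256 hex digests."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def scan(root: Path, max_depth: int = 1) -> list[dict]:
    """One finding per file whose name matches a dropped-DLL name or whose
    hash matches a report IOC. max_depth=1 restricts the scan to the root of
    the directory, which is where the report saw the files land."""
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or len(path.relative_to(root).parts) > max_depth:
            continue
        digests = hash_file(path)
        name_hit = path.name.lower() in REPORT_IOCS
        hash_hit = any(h in KNOWN_HASHES for h in digests.values())
        if name_hit or hash_hit:
            findings.append({"path": str(path), "name_match": name_hit,
                             "hash_match": hash_hit, "sha256": digests["sha256"]})
    return findings


def demo(max_depth: int = 1) -> list[dict]:
    """Constructed fixture (not real samples): a stand-in nss3.dll at the root,
    an unrelated file, and a stand-in mozglue.dll one level down."""
    root = Path(tempfile.mkdtemp())
    (root / "nss3.dll").write_bytes(b"constructed stand-in, not the real library")
    (root / "readme.txt").write_bytes(b"unrelated file")
    (root / "sub").mkdir()
    (root / "sub" / "mozglue.dll").write_bytes(b"another constructed stand-in")
    return sorted(scan(root, max_depth), key=lambda f: f["path"])


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Read the results with one caveat in mind: mozglue.dll and nss3.dll are legitimate Mozilla libraries (the NSS components Firefox itself ships), which stealers of this family fetch so they can decrypt the Firefox credential store. A hash match therefore identifies a particular Firefox build's libraries rather than malicious code; the signal is the location, since those files have no business at the root of ProgramData outside a Firefox installation. A name match there is the stronger finding, and the next pivot is the process that wrote the files.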