Analysis
max time kernel: 122s
max time network: 120s
platform: windows7_x64
resource: win7-en-20210920
submitted: 11-10-2021 13:58
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Trojan.GenericKD.47151563.16203.24655.exe
Resource: win7-en-20210920
General
Target: SecuriteInfo.com.Trojan.GenericKD.47151563.16203.24655.exe
Size: 1.7MB
MD5: 2a600aaf4954388f5ad11abba8f8c351
SHA1: e5bbca4b4cb21862576dc1e214f82bc73804d9ce
SHA256: d6e566d286fae051384f3789f262e4ba76b8e92a4937285bd94f9d031cf323b9
SHA512: 828b869d71fb4979d60122d0bae72db787ece2ebab66e5c99d26bc3c263ef378b37b562d72a6d50f74e749def1c61fa6813618734ac56100728b13d46e2aa693
Malware Config
Extracted: vidar
  41.2
  921
  https://mas.to/@serg4325
  profile_id: 921
Signatures

Vidar Stealer (7 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/612-56-0x000000001BCE0000-0x000000001BDB8000-memory.dmp | family_vidar
C:\ProgramData\build.exe | family_vidar
C:\ProgramData\build.exe | family_vidar
\ProgramData\build.exe | family_vidar
\ProgramData\build.exe | family_vidar
\ProgramData\build.exe | family_vidar
\ProgramData\build.exe | family_vidar

Executes dropped EXE (1 IoC)
Processes:
pid | process
1572 | build.exe

Loads dropped DLL (4 IoCs)
Processes:
pid | process
1780 | WerFault.exe
1780 | WerFault.exe
1780 | WerFault.exe
1780 | WerFault.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
Processes:
pid | pid_target | process | target process
1780 | 1572 | WerFault.exe | build.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
pid | process
1780 | WerFault.exe
1780 | WerFault.exe
1780 | WerFault.exe
1780 | WerFault.exe
1780 | WerFault.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
pid | process
1780 | WerFault.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1780 | WerFault.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
description | pid | process | target process
PID 612 wrote to memory of 1572 | 612 | SecuriteInfo.com.Trojan.GenericKD.47151563.16203.24655.exe | build.exe
PID 612 wrote to memory of 1572 | 612 | SecuriteInfo.com.Trojan.GenericKD.47151563.16203.24655.exe | build.exe
PID 612 wrote to memory of 1572 | 612 | SecuriteInfo.com.Trojan.GenericKD.47151563.16203.24655.exe | build.exe
PID 612 wrote to memory of 1572 | 612 | SecuriteInfo.com.Trojan.GenericKD.47151563.16203.24655.exe | build.exe
PID 1572 wrote to memory of 1780 | 1572 | build.exe | WerFault.exe
PID 1572 wrote to memory of 1780 | 1572 | build.exe | WerFault.exe
PID 1572 wrote to memory of 1780 | 1572 | build.exe | WerFault.exe
PID 1572 wrote to memory of 1780 | 1572 | build.exe | WerFault.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.47151563.16203.24655.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.47151563.16203.24655.exe"
   - Suspicious use of WriteProcessMemory

2. C:\ProgramData\build.exe (child of 1)
   Command line: "C:\ProgramData\build.exe"
   - Executes dropped EXE
   - Suspicious use of WriteProcessMemory

3. C:\Windows\SysWOW64\WerFault.exe (child of 2)
   Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 868
   - Loads dropped DLL
   - Program crash
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\ProgramData\build.exe
MD5: 4c226f20e759164ee855dba5ecef2b5c
SHA1: 7c6cf378470940509c4efd48be393f892be8aba7
SHA256: 983dbf6bf813ae7444e55010427ea0ed3a3dc24dac96405c26dd6c78e95c844f
SHA512: 8a5895413b36ad3ed9e1ebcbf72163dda3f5a926226752a493ca76204cbefb9d7718858306bd20532bafc0271f6109fcde681070da49264c839f74b539e1c16d

memory/612-54-0x000000013F600000-0x000000013F601000-memory.dmp  Filesize: 4KB
memory/612-56-0x000000001BCE0000-0x000000001BDB8000-memory.dmp  Filesize: 864KB
memory/1572-57-0x0000000000000000-mapping.dmp
memory/1572-59-0x0000000075651000-0x0000000075653000-memory.dmp  Filesize: 8KB
memory/1780-60-0x0000000000000000-mapping.dmp
memory/1780-66-0x0000000000460000-0x0000000000461000-memory.dmp  Filesize: 4KB