Analysis
- max time kernel: 142s
- max time network: 153s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 11-10-2021 13:58
- Static task: static1
- Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Trojan.GenericKD.47151563.16203.24655.exe
- Resource: win7-en-20210920
General
- Target: SecuriteInfo.com.Trojan.GenericKD.47151563.16203.24655.exe
- Size: 1.7MB
- MD5: 2a600aaf4954388f5ad11abba8f8c351
- SHA1: e5bbca4b4cb21862576dc1e214f82bc73804d9ce
- SHA256: d6e566d286fae051384f3789f262e4ba76b8e92a4937285bd94f9d031cf323b9
- SHA512: 828b869d71fb4979d60122d0bae72db787ece2ebab66e5c99d26bc3c263ef378b37b562d72a6d50f74e749def1c61fa6813618734ac56100728b13d46e2aa693
Malware Config
Extracted
- vidar
- 41.2
- 921
- https://mas.to/@serg4325
- profile_id 921
Signatures
- Vidar Stealer (3 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/632-116-0x00000000035A0000-0x0000000003678000-memory.dmp | family_vidar
  C:\ProgramData\build.exe | family_vidar
  C:\ProgramData\build.exe | family_vidar
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  3284 | build.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  Processes:
  pid | pid_target | process | target process
  2072 | 3284 | WerFault.exe | build.exe
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  Processes:
  pid | process
  2072 | WerFault.exe (the same entry is listed 13 times)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description | pid | process
  Token: SeRestorePrivilege | 2072 | WerFault.exe
  Token: SeBackupPrivilege | 2072 | WerFault.exe
  Token: SeDebugPrivilege | 2072 | WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description | pid | process | target process
  PID 632 wrote to memory of 3284 | 632 | SecuriteInfo.com.Trojan.GenericKD.47151563.16203.24655.exe | build.exe
  PID 632 wrote to memory of 3284 | 632 | SecuriteInfo.com.Trojan.GenericKD.47151563.16203.24655.exe | build.exe
  PID 632 wrote to memory of 3284 | 632 | SecuriteInfo.com.Trojan.GenericKD.47151563.16203.24655.exe | build.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.47151563.16203.24655.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.47151563.16203.24655.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\build.exe
      Command line: "C:\ProgramData\build.exe"
      - Executes dropped EXE
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3284 -s 2144
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\build.exe
  MD5: 4c226f20e759164ee855dba5ecef2b5c
  SHA1: 7c6cf378470940509c4efd48be393f892be8aba7
  SHA256: 983dbf6bf813ae7444e55010427ea0ed3a3dc24dac96405c26dd6c78e95c844f
  SHA512: 8a5895413b36ad3ed9e1ebcbf72163dda3f5a926226752a493ca76204cbefb9d7718858306bd20532bafc0271f6109fcde681070da49264c839f74b539e1c16d
- memory/632-114-0x0000000000920000-0x0000000000921000-memory.dmp
  Filesize: 4KB
- memory/632-116-0x00000000035A0000-0x0000000003678000-memory.dmp
  Filesize: 864KB
- memory/3284-117-0x0000000000000000-mapping.dmp