Analysis
max time kernel: 121s
max time network: 119s
platform: windows7_x64
resource: win7-en-20210920
submitted: 12-10-2021 00:13
Static task: static1
Behavioral task: behavioral1
Sample: 5e968b323d6dc7777a4eb797c8b99ac1.exe
Resource: win7-en-20210920
General
Target: 5e968b323d6dc7777a4eb797c8b99ac1.exe
Size: 1.1MB
MD5: 5e968b323d6dc7777a4eb797c8b99ac1
SHA1: c427a514f70410dba47e5799f23bd511ce39ec14
SHA256: cdd1ac2ccf205bcc0e8fecb0b117b809fcade0fcc0eba5f6b85a5dfc88443344
SHA512: fb17586b212cfc95f0ddddda81530e3ca79c47ff5545889b77ffa8b1a555319958bf5f310a9fd8efaa23cae29cc6caaf6b1a3dc5fac8bf87249b2b2be4b74616
Malware Config
Extracted
vidar
41.3
921
https://mas.to/@oleg98
profile_id: 921
Signatures
Vidar Stealer (7 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/1324-56-0x000000001A880000-0x000000001A958000-memory.dmp | family_vidar
C:\ProgramData\build.exe | family_vidar
C:\ProgramData\build.exe | family_vidar
\ProgramData\build.exe | family_vidar
\ProgramData\build.exe | family_vidar
\ProgramData\build.exe | family_vidar
\ProgramData\build.exe | family_vidar
Executes dropped EXE (1 IoCs)
Processes:
pid | process
268 | build.exe
Loads dropped DLL (4 IoCs)
Processes:
pid | process
1396 | WerFault.exe
1396 | WerFault.exe
1396 | WerFault.exe
1396 | WerFault.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (1 IoCs)
Processes:
pid | pid_target | process | target process
1396 | 268 | WerFault.exe | build.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
pid | process
1396 | WerFault.exe
1396 | WerFault.exe
1396 | WerFault.exe
1396 | WerFault.exe
1396 | WerFault.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
pid | process
1396 | WerFault.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1396 | WerFault.exe
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
description | pid | process | target process
PID 1324 wrote to memory of 268 | 1324 | 5e968b323d6dc7777a4eb797c8b99ac1.exe | build.exe
PID 1324 wrote to memory of 268 | 1324 | 5e968b323d6dc7777a4eb797c8b99ac1.exe | build.exe
PID 1324 wrote to memory of 268 | 1324 | 5e968b323d6dc7777a4eb797c8b99ac1.exe | build.exe
PID 1324 wrote to memory of 268 | 1324 | 5e968b323d6dc7777a4eb797c8b99ac1.exe | build.exe
PID 268 wrote to memory of 1396 | 268 | build.exe | WerFault.exe
PID 268 wrote to memory of 1396 | 268 | build.exe | WerFault.exe
PID 268 wrote to memory of 1396 | 268 | build.exe | WerFault.exe
PID 268 wrote to memory of 1396 | 268 | build.exe | WerFault.exe
Processes
C:\Users\Admin\AppData\Local\Temp\5e968b323d6dc7777a4eb797c8b99ac1.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\5e968b323d6dc7777a4eb797c8b99ac1.exe"
- Suspicious use of WriteProcessMemory
    C:\ProgramData\build.exe
    Command line: "C:\ProgramData\build.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 268 -s 860
        - Loads dropped DLL
        - Program crash
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\ProgramData\build.exe
MD5: b05de2393095aedd4594b4ac3ec90f0f
SHA1: 94e9156c52103173b51dc9227539fcb77eb3e7e8
SHA256: 8cb6e86b3c198de0b0f22ed8cf40897689c6b3bfa314a45f168826f5dd8ef851
SHA512: b8ee3d265becf02a3beff19d469a74c3c6321efcc65a835c2daf0ae72878ca372884f3a12196e444b207fc1b99d4221e72111e9afa2ac9e704b5d13a2dbb1290
memory/268-57-0x0000000000000000-mapping.dmp
memory/268-59-0x0000000075661000-0x0000000075663000-memory.dmp  Filesize: 8KB
memory/1324-56-0x000000001A880000-0x000000001A958000-memory.dmp  Filesize: 864KB
memory/1324-60-0x000000001B9A0000-0x000000001B9A2000-memory.dmp  Filesize: 8KB
memory/1324-55-0x000000001C030000-0x000000001C1AA000-memory.dmp  Filesize: 1.5MB
memory/1324-53-0x000000013F0F0000-0x000000013F0F1000-memory.dmp  Filesize: 4KB
memory/1396-61-0x0000000000000000-mapping.dmp
memory/1396-67-0x0000000000380000-0x0000000000381000-memory.dmp  Filesize: 4KB