Analysis
- max time kernel: 122s
- max time network: 140s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 12-10-2021 00:13
Static task: static1
Behavioral task: behavioral1
Sample: 5e968b323d6dc7777a4eb797c8b99ac1.exe
Resource: win7-en-20210920
General
- Target: 5e968b323d6dc7777a4eb797c8b99ac1.exe
- Size: 1.1MB
- MD5: 5e968b323d6dc7777a4eb797c8b99ac1
- SHA1: c427a514f70410dba47e5799f23bd511ce39ec14
- SHA256: cdd1ac2ccf205bcc0e8fecb0b117b809fcade0fcc0eba5f6b85a5dfc88443344
- SHA512: fb17586b212cfc95f0ddddda81530e3ca79c47ff5545889b77ffa8b1a555319958bf5f310a9fd8efaa23cae29cc6caaf6b1a3dc5fac8bf87249b2b2be4b74616
Malware Config
Extracted
- Family: vidar
- Version: 41.3
- Botnet: 921
- C2: https://mas.to/@oleg98
- Attributes: profile_id = 921
Signatures
-
Vidar Stealer (3 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/2072-118-0x00000000019B0000-0x0000000001A88000-memory.dmp | family_vidar
C:\ProgramData\build.exe | family_vidar
C:\ProgramData\build.exe | family_vidar
-
Executes dropped EXE (1 IoC)
Processes:
pid | process
2036 | build.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash (1 IoC)
Processes:
pid | pid_target | process | target process
8 | 2036 | WerFault.exe | build.exe
-
Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes:
pid | process
8 | WerFault.exe (12 identical entries)
-
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
description | pid | process
Token: SeRestorePrivilege | 8 | WerFault.exe
Token: SeBackupPrivilege | 8 | WerFault.exe
Token: SeDebugPrivilege | 8 | WerFault.exe
-
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
description | pid | process | target process
PID 2072 wrote to memory of 2036 | 2072 | 5e968b323d6dc7777a4eb797c8b99ac1.exe | build.exe
PID 2072 wrote to memory of 2036 | 2072 | 5e968b323d6dc7777a4eb797c8b99ac1.exe | build.exe
PID 2072 wrote to memory of 2036 | 2072 | 5e968b323d6dc7777a4eb797c8b99ac1.exe | build.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\5e968b323d6dc7777a4eb797c8b99ac1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5e968b323d6dc7777a4eb797c8b99ac1.exe"
   - Suspicious use of WriteProcessMemory
   -
   2. C:\ProgramData\build.exe
      Command line: "C:\ProgramData\build.exe"
      - Executes dropped EXE
      -
      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2036 -s 1180
         - Program crash
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\ProgramData\build.exe
MD5: b05de2393095aedd4594b4ac3ec90f0f
SHA1: 94e9156c52103173b51dc9227539fcb77eb3e7e8
SHA256: 8cb6e86b3c198de0b0f22ed8cf40897689c6b3bfa314a45f168826f5dd8ef851
SHA512: b8ee3d265becf02a3beff19d469a74c3c6321efcc65a835c2daf0ae72878ca372884f3a12196e444b207fc1b99d4221e72111e9afa2ac9e704b5d13a2dbb1290
-
memory/2036-119-0x0000000000000000-mapping.dmp
-
memory/2072-115-0x00000000006D0000-0x00000000006D1000-memory.dmp
Filesize: 4KB
-
memory/2072-117-0x000000001C890000-0x000000001CA0A000-memory.dmp
Filesize: 1.5MB
-
memory/2072-118-0x00000000019B0000-0x0000000001A88000-memory.dmp
Filesize: 864KB
-
memory/2072-122-0x000000001C480000-0x000000001C482000-memory.dmp
Filesize: 8KB