Analysis

  max time kernel:   129s
  max time network:  134s
  platform:          windows7_x64
  resource:          win7v20210408
  submitted:         13-10-2021 10:01

  Static task:       static1
  Behavioral task:   behavioral1
  Sample:            09ab0907323d5de77ebe2891813dc5d0.exe
  Resource:          win7v20210408 (windows7_x64)
  Signatures:        0 signatures
  Time:              0 seconds
General

  Target:  09ab0907323d5de77ebe2891813dc5d0.exe
  Size:    635KB
  MD5:     09ab0907323d5de77ebe2891813dc5d0
  SHA1:    edbee14a3f89d075e152013d48d8dd794d08c254
  SHA256:  152c854e0e028eaa43bef46d7375d5704cf43f2c22a0354d7757e7cf5cdc3a89
  SHA512:  1ab37e6af947694a2140c67d23b80121a23f742374c794bb47e5bae20ed46bbefb1ecf24a90d28f058140f1ccda693fdf90690c7090250c0dfa7c5bfc90269c9
Malware Config

Extracted
  Family:   vidar
  Version:  41.3
  Botnet:   1008
  C2:       https://mas.to/@oleg98

Attributes
  profile_id:  1008
Signatures

Vidar Stealer  (2 IoCs)
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1120-62-0x00000000002A0000-0x0000000000376000-memory.dmp   family_vidar
  behavioral1/memory/1120-63-0x0000000000400000-0x00000000004D9000-memory.dmp   family_vidar

Program crash  (1 IoC)
Processes:
  pid  pid_target  process       target process
  992  1120        WerFault.exe  09ab0907323d5de77ebe2891813dc5d0.exe
Modifies system certificate store  (2 IoCs)
Processes:
  Key created
    ioc:      \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13
    process:  09ab0907323d5de77ebe2891813dc5d0.exe
  Set value (data)
    ioc:      \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510
    process:  09ab0907323d5de77ebe2891813dc5d0.exe
Suspicious behavior: EnumeratesProcesses  (5 IoCs)
Processes:
  pid  process
  992  WerFault.exe
  992  WerFault.exe
  992  WerFault.exe
  992  WerFault.exe
  992  WerFault.exe

Suspicious behavior: GetForegroundWindowSpam  (1 IoC)
Processes:
  pid  process
  992  WerFault.exe

Suspicious use of AdjustPrivilegeToken  (1 IoC)
Processes:
  description              pid  process
  Token: SeDebugPrivilege  992  WerFault.exe

Suspicious use of WriteProcessMemory  (4 IoCs)
Processes:
  description                      pid   process                               target process
  PID 1120 wrote to memory of 992  1120  09ab0907323d5de77ebe2891813dc5d0.exe  WerFault.exe
  PID 1120 wrote to memory of 992  1120  09ab0907323d5de77ebe2891813dc5d0.exe  WerFault.exe
  PID 1120 wrote to memory of 992  1120  09ab0907323d5de77ebe2891813dc5d0.exe  WerFault.exe
  PID 1120 wrote to memory of 992  1120  09ab0907323d5de77ebe2891813dc5d0.exe  WerFault.exe
Processes

  C:\Users\Admin\AppData\Local\Temp\09ab0907323d5de77ebe2891813dc5d0.exe
    "C:\Users\Admin\AppData\Local\Temp\09ab0907323d5de77ebe2891813dc5d0.exe"
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1120 -s 868
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

  memory/992-64-0x0000000000000000-mapping.dmp
  memory/992-65-0x0000000000290000-0x0000000000291000-memory.dmp    Filesize 4KB
  memory/1120-60-0x0000000000958000-0x00000000009D5000-memory.dmp   Filesize 500KB
  memory/1120-61-0x0000000074D91000-0x0000000074D93000-memory.dmp   Filesize 8KB
  memory/1120-62-0x00000000002A0000-0x0000000000376000-memory.dmp   Filesize 856KB
  memory/1120-63-0x0000000000400000-0x00000000004D9000-memory.dmp   Filesize 868KB