Analysis
max time kernel: 128s
max time network: 126s
platform: windows7_x64
resource: win7-en-20210920
submitted: 13-10-2021 09:33
Static task: static1
Behavioral task: behavioral1
Sample: a1d952bac582c5d5f44c6f0ff09ebedd.exe
Resource: win7-en-20210920 (windows7_x64)
0 signatures
0 seconds
General
Target: a1d952bac582c5d5f44c6f0ff09ebedd.exe
Size: 744KB
MD5: a1d952bac582c5d5f44c6f0ff09ebedd
SHA1: 4dced96e35ea074c01e6bd4c5b8fc3c881c695e7
SHA256: 2692f4594cebfa3afca882274dc1432fea1ccbc7d3f37db3e15059722db1d97b
SHA512: 6bfc2f1ff5ded10c0dc355757fcca092b0388c9cce11e725cb5c77a0dae11ab1b004dd42b11d90d468cf09c23d1db5e70b9afc3112ebe1727b401af871516e48
Malware Config
Extracted
Family: vidar
Version: 41.3
Botnet: 1008
C2: https://mas.to/@oleg98
Attributes
profile_id: 1008
Signatures

Vidar Stealer (2 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/1368-56-0x0000000002F10000-0x0000000002FE6000-memory.dmp | family_vidar
behavioral1/memory/1368-57-0x0000000000400000-0x000000000172D000-memory.dmp | family_vidar
Program crash (1 IoC)
Processes:
pid | pid_target | process | target process
1812 | 1368 | WerFault.exe | a1d952bac582c5d5f44c6f0ff09ebedd.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
pid | process
1812 | WerFault.exe
1812 | WerFault.exe
1812 | WerFault.exe
1812 | WerFault.exe
1812 | WerFault.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
pid | process
1812 | WerFault.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1812 | WerFault.exe
Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
description | pid | process | target process
PID 1368 wrote to memory of 1812 | 1368 | a1d952bac582c5d5f44c6f0ff09ebedd.exe | WerFault.exe
PID 1368 wrote to memory of 1812 | 1368 | a1d952bac582c5d5f44c6f0ff09ebedd.exe | WerFault.exe
PID 1368 wrote to memory of 1812 | 1368 | a1d952bac582c5d5f44c6f0ff09ebedd.exe | WerFault.exe
PID 1368 wrote to memory of 1812 | 1368 | a1d952bac582c5d5f44c6f0ff09ebedd.exe | WerFault.exe
Processes
C:\Users\Admin\AppData\Local\Temp\a1d952bac582c5d5f44c6f0ff09ebedd.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a1d952bac582c5d5f44c6f0ff09ebedd.exe"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WerFault.exe (depth 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 872
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
memory/1368-54-0x000000000030B000-0x0000000000388000-memory.dmp (Filesize: 500KB)
memory/1368-55-0x00000000768C1000-0x00000000768C3000-memory.dmp (Filesize: 8KB)
memory/1368-56-0x0000000002F10000-0x0000000002FE6000-memory.dmp (Filesize: 856KB)
memory/1368-57-0x0000000000400000-0x000000000172D000-memory.dmp (Filesize: 19.2MB)
memory/1812-58-0x0000000000000000-mapping.dmp
memory/1812-59-0x0000000000990000-0x0000000000991000-memory.dmp (Filesize: 4KB)