Analysis
max time kernel: 120s
max time network: 133s
platform: windows7_x64
resource: win7-en-20210920
submitted: 13-10-2021 17:08

Static task: static1
Behavioral task: behavioral1
Sample: 9ce7a85ba3d9b83cfe600c41859b1bd1.exe
Resource: win7-en-20210920 (windows7_x64)
0 signatures
0 seconds
General
Target: 9ce7a85ba3d9b83cfe600c41859b1bd1.exe
Size: 744KB
MD5: 9ce7a85ba3d9b83cfe600c41859b1bd1
SHA1: bd1be91996a50af60298dbdb424f608e4f80a8d7
SHA256: d9b6823ca8e13b78c269c5d21e948dbab625ea87d3370d163eeabeb3822aef56
SHA512: 7aad0065d6f748fe63777dcc1fa541d049aa55434eef5b67f0ec1110b63960bb3ee43ea16d6d03aecda4ac3ae794d623a7ac22802edfe61765695fd0e268816a
Malware Config
Extracted
Family: vidar
Version: 41.3
Botnet: 1008
C2: https://mas.to/@oleg98
Attributes
profile_id: 1008
Signatures

Vidar Stealer (2 IoCs)
Processes:
resource                                                                      yara_rule
behavioral1/memory/1544-56-0x0000000000400000-0x000000000172D000-memory.dmp  family_vidar
behavioral1/memory/1544-55-0x0000000002F90000-0x0000000003066000-memory.dmp  family_vidar

Program crash (1 IoC)
Processes: WerFault.exe
pid   pid_target  process       target process
1692  1544        WerFault.exe  9ce7a85ba3d9b83cfe600c41859b1bd1.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: WerFault.exe
pid   process
1692  WerFault.exe
1692  WerFault.exe
1692  WerFault.exe
1692  WerFault.exe
1692  WerFault.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: WerFault.exe
pid   process
1692  WerFault.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: WerFault.exe
description              pid   process
Token: SeDebugPrivilege  1692  WerFault.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes: 9ce7a85ba3d9b83cfe600c41859b1bd1.exe
description                           pid   process                               target process
PID 1544 wrote to memory of 1692      1544  9ce7a85ba3d9b83cfe600c41859b1bd1.exe  WerFault.exe
PID 1544 wrote to memory of 1692      1544  9ce7a85ba3d9b83cfe600c41859b1bd1.exe  WerFault.exe
PID 1544 wrote to memory of 1692      1544  9ce7a85ba3d9b83cfe600c41859b1bd1.exe  WerFault.exe
PID 1544 wrote to memory of 1692      1544  9ce7a85ba3d9b83cfe600c41859b1bd1.exe  WerFault.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\9ce7a85ba3d9b83cfe600c41859b1bd1.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\9ce7a85ba3d9b83cfe600c41859b1bd1.exe"
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\WerFault.exe (child of 1)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 860
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
memory/1544-53-0x000000000030B000-0x0000000000388000-memory.dmp  Filesize: 500KB
memory/1544-54-0x0000000074B91000-0x0000000074B93000-memory.dmp  Filesize: 8KB
memory/1544-56-0x0000000000400000-0x000000000172D000-memory.dmp  Filesize: 19.2MB
memory/1544-55-0x0000000002F90000-0x0000000003066000-memory.dmp  Filesize: 856KB
memory/1692-57-0x0000000000000000-mapping.dmp
memory/1692-58-0x00000000003C0000-0x00000000003C1000-memory.dmp  Filesize: 4KB