Analysis
-
max time kernel
124s -
max time network
159s -
platform
windows10_x64 -
resource
win10-en-20210920 -
submitted
15-10-2021 22:31
General
-
Target
92b1cc02d037151eecedb276cee54e94ffcb6fb748d0c8a86c8f10522fef9fb5.exe
-
Size
727KB
-
MD5
687ce85a38cc8ca331e63a87a3c5cb9e
-
SHA1
70da69b8fe9adbafbbccd38da2e71dd7121e9108
-
SHA256
92b1cc02d037151eecedb276cee54e94ffcb6fb748d0c8a86c8f10522fef9fb5
-
SHA512
92808823a009e5599d742d0fb522c3db732e35d05fb3a287871a43bbebed8284aa2a60ef574c46a65b0af67a662dea2d7c772a5d0890876336b773b95dbd9cdc
Malware Config
Extracted
vidar
41.4
1008
https://mas.to/@sslam
-
profile_id
1008
Signatures
-
ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Vidar Stealer 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Loads dropped DLL 2 IoCs
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry key 1 TTPs 1 IoCs
-
NTFS ADS 4 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 37 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\92b1cc02d037151eecedb276cee54e94ffcb6fb748d0c8a86c8f10522fef9fb5.exe"C:\Users\Admin\AppData\Local\Temp\92b1cc02d037151eecedb276cee54e94ffcb6fb748d0c8a86c8f10522fef9fb5.exe"1⤵
- Loads dropped DLL
- Checks processor information in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\UWQP7K70EYNJMAB6.exe"C:\ProgramData\UWQP7K70EYNJMAB6.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'4⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\m5z3opnl\m5z3opnl.cmdline"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB571.tmp" "c:\Users\Admin\AppData\Local\Temp\m5z3opnl\CSCF5AFECB2F38B4FD8807DE6863923A1DA.TMP"6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f5⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f5⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f5⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c net start rdpdr6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet start rdpdr7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start rdpdr8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c net start TermService6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet start TermService7⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start TermService8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 22322⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\UWQP7K70EYNJMAB6.exeMD5
2e3b62f4f1669b3615608ea31e1796dd
SHA19f9584588e480c0cfc18b770da47b00919e24219
SHA256f464dae032967264173885899186be9eac89bd2016ded5ebc38c705fa6b1b625
SHA5122879f87ce2e3c075512408fbdb17a01209663c2f635c3e07cec1d8e9b1f0490c9219eea2229dcd5863467435d35bef874e9d5fd243e46b02850d0157288b95af
-
C:\ProgramData\UWQP7K70EYNJMAB6.exeMD5
2e3b62f4f1669b3615608ea31e1796dd
SHA19f9584588e480c0cfc18b770da47b00919e24219
SHA256f464dae032967264173885899186be9eac89bd2016ded5ebc38c705fa6b1b625
SHA5122879f87ce2e3c075512408fbdb17a01209663c2f635c3e07cec1d8e9b1f0490c9219eea2229dcd5863467435d35bef874e9d5fd243e46b02850d0157288b95af
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
f3068198b62b4b70404ec46694d632be
SHA17b0b31ae227cf2a78cb751573a9d07f755104ea0
SHA256bd0fab28319be50795bd6aa9692742ba12539b136036acce2e0403f10a779fc8
SHA512ef285a93898a9436219540f247beb52da69242d05069b3f50d1761bb956ebb8468aeaeadcb87dd7a09f5039c479a31f313c83c4a63c2b2f789f1fe55b4fa9795
-
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exeMD5
91c9ae9c9a17a9db5e08b120e668c74c
SHA150770954c1ceb0bb6f1d5d3f2de2a0a065773723
SHA256e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f
SHA512ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e
-
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exeMD5
91c9ae9c9a17a9db5e08b120e668c74c
SHA150770954c1ceb0bb6f1d5d3f2de2a0a065773723
SHA256e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f
SHA512ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e
-
C:\Users\Admin\AppData\Local\Temp\RESB571.tmpMD5
2fcdae35e790275a7f0407c897bf7917
SHA1868523b5b5ae93ca1fc8548cdc8f8b9a0d42e81e
SHA2562a07fcd1767546d27bcb3b35430a8db080c659fc8d07f3867d6ab73da6bdd42c
SHA5125c07c396b31ee0b8fbd7dbac0e77022d84b9da8f3e18d527e0ad16aa6e3fd4fbfe728f565fd50a48c93304ab8a690171765253092c0d94580a1a3d9ac29fcce5
-
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1MD5
841cc93778b4ec353d0075d717b90df4
SHA1287f652b7be199d127aab4655055654a6ea2bed6
SHA25677f2e15c057346682081eae41389c9d91ba710c2f91107a9c59543c71cf6cad1
SHA512a98053ebe4279d8b312a27f634ca2a9b4d929e15f8d27bdb2e89706a9fa967035e58a5d5cec2be0e5ea763b8c278884863f91d8ca270d4a30a20c51d00b72541
-
C:\Users\Admin\AppData\Local\Temp\m5z3opnl\m5z3opnl.dllMD5
fbe24e7913366ccfde8227ff3215144b
SHA131d87d9f1876f7e92bceaba54b4c9acbd8fb90aa
SHA256a95cde384aff5e637bd1e80c6c79971ebe16a3306e16bcf7ffb1328ee06a3970
SHA512ddfc261d4764110cfc253d869467367728922ed99f032d3c5ea58c606fd81e2c0a6952bee2260774b8c34c6e2e9264ee60f65389738ff20cc5fe2a889aa29745
-
C:\Users\Admin\AppData\Local\Temp\ready.ps1MD5
28d9755addec05c0b24cca50dfe3a92b
SHA17d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42
-
\??\c:\Users\Admin\AppData\Local\Temp\m5z3opnl\CSCF5AFECB2F38B4FD8807DE6863923A1DA.TMPMD5
1ee924958f8a9f6af6376f67706e0ebe
SHA116ee47dbb4cf1d783e33888b99b66369a3b5aeb1
SHA25627001d75a62fc63a6f71bfec826c775f42a477b8a337c7d22304e165cf39a9a9
SHA512a6bb69956047b82ca6812ac5e7dbbedc840eeb01cdd64cfda09b1dd184e76242456bd0fa6d926a1a266e7cd947391825e072eaceb6fed3db956e5f7142546dd1
-
\??\c:\Users\Admin\AppData\Local\Temp\m5z3opnl\m5z3opnl.0.csMD5
9f8ab7eb0ab21443a2fe06dab341510e
SHA12b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA51253f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b
-
\??\c:\Users\Admin\AppData\Local\Temp\m5z3opnl\m5z3opnl.cmdlineMD5
011c6073dfe755292aee29639348c352
SHA1a8b5b9d3e4d63bcdc5c350af46fe1f048d823e18
SHA256a300ae4aad416ddee675a2b3005b5d35078bbae4162cfc07c3b20a2727ca0221
SHA5125650f97c91d9464698e991598ad631292d299262a548134ac7b9069ad3e5f022f76dd83520dccde21adeb32617248b1e69e6b00082f9684cafb16ff705d9bd72
-
\ProgramData\mozglue.dllMD5
8f73c08a9660691143661bf7332c3c27
SHA137fa65dd737c50fda710fdbde89e51374d0c204a
SHA2563fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA5120042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
\ProgramData\nss3.dllMD5
bfac4e3c5908856ba17d41edcd455a51
SHA18eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA5122565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
memory/688-1035-0x0000000000000000-mapping.dmp
-
memory/700-1039-0x0000000000000000-mapping.dmp
-
memory/824-1056-0x0000000000000000-mapping.dmp
-
memory/1188-145-0x0000000000400000-0x000000000080B000-memory.dmpFilesize
4.0MB
-
memory/1188-140-0x0000000000400000-0x000000000080B000-memory.dmpFilesize
4.0MB
-
memory/1188-150-0x0000000005E30000-0x0000000005E31000-memory.dmpFilesize
4KB
-
memory/1188-136-0x0000000000400000-0x000000000080B000-memory.dmpFilesize
4.0MB
-
memory/1188-137-0x000000000040330C-mapping.dmp
-
memory/1188-149-0x0000000005483000-0x0000000005484000-memory.dmpFilesize
4KB
-
memory/1188-142-0x00000000058A0000-0x0000000005C9F000-memory.dmpFilesize
4.0MB
-
memory/1188-148-0x0000000005482000-0x0000000005483000-memory.dmpFilesize
4KB
-
memory/1188-146-0x0000000005484000-0x0000000005485000-memory.dmpFilesize
4KB
-
memory/1188-147-0x0000000005480000-0x0000000005481000-memory.dmpFilesize
4KB
-
memory/1300-724-0x0000000004F22000-0x0000000004F23000-memory.dmpFilesize
4KB
-
memory/1300-723-0x0000000004F20000-0x0000000004F21000-memory.dmpFilesize
4KB
-
memory/1300-819-0x000000007EAE0000-0x000000007EAE1000-memory.dmpFilesize
4KB
-
memory/1300-710-0x0000000000000000-mapping.dmp
-
memory/1720-116-0x0000000003480000-0x0000000003556000-memory.dmpFilesize
856KB
-
memory/1720-117-0x0000000000400000-0x0000000001729000-memory.dmpFilesize
19.2MB
-
memory/1720-115-0x0000000001769000-0x00000000017E5000-memory.dmpFilesize
496KB
-
memory/1772-991-0x0000000000000000-mapping.dmp
-
memory/1796-1057-0x0000000000000000-mapping.dmp
-
memory/2004-1036-0x0000000000000000-mapping.dmp
-
memory/2120-164-0x0000000008770000-0x0000000008771000-memory.dmpFilesize
4KB
-
memory/2120-172-0x00000000093D0000-0x00000000093D1000-memory.dmpFilesize
4KB
-
memory/2120-159-0x00000000076F0000-0x00000000076F1000-memory.dmpFilesize
4KB
-
memory/2120-160-0x0000000007630000-0x0000000007631000-memory.dmpFilesize
4KB
-
memory/2120-162-0x0000000007F90000-0x0000000007F91000-memory.dmpFilesize
4KB
-
memory/2120-163-0x00000000083C0000-0x00000000083C1000-memory.dmpFilesize
4KB
-
memory/2120-158-0x0000000005072000-0x0000000005073000-memory.dmpFilesize
4KB
-
memory/2120-165-0x00000000086B0000-0x00000000086B1000-memory.dmpFilesize
4KB
-
memory/2120-156-0x0000000007720000-0x0000000007721000-memory.dmpFilesize
4KB
-
memory/2120-167-0x0000000003180000-0x0000000003181000-memory.dmpFilesize
4KB
-
memory/2120-171-0x0000000009D60000-0x0000000009D61000-memory.dmpFilesize
4KB
-
memory/2120-182-0x0000000005073000-0x0000000005074000-memory.dmpFilesize
4KB
-
memory/2120-1157-0x000000007F100000-0x000000007F101000-memory.dmpFilesize
4KB
-
memory/2120-155-0x0000000004F00000-0x0000000004F01000-memory.dmpFilesize
4KB
-
memory/2120-153-0x0000000003180000-0x0000000003181000-memory.dmpFilesize
4KB
-
memory/2120-203-0x00000000097C0000-0x00000000097C1000-memory.dmpFilesize
4KB
-
memory/2120-154-0x0000000003180000-0x0000000003181000-memory.dmpFilesize
4KB
-
memory/2120-152-0x0000000000000000-mapping.dmp
-
memory/2120-157-0x0000000005070000-0x0000000005071000-memory.dmpFilesize
4KB
-
memory/2120-180-0x0000000009460000-0x0000000009461000-memory.dmpFilesize
4KB
-
memory/2152-1032-0x0000000000000000-mapping.dmp
-
memory/2208-213-0x0000000004832000-0x0000000004833000-memory.dmpFilesize
4KB
-
memory/2208-204-0x0000000000000000-mapping.dmp
-
memory/2208-206-0x0000000002C80000-0x0000000002C81000-memory.dmpFilesize
4KB
-
memory/2208-205-0x0000000002C80000-0x0000000002C81000-memory.dmpFilesize
4KB
-
memory/2208-211-0x0000000004830000-0x0000000004831000-memory.dmpFilesize
4KB
-
memory/2208-276-0x000000007EAC0000-0x000000007EAC1000-memory.dmpFilesize
4KB
-
memory/2212-1038-0x0000000000000000-mapping.dmp
-
memory/2584-1037-0x0000000000000000-mapping.dmp
-
memory/2644-176-0x0000000000000000-mapping.dmp
-
memory/3152-989-0x0000000000000000-mapping.dmp
-
memory/3168-990-0x0000000000000000-mapping.dmp
-
memory/3372-468-0x00000000071C0000-0x00000000071C1000-memory.dmpFilesize
4KB
-
memory/3372-459-0x0000000000000000-mapping.dmp
-
memory/3372-469-0x00000000071C2000-0x00000000071C3000-memory.dmpFilesize
4KB
-
memory/3372-495-0x000000007F9F0000-0x000000007F9F1000-memory.dmpFilesize
4KB
-
memory/3392-1033-0x0000000000000000-mapping.dmp
-
memory/3536-128-0x00000000059B0000-0x00000000059B1000-memory.dmpFilesize
4KB
-
memory/3536-126-0x0000000004FB0000-0x0000000004FB1000-memory.dmpFilesize
4KB
-
memory/3536-125-0x0000000005410000-0x0000000005411000-memory.dmpFilesize
4KB
-
memory/3536-130-0x0000000006470000-0x0000000006491000-memory.dmpFilesize
132KB
-
memory/3536-127-0x0000000005050000-0x0000000005051000-memory.dmpFilesize
4KB
-
memory/3536-120-0x0000000000000000-mapping.dmp
-
memory/3536-134-0x0000000008CC0000-0x0000000008CCB000-memory.dmpFilesize
44KB
-
memory/3536-123-0x0000000000010000-0x0000000000011000-memory.dmpFilesize
4KB
-
memory/3536-132-0x00000000064E0000-0x00000000064E1000-memory.dmpFilesize
4KB
-
memory/3536-131-0x0000000006520000-0x0000000006521000-memory.dmpFilesize
4KB
-
memory/3536-129-0x0000000004F10000-0x000000000540E000-memory.dmpFilesize
5.0MB
-
memory/3536-133-0x0000000004F10000-0x000000000540E000-memory.dmpFilesize
5.0MB
-
memory/3536-135-0x0000000008CE0000-0x0000000008CE1000-memory.dmpFilesize
4KB
-
memory/3552-1034-0x0000000000000000-mapping.dmp
-
memory/3560-1028-0x0000000000000000-mapping.dmp
-
memory/3764-173-0x0000000000000000-mapping.dmp
-
memory/3968-1029-0x0000000000000000-mapping.dmp