Analysis
-
max time kernel
136s -
max time network
146s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
16-10-2021 00:40
General
-
Target
613df014511b022045728afac469eb460e95ee7773e1a9e6083cc6f5ca2fe6aa.exe
-
Size
727KB
-
MD5
2cbbe36a44658b6641048bfd57e1ea7f
-
SHA1
197d39e7067afe3119a15729d39e6c05df672f05
-
SHA256
613df014511b022045728afac469eb460e95ee7773e1a9e6083cc6f5ca2fe6aa
-
SHA512
d61fd507d0d77339c165df0df11365558a408c08e50c1ceac594e93100bba40b4cf672b161cd2f731931b6f8636b4afee0c598f1b8f241f5a33dc8f68ab2b7d5
Malware Config
Extracted
vidar
41.4
1008
https://mas.to/@sslam
-
profile_id
1008
Signatures
-
ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Vidar Stealer 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Loads dropped DLL 2 IoCs
-
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry key 1 TTPs 1 IoCs
-
NTFS ADS 4 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 37 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\613df014511b022045728afac469eb460e95ee7773e1a9e6083cc6f5ca2fe6aa.exe"C:\Users\Admin\AppData\Local\Temp\613df014511b022045728afac469eb460e95ee7773e1a9e6083cc6f5ca2fe6aa.exe"1⤵
- Loads dropped DLL
- Checks processor information in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\VUS3EJQ1FLLGUB0G.exe"C:\ProgramData\VUS3EJQ1FLLGUB0G.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'4⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4bzrxrfa\4bzrxrfa.cmdline"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCDEB.tmp" "c:\Users\Admin\AppData\Local\Temp\4bzrxrfa\CSCA7D2E8B1D5149C982482F4C19A178C0.TMP"6⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f5⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f5⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f5⤵
-
C:\Windows\SysWOW64\net.exe"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c net start rdpdr6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet start rdpdr7⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start rdpdr8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c net start TermService6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\net.exenet start TermService7⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 start TermService8⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 19362⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\VUS3EJQ1FLLGUB0G.exeMD5
2e3b62f4f1669b3615608ea31e1796dd
SHA19f9584588e480c0cfc18b770da47b00919e24219
SHA256f464dae032967264173885899186be9eac89bd2016ded5ebc38c705fa6b1b625
SHA5122879f87ce2e3c075512408fbdb17a01209663c2f635c3e07cec1d8e9b1f0490c9219eea2229dcd5863467435d35bef874e9d5fd243e46b02850d0157288b95af
-
C:\ProgramData\VUS3EJQ1FLLGUB0G.exeMD5
2e3b62f4f1669b3615608ea31e1796dd
SHA19f9584588e480c0cfc18b770da47b00919e24219
SHA256f464dae032967264173885899186be9eac89bd2016ded5ebc38c705fa6b1b625
SHA5122879f87ce2e3c075512408fbdb17a01209663c2f635c3e07cec1d8e9b1f0490c9219eea2229dcd5863467435d35bef874e9d5fd243e46b02850d0157288b95af
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
f3068198b62b4b70404ec46694d632be
SHA17b0b31ae227cf2a78cb751573a9d07f755104ea0
SHA256bd0fab28319be50795bd6aa9692742ba12539b136036acce2e0403f10a779fc8
SHA512ef285a93898a9436219540f247beb52da69242d05069b3f50d1761bb956ebb8468aeaeadcb87dd7a09f5039c479a31f313c83c4a63c2b2f789f1fe55b4fa9795
-
C:\Users\Admin\AppData\Local\Temp\4bzrxrfa\4bzrxrfa.dllMD5
3820c4dd9aa1130bdb46f0246c7b165a
SHA1179237e0f531b8702e862de751aaa0d9b6f8cf09
SHA2561b10943d9ae72b220ebd5070e075d8d2a1ba6f8994bc8fc87b612251b2a58a5a
SHA51214719f77cb73800bc33f6ad62182c324e26c0b3aeb76eda2f9e231c152140d136f2bc4497206585aef96e42b017d78857294778ed378d1e91b70124013a53263
-
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exeMD5
91c9ae9c9a17a9db5e08b120e668c74c
SHA150770954c1ceb0bb6f1d5d3f2de2a0a065773723
SHA256e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f
SHA512ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e
-
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exeMD5
91c9ae9c9a17a9db5e08b120e668c74c
SHA150770954c1ceb0bb6f1d5d3f2de2a0a065773723
SHA256e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f
SHA512ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e
-
C:\Users\Admin\AppData\Local\Temp\RESCDEB.tmpMD5
93b07b12405f3f9c08e549ace28af46b
SHA1634aa98006caf55ab5473ea4820809d39b217a8f
SHA2564116cdf0872fa334f5a11a1aa05b586a8a748b51811e718a601ef839f9fe1c10
SHA5122be174232ae41b81eaf54821785c0933c8f659bb1db9656f5091ac72961d5d0714fc0fc891f1229af708ee3461f99e1ff5b71064cb92547405e3ea4deff38828
-
C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1MD5
841cc93778b4ec353d0075d717b90df4
SHA1287f652b7be199d127aab4655055654a6ea2bed6
SHA25677f2e15c057346682081eae41389c9d91ba710c2f91107a9c59543c71cf6cad1
SHA512a98053ebe4279d8b312a27f634ca2a9b4d929e15f8d27bdb2e89706a9fa967035e58a5d5cec2be0e5ea763b8c278884863f91d8ca270d4a30a20c51d00b72541
-
C:\Users\Admin\AppData\Local\Temp\ready.ps1MD5
28d9755addec05c0b24cca50dfe3a92b
SHA17d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42
-
\??\c:\Users\Admin\AppData\Local\Temp\4bzrxrfa\4bzrxrfa.0.csMD5
9f8ab7eb0ab21443a2fe06dab341510e
SHA12b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA51253f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b
-
\??\c:\Users\Admin\AppData\Local\Temp\4bzrxrfa\4bzrxrfa.cmdlineMD5
495da94267224d7dcbf01a8730ce69d8
SHA19d1d503ccecdeab328cf7882d91cc8dfed7bbe19
SHA256a82a231d5ff4e2b6b94bf462fab7e5ac7b1785af02dabc74eb400d76f5052394
SHA512a32e5b05821d99bde6423fb42f7cc5acbd093874d04d8be404050a0d0a061ccf9e7692ab6d4f2ff4a21b7961a6b4f10101dc8ed47bf087e6803705e13dfe77c7
-
\??\c:\Users\Admin\AppData\Local\Temp\4bzrxrfa\CSCA7D2E8B1D5149C982482F4C19A178C0.TMPMD5
77df7355c26ce04414eb6f5bfd846e31
SHA1f17292b1b216b694303996e029be34f11c0b354f
SHA256ac05cf45cb748fc7a8d7c1c4a0213718efbdbd0b92321b6cbe4104e4140643bf
SHA512a57b3721fa5bc6f744aaf5fbea27c41d3f25ba0390a40ac1747e8e7f467d8d5a47da30216e76fa0a041818b333d54e0a0a16dcc6c4b7b2d85d2bb9fc448d5e65
-
\ProgramData\mozglue.dllMD5
8f73c08a9660691143661bf7332c3c27
SHA137fa65dd737c50fda710fdbde89e51374d0c204a
SHA2563fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA5120042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
\ProgramData\nss3.dllMD5
bfac4e3c5908856ba17d41edcd455a51
SHA18eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA5122565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
memory/64-1036-0x0000000000000000-mapping.dmp
-
memory/368-1035-0x0000000000000000-mapping.dmp
-
memory/704-1037-0x0000000000000000-mapping.dmp
-
memory/896-1042-0x0000000000000000-mapping.dmp
-
memory/1088-144-0x0000000000700000-0x0000000000701000-memory.dmpFilesize
4KB
-
memory/1088-146-0x0000000005280000-0x000000000567F000-memory.dmpFilesize
4.0MB
-
memory/1088-137-0x000000000040330C-mapping.dmp
-
memory/1088-154-0x0000000002AD4000-0x0000000002AD5000-memory.dmpFilesize
4KB
-
memory/1088-141-0x0000000000700000-0x0000000000B0B000-memory.dmpFilesize
4.0MB
-
memory/1088-152-0x0000000005890000-0x0000000005891000-memory.dmpFilesize
4KB
-
memory/1088-151-0x0000000002AD3000-0x0000000002AD4000-memory.dmpFilesize
4KB
-
memory/1088-149-0x0000000002AD0000-0x0000000002AD1000-memory.dmpFilesize
4KB
-
memory/1088-150-0x0000000002AD2000-0x0000000002AD3000-memory.dmpFilesize
4KB
-
memory/1608-1059-0x0000000000000000-mapping.dmp
-
memory/1620-1040-0x0000000000000000-mapping.dmp
-
memory/1884-1031-0x0000000000000000-mapping.dmp
-
memory/1892-1060-0x0000000000000000-mapping.dmp
-
memory/2324-115-0x00000000018E9000-0x0000000001966000-memory.dmpFilesize
500KB
-
memory/2324-116-0x0000000003470000-0x0000000003546000-memory.dmpFilesize
856KB
-
memory/2324-117-0x0000000000400000-0x0000000001729000-memory.dmpFilesize
19.2MB
-
memory/2800-168-0x0000000008820000-0x0000000008821000-memory.dmpFilesize
4KB
-
memory/2800-185-0x00000000051A3000-0x00000000051A4000-memory.dmpFilesize
4KB
-
memory/2800-160-0x0000000007730000-0x0000000007731000-memory.dmpFilesize
4KB
-
memory/2800-161-0x0000000008030000-0x0000000008031000-memory.dmpFilesize
4KB
-
memory/2800-163-0x0000000008130000-0x0000000008131000-memory.dmpFilesize
4KB
-
memory/2800-164-0x00000000051A0000-0x00000000051A1000-memory.dmpFilesize
4KB
-
memory/2800-165-0x00000000051A2000-0x00000000051A3000-memory.dmpFilesize
4KB
-
memory/2800-166-0x0000000007EE0000-0x0000000007EE1000-memory.dmpFilesize
4KB
-
memory/2800-167-0x0000000008540000-0x0000000008541000-memory.dmpFilesize
4KB
-
memory/2800-158-0x0000000004FE0000-0x0000000004FE1000-memory.dmpFilesize
4KB
-
memory/2800-157-0x00000000032A0000-0x00000000032A1000-memory.dmpFilesize
4KB
-
memory/2800-170-0x00000000032A0000-0x00000000032A1000-memory.dmpFilesize
4KB
-
memory/2800-174-0x0000000009DD0000-0x0000000009DD1000-memory.dmpFilesize
4KB
-
memory/2800-175-0x00000000094E0000-0x00000000094E1000-memory.dmpFilesize
4KB
-
memory/2800-159-0x0000000007820000-0x0000000007821000-memory.dmpFilesize
4KB
-
memory/2800-156-0x00000000032A0000-0x00000000032A1000-memory.dmpFilesize
4KB
-
memory/2800-155-0x0000000000000000-mapping.dmp
-
memory/2800-1160-0x000000007FA00000-0x000000007FA01000-memory.dmpFilesize
4KB
-
memory/2800-206-0x00000000098C0000-0x00000000098C1000-memory.dmpFilesize
4KB
-
memory/2800-183-0x0000000007330000-0x0000000007331000-memory.dmpFilesize
4KB
-
memory/3276-471-0x0000000000FD0000-0x0000000000FD1000-memory.dmpFilesize
4KB
-
memory/3276-498-0x000000007F7D0000-0x000000007F7D1000-memory.dmpFilesize
4KB
-
memory/3276-472-0x0000000000FD2000-0x0000000000FD3000-memory.dmpFilesize
4KB
-
memory/3276-462-0x0000000000000000-mapping.dmp
-
memory/3280-822-0x000000007F560000-0x000000007F561000-memory.dmpFilesize
4KB
-
memory/3280-727-0x0000000005172000-0x0000000005173000-memory.dmpFilesize
4KB
-
memory/3280-726-0x0000000005170000-0x0000000005171000-memory.dmpFilesize
4KB
-
memory/3280-713-0x0000000000000000-mapping.dmp
-
memory/3380-1041-0x0000000000000000-mapping.dmp
-
memory/3448-1039-0x0000000000000000-mapping.dmp
-
memory/4048-994-0x0000000000000000-mapping.dmp
-
memory/4248-176-0x0000000000000000-mapping.dmp
-
memory/4464-120-0x0000000000000000-mapping.dmp
-
memory/4464-134-0x0000000009780000-0x000000000978B000-memory.dmpFilesize
44KB
-
memory/4464-123-0x0000000000790000-0x0000000000791000-memory.dmpFilesize
4KB
-
memory/4464-133-0x00000000061D1000-0x00000000061D2000-memory.dmpFilesize
4KB
-
memory/4464-128-0x0000000006090000-0x0000000006091000-memory.dmpFilesize
4KB
-
memory/4464-135-0x00000000097E0000-0x00000000097E1000-memory.dmpFilesize
4KB
-
memory/4464-131-0x0000000006CA0000-0x0000000006CA1000-memory.dmpFilesize
4KB
-
memory/4464-127-0x00000000057D0000-0x00000000057D1000-memory.dmpFilesize
4KB
-
memory/4464-126-0x0000000005730000-0x0000000005731000-memory.dmpFilesize
4KB
-
memory/4464-132-0x0000000006C60000-0x0000000006C61000-memory.dmpFilesize
4KB
-
memory/4464-125-0x0000000005B90000-0x0000000005B91000-memory.dmpFilesize
4KB
-
memory/4464-130-0x0000000006C00000-0x0000000006C21000-memory.dmpFilesize
132KB
-
memory/4464-129-0x00000000061D0000-0x00000000061D1000-memory.dmpFilesize
4KB
-
memory/4924-179-0x0000000000000000-mapping.dmp
-
memory/4936-1038-0x0000000000000000-mapping.dmp
-
memory/5012-209-0x0000000004DF0000-0x0000000004DF1000-memory.dmpFilesize
4KB
-
memory/5012-309-0x000000007E290000-0x000000007E291000-memory.dmpFilesize
4KB
-
memory/5012-217-0x0000000006FA2000-0x0000000006FA3000-memory.dmpFilesize
4KB
-
memory/5012-216-0x0000000006FA0000-0x0000000006FA1000-memory.dmpFilesize
4KB
-
memory/5012-208-0x0000000004DF0000-0x0000000004DF1000-memory.dmpFilesize
4KB
-
memory/5012-207-0x0000000000000000-mapping.dmp
-
memory/5044-993-0x0000000000000000-mapping.dmp
-
memory/5052-1032-0x0000000000000000-mapping.dmp
-
memory/5112-992-0x0000000000000000-mapping.dmp