Analysis
- max time kernel: 117s
- max time network: 120s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 26-10-2021 05:12
- Static task: static1
- Behavioral task: behavioral1
- Sample: 41ed34b70460e1eb3b561fbc89b65052.exe
- Resource: win7-en-20210920
General
- Target: 41ed34b70460e1eb3b561fbc89b65052.exe
- Size: 567KB
- MD5: 41ed34b70460e1eb3b561fbc89b65052
- SHA1: a5def1d5bf16265f8a828dd4b1e9c2deede4e3c1
- SHA256: 22d5d59d54369797b47fb086e329d72d65f98bd679977370ddb24118815f311b
- SHA512: 03cc6e74afc17bfbc54d9284d84c3b0d33f1d615cd7214aa6fabddb42579e30d9117aeaa88c3e8fdb56a9d6438eb1fdd7c00af9c0ebb730619ee19b6f34dbf60
Malware Config
Extracted
- Family: vidar
- Version: 41.5
- Botnet: 921
- C2: https://mas.to/@xeroxxx
- profile_id: 921
Signatures
-
Vidar Stealer (6 IoCs)
Processes:
  resource                                      yara_rule
  C:\Users\Admin\AppData\Local\Temp\build.exe   family_vidar
  C:\Users\Admin\AppData\Local\Temp\build.exe   family_vidar
  \Users\Admin\AppData\Local\Temp\build.exe     family_vidar
  \Users\Admin\AppData\Local\Temp\build.exe     family_vidar
  \Users\Admin\AppData\Local\Temp\build.exe     family_vidar
  \Users\Admin\AppData\Local\Temp\build.exe     family_vidar
-
Executes dropped EXE (1 IoC)
Processes:
  pid    process
  1400   build.exe
-
Loads dropped DLL (4 IoCs)
Processes:
  pid    process
  1660   WerFault.exe
  1660   WerFault.exe
  1660   WerFault.exe
  1660   WerFault.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash (1 IoC)
Processes:
  pid    pid_target   process        target process
  1660   1400         WerFault.exe   build.exe
-
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
  pid    process
  1660   WerFault.exe
  1660   WerFault.exe
  1660   WerFault.exe
  1660   WerFault.exe
  1660   WerFault.exe
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  pid    process
  1660   WerFault.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description                pid    process
  Token: SeDebugPrivilege    1660   WerFault.exe
-
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description                        pid    process                                target process
  PID 1624 wrote to memory of 1400   1624   41ed34b70460e1eb3b561fbc89b65052.exe   build.exe
  PID 1624 wrote to memory of 1400   1624   41ed34b70460e1eb3b561fbc89b65052.exe   build.exe
  PID 1624 wrote to memory of 1400   1624   41ed34b70460e1eb3b561fbc89b65052.exe   build.exe
  PID 1624 wrote to memory of 1400   1624   41ed34b70460e1eb3b561fbc89b65052.exe   build.exe
  PID 1400 wrote to memory of 1660   1400   build.exe                              WerFault.exe
  PID 1400 wrote to memory of 1660   1400   build.exe                              WerFault.exe
  PID 1400 wrote to memory of 1660   1400   build.exe                              WerFault.exe
  PID 1400 wrote to memory of 1660   1400   build.exe                              WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\41ed34b70460e1eb3b561fbc89b65052.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\41ed34b70460e1eb3b561fbc89b65052.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\build.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\build.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1400 -s 864
      - Loads dropped DLL
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\build.exe
  MD5: eafba1017e94765780d8a5b182d4c325
  SHA1: 7968d32aa44d2c66dc670841d86ef8dba376128f
  SHA256: 0d50080d7267c71894ccfd698c1ef6369cf2b1b182f903c6b8cbab8e1fb524e3
  SHA512: 31ff0f70cafc20e71cbe4e574b4c1460dbb77e85815339bbe191b41c771da1faa201f5fc95ab10a9b8e707df590431060e7c9d7cb8c15bd275523e1d78be2aaa
- \Users\Admin\AppData\Local\Temp\build.exe
  MD5: eafba1017e94765780d8a5b182d4c325
  SHA1: 7968d32aa44d2c66dc670841d86ef8dba376128f
  SHA256: 0d50080d7267c71894ccfd698c1ef6369cf2b1b182f903c6b8cbab8e1fb524e3
  SHA512: 31ff0f70cafc20e71cbe4e574b4c1460dbb77e85815339bbe191b41c771da1faa201f5fc95ab10a9b8e707df590431060e7c9d7cb8c15bd275523e1d78be2aaa
- memory/1400-61-0x0000000076B61000-0x0000000076B63000-memory.dmp (Filesize: 8KB)
- memory/1400-59-0x0000000000000000-mapping.dmp
- memory/1624-54-0x000000013F530000-0x000000013F531000-memory.dmp (Filesize: 4KB)
- memory/1624-58-0x0000000002420000-0x0000000002422000-memory.dmp (Filesize: 8KB)
- memory/1624-57-0x000000001B560000-0x000000001B5D8000-memory.dmp (Filesize: 480KB)
- memory/1624-56-0x0000000002570000-0x00000000026AD000-memory.dmp (Filesize: 1.2MB)
- memory/1660-62-0x0000000000000000-mapping.dmp
- memory/1660-68-0x0000000000300000-0x0000000000301000-memory.dmp (Filesize: 4KB)