Analysis
-
max time kernel
119s -
max time network
129s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
17-11-2021 12:19
Static task
static1
General
-
Target
5c7fc960d3e00ab148e991b9be2137a0b0565c1d32f30fe91c3d894647f33980.exe
-
Size
2.2MB
-
MD5
c6c28e719c1ab67000be15581f6dafff
-
SHA1
52b01bdb3b1c0c36ec6d191852e967c02fd48a2d
-
SHA256
5c7fc960d3e00ab148e991b9be2137a0b0565c1d32f30fe91c3d894647f33980
-
SHA512
b9143e859ba72e8cd50f329248a43e8d3ba74c540906a128223e6aec4d3830aed98fb139bc2b98ae5da7fd5100e543af7ab7d8d5fd55954ef9502cf305ec9ada
Malware Config
Extracted
vidar
48.6
869
https://mastodon.online/@valhalla
https://koyu.space/@valhalla
-
profile_id
869
Signatures
-
Vidar Stealer 2 IoCs
Processes:
resource yara_rule behavioral1/memory/2720-116-0x0000000002A60000-0x0000000002B37000-memory.dmp family_vidar behavioral1/memory/2720-117-0x0000000000400000-0x0000000000638000-memory.dmp family_vidar -
Downloads MZ/PE file
-
Loads dropped DLL 2 IoCs
Processes:
5c7fc960d3e00ab148e991b9be2137a0b0565c1d32f30fe91c3d894647f33980.exepid process 2720 5c7fc960d3e00ab148e991b9be2137a0b0565c1d32f30fe91c3d894647f33980.exe 2720 5c7fc960d3e00ab148e991b9be2137a0b0565c1d32f30fe91c3d894647f33980.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
5c7fc960d3e00ab148e991b9be2137a0b0565c1d32f30fe91c3d894647f33980.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 5c7fc960d3e00ab148e991b9be2137a0b0565c1d32f30fe91c3d894647f33980.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString 5c7fc960d3e00ab148e991b9be2137a0b0565c1d32f30fe91c3d894647f33980.exe -
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 3312 timeout.exe -
Kills process with taskkill 1 IoCs
Processes:
taskkill.exepid process 3812 taskkill.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
5c7fc960d3e00ab148e991b9be2137a0b0565c1d32f30fe91c3d894647f33980.exepid process 2720 5c7fc960d3e00ab148e991b9be2137a0b0565c1d32f30fe91c3d894647f33980.exe 2720 5c7fc960d3e00ab148e991b9be2137a0b0565c1d32f30fe91c3d894647f33980.exe 2720 5c7fc960d3e00ab148e991b9be2137a0b0565c1d32f30fe91c3d894647f33980.exe 2720 5c7fc960d3e00ab148e991b9be2137a0b0565c1d32f30fe91c3d894647f33980.exe 2720 5c7fc960d3e00ab148e991b9be2137a0b0565c1d32f30fe91c3d894647f33980.exe 2720 5c7fc960d3e00ab148e991b9be2137a0b0565c1d32f30fe91c3d894647f33980.exe 2720 5c7fc960d3e00ab148e991b9be2137a0b0565c1d32f30fe91c3d894647f33980.exe 2720 5c7fc960d3e00ab148e991b9be2137a0b0565c1d32f30fe91c3d894647f33980.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
taskkill.exedescription pid process Token: SeDebugPrivilege 3812 taskkill.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
5c7fc960d3e00ab148e991b9be2137a0b0565c1d32f30fe91c3d894647f33980.execmd.exedescription pid process target process PID 2720 wrote to memory of 864 2720 5c7fc960d3e00ab148e991b9be2137a0b0565c1d32f30fe91c3d894647f33980.exe cmd.exe PID 2720 wrote to memory of 864 2720 5c7fc960d3e00ab148e991b9be2137a0b0565c1d32f30fe91c3d894647f33980.exe cmd.exe PID 2720 wrote to memory of 864 2720 5c7fc960d3e00ab148e991b9be2137a0b0565c1d32f30fe91c3d894647f33980.exe cmd.exe PID 864 wrote to memory of 3812 864 cmd.exe taskkill.exe PID 864 wrote to memory of 3812 864 cmd.exe taskkill.exe PID 864 wrote to memory of 3812 864 cmd.exe taskkill.exe PID 864 wrote to memory of 3312 864 cmd.exe timeout.exe PID 864 wrote to memory of 3312 864 cmd.exe timeout.exe PID 864 wrote to memory of 3312 864 cmd.exe timeout.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5c7fc960d3e00ab148e991b9be2137a0b0565c1d32f30fe91c3d894647f33980.exe"C:\Users\Admin\AppData\Local\Temp\5c7fc960d3e00ab148e991b9be2137a0b0565c1d32f30fe91c3d894647f33980.exe"1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im 5c7fc960d3e00ab148e991b9be2137a0b0565c1d32f30fe91c3d894647f33980.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\5c7fc960d3e00ab148e991b9be2137a0b0565c1d32f30fe91c3d894647f33980.exe" & del C:\ProgramData\*.dll & exit2⤵
- Suspicious use of WriteProcessMemory
PID:864 -
C:\Windows\SysWOW64\taskkill.exetaskkill /im 5c7fc960d3e00ab148e991b9be2137a0b0565c1d32f30fe91c3d894647f33980.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3812
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 63⤵
- Delays execution with timeout.exe
PID:3312
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
ef2834ac4ee7d6724f255beaf527e635
SHA15be8c1e73a21b49f353c2ecfa4108e43a883cb7b
SHA256a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba
SHA512c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2
-
MD5
8f73c08a9660691143661bf7332c3c27
SHA137fa65dd737c50fda710fdbde89e51374d0c204a
SHA2563fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA5120042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
MD5
109f0f02fd37c84bfc7508d4227d7ed5
SHA1ef7420141bb15ac334d3964082361a460bfdb975
SHA256334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4
SHA51246eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39
-
MD5
bfac4e3c5908856ba17d41edcd455a51
SHA18eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA5122565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
MD5
a2ee53de9167bf0d6c019303b7ca84e5
SHA12a3c737fa1157e8483815e98b666408a18c0db42
SHA25643536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083
SHA51245b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8
-
MD5
7587bf9cb4147022cd5681b015183046
SHA1f2106306a8f6f0da5afb7fc765cfa0757ad5a628
SHA256c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d
SHA5120b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f
-
MD5
8f73c08a9660691143661bf7332c3c27
SHA137fa65dd737c50fda710fdbde89e51374d0c204a
SHA2563fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA5120042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
MD5
bfac4e3c5908856ba17d41edcd455a51
SHA18eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA5122565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66