Analysis
-
max time kernel
122s -
max time network
126s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
15-02-2022 06:13
Static task
static1
Behavioral task
behavioral1
Sample
c7ad7dc565687b2fe2b2652ffbd135188acb4eef29c2e0d72a116bd988c1e40d.exe
Resource
win7-en-20211208
windows7_x64
0 signatures
0 seconds
General
-
Target
c7ad7dc565687b2fe2b2652ffbd135188acb4eef29c2e0d72a116bd988c1e40d.exe
-
Size
675KB
-
MD5
cef76d7fba522e19ac03269b6275ff3f
-
SHA1
81cbb61d06fcd512081a5dac97a7865d98d7a22b
-
SHA256
c7ad7dc565687b2fe2b2652ffbd135188acb4eef29c2e0d72a116bd988c1e40d
-
SHA512
e4728e26ab451ec452fbb5b61fbc7efe4c7e3c138cb91ed2a4bb75a339bf2ee1cdee9f7fa0c03fb398fea3c6dd87c5075bff0095b6e55811198865550bdab33a
Malware Config
Extracted
Family
vidar
Version
48.1
Botnet
937
C2
https://koyu.space/@rspich
Attributes
-
profile_id
937
Signatures
-
Vidar Stealer 2 IoCs
Processes:
resource yara_rule behavioral1/memory/1148-57-0x00000000004E0000-0x00000000005B5000-memory.dmp family_vidar behavioral1/memory/1148-58-0x0000000000400000-0x00000000004D8000-memory.dmp family_vidar -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 2044 1148 WerFault.exe c7ad7dc565687b2fe2b2652ffbd135188acb4eef29c2e0d72a116bd988c1e40d.exe -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
WerFault.exepid process 2044 WerFault.exe 2044 WerFault.exe 2044 WerFault.exe 2044 WerFault.exe 2044 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
WerFault.exedescription pid process Token: SeDebugPrivilege 2044 WerFault.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
c7ad7dc565687b2fe2b2652ffbd135188acb4eef29c2e0d72a116bd988c1e40d.exedescription pid process target process PID 1148 wrote to memory of 2044 1148 c7ad7dc565687b2fe2b2652ffbd135188acb4eef29c2e0d72a116bd988c1e40d.exe WerFault.exe PID 1148 wrote to memory of 2044 1148 c7ad7dc565687b2fe2b2652ffbd135188acb4eef29c2e0d72a116bd988c1e40d.exe WerFault.exe PID 1148 wrote to memory of 2044 1148 c7ad7dc565687b2fe2b2652ffbd135188acb4eef29c2e0d72a116bd988c1e40d.exe WerFault.exe PID 1148 wrote to memory of 2044 1148 c7ad7dc565687b2fe2b2652ffbd135188acb4eef29c2e0d72a116bd988c1e40d.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c7ad7dc565687b2fe2b2652ffbd135188acb4eef29c2e0d72a116bd988c1e40d.exe"C:\Users\Admin\AppData\Local\Temp\c7ad7dc565687b2fe2b2652ffbd135188acb4eef29c2e0d72a116bd988c1e40d.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 13642⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1148-55-0x0000000076511000-0x0000000076513000-memory.dmpFilesize
8KB
-
memory/1148-56-0x0000000000310000-0x000000000038B000-memory.dmpFilesize
492KB
-
memory/1148-57-0x00000000004E0000-0x00000000005B5000-memory.dmpFilesize
852KB
-
memory/1148-58-0x0000000000400000-0x00000000004D8000-memory.dmpFilesize
864KB
-
memory/2044-59-0x0000000000210000-0x0000000000211000-memory.dmpFilesize
4KB