Sample | bd7eec533b670d12046211475971ef6d32b54c37290f41ba33a4cc6b09a925a4.exe |
Size | 679KB |
Date | 15-02-2022 06:38 |
Analysis | behavioral2 |
MD5 | f4a9c73c92501f4ada0ad74830610e11 |
SHA1 | f5755ba5404a3fc467f850ff2dd01e6d9fd228fd |
SHA256 | bd7eec533b670d12046211475971ef6d32b54c37290f41ba33a4cc6b09a925a4 |
SHA512 | 7eb7d62d729b2d2dbacd89d6f2a3d94f053ee0336a413fef76effd3a6b445e9f0877c931bfda11ac3624a0bb8ce09268fac4fb637b7d0ea128342a3d9ac80d7c |
Extracted
Family | vidar |
Version | 48.4 |
Botnet | 937 |
C2 | https://koyu.space/@qmashton |
Attributes | profile_id 937 |
Suspicious use of NtCreateProcessExOtherParentProcess (WerFault.exe)
Reported IOCs
description | pid | process | target process |
PID 1916 created 5080 | 1916 | WerFault.exe | bd7eec533b670d12046211475971ef6d32b54c37290f41ba33a4cc6b09a925a4.exe |
Vidar
Description
Vidar is an infostealer based on the Arkei stealer.

Vidar Stealer
Reported IOCs
resource | yara_rule |
behavioral2/memory/5080-131-0x00000000023D0000-0x00000000024A5000-memory.dmp | family_vidar |
behavioral2/memory/5080-132-0x0000000000400000-0x00000000004D8000-memory.dmp | family_vidar |
Drops file in Windows directory (svchost.exe, TiWorker.exe)
Reported IOCs
description | ioc | process |
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.edb | svchost.exe |
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm | svchost.exe |
File opened for modification | C:\Windows\SoftwareDistribution\ReportingEvents.log | svchost.exe |
File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe |
File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe |
File opened for modification | C:\Windows\WindowsUpdate.log | svchost.exe |
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk | svchost.exe |
File opened for modification | C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log | svchost.exe |
Note: the svchost.exe instance here hosts the Windows Update service (wuauserv) and TiWorker.exe is the Windows Modules Installer worker, so these writes are most likely update-servicing activity of the analysis VM rather than behaviour attributable to the sample.
Program crash (WerFault.exe)
Reported IOCs
pid | pid_target | process | target process |
868 | 5080 | WerFault.exe | bd7eec533b670d12046211475971ef6d32b54c37290f41ba33a4cc6b09a925a4.exe |
Checks processor information in registry (WerFault.exe)
Description
Processor information is often read in order to detect sandboxing environments. In this run the reads are performed by WerFault.exe while it handles the crash of PID 5080, not by the sample itself.
Reported IOCs
description | ioc | process |
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe |
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe |
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe |
Enumerates system info in registry (WerFault.exe)
Reported IOCs
description | ioc | process |
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe |
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe |
Suspicious behavior: EnumeratesProcesses (WerFault.exe)
Reported IOCs
pid | process |
868 | WerFault.exe |
868 | WerFault.exe |
Suspicious use of AdjustPrivilegeToken (WerFault.exe, svchost.exe, TiWorker.exe)
Reported IOCs
description | pid | process |
Token: SeRestorePrivilege | 868 | WerFault.exe |
Token: SeBackupPrivilege | 868 | WerFault.exe |
Token: SeShutdownPrivilege | 1404 | svchost.exe |
Token: SeCreatePagefilePrivilege | 1404 | svchost.exe |
Token: SeShutdownPrivilege | 1404 | svchost.exe |
Token: SeCreatePagefilePrivilege | 1404 | svchost.exe |
Token: SeShutdownPrivilege | 1404 | svchost.exe |
Token: SeCreatePagefilePrivilege | 1404 | svchost.exe |
Token: SeSecurityPrivilege | 4680 | TiWorker.exe |
Token: SeRestorePrivilege | 4680 | TiWorker.exe |
Token: SeBackupPrivilege | 4680 | TiWorker.exe |
Token: SeBackupPrivilege | 4680 | TiWorker.exe |
Token: SeRestorePrivilege | 4680 | TiWorker.exe |
Token: SeSecurityPrivilege | 4680 | TiWorker.exe |
The SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege sequence for PID 4680 (TiWorker.exe) repeats many more times in the report; the identical rows are not listed again.
Suspicious use of WriteProcessMemory (WerFault.exe)
Reported IOCs
description | pid | process | target process |
PID 1916 wrote to memory of 5080 | 1916 | WerFault.exe | bd7eec533b670d12046211475971ef6d32b54c37290f41ba33a4cc6b09a925a4.exe |
PID 1916 wrote to memory of 5080 | 1916 | WerFault.exe | bd7eec533b670d12046211475971ef6d32b54c37290f41ba33a4cc6b09a925a4.exe |
Processes
path | command line | signatures |
C:\Users\Admin\AppData\Local\Temp\bd7eec533b670d12046211475971ef6d32b54c37290f41ba33a4cc6b09a925a4.exe | "C:\Users\Admin\AppData\Local\Temp\bd7eec533b670d12046211475971ef6d32b54c37290f41ba33a4cc6b09a925a4.exe" | |
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 1008 | Program crash; Checks processor information in registry; Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken |
C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 5080 -ip 5080 | Suspicious use of NtCreateProcessExOtherParentProcess; Suspicious use of WriteProcessMemory |
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv | Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken |
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding | Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken |
Memory dumps
memory/1404-139-0x000001D6E90B0000-0x000001D6E90B4000-memory.dmp
memory/1404-133-0x000001D6E6330000-0x000001D6E637B000-memory.dmp
memory/1404-137-0x000001D6E6370000-0x000001D6E6380000-memory.dmp
memory/1404-138-0x000001D6E6390000-0x000001D6E63A0000-memory.dmp
memory/5080-131-0x00000000023D0000-0x00000000024A5000-memory.dmp
memory/5080-132-0x0000000000400000-0x00000000004D8000-memory.dmp
memory/5080-130-0x0000000002290000-0x000000000230B000-memory.dmp