Analysis
-
max time kernel
162s -
max time network
183s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
15-02-2022 12:09
Static task
static1
Behavioral task
behavioral1
Sample
782cebd33e7cc06a65d9869c356ce9fe15d6456f7e1753442c9c1229652c2799.exe
Resource
win7-en-20211208
windows7_x64
0 signatures
0 seconds
General
-
Target
782cebd33e7cc06a65d9869c356ce9fe15d6456f7e1753442c9c1229652c2799.exe
-
Size
607KB
-
MD5
42f0684b2175950eaa2912a87017736d
-
SHA1
0a6bdbf0add85eecee43c75d5af30a39289fa275
-
SHA256
782cebd33e7cc06a65d9869c356ce9fe15d6456f7e1753442c9c1229652c2799
-
SHA512
3e155363ca7746f4042c49d3bde7c3427d1099ba0e15ad4649ffc542377d4e5113d8616d30b66320bd086cb6ac9fd0a7ac43a98644aec4522765f0e4193ac8b7
Malware Config
Extracted
Family
vidar
Version
48.7
Botnet
937
C2
https://mstdn.social/@anapa
https://mastodon.social/@mniami
Attributes
-
profile_id
937
Signatures
-
Vidar Stealer 2 IoCs
Processes:
resource yara_rule behavioral2/memory/3608-131-0x00000000022C0000-0x0000000002395000-memory.dmp family_vidar behavioral2/memory/3608-132-0x0000000000400000-0x00000000004D8000-memory.dmp family_vidar -
Drops file in Windows directory 8 IoCs
Processes:
TiWorker.exesvchost.exedescription ioc process File opened for modification C:\Windows\WinSxS\pending.xml TiWorker.exe File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
svchost.exeTiWorker.exedescription pid process Token: SeShutdownPrivilege 3616 svchost.exe Token: SeCreatePagefilePrivilege 3616 svchost.exe Token: SeShutdownPrivilege 3616 svchost.exe Token: SeCreatePagefilePrivilege 3616 svchost.exe Token: SeShutdownPrivilege 3616 svchost.exe Token: SeCreatePagefilePrivilege 3616 svchost.exe Token: SeSecurityPrivilege 5036 TiWorker.exe Token: SeRestorePrivilege 5036 TiWorker.exe Token: SeBackupPrivilege 5036 TiWorker.exe Token: SeBackupPrivilege 5036 TiWorker.exe Token: SeRestorePrivilege 5036 TiWorker.exe Token: SeSecurityPrivilege 5036 TiWorker.exe Token: SeBackupPrivilege 5036 TiWorker.exe Token: SeRestorePrivilege 5036 TiWorker.exe Token: SeSecurityPrivilege 5036 TiWorker.exe Token: SeBackupPrivilege 5036 TiWorker.exe Token: SeRestorePrivilege 5036 TiWorker.exe Token: SeSecurityPrivilege 5036 TiWorker.exe Token: SeBackupPrivilege 5036 TiWorker.exe Token: SeRestorePrivilege 5036 TiWorker.exe Token: SeSecurityPrivilege 5036 TiWorker.exe Token: SeBackupPrivilege 5036 TiWorker.exe Token: SeRestorePrivilege 5036 TiWorker.exe Token: SeSecurityPrivilege 5036 TiWorker.exe Token: SeBackupPrivilege 5036 TiWorker.exe Token: SeRestorePrivilege 5036 TiWorker.exe Token: SeSecurityPrivilege 5036 TiWorker.exe Token: SeBackupPrivilege 5036 TiWorker.exe Token: SeRestorePrivilege 5036 TiWorker.exe Token: SeSecurityPrivilege 5036 TiWorker.exe Token: SeBackupPrivilege 5036 TiWorker.exe Token: SeRestorePrivilege 5036 TiWorker.exe Token: SeSecurityPrivilege 5036 TiWorker.exe Token: SeBackupPrivilege 5036 TiWorker.exe Token: SeRestorePrivilege 5036 TiWorker.exe Token: SeSecurityPrivilege 5036 TiWorker.exe Token: SeBackupPrivilege 5036 TiWorker.exe Token: SeRestorePrivilege 5036 TiWorker.exe Token: SeSecurityPrivilege 5036 TiWorker.exe Token: SeBackupPrivilege 5036 TiWorker.exe Token: SeRestorePrivilege 5036 TiWorker.exe Token: SeSecurityPrivilege 5036 TiWorker.exe Token: SeBackupPrivilege 5036 TiWorker.exe Token: SeRestorePrivilege 5036 TiWorker.exe Token: SeSecurityPrivilege 5036 TiWorker.exe Token: SeBackupPrivilege 5036 TiWorker.exe Token: SeRestorePrivilege 5036 TiWorker.exe Token: SeSecurityPrivilege 5036 TiWorker.exe Token: SeBackupPrivilege 5036 TiWorker.exe Token: SeRestorePrivilege 5036 TiWorker.exe Token: SeSecurityPrivilege 5036 TiWorker.exe Token: SeBackupPrivilege 5036 TiWorker.exe Token: SeRestorePrivilege 5036 TiWorker.exe Token: SeSecurityPrivilege 5036 TiWorker.exe Token: SeBackupPrivilege 5036 TiWorker.exe Token: SeRestorePrivilege 5036 TiWorker.exe Token: SeSecurityPrivilege 5036 TiWorker.exe Token: SeBackupPrivilege 5036 TiWorker.exe Token: SeRestorePrivilege 5036 TiWorker.exe Token: SeSecurityPrivilege 5036 TiWorker.exe Token: SeBackupPrivilege 5036 TiWorker.exe Token: SeRestorePrivilege 5036 TiWorker.exe Token: SeSecurityPrivilege 5036 TiWorker.exe Token: SeBackupPrivilege 5036 TiWorker.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\782cebd33e7cc06a65d9869c356ce9fe15d6456f7e1753442c9c1229652c2799.exe"C:\Users\Admin\AppData\Local\Temp\782cebd33e7cc06a65d9869c356ce9fe15d6456f7e1753442c9c1229652c2799.exe"1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3608-130-0x0000000002240000-0x00000000022BB000-memory.dmpFilesize
492KB
-
memory/3608-131-0x00000000022C0000-0x0000000002395000-memory.dmpFilesize
852KB
-
memory/3608-132-0x0000000000400000-0x00000000004D8000-memory.dmpFilesize
864KB
-
memory/3616-133-0x0000019415820000-0x0000019415830000-memory.dmpFilesize
64KB
-
memory/3616-134-0x0000019415880000-0x0000019415890000-memory.dmpFilesize
64KB
-
memory/3616-135-0x0000019417F50000-0x0000019417F54000-memory.dmpFilesize
16KB