vidar | d41c3b72a7759a814becaa2a49e3290ee6cd957da85a300e37c48658e3ad1989

Analysis

max time kernel
4294221s
max time network
178s
platform
windows7_x64
resource
win7-20220310-en
submitted
19-03-2022 11:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d41c3b72a7759a814becaa2a49e3290ee6cd957da85a300e37c48658e3ad1989.exe
Size

8KB
MD5

8e0cb3ec8385850c7dae3859e3e16cc9
SHA1

f199182de1a4eabac1cecb49687c579bac783b6b
SHA256

d41c3b72a7759a814becaa2a49e3290ee6cd957da85a300e37c48658e3ad1989
SHA512

97a4065ce4a0e42cd3299209cfa48e0dbf0da0715ff4ddff70dda9c38e31c6597210a7fa1c4e52ca8efbd0f9da7afeab2e91f85ce5ae930f6bd19e05d0cd3889

Score

10^/10

vidar stealer

Malware Config

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/1532-89-0x00000000004E0000-0x00000000005B5000-memory.dmp	family_vidar

Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

LzmwAqmV.exechrome.exeSoftwareInstaller2191.exeWorldoffer.exeinst1.exechrome update.exesearch_hyperfs_206.exe

pid process

1564 LzmwAqmV.exe
1744 chrome.exe
852 SoftwareInstaller2191.exe
1532 Worldoffer.exe
820 inst1.exe
568 chrome update.exe
1648 search_hyperfs_206.exe
Loads dropped DLL 8 IoCs

Processes:

LzmwAqmV.exe

pid process

1564 LzmwAqmV.exe
1564 LzmwAqmV.exe
1564 LzmwAqmV.exe
1564 LzmwAqmV.exe
1564 LzmwAqmV.exe
1564 LzmwAqmV.exe
1564 LzmwAqmV.exe
1564 LzmwAqmV.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1564	LzmwAqmV.exe
1744	chrome.exe
852	SoftwareInstaller2191.exe
1532	Worldoffer.exe
820	inst1.exe
568	chrome update.exe
1648	search_hyperfs_206.exe

pid	process
1564	LzmwAqmV.exe
1564	LzmwAqmV.exe
1564	LzmwAqmV.exe
1564	LzmwAqmV.exe
1564	LzmwAqmV.exe
1564	LzmwAqmV.exe
1564	LzmwAqmV.exe
1564	LzmwAqmV.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

d41c3b72a7759a814becaa2a49e3290ee6cd957da85a300e37c48658e3ad1989.exechrome.exechrome update.exe

description	pid	process
Token: SeDebugPrivilege	1572	d41c3b72a7759a814becaa2a49e3290ee6cd957da85a300e37c48658e3ad1989.exe
Token: SeDebugPrivilege	1744	chrome.exe
Token: SeDebugPrivilege	568	chrome update.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

d41c3b72a7759a814becaa2a49e3290ee6cd957da85a300e37c48658e3ad1989.exeLzmwAqmV.exe

description	pid	process	target process
PID 1572 wrote to memory of 1564	1572	d41c3b72a7759a814becaa2a49e3290ee6cd957da85a300e37c48658e3ad1989.exe	LzmwAqmV.exe
PID 1572 wrote to memory of 1564	1572	d41c3b72a7759a814becaa2a49e3290ee6cd957da85a300e37c48658e3ad1989.exe	LzmwAqmV.exe
PID 1572 wrote to memory of 1564	1572	d41c3b72a7759a814becaa2a49e3290ee6cd957da85a300e37c48658e3ad1989.exe	LzmwAqmV.exe
PID 1572 wrote to memory of 1564	1572	d41c3b72a7759a814becaa2a49e3290ee6cd957da85a300e37c48658e3ad1989.exe	LzmwAqmV.exe
PID 1564 wrote to memory of 1744	1564	LzmwAqmV.exe	chrome.exe
PID 1564 wrote to memory of 1744	1564	LzmwAqmV.exe	chrome.exe
PID 1564 wrote to memory of 1744	1564	LzmwAqmV.exe	chrome.exe
PID 1564 wrote to memory of 1744	1564	LzmwAqmV.exe	chrome.exe
PID 1564 wrote to memory of 852	1564	LzmwAqmV.exe	SoftwareInstaller2191.exe
PID 1564 wrote to memory of 852	1564	LzmwAqmV.exe	SoftwareInstaller2191.exe
PID 1564 wrote to memory of 852	1564	LzmwAqmV.exe	SoftwareInstaller2191.exe
PID 1564 wrote to memory of 852	1564	LzmwAqmV.exe	SoftwareInstaller2191.exe
PID 1564 wrote to memory of 852	1564	LzmwAqmV.exe	SoftwareInstaller2191.exe
PID 1564 wrote to memory of 852	1564	LzmwAqmV.exe	SoftwareInstaller2191.exe
PID 1564 wrote to memory of 852	1564	LzmwAqmV.exe	SoftwareInstaller2191.exe
PID 1564 wrote to memory of 1532	1564	LzmwAqmV.exe	Worldoffer.exe
PID 1564 wrote to memory of 1532	1564	LzmwAqmV.exe	Worldoffer.exe
PID 1564 wrote to memory of 1532	1564	LzmwAqmV.exe	Worldoffer.exe
PID 1564 wrote to memory of 1532	1564	LzmwAqmV.exe	Worldoffer.exe
PID 1564 wrote to memory of 820	1564	LzmwAqmV.exe	inst1.exe
PID 1564 wrote to memory of 820	1564	LzmwAqmV.exe	inst1.exe
PID 1564 wrote to memory of 820	1564	LzmwAqmV.exe	inst1.exe
PID 1564 wrote to memory of 820	1564	LzmwAqmV.exe	inst1.exe
PID 1564 wrote to memory of 568	1564	LzmwAqmV.exe	chrome update.exe
PID 1564 wrote to memory of 568	1564	LzmwAqmV.exe	chrome update.exe
PID 1564 wrote to memory of 568	1564	LzmwAqmV.exe	chrome update.exe
PID 1564 wrote to memory of 568	1564	LzmwAqmV.exe	chrome update.exe
PID 1564 wrote to memory of 1648	1564	LzmwAqmV.exe	search_hyperfs_206.exe
PID 1564 wrote to memory of 1648	1564	LzmwAqmV.exe	search_hyperfs_206.exe
PID 1564 wrote to memory of 1648	1564	LzmwAqmV.exe	search_hyperfs_206.exe
PID 1564 wrote to memory of 1648	1564	LzmwAqmV.exe	search_hyperfs_206.exe

C:\Users\Admin\AppData\Local\Temp\d41c3b72a7759a814becaa2a49e3290ee6cd957da85a300e37c48658e3ad1989.exe
"C:\Users\Admin\AppData\Local\Temp\d41c3b72a7759a814becaa2a49e3290ee6cd957da85a300e37c48658e3ad1989.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1572

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1564

C:\Users\Admin\AppData\Local\Temp\chrome.exe
"C:\Users\Admin\AppData\Local\Temp\chrome.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Users\Admin\AppData\Local\Temp\SoftwareInstaller2191.exe
"C:\Users\Admin\AppData\Local\Temp\SoftwareInstaller2191.exe"
3⤵
- Executes dropped EXE
PID:852

C:\Users\Admin\AppData\Local\Temp\Worldoffer.exe
"C:\Users\Admin\AppData\Local\Temp\Worldoffer.exe"
3⤵
- Executes dropped EXE
PID:1532

C:\Users\Admin\AppData\Local\Temp\inst1.exe
"C:\Users\Admin\AppData\Local\Temp\inst1.exe"
3⤵
- Executes dropped EXE
PID:820

C:\Users\Admin\AppData\Local\Temp\chrome update.exe
"C:\Users\Admin\AppData\Local\Temp\chrome update.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:568

C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe
"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"
3⤵
- Executes dropped EXE
PID:1648

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
3⤵
PID:1480

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
MD5
4f1db9417e53b38a7e876f873dad6e93

SHA1
4939f732568bd8bef4e08ef4df83162f12584cdd

SHA256
3fa5bcd3452f9ac5c4692f3d6bc97aa870e1e73161beda8f10c1155bd1f27487

SHA512
773a5ff00af9845bfc0f39006212eec05907def360f20e4c8816fed0067b101e99c8d69a7dc359ac126cceea8e0190ec290b7ad42a6f707240b95edf4e81b088

Download Submit
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
MD5
4f1db9417e53b38a7e876f873dad6e93

SHA1
4939f732568bd8bef4e08ef4df83162f12584cdd

SHA256
3fa5bcd3452f9ac5c4692f3d6bc97aa870e1e73161beda8f10c1155bd1f27487

SHA512
773a5ff00af9845bfc0f39006212eec05907def360f20e4c8816fed0067b101e99c8d69a7dc359ac126cceea8e0190ec290b7ad42a6f707240b95edf4e81b088

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoftwareInstaller2191.exe
MD5
52889bee8775514810948425fefc87dc

SHA1
c9f99a89c0d411a09266e087ec64532d0aab3662

SHA256
cc578634e357aa83afa588548183f83506119a35dada831d2a00afc27a9b7de7

SHA512
e7bcd8f39ec44e1094e5dbd3351c50b889a12ab9e1be38db5dc00508bd79dd7ebff49590b378c2635e7eeee6a1ec7c33d57980a7b472acf39924eba14586c094

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoftwareInstaller2191.exe
MD5
52889bee8775514810948425fefc87dc

SHA1
c9f99a89c0d411a09266e087ec64532d0aab3662

SHA256
cc578634e357aa83afa588548183f83506119a35dada831d2a00afc27a9b7de7

SHA512
e7bcd8f39ec44e1094e5dbd3351c50b889a12ab9e1be38db5dc00508bd79dd7ebff49590b378c2635e7eeee6a1ec7c33d57980a7b472acf39924eba14586c094

Download Submit
C:\Users\Admin\AppData\Local\Temp\Worldoffer.exe
MD5
7e8d320488f6bf62b6897dbfb180dfbb

SHA1
d6f2a930c00cf942655c3fdc0ca7bc25c6253a8d

SHA256
a31d27a19c731712dced8db96354085502f7607a72bc9659d095b028db5ec13b

SHA512
406f882cb72c75d7ec3f4e4d45e3a62cd2f7b5c25dcb8ebba66561317f12638a1acd79934a9ddf083a0c979e2c6571fda5ce4d9f484f8573bddae02c17550b94

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome update.exe
MD5
e564aedef8ad08e6c527b78cfc5b4e01

SHA1
074d41078e373d0d1b6485a91f14040eb4755e23

SHA256
86b61831f8aebb7315c6566a6790782a3f341bc66b2f629377273c9fcd29afae

SHA512
b7b0777cfd96c4098b98516c33d37a1f244129b814ae682507bf725cb23eb350a6ab4685f58a9aea623920338a1d4c1d8e538f14fa2048ecc0ea954d21b7c9a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome update.exe
MD5
e564aedef8ad08e6c527b78cfc5b4e01

SHA1
074d41078e373d0d1b6485a91f14040eb4755e23

SHA256
86b61831f8aebb7315c6566a6790782a3f341bc66b2f629377273c9fcd29afae

SHA512
b7b0777cfd96c4098b98516c33d37a1f244129b814ae682507bf725cb23eb350a6ab4685f58a9aea623920338a1d4c1d8e538f14fa2048ecc0ea954d21b7c9a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome.exe
MD5
b248271e30b2b63030c181d9d70b2bba

SHA1
b2d2e5d20228b33f05d19eb0574cd8889cdce6c9

SHA256
5711be360c092c7162d782d4b77efada964b3b2336f1513e98c172742214c5f5

SHA512
da0a1a8190ee375aa8a047ad483d972f7944535b5a8bec02e6dcb787944abe80410a1fab2dc0a297c7100898b9acc1b5392893846d14b9306314057dc8883e23

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome.exe
MD5
b248271e30b2b63030c181d9d70b2bba

SHA1
b2d2e5d20228b33f05d19eb0574cd8889cdce6c9

SHA256
5711be360c092c7162d782d4b77efada964b3b2336f1513e98c172742214c5f5

SHA512
da0a1a8190ee375aa8a047ad483d972f7944535b5a8bec02e6dcb787944abe80410a1fab2dc0a297c7100898b9acc1b5392893846d14b9306314057dc8883e23

Download Submit
C:\Users\Admin\AppData\Local\Temp\inst1.exe
MD5
e5f9bcffdde599dd66c729fe2868e411

SHA1
2990ab84be3b99e687ced6c25c9548c3a0757e25

SHA256
c5099f6b446fcc8fd368148b66879910466a02f84d2975467a43a0e4cac11fe8

SHA512
7965c1b0828835adb171ac2a8a5938fd175aefce43353eb29d124e9cb5e324376c3f6e74528c8e066b3ee67f08bff06b5cbd9072772986713360423276e8a8fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe
MD5
dd3f5335f760b949760b02aac1187694

SHA1
f53535bb3093caef66890688e6c214bcb4c51ef9

SHA256
90206625829c37a60ab736cfd7a8ff46f89524123b3246eabeaa77a2126bba26

SHA512
e715b69ca632f51c449a415ef831ed0d7e0160af20a3f79b09cb31bdce8920697c30c5f625851e9418bc087145b7b16deea7cc57c159c331350f1c88e7785004

Download Submit
\Users\Admin\AppData\Local\Temp\SoftwareInstaller2191.exe
MD5
52889bee8775514810948425fefc87dc

SHA1
c9f99a89c0d411a09266e087ec64532d0aab3662

SHA256
cc578634e357aa83afa588548183f83506119a35dada831d2a00afc27a9b7de7

SHA512
e7bcd8f39ec44e1094e5dbd3351c50b889a12ab9e1be38db5dc00508bd79dd7ebff49590b378c2635e7eeee6a1ec7c33d57980a7b472acf39924eba14586c094

Download Submit
\Users\Admin\AppData\Local\Temp\Worldoffer.exe
MD5
7e8d320488f6bf62b6897dbfb180dfbb

SHA1
d6f2a930c00cf942655c3fdc0ca7bc25c6253a8d

SHA256
a31d27a19c731712dced8db96354085502f7607a72bc9659d095b028db5ec13b

SHA512
406f882cb72c75d7ec3f4e4d45e3a62cd2f7b5c25dcb8ebba66561317f12638a1acd79934a9ddf083a0c979e2c6571fda5ce4d9f484f8573bddae02c17550b94

Download Submit
\Users\Admin\AppData\Local\Temp\Worldoffer.exe
MD5
7e8d320488f6bf62b6897dbfb180dfbb

SHA1
d6f2a930c00cf942655c3fdc0ca7bc25c6253a8d

SHA256
a31d27a19c731712dced8db96354085502f7607a72bc9659d095b028db5ec13b

SHA512
406f882cb72c75d7ec3f4e4d45e3a62cd2f7b5c25dcb8ebba66561317f12638a1acd79934a9ddf083a0c979e2c6571fda5ce4d9f484f8573bddae02c17550b94

Download Submit
\Users\Admin\AppData\Local\Temp\chrome update.exe
MD5
e564aedef8ad08e6c527b78cfc5b4e01

SHA1
074d41078e373d0d1b6485a91f14040eb4755e23

SHA256
86b61831f8aebb7315c6566a6790782a3f341bc66b2f629377273c9fcd29afae

SHA512
b7b0777cfd96c4098b98516c33d37a1f244129b814ae682507bf725cb23eb350a6ab4685f58a9aea623920338a1d4c1d8e538f14fa2048ecc0ea954d21b7c9a4

Download Submit
\Users\Admin\AppData\Local\Temp\chrome.exe
MD5
b248271e30b2b63030c181d9d70b2bba

SHA1
b2d2e5d20228b33f05d19eb0574cd8889cdce6c9

SHA256
5711be360c092c7162d782d4b77efada964b3b2336f1513e98c172742214c5f5

SHA512
da0a1a8190ee375aa8a047ad483d972f7944535b5a8bec02e6dcb787944abe80410a1fab2dc0a297c7100898b9acc1b5392893846d14b9306314057dc8883e23

Download Submit
\Users\Admin\AppData\Local\Temp\inst1.exe
MD5
e5f9bcffdde599dd66c729fe2868e411

SHA1
2990ab84be3b99e687ced6c25c9548c3a0757e25

SHA256
c5099f6b446fcc8fd368148b66879910466a02f84d2975467a43a0e4cac11fe8

SHA512
7965c1b0828835adb171ac2a8a5938fd175aefce43353eb29d124e9cb5e324376c3f6e74528c8e066b3ee67f08bff06b5cbd9072772986713360423276e8a8fa

Download Submit
\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe
MD5
dd3f5335f760b949760b02aac1187694

SHA1
f53535bb3093caef66890688e6c214bcb4c51ef9

SHA256
90206625829c37a60ab736cfd7a8ff46f89524123b3246eabeaa77a2126bba26

SHA512
e715b69ca632f51c449a415ef831ed0d7e0160af20a3f79b09cb31bdce8920697c30c5f625851e9418bc087145b7b16deea7cc57c159c331350f1c88e7785004

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe
MD5
e2d983220085f0494ff1e8c0b10bcb16

SHA1
5716a56cdc261fcd552b95a4536b17ffd325dbab

SHA256
bf15a11a3211f2bf79558594dd7d86b4116acd6fb0ca26c9fdcfd86be236b6b1

SHA512
9e07a1e371c8e6593628d37fe290e4052a120ec49682c4ff10f78f9af0bd1f736a45ca590f4d6afa892f06544be4bb057825932d4e85ff1c4a64dcee9df2fdb2

Download Submit
memory/568-81-0x0000000000080000-0x0000000000088000-memory.dmp

Filesize
32KB

Download
memory/568-87-0x000000001B170000-0x000000001B172000-memory.dmp

Filesize
8KB

Download
memory/568-86-0x000007FEF4A60000-0x000007FEF544C000-memory.dmp

Filesize
9.9MB

Download
memory/820-84-0x00000000002C0000-0x00000000002D0000-memory.dmp

Filesize
64KB

Download
memory/820-85-0x00000000002F0000-0x0000000000302000-memory.dmp

Filesize
72KB

Download
memory/852-71-0x00000000013C0000-0x00000000013E8000-memory.dmp

Filesize
160KB

Download
memory/852-75-0x00000000746A0000-0x0000000074D8E000-memory.dmp

Filesize
6.9MB

Download
memory/852-91-0x0000000000300000-0x0000000000306000-memory.dmp

Filesize
24KB

Download
memory/1532-89-0x00000000004E0000-0x00000000005B5000-memory.dmp

Filesize
852KB

Download
memory/1532-88-0x0000000000220000-0x000000000029B000-memory.dmp

Filesize
492KB

Download
memory/1564-61-0x0000000076361000-0x0000000076363000-memory.dmp

Filesize
8KB

Download
memory/1564-59-0x00000000746A0000-0x0000000074D8E000-memory.dmp

Filesize
6.9MB

Download
memory/1564-60-0x0000000000A00000-0x0000000000F86000-memory.dmp

Filesize
5.5MB

Download
memory/1572-56-0x000000001ACB0000-0x000000001ACB2000-memory.dmp

Filesize
8KB

Download
memory/1572-54-0x000007FEF5450000-0x000007FEF5E3C000-memory.dmp

Filesize
9.9MB

Download
memory/1572-55-0x0000000000DB0000-0x0000000000DB8000-memory.dmp

Filesize
32KB

Download
memory/1744-66-0x000007FEF4A60000-0x000007FEF544C000-memory.dmp

Filesize
9.9MB

Download
memory/1744-65-0x0000000001370000-0x0000000001378000-memory.dmp

Filesize
32KB

Download
memory/1744-67-0x000000001B260000-0x000000001B262000-memory.dmp

Filesize
8KB

Download