Analysis
- max time kernel: 4294180s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20220311-en
- submitted: 21-03-2022 16:39

Static task: static1
Behavioral task: behavioral1
- Sample: d790fed581ba982731fc4257763d93b2.exe
- Resource: win7-20220311-en
- Platform: windows7_x64
- 0 signatures
- 0 seconds
General
- Target: d790fed581ba982731fc4257763d93b2.exe
- Size: 1.9MB
- MD5: d790fed581ba982731fc4257763d93b2
- SHA1: f91dbf1e6e81b266a1cfa1fe307fcd3b9d491b27
- SHA256: aebfbaf72b832cf446789cedf82459f71587f48b2d44998d64215fafaf4b5fb6
- SHA512: a207b39908c480c25c7d33b56ed6b6f6a3c16ff5624d12537bac6972a847ae7cb82736b5d52dcae25e36494e6144309101e177fde5a2c42bc23ae59dd4c150b1
Malware Config
Extracted
- Family: vidar
- Version: 50.8
- Botnet: 909
- C2:
  https://ieji.de/@sam7al
  https://ru.social/@s4m74l
- Attributes:
  profile_id: 909
Signatures

Vidar Stealer (5 IoCs)
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1096-66-0x0000000000400000-0x00000000004B1000-memory.dmp  family_vidar
  behavioral1/memory/1096-68-0x0000000000400000-0x00000000004B1000-memory.dmp  family_vidar
  behavioral1/memory/1096-70-0x0000000000400000-0x00000000004B1000-memory.dmp  family_vidar
  behavioral1/memory/1096-72-0x0000000000400000-0x00000000004B1000-memory.dmp  family_vidar
  behavioral1/memory/1096-75-0x0000000000400000-0x00000000004B1000-memory.dmp  family_vidar

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                           pid   process                               target process
  PID 1636 set thread context of 1096   1636  d790fed581ba982731fc4257763d93b2.exe  mspaint.exe

Program crash (1 IoC)
Processes:
  pid   pid_target  process       target process
  1196  1096        WerFault.exe  mspaint.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
  pid   process
  1636  d790fed581ba982731fc4257763d93b2.exe
  1636  d790fed581ba982731fc4257763d93b2.exe
  1636  d790fed581ba982731fc4257763d93b2.exe
  1636  d790fed581ba982731fc4257763d93b2.exe
  1636  d790fed581ba982731fc4257763d93b2.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1636  d790fed581ba982731fc4257763d93b2.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
  description                        pid   process                               target process
  PID 1636 wrote to memory of 1096   1636  d790fed581ba982731fc4257763d93b2.exe  mspaint.exe
  PID 1636 wrote to memory of 1096   1636  d790fed581ba982731fc4257763d93b2.exe  mspaint.exe
  PID 1636 wrote to memory of 1096   1636  d790fed581ba982731fc4257763d93b2.exe  mspaint.exe
  PID 1636 wrote to memory of 1096   1636  d790fed581ba982731fc4257763d93b2.exe  mspaint.exe
  PID 1636 wrote to memory of 1096   1636  d790fed581ba982731fc4257763d93b2.exe  mspaint.exe
  PID 1636 wrote to memory of 1096   1636  d790fed581ba982731fc4257763d93b2.exe  mspaint.exe
  PID 1636 wrote to memory of 1096   1636  d790fed581ba982731fc4257763d93b2.exe  mspaint.exe
  PID 1636 wrote to memory of 1096   1636  d790fed581ba982731fc4257763d93b2.exe  mspaint.exe
  PID 1636 wrote to memory of 1096   1636  d790fed581ba982731fc4257763d93b2.exe  mspaint.exe
  PID 1636 wrote to memory of 1096   1636  d790fed581ba982731fc4257763d93b2.exe  mspaint.exe
  PID 1636 wrote to memory of 1096   1636  d790fed581ba982731fc4257763d93b2.exe  mspaint.exe
  PID 1096 wrote to memory of 1196   1096  mspaint.exe                           WerFault.exe
  PID 1096 wrote to memory of 1196   1096  mspaint.exe                           WerFault.exe
  PID 1096 wrote to memory of 1196   1096  mspaint.exe                           WerFault.exe
  PID 1096 wrote to memory of 1196   1096  mspaint.exe                           WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\d790fed581ba982731fc4257763d93b2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d790fed581ba982731fc4257763d93b2.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\mspaint.exe
    Command line: "C:\Windows\SysWOW64\mspaint.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 156
      - Program crash
Network
MITRE ATT&CK Matrix
Downloads
  file                                                              filesize
  memory/1096-66-0x0000000000400000-0x00000000004B1000-memory.dmp  708KB
  memory/1096-68-0x0000000000400000-0x00000000004B1000-memory.dmp  708KB
  memory/1096-75-0x0000000000400000-0x00000000004B1000-memory.dmp  708KB
  memory/1096-74-0x00000000755A1000-0x00000000755A3000-memory.dmp  8KB
  memory/1096-72-0x0000000000400000-0x00000000004B1000-memory.dmp  708KB
  memory/1096-70-0x0000000000400000-0x00000000004B1000-memory.dmp  708KB
  memory/1096-62-0x0000000000400000-0x00000000004B1000-memory.dmp  708KB
  memory/1096-64-0x0000000000400000-0x00000000004B1000-memory.dmp  708KB
  memory/1096-60-0x0000000000400000-0x00000000004B1000-memory.dmp  708KB
  memory/1636-54-0x0000000001070000-0x000000000125E000-memory.dmp  1.9MB
  memory/1636-55-0x0000000074540000-0x0000000074C2E000-memory.dmp  6.9MB
  memory/1636-59-0x0000000000980000-0x0000000000994000-memory.dmp  80KB
  memory/1636-58-0x0000000004A45000-0x0000000004A56000-memory.dmp  68KB
  memory/1636-57-0x0000000005030000-0x000000000512E000-memory.dmp  1016KB
  memory/1636-56-0x0000000004A40000-0x0000000004A41000-memory.dmp  4KB