Analysis
- max time kernel: 4294199s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220310-en
- submitted: 24-03-2022 18:54
Static task: static1
Behavioral task: behavioral1
Sample: 02303a665b7c5e81aaac34d2ff0f98c2da777f6e582603c526536da7d0dd12c9.exe
Resource: win7-20220310-en
General
- Target: 02303a665b7c5e81aaac34d2ff0f98c2da777f6e582603c526536da7d0dd12c9.exe
- Size: 484KB
- MD5: 32eee49a755cb1b32bc9d713d8c7decd
- SHA1: 5d597f46e31d88959062952eeee1f77ac4b4b100
- SHA256: 02303a665b7c5e81aaac34d2ff0f98c2da777f6e582603c526536da7d0dd12c9
- SHA512: fbe31889ff8d31686e4f28112769b9f7ace526a1422be3d78424f29bc2ef3da11147baa8f85ec190892d5407fe340f373c1db81743c90cbd186315425ed49539
Malware Config
Extracted
vidar
35
754
http://worstyear2020.com/
- profile_id: 754
Signatures
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
- Vidar Stealer (2 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/1988-57-0x00000000002B0000-0x0000000000336000-memory.dmp | family_vidar
  behavioral1/memory/1988-58-0x0000000000400000-0x0000000000524000-memory.dmp | family_vidar
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  7 | ip-api.com
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 02303a665b7c5e81aaac34d2ff0f98c2da777f6e582603c526536da7d0dd12c9.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 02303a665b7c5e81aaac34d2ff0f98c2da777f6e582603c526536da7d0dd12c9.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
  pid | process
  1988 | 02303a665b7c5e81aaac34d2ff0f98c2da777f6e582603c526536da7d0dd12c9.exe
  1988 | 02303a665b7c5e81aaac34d2ff0f98c2da777f6e582603c526536da7d0dd12c9.exe
  1988 | 02303a665b7c5e81aaac34d2ff0f98c2da777f6e582603c526536da7d0dd12c9.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\02303a665b7c5e81aaac34d2ff0f98c2da777f6e582603c526536da7d0dd12c9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\02303a665b7c5e81aaac34d2ff0f98c2da777f6e582603c526536da7d0dd12c9.exe"
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1988-54-0x00000000005C8000-0x000000000061E000-memory.dmp (filesize 344KB)
- memory/1988-55-0x0000000075931000-0x0000000075933000-memory.dmp (filesize 8KB)
- memory/1988-56-0x00000000005C8000-0x000000000061E000-memory.dmp (filesize 344KB)
- memory/1988-57-0x00000000002B0000-0x0000000000336000-memory.dmp (filesize 536KB)
- memory/1988-58-0x0000000000400000-0x0000000000524000-memory.dmp (filesize 1.1MB)