Overview

Score  Task        Sample              Platform
10     Static      -                   -
10     Behavioral  appconsole.exe      windows7_x64
10     Behavioral  appconsole.exe      windows10-2004_x64
10     Behavioral  azorult.exe         windows7_x64
10     Behavioral  azorult.exe         windows10-2004_x64
10     Behavioral  clipper.exe         windows7_x64
1      Behavioral  clipper.exe         windows10-2004_x64
1      Behavioral  jester_stealer.exe  windows7_x64
10     Behavioral  jester_stealer.exe  windows10-2004_x64
10     Behavioral  lokibot.exe         windows7_x64
10     Behavioral  lokibot.exe         windows10-2004_x64
10     Behavioral  pony.exe            windows7_x64
10     Behavioral  pony.exe            windows10-2004_x64
10     Behavioral  raccoon.exe         windows7_x64
10     Behavioral  raccoon.exe         windows10-2004_x64
10     Behavioral  redline.exe         windows7_x64
10     Behavioral  redline.exe         windows10-2004_x64
10     Behavioral  tesla.exe           windows7_x64
10     Behavioral  tesla.exe           windows10-2004_x64
10     Behavioral  vidar.xll           windows7_x64
7      Behavioral  vidar.xll           windows10-2004_x64
Analysis (score 10)

max time kernel:   511s
max time network:  514s
platform:          windows10-2004_x64
resource:          win10v2004-20220414-en
submitted:         28-04-2022 07:35
Tasks

Task          Sample              Resource
static1       (static task)       -
behavioral1   appconsole.exe      win7-20220414-en
behavioral2   appconsole.exe      win10v2004-20220414-en
behavioral3   azorult.exe         win7-20220414-en
behavioral4   azorult.exe         win10v2004-20220414-en
behavioral5   clipper.exe         win7-20220414-en
behavioral6   clipper.exe         win10v2004-20220414-en
behavioral7   jester_stealer.exe  win7-20220414-en
behavioral8   jester_stealer.exe  win10v2004-20220414-en
behavioral9   lokibot.exe         win7-20220414-en
behavioral10  lokibot.exe         win10v2004-20220414-en
behavioral11  pony.exe            win7-20220414-en
behavioral12  pony.exe            win10v2004-20220414-en
behavioral13  raccoon.exe         win7-20220414-en
behavioral14  raccoon.exe         win10v2004-20220414-en
behavioral15  redline.exe         win7-20220414-en
behavioral16  redline.exe         win10v2004-20220414-en
behavioral17  tesla.exe           win7-20220414-en
behavioral18  tesla.exe           win10v2004-20220414-en
behavioral19  vidar.xll           win7-20220414-en
behavioral20  vidar.xll           win10v2004-20220414-en
General

Target:  vidar.xll
Size:    880KB
MD5:     4ebc548df517cae4c7e3122e9c75ede6
SHA1:    6e19e1e6f3a7b96cf562c2f6768f92580652d427
SHA256:  6c67e1ccf77b872b1f3cf257a257d75c4995dc079945080f578b51357ccdbe55
SHA512:  359be199470a83ad32db555840c5b33a6b69db96cc188d83d550639fe9fe75464529819fdf0cded9d489cb7ba03802667ac373d3ad2a3f7e4069b023c8508290
Malware Config
Extracted
Signatures

Executes dropped EXE (2 IoCs)
  pid   Process
  1108  service.exe
  2456  service.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  3272  EXCEL.EXE
  3272  EXCEL.EXE

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process      procid_target
  PID 1108 set thread context of 2456  1108  service.exe  89

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  4884  2456        WerFault.exe  89

Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                   Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                              Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     EXCEL.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS               EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid   Process
  3272  EXCEL.EXE

Suspicious behavior: MapViewOfSection (2 IoCs)
  pid   Process
  1108  service.exe
  1108  service.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  3272  EXCEL.EXE
  3272  EXCEL.EXE

Suspicious use of SetWindowsHookEx (11 IoCs)
  pid   Process
  3272  EXCEL.EXE  (the same row is reported 11 times)

Suspicious use of WriteProcessMemory (7 IoCs)
  description                       pid   Process      procid_target
  PID 3272 wrote to memory of 1108  3272  EXCEL.EXE    88
  PID 3272 wrote to memory of 1108  3272  EXCEL.EXE    88
  PID 3272 wrote to memory of 1108  3272  EXCEL.EXE    88
  PID 1108 wrote to memory of 2456  1108  service.exe  89
  PID 1108 wrote to memory of 2456  1108  service.exe  89
  PID 1108 wrote to memory of 2456  1108  service.exe  89
  PID 1108 wrote to memory of 2456  1108  service.exe  89
Processes

1. C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\vidar.xll"
   PID: 3272
   - Loads dropped DLL
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\service.exe
      Command line: "C:\Users\Admin\AppData\Roaming\service.exe"
      PID: 1108
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\service.exe
         Command line: "C:\Users\Admin\AppData\Roaming\service.exe"
         PID: 2456
         - Executes dropped EXE

         4. C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2456 -s 204
            PID: 4884
            - Program crash

1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2456 -ip 2456
   PID: 4340
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 880KB
  MD5:    4ebc548df517cae4c7e3122e9c75ede6
  SHA1:   6e19e1e6f3a7b96cf562c2f6768f92580652d427
  SHA256: 6c67e1ccf77b872b1f3cf257a257d75c4995dc079945080f578b51357ccdbe55
  SHA512: 359be199470a83ad32db555840c5b33a6b69db96cc188d83d550639fe9fe75464529819fdf0cded9d489cb7ba03802667ac373d3ad2a3f7e4069b023c8508290
- Filesize: 680KB
  MD5:    c20495a19b01f9258ca23d01933ec47e
  SHA1:   1642d96fb066baaa592e6b147e7a40cb49aeb2ba
  SHA256: 61c1436f9b48159b56f1f71561626724682d54e1714ec722c76c3b7667f0cbb7
  SHA512: b84494e422b2231141836a8ef0bbe04e6fd17c189dcbabacd8b3cbfe9dc5b224dfbefa457fb105f147350b45044e7a0363a101fe008e3610aa066bd379d4ed68