Analysis
- max time kernel: 44s
- max time network: 49s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 20-05-2022 04:40
Static task: static1
Behavioral task: behavioral1
Sample: 0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe
Resource: win7-20220414-en
General
- Target: 0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe
- Size: 2.0MB
- MD5: 71315e1101ebeb067568689f64b5fe2a
- SHA1: 678e2e1d963d34cbfb597fe2a8327d1f53b2606c
- SHA256: 0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2
- SHA512: e8d0ba61e10ce23f6289cfbf42bb867dc2d1baf4e5eeefc00a2c61b0486a25f1e7aad9e3adfb0c2f48a59156fa89956aaf9219f581fa55a91c9220e4cb6a89c7
Malware Config
Signatures
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 1 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1296-56-0x0000000000400000-0x00000000008F0000-memory.dmp | family_vidar
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe
-
Deletes itself 1 IoCs
Processes:
pid | process
2020 | cmd.exe
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Wine | 0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
4 | ip-api.com
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
pid | process
1296 | 0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe
-
Kills process with taskkill 1 IoCs
Processes:
pid | process
1036 | taskkill.exe
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
pid | process
1296 | 0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe
1296 | 0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe
1296 | 0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe
1296 | 0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe
1296 | 0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1036 | taskkill.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description | pid | process | target process
PID 1296 wrote to memory of 1520 | 1296 | 0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe | cmd.exe
PID 1296 wrote to memory of 1520 | 1296 | 0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe | cmd.exe
PID 1296 wrote to memory of 1520 | 1296 | 0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe | cmd.exe
PID 1296 wrote to memory of 1520 | 1296 | 0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe | cmd.exe
PID 1296 wrote to memory of 2020 | 1296 | 0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe | cmd.exe
PID 1296 wrote to memory of 2020 | 1296 | 0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe | cmd.exe
PID 1296 wrote to memory of 2020 | 1296 | 0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe | cmd.exe
PID 1296 wrote to memory of 2020 | 1296 | 0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe | cmd.exe
PID 2020 wrote to memory of 1036 | 2020 | cmd.exe | taskkill.exe
PID 2020 wrote to memory of 1036 | 2020 | cmd.exe | taskkill.exe
PID 2020 wrote to memory of 1036 | 2020 | cmd.exe | taskkill.exe
PID 2020 wrote to memory of 1036 | 2020 | cmd.exe | taskkill.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe"
  Signatures:
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" rd /s /q C:\ProgramData\RQD278J06E1NBX
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im 0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe /f & erase C:\Users\Admin\AppData\Local\Temp\0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe & exit
    Signatures:
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im 0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe /f
      Signatures:
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1036-59-0x0000000000000000-mapping.dmp
- memory/1296-54-0x0000000075741000-0x0000000075743000-memory.dmp (Filesize: 8KB)
- memory/1296-55-0x0000000077C70000-0x0000000077DF0000-memory.dmp (Filesize: 1.5MB)
- memory/1296-56-0x0000000000400000-0x00000000008F0000-memory.dmp (Filesize: 4.9MB)
- memory/1520-57-0x0000000000000000-mapping.dmp
- memory/2020-58-0x0000000000000000-mapping.dmp