Analysis
-
max time kernel
193s -
max time network
226s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
20-05-2022 04:40
General
-
Target
0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe
-
Size
2.0MB
-
MD5
71315e1101ebeb067568689f64b5fe2a
-
SHA1
678e2e1d963d34cbfb597fe2a8327d1f53b2606c
-
SHA256
0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2
-
SHA512
e8d0ba61e10ce23f6289cfbf42bb867dc2d1baf4e5eeefc00a2c61b0486a25f1e7aad9e3adfb0c2f48a59156fa89956aaf9219f581fa55a91c9220e4cb6a89c7
Malware Config
Signatures
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Kills process with taskkill 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe"C:\Users\Admin\AppData\Local\Temp\0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe"1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" rd /s /q C:\ProgramData\RWOJNPOJPL3U252⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im 0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe /f & erase C:\Users\Admin\AppData\Local\Temp\0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im 0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2992-130-0x00000000778B0000-0x0000000077A53000-memory.dmpFilesize
1.6MB
-
memory/2992-131-0x0000000000400000-0x00000000008F0000-memory.dmpFilesize
4.9MB
-
memory/3896-134-0x0000000000000000-mapping.dmp
-
memory/4508-132-0x0000000000000000-mapping.dmp
-
memory/4608-133-0x0000000000000000-mapping.dmp