Analysis

- max time kernel: 193s
- max time network: 226s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 20-05-2022 04:40

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe
  Resource: win7-20220414-en

Note: the behavioral findings below are attributed to behavioral2 on the Windows 10 image (the family_vidar memory dump lives under behavioral2/, and the platform and resource above are win10v2004), while the only behavioral task listed here is behavioral1 on win7-20220414-en. Read the signatures and process data below as the Windows 10 run.
General

- Target: 0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe
- Size: 2.0MB
- MD5: 71315e1101ebeb067568689f64b5fe2a
- SHA1: 678e2e1d963d34cbfb597fe2a8327d1f53b2606c
- SHA256: 0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2
- SHA512: e8d0ba61e10ce23f6289cfbf42bb867dc2d1baf4e5eeefc00a2c61b0486a25f1e7aad9e3adfb0c2f48a59156fa89956aaf9219f581fa55a91c9220e4cb6a89c7
Malware Config
Signatures

- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

- Vidar Stealer (1 IoC)
  YARA rule family_vidar matched behavioral2/memory/2992-131-0x0000000000400000-0x00000000008F0000-memory.dmp, the in-memory image of PID 2992 (the main module region starting at 0x400000). The family attribution therefore comes from memory, not from the 2.0MB file on disk; the 4.9MB dump listed under Downloads is the artifact to hand to static tooling.
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Process 0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe:
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Process 0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe:
    Key value queried: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation

- Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Process 0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe:
    Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Wine
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 13: ip-api.com
  On its own this is a low-fidelity indicator, since legitimate software queries the same service; it is most useful correlated with the Geo\Nation registry read above, which points the same way (victim location).
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  PID 2992 0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature reads "likely ransomware behaviour"; for a stealer it is more plausibly drive enumeration ahead of file collection, and nothing else in this report points to encryption.

- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Process 0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe:
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
    Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

- Kills process with taskkill (1 IoC)
  PID 3896 taskkill.exe

- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  PID 2992 0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe (10 events)

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 3896 taskkill.exe: Token SeDebugPrivilege

- Suspicious use of WriteProcessMemory (9 IoCs)
  Source PID -> target PID (source image -> target image):
    2992 -> 4508 (0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe -> cmd.exe), 3 writes
    2992 -> 4608 (0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe -> cmd.exe), 3 writes
    4608 -> 3896 (cmd.exe -> taskkill.exe), 3 writes
  Every target is the writer's own freshly spawned child, with three writes each. That pattern matches ordinary process creation (the parent populating the new child's address space), not code injection; the report shows no writes into unrelated processes.
Processes

C:\Users\Admin\AppData\Local\Temp\0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe (PID 2992)
  "C:\Users\Admin\AppData\Local\Temp\0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe"
  - Checks BIOS information in registry
  - Checks computer location settings
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 4508)
    "C:\Windows\system32\cmd.exe" rd /s /q C:\ProgramData\RWOJNPOJPL3U25

  C:\Windows\SysWOW64\cmd.exe (PID 4608)
    "C:\Windows\System32\cmd.exe" /c taskkill /im 0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe /f & erase C:\Users\Admin\AppData\Local\Temp\0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe & exit
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\taskkill.exe (PID 3896)
      taskkill /im 0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe /f
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken

Notes on the tree (PIDs taken from the WriteProcessMemory and mapping-dump entries: 2992 spawned 4508 and 4608, and 4608 spawned 3896):
- The children resolve to C:\Windows\SysWOW64\ even though the command lines name System32, so the sample is a 32-bit process running under WoW64; its main module at 0x400000 in the memory dumps is consistent with that.
- PID 4508 recursively and silently deletes C:\ProgramData\RWOJNPOJPL3U25, a working directory the sample created during the run. Anyone collecting artifacts from the host should expect that directory to be gone.
- PID 4608 is the clean-up chain: taskkill /f on the sample's own image, then erase of the dropped file, then exit. The taskkill step is what needs SeDebugPrivilege (AdjustPrivilegeToken above). After this chain the original binary no longer exists on disk, which is why the memory dumps above are the primary artifact.
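The registry checks, the ip-api.com lookup and the two cmd.exe command lines above are each simple enough to turn into host-side detection logic. The following is an added example, not the sandbox's own code: a small rule set that takes behavioural events of the kinds this report lists (registry queries, process creations, DNS lookups) and tags them with the same categories the report uses. The registry suffix table is built from the exact paths on this page; the extra IP-lookup hosts beyond ip-api.com and the uppercase working-directory name pattern are assumptions introduced here. The sample events are constructed to mirror the report's IoCs, with one benign registry read added as a control.

```python
"""Rule-based triage of sandbox behavioural events, modelled on the signature
categories in this report.  Added example, not the sandbox's own code; the rule
tables are assumptions derived from the IoCs shown on the page."""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Registry paths the sample queried (from the report) -> behaviour category.
# Matched as a case-insensitive suffix so the hive spelling (\REGISTRY\MACHINE,
# HKLM, a per-user SID under \REGISTRY\USER) does not matter.
REGISTRY_RULES = {
    "hardware\\description\\system\\systembiosversion": "anti-sandbox: BIOS check",
    "hardware\\description\\system\\videobiosversion": "anti-sandbox: BIOS check",
    "hardware\\description\\system\\centralprocessor\\0": "anti-sandbox: CPU check",
    "hardware\\description\\system\\centralprocessor\\0\\processornamestring": "anti-sandbox: CPU check",
    "software\\wine": "anti-sandbox: Wine check",
    "control panel\\international\\geo\\nation": "geofence: country lookup",
}

# ip-api.com is the host seen in this report; the other two are well-known
# external-IP services added as an assumption to make the rule general.
IP_LOOKUP_HOSTS = {"ip-api.com", "api.ipify.org", "ifconfig.me"}

# "taskkill /im <image> /f ... erase|del <path>" inside one cmd.exe command line.
SELF_DELETE_RE = re.compile(
    r"taskkill\s+/im\s+(?P<image>\S+)\s+/f.*?\b(?:erase|del)\s+(?P<path>\S+)",
    re.IGNORECASE,
)
# "rd /s /q <dir>": recursive, silent directory removal.
RD_RE = re.compile(r"\brd\s+/s\s+/q\s+(?P<dir>\S+)", re.IGNORECASE)
# Working-directory name shape seen in this report (RWOJNPOJPL3U25); a heuristic.
WORKDIR_NAME_RE = re.compile(r"[A-Z0-9]{8,}")


@dataclass(frozen=True)
class Event:
    kind: str    # "reg_query", "proc_create" or "dns"
    pid: int
    image: str   # image name of the acting process
    detail: str  # registry path, full command line, or queried hostname


@dataclass(frozen=True)
class Finding:
    category: str
    pid: int
    evidence: str


def registry_category(path: str) -> Optional[str]:
    """Return the behaviour category for a queried registry path, or None."""
    p = path.lower().rstrip("\\")
    for suffix, category in REGISTRY_RULES.items():
        if p.endswith("\\" + suffix):
            return category
    return None


def triage(events: Iterable[Event]) -> list[Finding]:
    """Apply every rule to a stream of events and return the findings."""
    findings: list[Finding] = []
    for ev in events:
        if ev.kind == "reg_query":
            cat = registry_category(ev.detail)
            if cat:
                findings.append(Finding(cat, ev.pid, ev.detail))
        elif ev.kind == "dns" and ev.detail.lower() in IP_LOOKUP_HOSTS:
            findings.append(Finding("discovery: external IP lookup", ev.pid, ev.detail))
        elif ev.kind == "proc_create" and ev.image.lower() == "cmd.exe":
            m = SELF_DELETE_RE.search(ev.detail)
            # Only self-deletion when the killed image is the file being erased.
            if m and ntpath.basename(m["path"]).lower() == m["image"].lower():
                findings.append(Finding("defence evasion: self-deletion via taskkill+erase", ev.pid, ev.detail))
            m = RD_RE.search(ev.detail)
            if m:
                parent, name = ntpath.split(m["dir"])
                if parent.lower() == "c:\\programdata" and WORKDIR_NAME_RE.fullmatch(name):
                    findings.append(Finding("defence evasion: working-directory cleanup under ProgramData", ev.pid, ev.detail))
    return findings


# Constructed events mirroring this report's IoCs, plus one benign control read.
SAMPLE = "0d1cfaf10eb9e05a1376c7c85b14bc65570e0278978d70194232026ec2f986f2.exe"
SID = "S-1-5-21-3751123196-3323558407-1869646069-1000"
SAMPLE_EVENTS = [
    Event("reg_query", 2992, SAMPLE, "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion"),
    Event("reg_query", 2992, SAMPLE, "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion"),
    Event("reg_query", 2992, SAMPLE, "\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0\\ProcessorNameString"),
    Event("reg_query", 2992, SAMPLE, "\\REGISTRY\\USER\\" + SID + "\\Control Panel\\International\\Geo\\Nation"),
    Event("reg_query", 2992, SAMPLE, "\\REGISTRY\\USER\\" + SID + "\\Software\\Wine"),
    Event("reg_query", 2992, SAMPLE, "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"),  # control
    Event("dns", 2992, SAMPLE, "ip-api.com"),
    Event("proc_create", 4508, "cmd.exe", '"C:\\Windows\\system32\\cmd.exe" rd /s /q C:\\ProgramData\\RWOJNPOJPL3U25'),
    Event("proc_create", 4608, "cmd.exe",
          '"C:\\Windows\\System32\\cmd.exe" /c taskkill /im ' + SAMPLE + ' /f & erase '
          'C:\\Users\\Admin\\AppData\\Local\\Temp\\' + SAMPLE + ' & exit'),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"PID {f.pid:<5} {f.category:<60} {f.evidence}")
```

Run against the constructed events this yields eight findings and ignores the benign Run-key read. The self-deletion rule deliberately requires the taskkill target and the erased file to share a name; a command that kills one process and deletes an unrelated file does not fire, which keeps the rule from matching ordinary uninstaller scripts.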
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

- memory/2992-130-0x00000000778B0000-0x0000000077A53000-memory.dmp (1.6MB)
- memory/2992-131-0x0000000000400000-0x00000000008F0000-memory.dmp (4.9MB)
- memory/3896-134-0x0000000000000000-mapping.dmp
- memory/4508-132-0x0000000000000000-mapping.dmp
- memory/4608-133-0x0000000000000000-mapping.dmp