Analysis
- max time kernel: 147s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 16-06-2022 03:04
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 27dcc564f8046d08fc9f5e359b020c42870a3e110349bc9f21bc8860b262a3b9.exe
  - Resource: win7-20220414-en
General
- Target: 27dcc564f8046d08fc9f5e359b020c42870a3e110349bc9f21bc8860b262a3b9.exe
- Size: 611KB
- MD5: 8c0ce9d5caf531a0039d4ed5505d9710
- SHA1: fa91478a0047c6468a60ada42fc96798da5c37a9
- SHA256: 27dcc564f8046d08fc9f5e359b020c42870a3e110349bc9f21bc8860b262a3b9
- SHA512: bf9255bd61a71f26a9b35b14580eb4561b5f70af6126898f31eb5b101cd3cd7033c2a5ca757bd85964daaa7bb32d7bc68c3a5e9be7e7843c03d87fcd896e0836
Malware Config
Extracted
- Family: vidar
- Version: 5
- Botnet: 212
- C2: http://kolobkoproms.ug/
- Attributes: profile_id 212
Signatures
- MassLogger
  Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.
- Vidar log file (1 IoCs)
  Detects a log file produced by Vidar.
  yara_rule: vidar_log_file
- Vidar Stealer (2 IoCs)
  resource | yara_rule
  behavioral2/memory/2908-141-0x0000000000400000-0x00000000004AC000-memory.dmp | family_vidar
  behavioral2/memory/2908-143-0x0000000000400000-0x00000000004AC000-memory.dmp | family_vidar
- Executes dropped EXE (2 IoCs)
  pid | Process
  2908 | uninstaller_2019-01-15_00-11.exe
  5100 | PQwick.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | 27dcc564f8046d08fc9f5e359b020c42870a3e110349bc9f21bc8860b262a3b9.exe
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar sensitive information.
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  11 | ip-api.com
- Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files (x86)\CompanySmartApp\SmartApp\PQwick.exe | 27dcc564f8046d08fc9f5e359b020c42870a3e110349bc9f21bc8860b262a3b9.exe
  File opened for modification | C:\Program Files (x86)\CompanySmartApp\SmartApp\uninstaller_2019-01-15_00-11.exe | 27dcc564f8046d08fc9f5e359b020c42870a3e110349bc9f21bc8860b262a3b9.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | uninstaller_2019-01-15_00-11.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | uninstaller_2019-01-15_00-11.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid | Process
  2908 | uninstaller_2019-01-15_00-11.exe (8 identical entries)
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | Process | procid_target
  PID 1956 wrote to memory of 2908 | 1956 | 27dcc564f8046d08fc9f5e359b020c42870a3e110349bc9f21bc8860b262a3b9.exe | 78 (3 identical entries)
  PID 1956 wrote to memory of 5100 | 1956 | 27dcc564f8046d08fc9f5e359b020c42870a3e110349bc9f21bc8860b262a3b9.exe | 79 (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\27dcc564f8046d08fc9f5e359b020c42870a3e110349bc9f21bc8860b262a3b9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\27dcc564f8046d08fc9f5e359b020c42870a3e110349bc9f21bc8860b262a3b9.exe"
  PID: 1956
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files (x86)\CompanySmartApp\SmartApp\uninstaller_2019-01-15_00-11.exe
    Command line: "C:\Program Files (x86)\CompanySmartApp\SmartApp\uninstaller_2019-01-15_00-11.exe"
    PID: 2908
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\CompanySmartApp\SmartApp\PQwick.exe
    Command line: "C:\Program Files (x86)\CompanySmartApp\SmartApp\PQwick.exe"
    PID: 5100
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 9KB
  MD5: 9f1bfbaa1847fd86468110641203177d
  SHA1: 20a9bce11a93fe34a41867c7a9a8690c47f63a7d
  SHA256: fdc58112eee9720dcf14aa82864ed103c927059350e09c58ed82b40d31c9b04d
  SHA512: 3fa28e51ae3c856b866ea6c720377a33b1651aeaba74c7fbe9a585ba248a5696d8dd36a6f4182ad38d2eb4afcf35362cb4dbe3a7d6591c21e5d944a4c8404134
- Filesize: 655KB
  MD5: 065400d837304643618e73761198566b
  SHA1: c236aa043d6acaf5c60d3557a8228b4874069666
  SHA256: f7cdc62d7a8a01e78cc33700d0ad32eb20e8bc6cfc3cfe252a6ad973b626db76
  SHA512: 54cccda36859c79071aa46c05727f6db9ca8424b11465b155bb847e20f0333de7195b9ca22d1560c788ba5458b6a8141cf8012057da8a047a97446e62efe259a