Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220718-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220718-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-07-2022 19:05
Static task: static1
Behavioral task: behavioral1
Sample: 4feeb54baec6ff1e2653e2607f2a82afa0ca6e256c62e4997613011ba5c0837c.exe
Resource: win7-20220718-en
General
Target: 4feeb54baec6ff1e2653e2607f2a82afa0ca6e256c62e4997613011ba5c0837c.exe
Size: 1.0MB
MD5: 595e3b35d8b2e0ccb94f965fe77b3e9b
SHA1: b30700d72c12199bb5cba584c077ec37d690e10e
SHA256: 4feeb54baec6ff1e2653e2607f2a82afa0ca6e256c62e4997613011ba5c0837c
SHA512: 20c24d12fc5dec908df49b52ad4915dff475e05d874575652323d55de014710ea6420b48c6be0edb17606603eda02f763ac2eee7f9fda69b8e74b21b7986a786
Malware Config
Extracted: vidar 4.9 / 227
  http://benediktonpoins.ug/
  profile_id: 227
Signatures

KPOT Core Executable (3 IoCs)
  resource | yara_rule
  behavioral2/memory/1176-139-0x0000000000400000-0x0000000000484000-memory.dmp | family_kpot
  behavioral2/memory/3744-141-0x0000000000720000-0x0000000000737000-memory.dmp | family_kpot
  behavioral2/memory/3744-143-0x0000000000720000-0x0000000000737000-memory.dmp | family_kpot

MassLogger
  MassLogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

Vidar log file (1 IoC)
  Detects a log file produced by Vidar.
  yara_rule | vidar_log_file

Vidar Stealer (1 IoC)
  resource | yara_rule
  behavioral2/memory/2228-137-0x0000000000400000-0x00000000004D1000-memory.dmp | family_vidar

Executes dropped EXE (2 IoCs)
  pid | process
  1176 | 5FD8.tmp
  2228 | 6027.tmp
Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials among other data.

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  9 | ip-api.com
Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 1176 set thread context of 3744 | 1176 | 5FD8.tmp | mstsc.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 6027.tmp
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 6027.tmp

Suspicious behavior: EnumeratesProcesses (22 IoCs)
  pid | process | count
  2228 | 6027.tmp | 12
  1176 | 5FD8.tmp | 2
  3744 | mstsc.exe | 8

Suspicious use of AdjustPrivilegeToken (9 IoCs)
  description | pid | process
  Token: 33 | 4332 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 4332 | AUDIODG.EXE
  Token: 33 | 1176 | 5FD8.tmp
  Token: SeIncBasePriorityPrivilege | 1176 | 5FD8.tmp
  Token: SeDebugPrivilege | 3744 | mstsc.exe
  Token: SeBackupPrivilege | 3744 | mstsc.exe
  Token: SeRestorePrivilege | 3744 | mstsc.exe
  Token: SeBackupPrivilege | 3744 | mstsc.exe
  Token: SeRestorePrivilege | 3744 | mstsc.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid | process
  1176 | 5FD8.tmp

Suspicious use of SendNotifyMessage (1 IoC)
  pid | process
  1176 | 5FD8.tmp

Suspicious use of WriteProcessMemory (10 IoCs)
  description | pid | process | target process | count
  PID 1964 wrote to memory of 1176 | 1964 | 4feeb54baec6ff1e2653e2607f2a82afa0ca6e256c62e4997613011ba5c0837c.exe | 5FD8.tmp | 3
  PID 1964 wrote to memory of 2228 | 1964 | 4feeb54baec6ff1e2653e2607f2a82afa0ca6e256c62e4997613011ba5c0837c.exe | 6027.tmp | 3
  PID 1176 wrote to memory of 3744 | 1176 | 5FD8.tmp | mstsc.exe | 4
Processes

C:\Users\Admin\AppData\Local\Temp\4feeb54baec6ff1e2653e2607f2a82afa0ca6e256c62e4997613011ba5c0837c.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\4feeb54baec6ff1e2653e2607f2a82afa0ca6e256c62e4997613011ba5c0837c.exe"
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\5FD8.tmp
    command line: "C:\Users\Admin\AppData\Local\Temp\5FD8.tmp"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\mstsc.exe
      command line: "C:\Windows\system32\mstsc.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\6027.tmp
    command line: "C:\Users\Admin\AppData\Local\Temp\6027.tmp"
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\AUDIODG.EXE
  command line: C:\Windows\system32\AUDIODG.EXE 0x160 0x2c8
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\5FD8.tmp
  Filesize: 510KB
  MD5: d67a0135081b15524de94a9c58ab029d
  SHA1: 48d4f9573acd255426e9812417d6f773ed726095
  SHA256: 5e4bdc3df4d21cc7a8a10639b252cb9717953de8880dd03c6d00e91b4594450f
  SHA512: 694a4dd33532ff0f8bf89a92d87916d518e6b284d09832a7d28fcedfadaf9c10529c167e675318761a0cc0d4f710a2f9537b9eabdca4dae85a0629fbc5f44c8a

C:\Users\Admin\AppData\Local\Temp\6027.tmp
  Filesize: 742KB
  MD5: c673e62fc1d5d0e646f3ba51f1d8c1d6
  SHA1: ccd251089f8fdb7819ddb48305eab19280c8042f
  SHA256: fbc9f53e0c980140c0ea7f1228aa01104a280fea5c1dd454ce4530d6c9443618
  SHA512: 65d57dcb0db426b28ced3b5c7507bb5f3c4c5cf79bd773fbd3ad889b7de79c9eda3307132367ce0b586e871cc5f7f59d0a8e8c32fdebc0ba31e29900e2d7bfba

memory/1176-139-0x0000000000400000-0x0000000000484000-memory.dmp
  Filesize: 528KB
memory/1176-142-0x000000000ED00000-0x000000000ED08000-memory.dmp
  Filesize: 32KB
memory/1176-130-0x0000000000000000-mapping.dmp
memory/2228-136-0x00000000023D0000-0x00000000023D8000-memory.dmp
  Filesize: 32KB
memory/2228-137-0x0000000000400000-0x00000000004D1000-memory.dmp
  Filesize: 836KB
memory/2228-133-0x0000000000000000-mapping.dmp
memory/3744-140-0x0000000000000000-mapping.dmp
memory/3744-141-0x0000000000720000-0x0000000000737000-memory.dmp
  Filesize: 92KB
memory/3744-143-0x0000000000720000-0x0000000000737000-memory.dmp
  Filesize: 92KB