Overview

overview

10

Static

static

7

Setup.exe

windows7-x64

10

Setup.exe

windows10-2004-x64

10

Resubmissions

11-09-2022 13:26

220911-qpvgrsbfc3 10

11-09-2022 12:47

220911-p1dsqabeh4 10

Analysis

  • max time kernel
    161s
  • max time network
    172s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-09-2022 12:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Setup.exe

  • Size

    370.9MB

  • MD5

    caceb6578e7a4d3011ea97c9d1a693c0

  • SHA1

    9d161e2ec7ecad49fed29e43fd8b04afad11e11d

  • SHA256

    f09c16eea97b9e4733ad58653a92b7f4a1ce00556a91ca83d2013153f6ff0e59

  • SHA512

    5200fb2d9a7654145977e1fbba6a9a77ba026e50523614111a0bfdd0a1eb63043546ee90ec38774aaeeeefdb8fd71e5c9be24d8463fc9bd540b3c15eca49fcdd

  • SSDEEP

    98304:PSZWVxMgSBX6E1BwA26/JQtm111+kZNyLwd/nM2Stzv//PK3cS6i7zsnBW:qW2Hz726xQUakZNy8VMDVv/cr68ABW

Score
10/10
vidar1281evasionstealerthemidatrojan

Malware Config

Extracted

Family

vidar

Version

53.3

Botnet

1281

C2

http://185.53.46.199:80

http://77.75.230.119:80

http://5.252.23.43:80
Attributes
  • profile_id

    1281

Signatures

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 9 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of FindShellTrayWindow 18 IoCs
  • Suspicious use of SendNotifyMessage 16 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious behavior: EnumeratesProcesses
    PID:4356
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1004
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff8ccd946f8,0x7ff8ccd94708,0x7ff8ccd94718
      2⤵
        PID:4412
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,11974686358881645736,13296271563072822087,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2284 /prefetch:2
        2⤵
          PID:2428
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,11974686358881645736,13296271563072822087,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4084
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,11974686358881645736,13296271563072822087,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
          2⤵
            PID:1988
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,11974686358881645736,13296271563072822087,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3756 /prefetch:1
            2⤵
              PID:3720
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,11974686358881645736,13296271563072822087,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4320 /prefetch:1
              2⤵
                PID:1256
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,11974686358881645736,13296271563072822087,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4352 /prefetch:1
                2⤵
                  PID:3428
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2176,11974686358881645736,13296271563072822087,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5328 /prefetch:8
                  2⤵
                    PID:5076
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2176,11974686358881645736,13296271563072822087,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5844 /prefetch:8
                    2⤵
                      PID:1260
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,11974686358881645736,13296271563072822087,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
                      2⤵
                        PID:4728
                    • C:\Windows\System32\CompPkgSrv.exe
                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                      1⤵
                        PID:4300

                      Network

                      MITRE ATT&CK Matrix ATT&CK v6

                      Initial Access

                      Execution

                      Persistence

                      Privilege Escalation

                      Defense Evasion

                      Virtualization/Sandbox Evasion

                      1
                      T1497

                      Credential Access

                      Discovery

                      Query Registry

                      3
                      T1012

                      Virtualization/Sandbox Evasion

                      1
                      T1497

                      System Information Discovery

                      3
                      T1082

                      Lateral Movement

                      Collection

                      Exfiltration

                      Command and Control

                      Impact

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • \??\pipe\LOCAL\crashpad_1004_ZMOOSSFCNHXVILGH
                        MD5

                        d41d8cd98f00b204e9800998ecf8427e

                        SHA1

                        da39a3ee5e6b4b0d3255bfef95601890afd80709

                        SHA256

                        e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                        SHA512

                        cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                        Download Submit
                      • memory/1256-157-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1260-163-0x0000000000000000-mapping.dmp
                        Download
                      • memory/1988-153-0x0000000000000000-mapping.dmp
                        Download
                      • memory/2428-149-0x0000000000000000-mapping.dmp
                        Download
                      • memory/3428-159-0x0000000000000000-mapping.dmp
                        Download
                      • memory/3720-155-0x0000000000000000-mapping.dmp
                        Download
                      • memory/4084-150-0x0000000000000000-mapping.dmp
                        Download
                      • memory/4356-142-0x0000000077080000-0x0000000077223000-memory.dmp
                        Filesize

                        1.6MB

                        Download
                      • memory/4356-132-0x0000000000420000-0x000000000108E000-memory.dmp
                        Filesize

                        12.4MB

                        Download
                      • memory/4356-146-0x0000000077080000-0x0000000077223000-memory.dmp
                        Filesize

                        1.6MB

                        Download
                      • memory/4356-133-0x0000000000420000-0x000000000108E000-memory.dmp
                        Filesize

                        12.4MB

                        Download
                      • memory/4356-144-0x0000000000420000-0x000000000108E000-memory.dmp
                        Filesize

                        12.4MB

                        Download
                      • memory/4356-143-0x0000000000420000-0x000000000108E000-memory.dmp
                        Filesize

                        12.4MB

                        Download
                      • memory/4356-141-0x0000000000420000-0x000000000108E000-memory.dmp
                        Filesize

                        12.4MB

                        Download
                      • memory/4356-145-0x0000000000420000-0x000000000108E000-memory.dmp
                        Filesize

                        12.4MB

                        Download
                      • memory/4356-140-0x0000000000420000-0x000000000108E000-memory.dmp
                        Filesize

                        12.4MB

                        Download
                      • memory/4356-139-0x0000000000420000-0x000000000108E000-memory.dmp
                        Filesize

                        12.4MB

                        Download
                      • memory/4356-138-0x0000000000420000-0x000000000108E000-memory.dmp
                        Filesize

                        12.4MB

                        Download
                      • memory/4412-147-0x0000000000000000-mapping.dmp
                        Download
                      • memory/4728-165-0x0000000000000000-mapping.dmp
                        Download
                      • memory/5076-161-0x0000000000000000-mapping.dmp
                        Download