Overview

Task scores (the static task and each behavioral task, by sample and platform):
- Static: 10
- animal99.zip, windows7-x64: 1
- animal99.zip, windows10-2004-x64: 1
- TradingView Premium portable_v.2.53.exe, windows7-x64: 10
- TradingView Premium portable_v.2.53.exe, windows10-2004-x64: 10
- langs/Hungarian.ps1, windows7-x64: 1
- langs/Hungarian.ps1, windows10-2004-x64: 1
- langs/Korean.ps1, windows7-x64: 1
- langs/Korean.ps1, windows10-2004-x64: 1
Analysis

- max time kernel: 71s
- max time network: 135s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-10-2022 09:08
Tasks:
- static1: Static task
- behavioral1: animal99.zip, resource win7-20220901-en
- behavioral2: animal99.zip, resource win10v2004-20220812-en
- behavioral3: TradingView Premium portable_v.2.53.exe, resource win7-20220812-en
- behavioral4: TradingView Premium portable_v.2.53.exe, resource win10v2004-20220901-en
- behavioral5: langs/Hungarian.ps1, resource win7-20220812-en
- behavioral6: langs/Hungarian.ps1, resource win10v2004-20220812-en
- behavioral7: langs/Korean.ps1, resource win7-20220812-en
- behavioral8: langs/Korean.ps1, resource win10v2004-20220901-en
General

- Target: TradingView Premium portable_v.2.53.exe
- Size: 354.9MB
- MD5: 20ff4975e511cc5bf72ed3cb77146172
- SHA1: 62ed1b7346e456a34a6812bd7ed3c3746c2870bc
- SHA256: bc3c8a31f944e92035a1d7ed1d6fab1bff723b1dd4f17e9bfeb20b25f19b316b
- SHA512: e63eb32fc57729140eadd19a9b918d8019c24202a0883358e80d82ea99793e77e1eb8f7054657cd03b11664def1ebe94d8a5bbeaff123ae4fd52dbce31869730
- SSDEEP: 196608:66pHOtwZjreSOmXxiNsvdnHB8l0wnmvuV0Koku/MNkb:rutwJrerWxie9h8lvmvuuGU
Malware Config

Extracted configuration (family: vidar):
- 54.9
- 1142
- https://t.me/larsenup
- https://ioc.exchange/@zebra54
- profile_id: 1142
Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
- Process: TradingView Premium portable_v.2.53.exe
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Downloads MZ/PE file

Executes dropped EXE (2 IoCs)
- PID 1104: 36125003509892486859.exe
- PID 2336: oobeldr.exe

YARA rule matches (resource: rule)
- C:\ProgramData\36125003509892486859.exe: vmprotect
- behavioral4/memory/1104-167-0x0000000000140000-0x0000000000891000-memory.dmp: vmprotect
- C:\ProgramData\36125003509892486859.exe: vmprotect
- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe: vmprotect
- behavioral4/memory/2336-172-0x0000000000F50000-0x00000000016A1000-memory.dmp: vmprotect

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
- Process: TradingView Premium portable_v.2.53.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely a geofence.
- Process: TradingView Premium portable_v.2.53.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation

Loads dropped DLL (2 IoCs)
- PID 1480: TradingView Premium portable_v.2.53.exe (2 events)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled
- Process: TradingView Premium portable_v.2.53.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
- PID 1480: TradingView Premium portable_v.2.53.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Process: TradingView Premium portable_v.2.53.exe
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe (1 IoCs)
- PID 2948: timeout.exe

Kills process with taskkill (1 IoCs)
- PID 5100: taskkill.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
- PID 1480: TradingView Premium portable_v.2.53.exe (8 events)

Suspicious use of WriteProcessMemory (18 IoCs)
Source PID -> target PID (source process -> target process); each pair was recorded three times:
- 1480 -> 1104: TradingView Premium portable_v.2.53.exe -> 36125003509892486859.exe
- 1480 -> 4860: TradingView Premium portable_v.2.53.exe -> cmd.exe
- 4860 -> 5100: cmd.exe -> taskkill.exe
- 1104 -> 840: 36125003509892486859.exe -> schtasks.exe
- 4860 -> 2948: cmd.exe -> timeout.exe
- 2336 -> 2980: oobeldr.exe -> schtasks.exe
Processes

Process tree (depth in brackets, command line, then the signatures attached to that process):

- [1] C:\Users\Admin\AppData\Local\Temp\TradingView Premium portable_v.2.53.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\TradingView Premium portable_v.2.53.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks computer location settings
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - [2] C:\ProgramData\36125003509892486859.exe
    Command line: "C:\ProgramData\36125003509892486859.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory

    - [3] C:\Windows\SysWOW64\schtasks.exe
      Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
      - Creates scheduled task(s)

  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im TradingView Premium portable_v.2.53.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\TradingView Premium portable_v.2.53.exe" & del C:\PrograData\*.dll & exit
    - Suspicious use of WriteProcessMemory

    - [3] C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im TradingView Premium portable_v.2.53.exe /f
      - Kills process with taskkill

    - [3] C:\Windows\SysWOW64\timeout.exe
      Command line: timeout /t 6
      - Delays execution with timeout.exe

- [1] C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

  - [2] C:\Windows\SysWOW64\schtasks.exe
    Command line: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
    - Creates scheduled task(s)
Downloads

- C:\ProgramData\36125003509892486859.exe
  Filesize: 4.6MB
  MD5: fef47f78e1ef37261359ef0e1f6921b5
  SHA1: 55043b2c826deac7f42f6f1ba7708a2cf3cbcf9b
  SHA256: 314c64429bd92e8ab3cfa9280f89fdac2c93a8706991f7e48d4d70fd80c14a68
  SHA512: 25cf030a94993f50ab1d38d8f1e3de07b8aba7ca1ceb69b276c9925d89d57df49e9c53047d55bc7b3f4141b7e9e36514a07789343fa37a254d3fc806fe6a1b07
- C:\ProgramData\mozglue.dll
  Filesize: 593KB
  MD5: c8fd9be83bc728cc04beffafc2907fe9
  SHA1: 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
  SHA256: ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
  SHA512: fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

- C:\ProgramData\nss3.dll
  Filesize: 2.0MB
  MD5: 1cc453cdf74f31e4d913ff9c10acdde2
  SHA1: 6e85eae544d6e965f15fa5c39700fa7202f3aafe
  SHA256: ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
  SHA512: dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

- C:\Users\Admin\AppData\Roaming\Microsoft\Protect\oobeldr.exe
  Filesize: 4.6MB
  MD5: fef47f78e1ef37261359ef0e1f6921b5
  SHA1: 55043b2c826deac7f42f6f1ba7708a2cf3cbcf9b
  SHA256: 314c64429bd92e8ab3cfa9280f89fdac2c93a8706991f7e48d4d70fd80c14a68
  SHA512: 25cf030a94993f50ab1d38d8f1e3de07b8aba7ca1ceb69b276c9925d89d57df49e9c53047d55bc7b3f4141b7e9e36514a07789343fa37a254d3fc806fe6a1b07