Overview

overview

10

Static

static

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    125s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14/10/2022, 18:51

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    292KB

  • MD5

    010127f3cf0f5ab066c3264e423a33f3

  • SHA1

    e77d2f9799832f6f98269e6d1e8a88ba95a74a7d

  • SHA256

    f17d7c6a4166bae48178a63da35f72da8e73f7e696d2e87e1eba3c9e3df33f42

  • SHA512

    3358fa87cd5fff14da9aa503873e4abfef8c03c510782dae852c63246c30c0640bcb24d9d7d50c5bb0d302d17097a4b61fa7cbe1cc3b97343cc1f1c5fca503b0

  • SSDEEP

    6144:8anKdq2HmrYFHkEr2SuNW8E1koxoJStR:8/dx8YFGSuNW8EyVc

Score
10/10
vidar1663spywarestealer

Malware Config

Extracted

Family

vidar

Version

54.7

Botnet

1663

C2

https://t.me/trampapanam

https://nerdculture.de/@yoxhyp
Attributes
  • profile_id

    1663

Signatures

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5048
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      2⤵
        PID:1148
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        2⤵
          PID:2976
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
          2⤵
          • Loads dropped DLL
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1952
          • C:\ProgramData\19663615096509481816.exe
            "C:\ProgramData\19663615096509481816.exe"
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetWindowsHookEx
            PID:3336
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" \/c taskkill /im aspnet_compiler.exe /f & timeout /t 6 & del /f /q "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" & del C:\PrograData\*.dll & exit
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3580
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /im aspnet_compiler.exe /f
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:4116
            • C:\Windows\SysWOW64\timeout.exe
              timeout /t 6
              4⤵
              • Delays execution with timeout.exe
              PID:4308

      Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\ProgramData\19663615096509481816.exe
              Filesize

              53.1MB

              MD5

              9169ea8679cdebf702fd499d96853c32

              SHA1

              5261c476050bff49ecf8340dc10527de303cfe3e

              SHA256

              d1ea56128b7b0fe5093d6778cec2ffd20ddf6fae3183b68e07fc1cbfc9468ade

              SHA512

              0b6e03417e2c77e7ee3631f4a82a36fa4681e8c4b217c2a9f6dc0c889515db44fa4b452d0b7c324f6a731f1a50b750da3e4bc0d2d3636ab8182cf5127aaa44e1

              Download Submit

            • C:\ProgramData\19663615096509481816.exe
              Filesize

              53.1MB

              MD5

              9169ea8679cdebf702fd499d96853c32

              SHA1

              5261c476050bff49ecf8340dc10527de303cfe3e

              SHA256

              d1ea56128b7b0fe5093d6778cec2ffd20ddf6fae3183b68e07fc1cbfc9468ade

              SHA512

              0b6e03417e2c77e7ee3631f4a82a36fa4681e8c4b217c2a9f6dc0c889515db44fa4b452d0b7c324f6a731f1a50b750da3e4bc0d2d3636ab8182cf5127aaa44e1

              Download Submit

            • C:\ProgramData\mozglue.dll
              Filesize

              593KB

              MD5

              c8fd9be83bc728cc04beffafc2907fe9

              SHA1

              95ab9f701e0024cedfbd312bcfe4e726744c4f2e

              SHA256

              ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

              SHA512

              fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

              Download Submit

            • C:\ProgramData\nss3.dll
              Filesize

              2.0MB

              MD5

              1cc453cdf74f31e4d913ff9c10acdde2

              SHA1

              6e85eae544d6e965f15fa5c39700fa7202f3aafe

              SHA256

              ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

              SHA512

              dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\nsx67A4.tmp\LangDLL.dll
              Filesize

              5KB

              MD5

              08de81a4584f5201086f57a7a93ed83b

              SHA1

              266a6ecc8fb7dca115e6915cd75e2595816841a8

              SHA256

              4883cd4231744be2dca4433ef62824b7957a3c16be54f8526270402d9413ebe6

              SHA512

              b72e7cea5ce1f4dc64e65a1f683a3ef9e3fa2dc45cf421f569eb461f1fdcc0caf4ff62a872e62b400579f567c6ff9fc3c2e6e020cdca89d96015502c803a09b9

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\nsx67A4.tmp\nsDialogs.dll
              Filesize

              9KB

              MD5

              ca5bb0ee2b698869c41c087c9854487c

              SHA1

              4a8abbb2544f1a9555e57a142a147dfeb40c4ca4

              SHA256

              c719697d5ced17d97bbc48662327339ccec7e03f6552aa1d5c248f6fa5f16324

              SHA512

              363a80843d7601ba119bc981c4346188f490b388e3ed390a0667aaf5138b885eec6c69d4e7f60f93b069d6550277f4c926bd0f37bc893928111dc62494124770

              Download Submit

            • memory/1952-137-0x0000000000400000-0x000000000045B000-memory.dmp

              Filesize

              364KB

              Download

            • memory/1952-136-0x0000000000400000-0x000000000045B000-memory.dmp

              Filesize

              364KB

              Download

            • memory/1952-139-0x0000000000400000-0x000000000045B000-memory.dmp

              Filesize

              364KB

              Download

            • memory/1952-138-0x0000000000400000-0x000000000045B000-memory.dmp

              Filesize

              364KB

              Download

            • memory/1952-160-0x0000000000400000-0x000000000045B000-memory.dmp

              Filesize

              364KB

              Download

            • memory/1952-165-0x0000000000400000-0x000000000045B000-memory.dmp

              Filesize

              364KB

              Download

            • memory/1952-140-0x0000000061E00000-0x0000000061EF3000-memory.dmp

              Filesize

              972KB

              Download

            • memory/5048-132-0x00000000000D0000-0x000000000011A000-memory.dmp

              Filesize

              296KB

              Download