Overview

overview

10

Static

static

npp.8.4.7....64.exe

windows7-x64

10

npp.8.4.7....64.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    270s
  • max time network
    374s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 11:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    npp.8.4.7.Installer.x64/npp.8.4.7.Installer.x64.exe

  • Size

    555.0MB

  • MD5

    4d556911a3a2c22dbd35f381ed7d9dbb

  • SHA1

    9439c5dc5dab13d38c279454d5a16e580599700a

  • SHA256

    7f9202f5ee95364f2df5bbc6563548667f314678f0561eb052524d5103ec4b00

  • SHA512

    f8c275a1839ec498eeaaa8f59ad394ba860474bf4a3e7cc581713e6be4bf13c69acfef921a4b878bad1d49eee22f5cac89aeab3341fdb28349dee2508544f612

  • SSDEEP

    3072:DJ6pgZGjXpoGoByXPQs2UTXQ8yb7aFcqiSIvF68KJ9oEZqc:DJOgZGbpYByPT7lyvIcTSIvF68KIc

Score
10/10
vidar1340stealer

Malware Config

Extracted

Family

vidar

Version

55.8

Botnet

1340

C2

https://t.me/headshotsonly

https://steamcommunity.com/profiles/76561199436777531
Attributes
  • profile_id

    1340

Signatures

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\npp.8.4.7.Installer.x64\npp.8.4.7.Installer.x64.exe
    "C:\Users\Admin\AppData\Local\Temp\npp.8.4.7.Installer.x64\npp.8.4.7.Installer.x64.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3828
    • C:\Users\Admin\AppData\Local\Temp\Obzuaolnpp.8.4.7.installer.x64.exe
      "C:\Users\Admin\AppData\Local\Temp\Obzuaolnpp.8.4.7.installer.x64.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:1584
    • C:\Users\Admin\AppData\Local\Temp\npp.8.4.7.Installer.x64\npp.8.4.7.Installer.x64.exe
      C:\Users\Admin\AppData\Local\Temp\npp.8.4.7.Installer.x64\npp.8.4.7.Installer.x64.exe
      2⤵
        PID:3964

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Obzuaolnpp.8.4.7.installer.x64.exe
      Filesize

      4.4MB

      MD5

      feaa91429fb314271bb2cd3db61bcb8a

      SHA1

      50758c9bea853caceddaf49dfbed82db8a72d994

      SHA256

      515d2c71ece7c4c7432794b9e1bb6fcf60fdaa2e499744c09af113c65d6dbb68

      SHA512

      fa0a891be025fc207a02018d82d85360f4653c10b414bcc7f175550d992bfefe39dbdbe23b1a848720ee595ae2745e9b9fb171ad2da1eef526ae3ada0fff3ef8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Obzuaolnpp.8.4.7.installer.x64.exe
      Filesize

      4.4MB

      MD5

      feaa91429fb314271bb2cd3db61bcb8a

      SHA1

      50758c9bea853caceddaf49dfbed82db8a72d994

      SHA256

      515d2c71ece7c4c7432794b9e1bb6fcf60fdaa2e499744c09af113c65d6dbb68

      SHA512

      fa0a891be025fc207a02018d82d85360f4653c10b414bcc7f175550d992bfefe39dbdbe23b1a848720ee595ae2745e9b9fb171ad2da1eef526ae3ada0fff3ef8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsv731B.tmp\LangDLL.dll
      Filesize

      5KB

      MD5

      68b287f4067ba013e34a1339afdb1ea8

      SHA1

      45ad585b3cc8e5a6af7b68f5d8269c97992130b3

      SHA256

      18e8b40ba22c7a1687bd16e8d585380bc2773fff5002d7d67e9485fcc0c51026

      SHA512

      06c38bbb07fb55256f3cdc24e77b3c8f3214f25bfd140b521a39d167113bf307a7e8d24e445d510bc5e4e41d33c9173bb14e3f2a38bc29a0e3d08c1f0dca4bdb

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsv731B.tmp\System.dll
      Filesize

      12KB

      MD5

      cff85c549d536f651d4fb8387f1976f2

      SHA1

      d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

      SHA256

      8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

      SHA512

      531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

      Download Submit

    • memory/1584-144-0x0000000000000000-mapping.dmp

      Download

    • memory/2016-133-0x0000000009000000-0x00000000095A4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2016-134-0x0000000008A50000-0x0000000008AE2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2016-135-0x00000000070E0000-0x0000000007102000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2016-132-0x0000000000D30000-0x0000000000D60000-memory.dmp

      Filesize

      192KB

      Download

    • memory/3828-138-0x00000000056E0000-0x0000000005D08000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/3828-139-0x0000000005D10000-0x0000000005D76000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3828-143-0x0000000005200000-0x000000000521A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3828-141-0x0000000006490000-0x00000000064AE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3828-140-0x0000000005E40000-0x0000000005EA6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3828-136-0x0000000000000000-mapping.dmp

      Download

    • memory/3828-137-0x0000000004EF0000-0x0000000004F26000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3828-142-0x0000000007CF0000-0x000000000836A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/3964-149-0x0000000000400000-0x000000000045F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3964-150-0x0000000000400000-0x000000000045F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3964-148-0x0000000000400000-0x000000000045F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3964-147-0x0000000000400000-0x000000000045F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3964-146-0x0000000000000000-mapping.dmp

      Download

    • memory/3964-154-0x0000000000400000-0x000000000045F000-memory.dmp

      Filesize

      380KB

      Download

    • memory/3964-155-0x000000006F580000-0x000000006F673000-memory.dmp

      Filesize

      972KB

      Download