Analysis
-
max time kernel
84s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
11/01/2023, 16:23
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20220812-en
General
-
Target
file.exe
-
Size
422KB
-
MD5
9d7d6e8aa69bfbfaa97836e3ad221e10
-
SHA1
b195022878f73153d31a9ed2d7891c0ef37f21cf
-
SHA256
5b61d5b183c6015628a4870b5522a1989019c624d2c31838f4c752e2884d98d4
-
SHA512
c3a51a1aee34b9babab1eb300924f9834c9a438f2f9acb2b997c97c7040fdaf09a24221da9d6b20ccefbad69f6a7712740ca2cb8e5d07fe94da892f1f2065e9d
-
SSDEEP
6144:h1NvPj5H1z8Mm1Oda3uZv78cc8ecVeGXcFCYzz3fx8OEN5w8ZHoP3Zi50tpxFzW:hLVH1z8MmgdfpvV6xzz3jEN5T23Zi4
Malware Config
Extracted
vidar
2
560
https://t.me/tgdatapacks
https://steamcommunity.com/profiles/76561199469677637
-
profile_id
560
Signatures
-
Loads dropped DLL 2 IoCs
pid Process 1352 file.exe 1352 file.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 1 IoCs
pid pid_target Process procid_target 4540 1352 WerFault.exe 80 -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString file.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 file.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1352 file.exe 1352 file.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1352 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 19922⤵
- Program crash
PID:4540
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1352 -ip 13521⤵PID:4860
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
133KB
MD58f73c08a9660691143661bf7332c3c27
SHA137fa65dd737c50fda710fdbde89e51374d0c204a
SHA2563fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA5120042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
Filesize
1.2MB
MD5bfac4e3c5908856ba17d41edcd455a51
SHA18eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA5122565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66