Analysis

  • max time kernel
    99s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-01-2023 10:13

General

  • Target

    Setup.exe

  • Size

    470.6MB

  • MD5

    5909ae2b1c956d4c13b1e6041fdb7f9d

  • SHA1

    8e500369fda8625e0c153c07aabc3ca383d49d44

  • SHA256

    b4b353183fc52980c539601936d8a3774e78f4f8d44e64e8e7082427eed06dbf

  • SHA512

    de385015cb140cbeed61dfd6f923a1b8db054e5cb062e6ca8be0a94de9bccbe3ef3cb1e9fcceb14a0aa64f327e35efc449c47e7d15cb9e358ef8bc80ba2411d2

  • SSDEEP

    49152:FDHrATS9GPSiK6Wl6n+XXZEk4fvXAFXr4ND9pv/OSt5GjhCbhontKH5ck6JjH:FDHoPnWoUSXhjpv//t0jhC+ntkOn

Malware Config

Extracted

Family

vidar

Version

2.2

Botnet

15

C2

https://t.me/litlebey

https://steamcommunity.com/profiles/76561199472399815

Attributes
  • profile_id

    15

Signatures

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Checks BIOS information in registry 2 TTPs 6 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Modifies file permissions 1 TTPs 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses 2FA software files, possible credential harvesting 2 TTPs
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 3 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks computer location settings
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:528
    • C:\ProgramData\95453714289993026678.exe
      "C:\ProgramData\95453714289993026678.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks computer location settings
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3404
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /CREATE /TN "9.5.9.Microsoft.NET\AgentActivationRuntime9.5.9.\IntelPalnt9.5.9." /TR "C:\ProgramData\O8OOISS9\WlndowsDraiver-Ver9.5.9.0.exe" /SC MINUTE
        3⤵
        • Creates scheduled task(s)
        PID:3044
      • C:\Windows\System32\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\O8OOISS9" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:3596
      • C:\Windows\System32\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\O8OOISS9" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:1996
      • C:\Windows\System32\icacls.exe
        "C:\Windows\System32\icacls.exe" "C:\ProgramData\O8OOISS9" /inheritance:e /deny "admin:(R,REA,RA,RD)"
        3⤵
        • Modifies file permissions
        PID:1552
    • C:\ProgramData\55281894466795683219.exe
      "C:\ProgramData\55281894466795683219.exe"
      2⤵
      • Executes dropped EXE
      • Modifies system certificate store
      • Suspicious use of WriteProcessMemory
      PID:5112
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\ProgramData\55281894466795683219.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3376
        • C:\Windows\system32\choice.exe
          choice /C Y /N /D Y /T 0
          4⤵
          PID:4500
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Setup.exe" & exit
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:424
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 6
          3⤵
          • Delays execution with timeout.exe
          PID:4736
    • C:\ProgramData\O8OOISS9\WlndowsDraiver-Ver9.5.9.0.exe
      C:\ProgramData\O8OOISS9\WlndowsDraiver-Ver9.5.9.0.exe
      1⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      PID:1136

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Tactic                Technique                           Count  ID
    Execution             Scheduled Task                      1      T1053
    Persistence           Registry Run Keys / Startup Folder  1      T1060
    Persistence           Scheduled Task                      1      T1053
    Privilege Escalation  Scheduled Task                      1      T1053
    Defense Evasion       Virtualization/Sandbox Evasion      1      T1497
    Defense Evasion       File Permissions Modification       1      T1222
    Defense Evasion       Modify Registry                     2      T1112
    Defense Evasion       Install Root Certificate            1      T1130
    Credential Access     Credentials in Files                3      T1081
    Discovery             Query Registry                      5      T1012
    Discovery             Virtualization/Sandbox Evasion      1      T1497
    Discovery             System Information Discovery        5      T1082
    Collection            Data from Local System              3      T1005

    Downloads

    • C:\ProgramData\55281894466795683219.exe
      Filesize

      7.4MB

      MD5

      7c3c33a79f460a4536433f5ba99b3fcd

      SHA1

      2a3d9abc1a733453804213b8bf24f14bfa5cd581

      SHA256

      88dbf134cd4628fc8b97cc1adf5201cae875df1fa5280b3cbc0306478161e9f4

      SHA512

      0e4330014b00e1eb3318692862574f7142ce97be02ebd3c00932aec99e236196652f7f7ea95aef7cf3b2501c0c167ce17772bafdebe998a638678e990c7368c4

    • C:\ProgramData\95453714289993026678.exe
      Filesize

      9.9MB

      MD5

      2656417019396085e92957933d6d5418

      SHA1

      f2395b39a403f89df2f161ed813b1015729c2308

      SHA256

      00a1be7e46454a3604aed2b824952e35d49330f2ebc28b9b03c03f0ffd71af89

      SHA512

      7ce74e33879b21863638836a9c67ff995a53bbdbe02e0db452661aa48fccfd4b20cf1cea5a071f0a815745e2eea90756e8465a5db5c4dfe388fdfcb4b0bcd1d5

    • C:\ProgramData\O8OOISS9\WlndowsDraiver-Ver9.5.9.0.exe
      Filesize

      651.6MB

      MD5

      cdaf4235fef983d922fa592a701e4da2

      SHA1

      b1de1c0383f434db480d8c2ebf7093f4ff626d29

      SHA256

      fb9d878bc80e0f1ef76e2ac27a1f9bcd63e3e0a277e0ac2a34a4b92dc0f95c34

      SHA512

      a2ab554e9cd4e97774f43fc75951bcd4aa3839fb8a8b07d6a7480b60dd7f1d079ffa18e0f4929c0284d5855fceee21d8e248b7f7c7ecb39419969521fe3017ae

    • C:\ProgramData\mozglue.dll
      Filesize

      133KB

      MD5

      8f73c08a9660691143661bf7332c3c27

      SHA1

      37fa65dd737c50fda710fdbde89e51374d0c204a

      SHA256

      3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

      SHA512

      0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

    • C:\ProgramData\nss3.dll
      Filesize

      1.2MB

      MD5

      bfac4e3c5908856ba17d41edcd455a51

      SHA1

      8eec7e888767aa9e4cca8ff246eb2aacb9170428

      SHA256

      e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

      SHA512

      2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

    • memory/424-172-0x0000000000000000-mapping.dmp
    • memory/528-161-0x0000000000400000-0x0000000000B79000-memory.dmp
      Filesize

      7.5MB

    • memory/528-135-0x0000000000400000-0x0000000000B79000-memory.dmp
      Filesize

      7.5MB

    • memory/528-132-0x0000000000400000-0x0000000000B79000-memory.dmp
      Filesize

      7.5MB

    • memory/528-162-0x0000000077E30000-0x0000000077FD3000-memory.dmp
      Filesize

      1.6MB

    • memory/528-163-0x0000000000400000-0x0000000000B79000-memory.dmp
      Filesize

      7.5MB

    • memory/528-134-0x0000000000400000-0x0000000000B79000-memory.dmp
      Filesize

      7.5MB

    • memory/528-139-0x0000000000400000-0x0000000000B79000-memory.dmp
      Filesize

      7.5MB

    • memory/528-138-0x0000000077E30000-0x0000000077FD3000-memory.dmp
      Filesize

      1.6MB

    • memory/528-133-0x0000000000400000-0x0000000000B79000-memory.dmp
      Filesize

      7.5MB

    • memory/528-137-0x0000000000400000-0x0000000000B79000-memory.dmp
      Filesize

      7.5MB

    • memory/528-136-0x0000000000400000-0x0000000000B79000-memory.dmp
      Filesize

      7.5MB

    • memory/528-174-0x0000000077E30000-0x0000000077FD3000-memory.dmp
      Filesize

      1.6MB

    • memory/528-173-0x0000000000400000-0x0000000000B79000-memory.dmp
      Filesize

      7.5MB

    • memory/528-140-0x0000000060900000-0x0000000060992000-memory.dmp
      Filesize

      584KB

    • memory/1136-197-0x00007FF74D7D0000-0x00007FF74EDAE000-memory.dmp
      Filesize

      21.9MB

    • memory/1136-198-0x00007FF74D7D0000-0x00007FF74EDAE000-memory.dmp
      Filesize

      21.9MB

    • memory/1136-193-0x00007FF74D7D0000-0x00007FF74EDAE000-memory.dmp
      Filesize

      21.9MB

    • memory/1136-191-0x00007FF74D7D0000-0x00007FF74EDAE000-memory.dmp
      Filesize

      21.9MB

    • memory/1136-199-0x00007FF74D7D0000-0x00007FF74EDAE000-memory.dmp
      Filesize

      21.9MB

    • memory/1136-200-0x00007FF74D7D0000-0x00007FF74EDAE000-memory.dmp
      Filesize

      21.9MB

    • memory/1552-187-0x0000000000000000-mapping.dmp
    • memory/1996-186-0x0000000000000000-mapping.dmp
    • memory/3044-184-0x0000000000000000-mapping.dmp
    • memory/3376-171-0x0000000000000000-mapping.dmp
    • memory/3404-189-0x00007FF78FAC0000-0x00007FF79109E000-memory.dmp
      Filesize

      21.9MB

    • memory/3404-182-0x00007FF78FAC0000-0x00007FF79109E000-memory.dmp
      Filesize

      21.9MB

    • memory/3404-181-0x00007FF78FAC0000-0x00007FF79109E000-memory.dmp
      Filesize

      21.9MB

    • memory/3404-183-0x00007FF78FAC0000-0x00007FF79109E000-memory.dmp
      Filesize

      21.9MB

    • memory/3404-177-0x00007FF78FAC0000-0x00007FF79109E000-memory.dmp
      Filesize

      21.9MB

    • memory/3404-192-0x00007FF78FAC0000-0x00007FF79109E000-memory.dmp
      Filesize

      21.9MB

    • memory/3404-170-0x00007FF78FAC0000-0x00007FF79109E000-memory.dmp
      Filesize

      21.9MB

    • memory/3404-164-0x0000000000000000-mapping.dmp
    • memory/3596-185-0x0000000000000000-mapping.dmp
    • memory/4500-175-0x0000000000000000-mapping.dmp
    • memory/4736-176-0x0000000000000000-mapping.dmp
    • memory/5112-167-0x0000000000000000-mapping.dmp