Analysis
-
max time kernel
89s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
02-02-2023 18:28
Static task
static1
Behavioral task
behavioral1
Sample
file.exe
Resource
win7-20221111-en
General
-
Target
file.exe
-
Size
2.8MB
-
MD5
094506dab589aa3933fe28379d607e4e
-
SHA1
78b35e6e1c254f31079ea22a35fe5e0dde83848b
-
SHA256
8b45ddb55c917429dad237eac7bce95e29808c4157d098956144d19f247a1c0d
-
SHA512
5464a20e13a087fc56e441543d1182e2c7c80abd0156084d162a5b35cf0a357838b607f7956e07da6436ddc75abb22d7485c724b5770a6859f34d556ae0caa0e
-
SSDEEP
49152:ex04mKYkbtgQ/MwW/qvf7RZoVZZOHTjqFfK5r9oQSP1vh4CTRCC2OFj2OFS3:8juTq9zzWk99o11vhbTRCH3
Malware Config
Extracted
vidar
2.3
886
https://t.me/mantarlars
https://steamcommunity.com/profiles/76561199474840123
-
profile_id
886
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation file.exe -
Loads dropped DLL 2 IoCs
pid Process 4660 file.exe 4660 file.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mkfexvjrq = "\"C:\\Users\\Admin\\AppData\\Roaming\\Ngueozpsjs\\Mkfexvjrq.exe\"" file.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4808 set thread context of 4660 4808 file.exe 82 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 3456 4660 WerFault.exe 82 -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 file.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString file.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 4992 powershell.exe 4992 powershell.exe 4660 file.exe 4660 file.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 4808 file.exe Token: SeDebugPrivilege 4992 powershell.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 4808 wrote to memory of 4992 4808 file.exe 80 PID 4808 wrote to memory of 4992 4808 file.exe 80 PID 4808 wrote to memory of 4992 4808 file.exe 80 PID 4808 wrote to memory of 4660 4808 file.exe 82 PID 4808 wrote to memory of 4660 4808 file.exe 82 PID 4808 wrote to memory of 4660 4808 file.exe 82 PID 4808 wrote to memory of 4660 4808 file.exe 82 PID 4808 wrote to memory of 4660 4808 file.exe 82 PID 4808 wrote to memory of 4660 4808 file.exe 82 PID 4808 wrote to memory of 4660 4808 file.exe 82 PID 4808 wrote to memory of 4660 4808 file.exe 82 PID 4808 wrote to memory of 4660 4808 file.exe 82
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4992
-
-
C:\Users\Admin\AppData\Local\Temp\file.exeC:\Users\Admin\AppData\Local\Temp\file.exe2⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:4660 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 18683⤵
- Program crash
PID:3456
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4660 -ip 46601⤵PID:1412
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
Filesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571