Analysis
-
max time kernel
81s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
15-02-2023 12:38
General
-
Target
https://www.mediafire.com/file/g2x9mbajf2i8k9a/Spotify_Premium_8.7.14.1332_%255BFull_Version%255D.rar/file
Malware Config
Extracted
vidar
2.5
408
-
profile_id
408
Signatures
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 64 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SetWindowsHookEx 9 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://www.mediafire.com/file/g2x9mbajf2i8k9a/Spotify_Premium_8.7.14.1332_%255BFull_Version%255D.rar/file1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:764 CREDAT:17410 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Spotify Premium 8.7.14.1332 [Full Version]\" -spe -an -ai#7zMap2133:146:7zEvent274191⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\Downloads\Spotify Premium 8.7.14.1332 [Full Version]\Setup.exe"C:\Users\Admin\Downloads\Spotify Premium 8.7.14.1332 [Full Version]\Setup.exe"1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\ProgramData\20205465619298939219.exe"C:\ProgramData\20205465619298939219.exe"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\ProgramData\20205465619298939219.exe4⤵
-
C:\Windows\system32\choice.exechoice /C Y /N /D Y /T 05⤵
-
C:\Users\Admin\Downloads\Spotify Premium 8.7.14.1332 [Full Version]\Setup.exe"C:\Users\Admin\Downloads\Spotify Premium 8.7.14.1332 [Full Version]\Setup.exe"1⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
-
C:\Users\Admin\Downloads\Spotify Premium 8.7.14.1332 [Full Version]\Setup.exe"C:\Users\Admin\Downloads\Spotify Premium 8.7.14.1332 [Full Version]\Setup.exe"1⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\20205465619298939219.exeFilesize
7.4MB
MD5c20965f0f720fe1249562be190dd17b2
SHA121ebe0421472c864756ff113154e34d27e536f12
SHA256fa0eb0c07f81650f16550fae12b5d286ef2c4cadb1ab19ce13bdb83762d1a4a3
SHA512c48da05164703bcab01eb40409222b2587dd8a5324d6467a836f28395cb155d2861c256306ea951cd1911696a53558100150c74add89f66380d90f1925d8bc9b
-
C:\ProgramData\20205465619298939219.exeFilesize
7.4MB
MD5c20965f0f720fe1249562be190dd17b2
SHA121ebe0421472c864756ff113154e34d27e536f12
SHA256fa0eb0c07f81650f16550fae12b5d286ef2c4cadb1ab19ce13bdb83762d1a4a3
SHA512c48da05164703bcab01eb40409222b2587dd8a5324d6467a836f28395cb155d2861c256306ea951cd1911696a53558100150c74add89f66380d90f1925d8bc9b
-
C:\ProgramData\mozglue.dllFilesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
C:\ProgramData\nss3.dllFilesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
1KB
MD5e28944269d7eeb0d11663d77f668a2c6
SHA152403fff50ada7e2de079507790dcbf1703b1097
SHA25669731265c0d4cac20fa9867a41a12b2f8c30160111b4e2fca9e728bac4164f81
SHA5120f1bac906752d34ee6b1e56acac6ec2bc5227cbdff7c95afe5b724b8155c303601f7a4ef3f05fd89ce84fa9a50457ce74ba5d9ee2acfb1faeb1636807ec61a24
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
471B
MD53e41dd9366864e66b96c7435d56506ff
SHA17514d785e9fad54ffd07bde3f86d90bc4ac52bf8
SHA2565902822e5633fd62796953f564224537bb472a22c1b4d0810f705f8e1e81603f
SHA512ba64698f66e406a64667af24aca8f6187b9c8a477551970d8ba0a73c089b9577bf7c2c1bb95c764f84dc98fdb76d126bbdb1ae96b0657291507af46a2a922d9f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAFilesize
410B
MD57f6f0f9ee76c1891a8e3b3263dd74bf9
SHA14b1c60975a0a008455347d8a90acf27238716842
SHA256466409be493909d274e78082784ff99f0ccbb1d3c3c0d292e81fc30f05d2245d
SHA5129e7c0b484772b6a2963d7563fc30914735a2dbd853a456c5403720dbadf07c08e58837c181532f5961e85056265e685c5182d4d0be795a347cf738b7a80633bc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776Filesize
404B
MD5a7897185024e9c1d40d78ea6e0dbe119
SHA185d2d7a4584034fece6acc318302bcaa64d41441
SHA256a5cf5e486d980546d5501199c65e429ea9aa24f1f855e480f1be0db18e61c378
SHA51272e89e888e67f0253f2819616072beda61fed9ba81b3a8f497ac963a35a9053855c5dc87061eb86da6b45bc332825f9c0e3b1ad9b58fcce0e0c5a255e8cdc4f8
-
C:\Users\Admin\Downloads\Spotify Premium 8.7.14.1332 [Full Version].rar.fgpu0w8.partialFilesize
7.8MB
MD568ec8fe70d0a5aa0fe24ad80f6b7b1a9
SHA1b7450a3dda89e9345bb03419d5ce8186d1434ecc
SHA25612a97140043e32e3a4f15bb9a17e16692d06c33cd56bb6d497ac6be2c5c02093
SHA5125abf719dee7ad931553178fecfaa1d2a18c30c49345b6875780ef7ba4b5a0c79be98ceaa666ae523642733157b158f6f5a57fe3e550e8fdc741dcaff4f45a4ab
-
C:\Users\Admin\Downloads\Spotify Premium 8.7.14.1332 [Full Version]\Setup.exeFilesize
109.7MB
MD57467034e59e6215aefe54323a56241f0
SHA19c2b463bde71f20b0898a3b09ad0c92eba1c4556
SHA256493f3822070d32e27da95207eee57b5416fcbad4abd2322fa6fe586760657981
SHA512be7624f783f2e7a8f5a8d970fe17914314407c59d0380f7b1ad2977c26d705fb1070a56b17237a5d7a9c549ea2a385f9e42b360433d39e67b30473ca6a45e578
-
C:\Users\Admin\Downloads\Spotify Premium 8.7.14.1332 [Full Version]\Setup.exeFilesize
134.9MB
MD5a44654c2fec6b5e58b0a34ca8430a4d2
SHA1f3fbd7652797814132ec8d94422983dd4a5d399e
SHA256167c0d51224d32979c80a454a6cc84b071c47cd2663dd4552ebcbc9798eb2c55
SHA512d2ea915cdb8ff41eaeed1898fa39eb89254c7f38ca25bafefe82a78f3a15987290c512fcdcbc3b19ec9e8d6def10c31a86cd36ab5ff29a819edc4c85e19c977f
-
C:\Users\Admin\Downloads\Spotify Premium 8.7.14.1332 [Full Version]\Setup.exeFilesize
115.9MB
MD505378a3b591c78d1b6b03bc094995d17
SHA1f642fcc24cd283682fbc705ec89ec706022cb3e6
SHA2569768875b3aab3b2b6b3882a9277497028411a5939ee57df2bc80afce5dd4bdad
SHA51243cddfd030d4a05dc252026a6920fdc9f7d77ee34783a525c4afe63031c7376c6cab4c1bfb6594198cc7f28321a0668f494abfb1a8d7d3616bc481e6c5b99225
-
C:\Users\Admin\Downloads\Spotify Premium 8.7.14.1332 [Full Version]\Setup.exeFilesize
56.8MB
MD5c8cc9b0659de43a19d76c9943d883bab
SHA1e91e569ef8bae2152a92fd1108e46a5a24e8be46
SHA256a4dfeb67bae485d47eb185c34942c43b320d8b7fa4d74fa5d749270dc7be513b
SHA5121ed05ee7b1e4d0594e6bf90d4e2e140ceca364d21edc2fa2af1c154b2f34380857b051fea800080d0d84c181bf21cebe6fefc1818f2e7620c02a9c217f54aa10
-
memory/1212-166-0x0000000000000000-mapping.dmp
-
memory/1212-173-0x0000000000520000-0x0000000000592000-memory.dmpFilesize
456KB
-
memory/1212-167-0x0000000000520000-0x0000000000592000-memory.dmpFilesize
456KB
-
memory/1724-182-0x0000000000000000-mapping.dmp
-
memory/1724-183-0x0000000000800000-0x0000000000872000-memory.dmpFilesize
456KB
-
memory/1724-189-0x0000000000800000-0x0000000000872000-memory.dmpFilesize
456KB
-
memory/2376-179-0x0000000000000000-mapping.dmp
-
memory/2884-145-0x0000000050BE0000-0x0000000050CD3000-memory.dmpFilesize
972KB
-
memory/2884-144-0x0000000000750000-0x00000000007C2000-memory.dmpFilesize
456KB
-
memory/2884-137-0x0000000000000000-mapping.dmp
-
memory/2884-138-0x0000000000750000-0x00000000007C2000-memory.dmpFilesize
456KB
-
memory/4004-180-0x0000000000000000-mapping.dmp
-
memory/5012-176-0x0000000000000000-mapping.dmp