Analysis
-
max time kernel
95s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
17-02-2023 18:48
General
-
Target
file.exe
-
Size
2.9MB
-
MD5
a27435d71d3c86e923a81fd66d5118bf
-
SHA1
9d4ed8fb149d0dc4de28e41e66ac17b849b8fcbd
-
SHA256
ca0c0ca69ece78e8d1dcb7b1064a8d76a95a50025b2ea82d907dd9e27b532b8d
-
SHA512
670b7ef2f6a139cd01909e3f385ddf855fb61589b9ec0d6aa001abbe773705e8e4b10edd9bc23734ae61e8b0e8d7e8e13e9011e0c22979a1dc5a20b91715a890
-
SSDEEP
49152:yUwJvVQThRGeWlW6Bj68c5xI5hH0sIacQXfJgiE5VmJsQQlObhPk0zzxcXG+ojxo:nwzQT7obB3hDJpEmJwU1PXzqXx
Malware Config
Extracted
vidar
2.5
813
-
profile_id
813
Signatures
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 7 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 2 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 34 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 49 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"2⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\56862045761583084284.exe"C:\ProgramData\56862045761583084284.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe" & exit3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 64⤵
- Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\56862045761583084284.exeFilesize
6.6MB
MD5900d27e6128c54af6b69cf16612ef16b
SHA1e21cfcd4e5767612b050ae2fed4868480af4ea1a
SHA25601e388da881c2c5b5689b1c9919ee092ffd24b269e5760159c75b5478d1e4b58
SHA512d4e7feedbe5294093ca4bab47c1285e3bfec493e4fd93289b355e2e056b486fe3addaa132cb03d9db86367a24d8b9129a172d1588c3bbe6abed4cbbbf67ddc5f
-
C:\ProgramData\56862045761583084284.exeFilesize
6.6MB
MD5900d27e6128c54af6b69cf16612ef16b
SHA1e21cfcd4e5767612b050ae2fed4868480af4ea1a
SHA25601e388da881c2c5b5689b1c9919ee092ffd24b269e5760159c75b5478d1e4b58
SHA512d4e7feedbe5294093ca4bab47c1285e3bfec493e4fd93289b355e2e056b486fe3addaa132cb03d9db86367a24d8b9129a172d1588c3bbe6abed4cbbbf67ddc5f
-
C:\ProgramData\MSVCP140.dllFilesize
439KB
MD55ff1fca37c466d6723ec67be93b51442
SHA134cc4e158092083b13d67d6d2bc9e57b798a303b
SHA2565136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062
SHA5124802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546
-
C:\ProgramData\VCRUNTIME140.dllFilesize
78KB
MD5a37ee36b536409056a86f50e67777dd7
SHA11cafa159292aa736fc595fc04e16325b27cd6750
SHA2568934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825
SHA5123a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356
-
C:\ProgramData\mozglue.dllFilesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
C:\ProgramData\mozglue.dllFilesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
C:\ProgramData\mozglue.dllFilesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
C:\ProgramData\msvcp140.dllFilesize
439KB
MD55ff1fca37c466d6723ec67be93b51442
SHA134cc4e158092083b13d67d6d2bc9e57b798a303b
SHA2565136a49a682ac8d7f1ce71b211de8688fce42ed57210af087a8e2dbc8a934062
SHA5124802ef62630c521d83a1d333969593fb00c9b38f82b4d07f70fbd21f495fea9b3f67676064573d2c71c42bc6f701992989742213501b16087bb6110e337c7546
-
C:\ProgramData\nss3.dllFilesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\ProgramData\vcruntime140.dllFilesize
78KB
MD5a37ee36b536409056a86f50e67777dd7
SHA11cafa159292aa736fc595fc04e16325b27cd6750
SHA2568934aaeb65b6e6d253dfe72dea5d65856bd871e989d5d3a2a35edfe867bb4825
SHA5123a7c260646315cf8c01f44b2ec60974017496bd0d80dd055c7e43b707cadba2d63aab5e0efd435670aa77886ed86368390d42c4017fc433c3c4b9d1c47d0f356
-
C:\Users\Admin\AppData\LocalLow\nss3.dllFilesize
1.9MB
MD5f67d08e8c02574cbc2f1122c53bfb976
SHA16522992957e7e4d074947cad63189f308a80fcf2
SHA256c65b7afb05ee2b2687e6280594019068c3d3829182dfe8604ce4adf2116cc46e
SHA5122e9d0a211d2b085514f181852fae6e7ca6aed4d29f396348bedb59c556e39621810a9a74671566a49e126ec73a60d0f781fa9085eb407df1eefd942c18853be5
-
C:\Users\Admin\AppData\LocalLow\sqlite3.dllFilesize
1.0MB
MD5dbf4f8dcefb8056dc6bae4b67ff810ce
SHA1bbac1dd8a07c6069415c04b62747d794736d0689
SHA25647b64311719000fa8c432165a0fdcdfed735d5b54977b052de915b1cbbbf9d68
SHA512b572ca2f2e4a5cc93e4fcc7a18c0ae6df888aa4c55bc7da591e316927a4b5cfcbdda6e60018950be891ff3b26f470cc5cce34d217c2d35074322ab84c32a25d1
-
memory/788-169-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/788-143-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/788-136-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/788-137-0x0000000000432A3C-mapping.dmp
-
memory/788-138-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/788-144-0x00000000518A0000-0x0000000051993000-memory.dmpFilesize
972KB
-
memory/788-167-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/788-139-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/2352-140-0x00007FFE53930000-0x00007FFE543F1000-memory.dmpFilesize
10.8MB
-
memory/2352-134-0x0000000000340000-0x0000000000982000-memory.dmpFilesize
6.3MB
-
memory/2352-133-0x00007FFE71930000-0x00007FFE71B25000-memory.dmpFilesize
2.0MB
-
memory/2352-135-0x00007FFE53930000-0x00007FFE543F1000-memory.dmpFilesize
10.8MB
-
memory/2352-132-0x0000000000340000-0x0000000000982000-memory.dmpFilesize
6.3MB
-
memory/2352-142-0x0000000000340000-0x0000000000982000-memory.dmpFilesize
6.3MB
-
memory/2352-141-0x00007FFE71930000-0x00007FFE71B25000-memory.dmpFilesize
2.0MB
-
memory/3136-170-0x0000000000000000-mapping.dmp
-
memory/4620-168-0x0000000000000000-mapping.dmp
-
memory/4860-164-0x0000000000000000-mapping.dmp
-
memory/4860-172-0x0000000000400000-0x0000000000E35000-memory.dmpFilesize
10.2MB
-
memory/4860-171-0x0000000000400000-0x0000000000E35000-memory.dmpFilesize
10.2MB
-
memory/4860-181-0x0000000000400000-0x0000000000E35000-memory.dmpFilesize
10.2MB
-
memory/4860-182-0x0000000000400000-0x0000000000E35000-memory.dmpFilesize
10.2MB