Analysis
max time kernel: 106s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-02-2023 18:44

Static task: static1
Behavioral task: behavioral1
Sample: AdobeIllustrator2023.exe
Resource: win7-20220812-en (windows7-x64)
13 signatures
150 seconds
General
Target: AdobeIllustrator2023.exe
Size: 761.7MB
MD5: 127504100dc5cc5d31567b432545a094
SHA1: c5de6d70709521b64d2bfdc02ea3283d75ae35d2
SHA256: 57fa5d7d958b31479f78214a37ee220bf4bd0cc6a784c653d9b9665d17815612
SHA512: 371751fd419b40603d5f4d6f4767933a59f428891c0e62a315ab5881883b3ba555b26246b8015b0fe5010e943b7ab0324d12e4cf8056a7e35646fecc5507e414
SSDEEP: 12288:8mkPutHPPqXfiFYANYgsmybPf9sFK7Gsf6FAxBoBD4:PkPuFPPqXfirNYgsmybSw7Gsywf
Malware Config
Extracted
Family: vidar
Version: 2.5
Botnet: 408
Attributes
profile_id: 408
Signatures

Suspicious use of SetThreadContext (1 IoC)
Processes:
| description                         | pid  | process                  | target process |
| PID 4072 set thread context of 816  | 4072 | AdobeIllustrator2023.exe | AppLaunch.exe  |

Program crash (1 IoC)
Processes:
| pid | pid_target | process      | target process |
| 384 | 816        | WerFault.exe | AppLaunch.exe  |

Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
| description                       | pid  | process                  | target process |
| PID 4072 wrote to memory of 816   | 4072 | AdobeIllustrator2023.exe | AppLaunch.exe  |
(the same entry is recorded 5 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\AdobeIllustrator2023.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\AdobeIllustrator2023.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
      3. C:\Windows\SysWOW64\WerFault.exe
         command line: C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 1740
         - Program crash
1. C:\Windows\SysWOW64\WerFault.exe
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 816 -ip 816