Analysis
-
max time kernel
135s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system -
submitted
02-06-2023 22:14
Static task
static1
Behavioral task
behavioral1
Sample
bank_statement.scr
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
bank_statement.scr
Resource
win10v2004-20230220-en
General
-
Target
bank_statement.scr
-
Size
25.0MB
-
MD5
dedd66f7cdc48224fb7fcbc795f69bfd
-
SHA1
00ab7277c89b9f0608f00997b219881a92e36888
-
SHA256
b11e85d0eed98a012f018c818f72a0bc0d0521ea132a45a58f5de92da924c225
-
SHA512
4ea3119416c786ec9667eaa499b3af40d196f4ecf2ffaac5e5b78ccbaba34ab867e302a10fc7964dc95284fafcffdeca3361886dffdc2c2ba2bf2fb5e664b8c3
-
SSDEEP
393216:iEbUSKA4SNAwLpQfgVehx8oyLZ8Ae0sCK9UCUQkiWajOHkzhSbfA:7bUXA4Vv9eoyt8Ae07K2CUdiWajOHe
Malware Config
Extracted
vidar
4.1
850dc0663d2676536f88b82b3382fcb4
https://steamcommunity.com/profiles/76561199510444991
https://t.me/task4manager
-
profile_id_v2
850dc0663d2676536f88b82b3382fcb4
-
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36 Edg/112.0.1722.34
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
bank_statement.scrdescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation bank_statement.scr -
Loads dropped DLL 2 IoCs
Processes:
AddInProcess32.exepid process 232 AddInProcess32.exe 232 AddInProcess32.exe -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
bank_statement.scrdescription pid process target process PID 2704 set thread context of 232 2704 bank_statement.scr AddInProcess32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
AddInProcess32.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 AddInProcess32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString AddInProcess32.exe -
Suspicious behavior: EnumeratesProcesses 38 IoCs
Processes:
bank_statement.scrpowershell.exepowershell.exeAddInProcess32.exepid process 2704 bank_statement.scr 2704 bank_statement.scr 2704 bank_statement.scr 2704 bank_statement.scr 2704 bank_statement.scr 2704 bank_statement.scr 2704 bank_statement.scr 2704 bank_statement.scr 2704 bank_statement.scr 2704 bank_statement.scr 2704 bank_statement.scr 2704 bank_statement.scr 2704 bank_statement.scr 2704 bank_statement.scr 2704 bank_statement.scr 2704 bank_statement.scr 2704 bank_statement.scr 2704 bank_statement.scr 2704 bank_statement.scr 2704 bank_statement.scr 2704 bank_statement.scr 2704 bank_statement.scr 2704 bank_statement.scr 2704 bank_statement.scr 2704 bank_statement.scr 2704 bank_statement.scr 2704 bank_statement.scr 2704 bank_statement.scr 2704 bank_statement.scr 2704 bank_statement.scr 2704 bank_statement.scr 2704 bank_statement.scr 3328 powershell.exe 3328 powershell.exe 2220 powershell.exe 2220 powershell.exe 232 AddInProcess32.exe 232 AddInProcess32.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
powershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 3328 powershell.exe Token: SeDebugPrivilege 2220 powershell.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
bank_statement.scrdescription pid process target process PID 2704 wrote to memory of 3328 2704 bank_statement.scr powershell.exe PID 2704 wrote to memory of 3328 2704 bank_statement.scr powershell.exe PID 2704 wrote to memory of 232 2704 bank_statement.scr AddInProcess32.exe PID 2704 wrote to memory of 232 2704 bank_statement.scr AddInProcess32.exe PID 2704 wrote to memory of 232 2704 bank_statement.scr AddInProcess32.exe PID 2704 wrote to memory of 2220 2704 bank_statement.scr powershell.exe PID 2704 wrote to memory of 2220 2704 bank_statement.scr powershell.exe PID 2704 wrote to memory of 232 2704 bank_statement.scr AddInProcess32.exe PID 2704 wrote to memory of 232 2704 bank_statement.scr AddInProcess32.exe PID 2704 wrote to memory of 232 2704 bank_statement.scr AddInProcess32.exe PID 2704 wrote to memory of 232 2704 bank_statement.scr AddInProcess32.exe PID 2704 wrote to memory of 232 2704 bank_statement.scr AddInProcess32.exe PID 2704 wrote to memory of 232 2704 bank_statement.scr AddInProcess32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\bank_statement.scr"C:\Users\Admin\AppData\Local\Temp\bank_statement.scr" /S1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMwA=2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"2⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAANQA=2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\mozglue.dllFilesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
C:\ProgramData\nss3.dllFilesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD52f57fde6b33e89a63cf0dfdd6e60a351
SHA1445bf1b07223a04f8a159581a3d37d630273010f
SHA2563b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA51242857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5a3af0fe7f6bead950f076de281a5a1d2
SHA1e55d189a5525b7871835548e5f777de0ff42e755
SHA256ce484ca22f8966e31b9b5aafef1a970d37525122fb7c9d39976e743264f77890
SHA5129818ad2387ceba8fe3afbe60070354c39eb13783653e8e28c84bd7e61678627942a6df06778d4e4b72d525c843d74bd97e4edc93af960e45500912e41c2c5693
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cpui1uvy.xjk.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
memory/232-188-0x0000000061E00000-0x0000000061EF3000-memory.dmpFilesize
972KB
-
memory/232-178-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/232-175-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/232-256-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/232-257-0x0000000000400000-0x000000000046A000-memory.dmpFilesize
424KB
-
memory/2220-173-0x00000201F8DD0000-0x00000201F8DE0000-memory.dmpFilesize
64KB
-
memory/2220-172-0x00000201F8DD0000-0x00000201F8DE0000-memory.dmpFilesize
64KB
-
memory/2220-171-0x00000201F8DD0000-0x00000201F8DE0000-memory.dmpFilesize
64KB
-
memory/2704-139-0x00007FF94C230000-0x00007FF94C232000-memory.dmpFilesize
8KB
-
memory/2704-177-0x0000000001FA0000-0x0000000002023000-memory.dmpFilesize
524KB
-
memory/2704-134-0x00007FF94E5A0000-0x00007FF94E5A2000-memory.dmpFilesize
8KB
-
memory/2704-135-0x00007FF94E5B0000-0x00007FF94E5B2000-memory.dmpFilesize
8KB
-
memory/2704-154-0x0000000001FA0000-0x0000000002023000-memory.dmpFilesize
524KB
-
memory/2704-136-0x00007FF94E060000-0x00007FF94E062000-memory.dmpFilesize
8KB
-
memory/2704-140-0x0000000140000000-0x00000001428FF000-memory.dmpFilesize
41.0MB
-
memory/2704-137-0x00007FF94E070000-0x00007FF94E072000-memory.dmpFilesize
8KB
-
memory/2704-133-0x00007FF94E590000-0x00007FF94E592000-memory.dmpFilesize
8KB
-
memory/2704-138-0x00007FF94C220000-0x00007FF94C222000-memory.dmpFilesize
8KB
-
memory/3328-157-0x0000014499660000-0x0000014499670000-memory.dmpFilesize
64KB
-
memory/3328-144-0x00000144997F0000-0x0000014499812000-memory.dmpFilesize
136KB
-
memory/3328-155-0x0000014499660000-0x0000014499670000-memory.dmpFilesize
64KB
-
memory/3328-156-0x0000014499660000-0x0000014499670000-memory.dmpFilesize
64KB