Analysis
- max time kernel: 173s
- max time network: 188s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-12-2023 17:06
- Static task: static1
- Behavioral task: behavioral1
- Sample: f1ac61c5cccc6e76dd193867004e2c13.exe
- Resource: win7-20231215-en
General
- Target: f1ac61c5cccc6e76dd193867004e2c13.exe
- Size: 919KB
- MD5: f1ac61c5cccc6e76dd193867004e2c13
- SHA1: c64243d7b3c61b0a554d47b6d33182fa3b591ee9
- SHA256: f1932238ebf61f3f07165cb78f22a83432b40cc0da4f1d88a0cdb51089ecdf29
- SHA512: fc129489620db6c77f835c240c1093ba58c5f0110114db3066b5f0c25a3b00e0505b8822251960abd63c7690a276b917218bd3f4e5d445ed773886fd6bdd46b8
- SSDEEP: 24576:5fFokLbbpT5fA7hwAPAARV91Qb3inEc/Swt:9SkbpT5uhnYo9ybSGi
Malware Config
Signatures
Vidar Stealer 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/2152-4-0x000000001C820000-0x000000001C8FC000-memory.dmp | family_vidar
C:\ProgramData\build.exe | family_vidar
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: f1ac61c5cccc6e76dd193867004e2c13.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation | f1ac61c5cccc6e76dd193867004e2c13.exe
Executes dropped EXE 1 IoCs
Processes: build.exe
pid | process
3288 | build.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
3412 | 3288 | WerFault.exe | build.exe
Modifies registry class 1 IoCs
Processes: f1ac61c5cccc6e76dd193867004e2c13.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | f1ac61c5cccc6e76dd193867004e2c13.exe
Suspicious use of WriteProcessMemory 3 IoCs
Processes: f1ac61c5cccc6e76dd193867004e2c13.exe
description | pid | process | target process
PID 2152 wrote to memory of 3288 | 2152 | f1ac61c5cccc6e76dd193867004e2c13.exe | build.exe
PID 2152 wrote to memory of 3288 | 2152 | f1ac61c5cccc6e76dd193867004e2c13.exe | build.exe
PID 2152 wrote to memory of 3288 | 2152 | f1ac61c5cccc6e76dd193867004e2c13.exe | build.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\f1ac61c5cccc6e76dd193867004e2c13.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f1ac61c5cccc6e76dd193867004e2c13.exe"
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\build.exe
    Command line: "C:\ProgramData\build.exe"
    - Executes dropped EXE
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3288 -s 1556
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3288 -ip 3288
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\ProgramData\build.exe
  Filesize: 848KB
  MD5: 4c226f20e759164ee855dba5ecef2b5c
  SHA1: 7c6cf378470940509c4efd48be393f892be8aba7
  SHA256: 983dbf6bf813ae7444e55010427ea0ed3a3dc24dac96405c26dd6c78e95c844f
  SHA512: 8a5895413b36ad3ed9e1ebcbf72163dda3f5a926226752a493ca76204cbefb9d7718858306bd20532bafc0271f6109fcde681070da49264c839f74b539e1c16d
- memory/2152-0-0x0000000000700000-0x00000000007EA000-memory.dmp
  Filesize: 936KB
- memory/2152-1-0x000000001C220000-0x000000001C2FC000-memory.dmp
  Filesize: 880KB
- memory/2152-2-0x00007FFA310C0000-0x00007FFA31B81000-memory.dmp
  Filesize: 10.8MB
- memory/2152-3-0x000000001C370000-0x000000001C380000-memory.dmp
  Filesize: 64KB
- memory/2152-4-0x000000001C820000-0x000000001C8FC000-memory.dmp
  Filesize: 880KB
- memory/2152-39-0x00007FFA310C0000-0x00007FFA31B81000-memory.dmp
  Filesize: 10.8MB