Analysis
  max time kernel: 122s
  max time network: 127s
  platform: windows7_x64
  resource: win7-20231215-en
  resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  submitted: 04-01-2024 02:54

Static task: static1
Behavioral task: behavioral1
Sample: 3fb54645fba660ad5c6824ccff364832.exe
Resource: win7-20231215-en
General
  Target: 3fb54645fba660ad5c6824ccff364832.exe
  Size: 543KB
  MD5: 3fb54645fba660ad5c6824ccff364832
  SHA1: 107f0844fc867bda1b7f664421c92712bc2a9a5b
  SHA256: de05db338a5854f13a46e498a6ba4484b7bd47062ed3adae9a93bb8cc767d3d9
  SHA512: ae80fe134835548a3684a2f68248a2e55a9a1db096e0a014a8fd56173141b8a11b6f07ec982f4b096436250b9ff22edf8c9d7f6439a07ce3e8f9735a94abf339
  SSDEEP: 12288:F1Gt75Q2a/P457JGNor4kLNpJDg8RFdn5nHhhTUUmviVn0woO:k75a/PIdGiLNvJRZhFhgiE
Malware Config
  Extracted: vidar
    39.9
    706
    https://prophefliloc.tumblr.com/
    profile_id: 706
Signatures

Vidar Stealer (5 IoCs)
Processes:
  resource                                                                     yara_rule
  behavioral1/memory/2968-2-0x0000000000300000-0x000000000039D000-memory.dmp    family_vidar
  behavioral1/memory/2968-3-0x0000000000400000-0x0000000002CBF000-memory.dmp    family_vidar
  behavioral1/memory/2968-63-0x0000000000400000-0x0000000002CBF000-memory.dmp   family_vidar
  behavioral1/memory/2968-80-0x0000000000400000-0x0000000002CBF000-memory.dmp   family_vidar
  behavioral1/memory/2968-82-0x0000000000300000-0x000000000039D000-memory.dmp   family_vidar
Deletes itself (1 IoCs)
Processes:
  pid   process
  652   cmd.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
Processes:
  description         ioc                                                                                   process
  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      3fb54645fba660ad5c6824ccff364832.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  3fb54645fba660ad5c6824ccff364832.exe
Delays execution with timeout.exe (1 IoCs)
Processes:
  pid    process
  2092   timeout.exe

Kills process with taskkill (1 IoCs)
Processes:
  pid    process
  588    taskkill.exe
Modifies system certificate store
Processes:
3fb54645fba660ad5c6824ccff364832.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 3fb54645fba660ad5c6824ccff364832.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 3fb54645fba660ad5c6824ccff364832.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9
a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e 3fb54645fba660ad5c6824ccff364832.exe -
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid    process
  2968   3fb54645fba660ad5c6824ccff364832.exe
  2968   3fb54645fba660ad5c6824ccff364832.exe
  2968   3fb54645fba660ad5c6824ccff364832.exe
  2968   3fb54645fba660ad5c6824ccff364832.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description               pid   process
  Token: SeDebugPrivilege   588   taskkill.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description                     pid    process                                 target process
  PID 2968 wrote to memory of 652  2968   3fb54645fba660ad5c6824ccff364832.exe   cmd.exe
  PID 2968 wrote to memory of 652  2968   3fb54645fba660ad5c6824ccff364832.exe   cmd.exe
  PID 2968 wrote to memory of 652  2968   3fb54645fba660ad5c6824ccff364832.exe   cmd.exe
  PID 2968 wrote to memory of 652  2968   3fb54645fba660ad5c6824ccff364832.exe   cmd.exe
  PID 652 wrote to memory of 588   652    cmd.exe                                 taskkill.exe
  PID 652 wrote to memory of 588   652    cmd.exe                                 taskkill.exe
  PID 652 wrote to memory of 588   652    cmd.exe                                 taskkill.exe
  PID 652 wrote to memory of 588   652    cmd.exe                                 taskkill.exe
  PID 652 wrote to memory of 2092  652    cmd.exe                                 timeout.exe
  PID 652 wrote to memory of 2092  652    cmd.exe                                 timeout.exe
  PID 652 wrote to memory of 2092  652    cmd.exe                                 timeout.exe
  PID 652 wrote to memory of 2092  652    cmd.exe                                 timeout.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\3fb54645fba660ad5c6824ccff364832.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3fb54645fba660ad5c6824ccff364832.exe"
   PID: 2968
   - Checks processor information in registry
   - Modifies system certificate store
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im 3fb54645fba660ad5c6824ccff364832.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\3fb54645fba660ad5c6824ccff364832.exe" & del C:\ProgramData\*.dll & exit
      PID: 652
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\taskkill.exe
         Command line: taskkill /im 3fb54645fba660ad5c6824ccff364832.exe /f
         PID: 588
         - Kills process with taskkill
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Windows\SysWOW64\timeout.exe
         Command line: timeout /t 6
         PID: 2092
         - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Downloads

  Filesize: 209B
  MD5: 400f4a9df16c57408a470f8824d1b0db
  SHA1: 1c4303b161495e1ac9e8b45dc17d48ec8ef32ed0
  SHA256: a2ead324e8fb1bf569d026d0976f83d2bf9d2162151ddc8ef0d5a58ccc5e168c
  SHA512: a91f8f813d09621541f85f87ce9069f3da3e871d6c69255a023d7dca8f7a8b0e4aca51929837c5a3d3656a84f12285530d3f56cbcb01d09a94a420469bf308ba

  Filesize: 209B
  MD5: 5d21ca36b78ecb220e2548020bc15ed7
  SHA1: d4103638ab888429cdb7fd86d19f5778892352ac
  SHA256: 023c3490c339e79524933c9f6f09c9882c2f8f9a4093ceeb8ec08c4e25f7ab2e
  SHA512: a256b73741b3103d8f7938bcd7222c98f29d6d040df9795a10143c4aa1cced388dd343b2221b4aab2a30bda8b60db342aa1d6bac0db685107cba1bdd96595ced

  Filesize: 210B
  MD5: fa4fb3509396425b35c3bd4a11aca709
  SHA1: f69e03b83b5a714de42a727b3fa97dfe725193ae
  SHA256: 8eb400d985182a0458c0518cba4b4d9eff1fb9904acadcbb6c8a8d0567c69393
  SHA512: c23c7e848be36cad5c041c170bd1402c9907ed2c9818cc19d9124bb4b95da96b70419da05b3d94375d45896b7cf5beb06fe6ea823495e4d93877b16f1c4f54ae

  Filesize: 206B
  MD5: 81fd90a928ef821dfadc577370c2523c
  SHA1: 06e88b20550f1e65077025ba1cde98528751bc13
  SHA256: 79828ce5c456dd06feb743bf1f452c61ef800a52112cda3ce16f67cb25dbb1d8
  SHA512: cb989ecf19563594bc74b6898e621897f2a197e292fb6d99a1e411bbe649e8481bcc47af0b7a5c9625549fa8d99bf1250d72033ccdf41d4207bad0928f75c673

  Filesize: 210B
  MD5: fd5d75c4ab3ba343a378324d9b05bbff
  SHA1: 9b31507eee93eb2e6fee07889f008f9668d14dd3
  SHA256: 63365e7603f9cac52ff6ccc52a83436cf8073a6a97491fd3c5a2ccc52088b7dd
  SHA512: 81e59c3670b7f4bc2eb60e1966607a57dfabb891d667c9bde57c5ab6d4c84d7358af5ae55fdac7555e147d6d228358639be735e792f59d1d776a4ffa053bdc5d

  Filesize: 214B
  MD5: f87daed56fdfea78c2ed2566f440bada
  SHA1: db707626249bbd4424fe896c29cb207136f096a7
  SHA256: 3896a4c4b6796f244b4c038a504f07455dd482f6f778c6355fa73e50fb541cb8
  SHA512: 3c6dbf313a2d5894fec53b9ed99cbad648a9897f00434ed24c2f60e34142e480c6593c40859905e892e581d9834f3d186400f58c05de40b5ac60488c3ce9a395

  Filesize: 65KB
  MD5: ac05d27423a85adc1622c714f2cb6184
  SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
  SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
  SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  Filesize: 171KB
  MD5: 9c0c641c06238516f27941aa1166d427
  SHA1: 64cd549fb8cf014fcd9312aa7a5b023847b6c977
  SHA256: 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
  SHA512: 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06