Analysis
- max time kernel: 89s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-02-2024 21:56
Static task: static1
Behavioral task: behavioral1
- Sample: 9eaae8e37d67a66203912ee78be8c3bd.exe
- Resource: win7-20231215-en
General
- Target: 9eaae8e37d67a66203912ee78be8c3bd.exe
- Size: 617KB
- MD5: 9eaae8e37d67a66203912ee78be8c3bd
- SHA1: dd0975d6b7a28cf0730495d6873e220d4064081e
- SHA256: 5acfa6fa8892b4a6fd659c5e05cd5c80a1e51c4b80c11e9fa0ba477f2e6137d9
- SHA512: 7342dbe3474338c6ad8b6b188825e89c0ecafe29d4333d77d796ea1c77c79ac94a30abbba539a8a98943498bc142b24f51dead25e5271b7c0e138f335388c870
- SSDEEP: 12288:V5VqlAqsvyBT04oKO1ua1Ua/KQOK5+NfYdQNUfs4jEwd7JBujxId+2LU:V5vvU6VqK8Qd1sOBdjujxxs
Malware Config
Extracted
- Family: vidar
- Version: 8
- Botnet: 237
- C2: http://hospitaleco.com/
- profile_id: 237
Signatures
- Vidar Stealer (3 IoCs)
  Processes:
    resource | yara_rule
    behavioral2/memory/4116-2-0x0000000000400000-0x000000000068B000-memory.dmp | family_vidar
    behavioral2/memory/4116-13-0x0000000000400000-0x000000000068B000-memory.dmp | family_vidar
    behavioral2/memory/4116-43-0x0000000000400000-0x000000000068B000-memory.dmp | family_vidar
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation | 9eaae8e37d67a66203912ee78be8c3bd.exe
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar artifacts.
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow | ioc
    55 | ip-api.com
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  Processes:
    pid | pid_target | process | target process
    4900 | 4116 | WerFault.exe | 9eaae8e37d67a66203912ee78be8c3bd.exe
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 9eaae8e37d67a66203912ee78be8c3bd.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 9eaae8e37d67a66203912ee78be8c3bd.exe
- Kills process with taskkill (1 IoCs)
  Processes:
    pid | process
    1796 | taskkill.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes:
    pid | process
    4116 | 9eaae8e37d67a66203912ee78be8c3bd.exe (8 identical entries)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 1796 | taskkill.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description | pid | process | target process
    PID 4116 wrote to memory of 1056 | 4116 | 9eaae8e37d67a66203912ee78be8c3bd.exe | cmd.exe (3 identical entries)
    PID 1056 wrote to memory of 1796 | 1056 | cmd.exe | taskkill.exe (3 identical entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\9eaae8e37d67a66203912ee78be8c3bd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9eaae8e37d67a66203912ee78be8c3bd.exe"
  - Checks computer location settings
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im 9eaae8e37d67a66203912ee78be8c3bd.exe /f & erase C:\Users\Admin\AppData\Local\Temp\9eaae8e37d67a66203912ee78be8c3bd.exe & exit
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\taskkill.exe
      Command line: taskkill /im 9eaae8e37d67a66203912ee78be8c3bd.exe /f
      - Kills process with taskkill
      - Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 1996
    - Program crash
- [1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4116 -ip 4116
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\ProgramData\nss3.dll
  Filesize: 5KB
  MD5: 495a92eecfbbcf46235c59d7ff100cda
  SHA1: 44fa5971c7b9eded1623130132c8dd80113a9ac4
  SHA256: 64f38a5cd1a66c0e3b2d3f12e9075ad43690f065c2c4cfa67368764538f4b08e
  SHA512: efb0e860a881a4217fcd8201fb6eeb7ca6ccfcc19a819d03ede5df3a7353a276b63cbe6ab6dff37ba0b54aab85993f32f3e478508302b428520f7c5bce3f298f
- memory/4116-1-0x00000000023E0000-0x00000000024E0000-memory.dmp
  Filesize: 1024KB
- memory/4116-2-0x0000000000400000-0x000000000068B000-memory.dmp
  Filesize: 2.5MB
- memory/4116-13-0x0000000000400000-0x000000000068B000-memory.dmp
  Filesize: 2.5MB
- memory/4116-17-0x00000000023E0000-0x00000000024E0000-memory.dmp
  Filesize: 1024KB
- memory/4116-43-0x0000000000400000-0x000000000068B000-memory.dmp
  Filesize: 2.5MB