Analysis
max time kernel: 148s
max time network: 150s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 17-04-2024 04:28
Static task: static1
Behavioral task: behavioral1
Sample: 11dcd8e017b0e067e922cfb6507a8dde.exe
Resource: win7-20240215-en
General
Target: 11dcd8e017b0e067e922cfb6507a8dde.exe
Size: 421KB
MD5: 11dcd8e017b0e067e922cfb6507a8dde
SHA1: 80c4e499c9666401a0f9099482c7fa9debe006d5
SHA256: 2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70
SHA512: 52b3b17b4d589f9c8fa8dd6b97607b09b84f61cfc7031ac7b9c6f8e348a20f35785e602020e2c0808374f194226eb7bc41cc9d26e7ba37ca9454f54ed2d443f0
SSDEEP: 6144:CD9LLLaXO4MxL2D1i3VZUk2IzXd4wFNOC0JaNv8S3+FMgSx3U:CDRnsMSB+3U3IztPjzkS3Bpx
Malware Config

Extracted: amadey
4.18
install_dir: 154561dcbf
install_file: Dctooux.exe
strings_key: 2cd47fa043c815e1a033c67832f3c6a5
url_paths: /j4Fvskd3/index.php

Extracted: vidar
https://steamcommunity.com/profiles/76561199673019888
https://t.me/irfail
user_agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0

Extracted: asyncrat
0.5.8
Default
94.228.162.82:6606
94.228.162.82:7707
94.228.162.82:8808
YBc01FE5mcOd
delay: 3
install: true
install_file: appBroker.exe
install_folder: %AppData%
Signatures

Detect Vidar Stealer (7 IoCs)
resource | yara_rule
behavioral1/memory/2936-55-0x00000000002B0000-0x00000000002E5000-memory.dmp | family_vidar_v7
behavioral1/memory/2936-56-0x0000000000400000-0x0000000002C2E000-memory.dmp | family_vidar_v7
behavioral1/memory/2936-194-0x0000000000400000-0x0000000002C2E000-memory.dmp | family_vidar_v7
behavioral1/memory/2936-195-0x0000000000400000-0x0000000002C2E000-memory.dmp | family_vidar_v7
behavioral1/files/0x00060000000165f0-202.dat | family_vidar_v7
behavioral1/memory/1732-246-0x0000000000400000-0x0000000002C2E000-memory.dmp | family_vidar_v7
behavioral1/memory/1732-336-0x0000000000400000-0x0000000002C2E000-memory.dmp | family_vidar_v7

Detect ZGRat V1 (2 IoCs)
resource | yara_rule
behavioral1/memory/1516-373-0x00000000064E0000-0x000000000657C000-memory.dmp | family_zgrat_v1
behavioral1/memory/1516-397-0x0000000005490000-0x00000000054F2000-memory.dmp | family_zgrat_v1

Async RAT payload (1 IoC)
resource | yara_rule
behavioral1/files/0x0008000000016cf5-270.dat | family_asyncrat

Blocklisted process makes network request (1 IoC)
flow | pid | Process
33 | 2672 | rundll32.exe

Downloads MZ/PE file
Executes dropped EXE (5 IoCs)
pid | Process
2548 | Dctooux.exe
2936 | vidar.exe
1732 | vidar.exe
2916 | AsyncClient.exe
1516 | appBroker.exe

Loads dropped DLL (25 IoCs)
pid | Process
2240 | 11dcd8e017b0e067e922cfb6507a8dde.exe
2240 | 11dcd8e017b0e067e922cfb6507a8dde.exe
2548 | Dctooux.exe
2548 | Dctooux.exe
1528 | rundll32.exe
1528 | rundll32.exe
1528 | rundll32.exe
1528 | rundll32.exe
2548 | Dctooux.exe
2548 | Dctooux.exe
2548 | Dctooux.exe
2744 | rundll32.exe
2744 | rundll32.exe
2744 | rundll32.exe
2744 | rundll32.exe
2548 | Dctooux.exe
2116 | cmd.exe
2604 | rundll32.exe
2604 | rundll32.exe
2604 | rundll32.exe
2604 | rundll32.exe
2672 | rundll32.exe
2672 | rundll32.exe
2672 | rundll32.exe
2672 | rundll32.exe
Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 5 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\vidar.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000104100\\vidar.exe" | Dctooux.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\build.dll = "rundll32 C:\\Users\\Admin\\AppData\\Roaming\\1000105010\\build.dll, Main" | Dctooux.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\AsyncClient.exe = "C:\\Users\\Admin\\AppData\\Roaming\\1000107000\\AsyncClient.exe" | Dctooux.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\vidar.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000101001\\vidar.exe" | Dctooux.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\build.dll = "rundll32 C:\\Users\\Admin\\AppData\\Local\\Temp\\1000102011\\build.dll, Main" | Dctooux.exe

Drops file in Windows directory (1 IoC)
description | ioc | Process
File created | C:\Windows\Tasks\Dctooux.job | 11dcd8e017b0e067e922cfb6507a8dde.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
828 | schtasks.exe

Delays execution with timeout.exe (1 IoC)
pid | Process
1196 | timeout.exe
Modifies system certificate store
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | vidar.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | vidar.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 | vidar.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | vidar.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 | vidar.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
2916 | AsyncClient.exe
2916 | AsyncClient.exe
2916 | AsyncClient.exe
2672 | rundll32.exe
2672 | rundll32.exe
2672 | rundll32.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2916 | AsyncClient.exe
Token: SeDebugPrivilege | 1516 | appBroker.exe

Suspicious use of FindShellTrayWindow (1 IoC)
pid | Process
2240 | 11dcd8e017b0e067e922cfb6507a8dde.exe
Suspicious use of WriteProcessMemory (64 IoCs; identical consecutive entries are collapsed, with the repeat count in the last column)
description | pid | Process | procid_target | entries
PID 2240 wrote to memory of 2548 | 2240 | 11dcd8e017b0e067e922cfb6507a8dde.exe | 28 | 4
PID 2548 wrote to memory of 2936 | 2548 | Dctooux.exe | 30 | 4
PID 2548 wrote to memory of 1528 | 2548 | Dctooux.exe | 35 | 7
PID 2548 wrote to memory of 2356 | 2548 | Dctooux.exe | 36 | 4
PID 2548 wrote to memory of 1732 | 2548 | Dctooux.exe | 37 | 4
PID 2548 wrote to memory of 2744 | 2548 | Dctooux.exe | 38 | 7
PID 2548 wrote to memory of 2916 | 2548 | Dctooux.exe | 39 | 4
PID 2916 wrote to memory of 1756 | 2916 | AsyncClient.exe | 41 | 4
PID 2916 wrote to memory of 2116 | 2916 | AsyncClient.exe | 43 | 4
PID 2116 wrote to memory of 1196 | 2116 | cmd.exe | 45 | 4
PID 1756 wrote to memory of 828 | 1756 | cmd.exe | 46 | 4
PID 2116 wrote to memory of 1516 | 2116 | cmd.exe | 47 | 4
PID 2548 wrote to memory of 2604 | 2548 | Dctooux.exe | 48 | 7
PID 2604 wrote to memory of 2672 | 2604 | rundll32.exe | 49 | 3
Processes
(Bracketed number is the depth in the process tree; child processes are indented under their parent.)

[1] C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\11dcd8e017b0e067e922cfb6507a8dde.exe"
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID: 2240

    [2] C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        PID: 2548

        [3] C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\1000101001\vidar.exe"
            - Executes dropped EXE
            - Modifies system certificate store
            PID: 2936

        [3] C:\Windows\SysWOW64\rundll32.exe
            Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\1000102011\build.dll, Main
            - Loads dropped DLL
            PID: 1528

        [3] C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\154561dcbf\Dctooux.exe"
            PID: 2356

        [3] C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe
            Command line: "C:\Users\Admin\AppData\Roaming\1000104100\vidar.exe"
            - Executes dropped EXE
            - Modifies system certificate store
            PID: 1732

        [3] C:\Windows\SysWOW64\rundll32.exe
            Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\1000105010\build.dll, Main
            - Loads dropped DLL
            PID: 2744

        [3] C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe
            Command line: "C:\Users\Admin\AppData\Roaming\1000107000\AsyncClient.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            PID: 2916

            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"' & exit
                - Suspicious use of WriteProcessMemory
                PID: 1756

                [5] C:\Windows\SysWOW64\schtasks.exe
                    Command line: schtasks /create /f /sc onlogon /rl highest /tn "appBroker" /tr '"C:\Users\Admin\AppData\Roaming\appBroker.exe"'
                    - Creates scheduled task(s)
                    PID: 828

            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp4588.tmp.bat""
                - Loads dropped DLL
                - Suspicious use of WriteProcessMemory
                PID: 2116

                [5] C:\Windows\SysWOW64\timeout.exe
                    Command line: timeout 3
                    - Delays execution with timeout.exe
                    PID: 1196

                [5] C:\Users\Admin\AppData\Roaming\appBroker.exe
                    Command line: "C:\Users\Admin\AppData\Roaming\appBroker.exe"
                    - Executes dropped EXE
                    - Suspicious use of AdjustPrivilegeToken
                    PID: 1516

        [3] C:\Windows\SysWOW64\rundll32.exe
            Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
            - Loads dropped DLL
            - Suspicious use of WriteProcessMemory
            PID: 2604

            [4] C:\Windows\system32\rundll32.exe
                Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\810b84e2bfa3a9\cred64.dll, Main
                - Blocklisted process makes network request
                - Loads dropped DLL
                - Suspicious behavior: EnumeratesProcesses
                PID: 2672

                [5] C:\Windows\system32\netsh.exe
                    Command line: netsh wlan show profiles
                    PID: 2676
Network

MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution: 1
    Registry Run Keys / Startup Folder: 1
  Scheduled Task/Job: 1
Privilege Escalation
  Boot or Logon Autostart Execution: 1
    Registry Run Keys / Startup Folder: 1
  Scheduled Task/Job: 1
Defense Evasion
  Modify Registry: 2
  Subvert Trust Controls: 1
    Install Root Certificate: 1
Downloads

Filesize: 68KB
MD5: 29f65ba8e88c063813cc50a4ea544e93
SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 2708f99555a19f62161d1ec74b98b025
SHA1: bee3c268c1edc30dac20df7fbc0d96927ce1cc42
SHA256: c69168882c16d825b72a3187da94dc7981b4cc26e9377f40aee4dbd61371af07
SHA512: c934526e5df8573c34510c72fbf7f95b4512b1aa4a488787dc69dfe932189599c720f973716f09215346fa18bbe5c09ec8b2ccf735858a799b25a43c500dfbd8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: def1a3452107faeeac2e09e0a4c0c4f5
SHA1: ee2ec5ded1799471c8e4d59f33b247d9a2f49f71
SHA256: 649f6ca82a92705c13ef05e5e72b7809c19861809f83c3ea7fa82c02dcc19b33
SHA512: 0e4e8a2a0b6a3335c1d57d7656bf831ebcd47d5e5d7972f7f671b3bd6d0fbccddb44544b8053d8edec85ef8f1877104c8d72f45532641ca7cba5aeb64daeb31f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: a3aa3f98d2bd55d77772562dd0deab3e
SHA1: 942ff9f21a5cfa4a701345539bd869c4360e6e42
SHA256: 19c01700c14a839d796a17a03885b33abba850f194da07371c17d722ed5d3827
SHA512: 86778e0a7aa2f0d7439f6100a1af7078ab9a80ed8e83b6e36f403bc7b4cd2e292d3b0ea65d4f96115ac5536230c76e750162b2c9659955fb4b3dc9b1d63eddb6

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\902LKC6A\76561199673019888[1].htm
Filesize: 33KB
MD5: c2d3beea5e1fa27b3fc1d4a3584dacf2
SHA1: 848c4db90300cd6f08188b8045c0bba40f309bb1
SHA256: 345fbfb05b3d1966a6d26463a5a542f2d6d62658982352705d735f546b1cf291
SHA512: 996fdc6929fce1aeaad7d93c6a2436137d67c7c7ab7ed0b60e389542e4cf6e620407dfac6cf68f0184aadd94975ac4f3737765c9db2110a6bffcbf002fea0739
Filesize: 300KB
MD5: b099ea0b80ecf49caa0d7003e0c95071
SHA1: 228a2aec5cf27fd0fca1f23161257f86bd8359ca
SHA256: 810ea612d81f4c82b81696d55fc6b5c3778d48d9dafc59419b45e2a7aa8abd92
SHA512: 539ecc374f1c65cac5ec624f9be31f2ed26f268316613630ba48c813b515455c299abdb593fab6ec0759f70a1a72fe42134257488a54c83c850396cc38236029

Filesize: 243KB
MD5: 37976db9d0e6f8bf9db5ae4b56006d9d
SHA1: dda3158d09c332c054d01fa08ad9824cb00c7d6a
SHA256: 2570478de33fd8035affc8658600653e13961eb0e378c27cdd462fb5ca90c687
SHA512: fb09c0a37f72f6f7cec57660f386c0a4042070b2db247e7638c426c44aba39b5f2bd09bbe2baf5ad5973de405e1aa60cc2a4e964e33776c0f0f930b60469af47

Filesize: 421KB
MD5: 11dcd8e017b0e067e922cfb6507a8dde
SHA1: 80c4e499c9666401a0f9099482c7fa9debe006d5
SHA256: 2809ff11620a7793560052c4a9c7f2b520b608f3d32c7722133cbeb60e5e9d70
SHA512: 52b3b17b4d589f9c8fa8dd6b97607b09b84f61cfc7031ac7b9c6f8e348a20f35785e602020e2c0808374f194226eb7bc41cc9d26e7ba37ca9454f54ed2d443f0

Filesize: 62KB
MD5: 6d9522c9251f292af2c380ff042fde38
SHA1: 3038da236ae759a7dd67cd2f2ddcdf537e266b5a
SHA256: f70795f1e0061f2a7bcfb337ac10313c514abb55053dc10092ce428036e21107
SHA512: 4ed4ce0bd24541539cbbac2f9e1c32250f20ccd2bd005515d1ba1bf50f66fc7ccb7ba77a890962af2eb39198d9a5e6c5b1563bc1541fbfad25e80c57ed6a5989

Filesize: 177KB
MD5: 435a9ac180383f9fa094131b173a2f7b
SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Filesize: 153B
MD5: 483005d6b92b516b1564868184cddb86
SHA1: 59dbb37843bbdfafef6b1be8123ed228493968ba
SHA256: 1a668230519b3f83596da41024b12550b92e39acbb029995eb3f29fde3994fd0
SHA512: 7fa093f068b6a9a10f1078927ef3f7d06ca2024d388bdcb948b01180e468f4ab560ebe06716d4c45c274c6f8c159767358ede6178182a78fdfa6e667c857fff5

Filesize: 48KB
MD5: 7fd8581748cdf137023ef96f1286ce0f
SHA1: c640bcbbebbe62c2a58235d1e6f9ec7eeb99387a
SHA256: 0b685b0d52d434ab8311127daa63ae5597f7948d5a73016a1f8211587040b9a6
SHA512: bd4c7c3f646e4685fc750f69ca5b9af6d542ee4d22db1b9ae3b379b659d415e3f9895bde81f40448f927662ede5cd87fe0f85234134b519c9aa7900f1b811282

Filesize: 1.2MB
MD5: 4876ee75ce2712147c41ff1277cd2d30
SHA1: 3733dc92318f0c6b92cb201e49151686281acda6
SHA256: bbfba2d40f48c16a53b5806555c08aff1982c3fe4a77964963edbab9d7e672ed
SHA512: 9bf25d4d0dfebd287b0c84abb64612b3db00a26b0217490b35925e77487d6c872632c936cedf1205c46ecbf9d4dfc9bc7600bee05afc550b30ae0d0964c5afe9