vidar | 4de1f09c88032d3ec4421c72b04e07f43edf853e32808c4292929637c44534ef

Analysis

max time kernel
67s
max time network
50s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exe
Size

18.3MB
MD5

90588afa689d1ecdedee6fb57bf5b635
SHA1

1f49217a42a8f75246c6953749441599d6d97007
SHA256

4de1f09c88032d3ec4421c72b04e07f43edf853e32808c4292929637c44534ef
SHA512

eb70df8a0134942f4e295a8ecc15845963ae89323c53f1966f3043d1c9536706729495b25ea81541cc062e6ad57e9753ca87d42555002b9477e40917232aacc6
SSDEEP

393216:9ml9mCKuyLVEvd9LpBXVujtA6UX5K0r+Xh1SgXrnKXzM6Fw:9mzmnuTBBQjtA3XDrCAIT2tFw

Score

10^/10

vidar persistence spyware stealer

Malware Config

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SetupHost.Exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	SetupHost.Exe

Executes dropped EXE 4 IoCs

Processes:

VW6CywgktXd4l6Y.exeCTS.exeSetupHost.ExeDiagTrackRunner.exe

pid process

984 VW6CywgktXd4l6Y.exe
4380 CTS.exe
1476 SetupHost.Exe
4524 DiagTrackRunner.exe

pid	process
984	VW6CywgktXd4l6Y.exe
4380	CTS.exe
1476	SetupHost.Exe
4524	DiagTrackRunner.exe

Loads dropped DLL 16 IoCs

Processes:

SetupHost.ExeDiagTrackRunner.exe

pid	process
1476	SetupHost.Exe
1476	SetupHost.Exe
1476	SetupHost.Exe
1476	SetupHost.Exe
1476	SetupHost.Exe
1476	SetupHost.Exe
1476	SetupHost.Exe
1476	SetupHost.Exe
1476	SetupHost.Exe
1476	SetupHost.Exe
1476	SetupHost.Exe
1476	SetupHost.Exe
1476	SetupHost.Exe
1476	SetupHost.Exe
1476	SetupHost.Exe
4524	DiagTrackRunner.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

CTS.exe2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SetupHost.Exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	SetupHost.Exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	SetupHost.Exe

Drops file in Windows directory 3 IoCs

Processes:

2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exeCTS.exeVW6CywgktXd4l6Y.exe

description	ioc	process
File created	C:\Windows\CTS.exe	2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exe
File created	C:\Windows\CTS.exe	CTS.exe
File opened for modification	C:\Windows\Logs\MoSetup\BlueBox.log	VW6CywgktXd4l6Y.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SetupHost.Exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SetupHost.Exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SetupHost.Exe

NTFS ADS 1 IoCs

Processes:

SetupHost.Exe

description ioc process

File created C:\ProgramData\Microsoft\Diagnosis\ETLLogs\DlTel-Merge.etl:$ETLUNIQUECVDATA SetupHost.Exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

SetupHost.Exe

pid process

1476 SetupHost.Exe
1476 SetupHost.Exe
1476 SetupHost.Exe
1476 SetupHost.Exe

description	ioc	process
File created	C:\ProgramData\Microsoft\Diagnosis\ETLLogs\DlTel-Merge.etl:$ETLUNIQUECVDATA	SetupHost.Exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exeCTS.exeVW6CywgktXd4l6Y.exeSetupHost.ExeDiagTrackRunner.exe

description	pid	process
Token: SeDebugPrivilege	4212	2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exe
Token: SeDebugPrivilege	4380	CTS.exe
Token: SeBackupPrivilege	984	VW6CywgktXd4l6Y.exe
Token: SeRestorePrivilege	984	VW6CywgktXd4l6Y.exe
Token: SeBackupPrivilege	984	VW6CywgktXd4l6Y.exe
Token: SeRestorePrivilege	984	VW6CywgktXd4l6Y.exe
Token: SeBackupPrivilege	1476	SetupHost.Exe
Token: SeRestorePrivilege	1476	SetupHost.Exe
Token: SeBackupPrivilege	1476	SetupHost.Exe
Token: SeRestorePrivilege	1476	SetupHost.Exe
Token: SeDebugPrivilege	4524	DiagTrackRunner.exe
Token: SeDebugPrivilege	4524	DiagTrackRunner.exe
Token: SeDebugPrivilege	4524	DiagTrackRunner.exe
Token: SeBackupPrivilege	984	VW6CywgktXd4l6Y.exe
Token: SeRestorePrivilege	984	VW6CywgktXd4l6Y.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

VW6CywgktXd4l6Y.exeSetupHost.Exe

pid process

984 VW6CywgktXd4l6Y.exe
1476 SetupHost.Exe

pid	process
984	VW6CywgktXd4l6Y.exe
1476	SetupHost.Exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exeVW6CywgktXd4l6Y.exeSetupHost.Exe

description	pid	process	target process
PID 4212 wrote to memory of 984	4212	2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exe	VW6CywgktXd4l6Y.exe
PID 4212 wrote to memory of 984	4212	2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exe	VW6CywgktXd4l6Y.exe
PID 4212 wrote to memory of 984	4212	2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exe	VW6CywgktXd4l6Y.exe
PID 4212 wrote to memory of 4380	4212	2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exe	CTS.exe
PID 4212 wrote to memory of 4380	4212	2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exe	CTS.exe
PID 4212 wrote to memory of 4380	4212	2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exe	CTS.exe
PID 984 wrote to memory of 1476	984	VW6CywgktXd4l6Y.exe	SetupHost.Exe
PID 984 wrote to memory of 1476	984	VW6CywgktXd4l6Y.exe	SetupHost.Exe
PID 984 wrote to memory of 1476	984	VW6CywgktXd4l6Y.exe	SetupHost.Exe
PID 1476 wrote to memory of 4524	1476	SetupHost.Exe	DiagTrackRunner.exe
PID 1476 wrote to memory of 4524	1476	SetupHost.Exe	DiagTrackRunner.exe
PID 1476 wrote to memory of 4524	1476	SetupHost.Exe	DiagTrackRunner.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

DiagTrackRunner.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection DiagTrackRunner.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection	DiagTrackRunner.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_90588afa689d1ecdedee6fb57bf5b635_bkransomware.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4212

C:\Users\Admin\AppData\Local\Temp\VW6CywgktXd4l6Y.exe
C:\Users\Admin\AppData\Local\Temp\VW6CywgktXd4l6Y.exe
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:984

C:\$Windows.~WS\Sources\SetupHost.Exe
"C:\$Windows.~WS\Sources\SetupHost.Exe" /Download /Web
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Checks processor information in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1476

C:\$Windows.~WS\Sources\DiagTrackRunner.exe
C:\$Windows.~WS\Sources\DiagTrackRunner.exe /UploadEtlFilesOnly
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4524

C:\Windows\CTS.exe
"C:\Windows\CTS.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4380

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1508

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Windows.~WS\Sources\DiagTrackRunner.exe
Filesize
77KB

MD5
76f30a1e149792d2542a253b920cbef6

SHA1
9040e0873df5cc2a64b850d1b8159b77528ba62c

SHA256
488cbc8330952dd13b797bb40e4e30610ed03483c25919c39555f7b334a3c159

SHA512
ec39861a3f39f88aad52975974c988ae76376a09136d95f5d4fedd60ee7ec252736d882cef77298d82d786e0dad13c61148b29d7c5fb7ba7d7c74b05de9d7e84

Download Submit
C:\$Windows.~WS\Sources\MediaSetupUIMgr.dll
Filesize
14.6MB

MD5
9921c2a0d68a011620bd5916cc11e54d

SHA1
e68c1c59600d28968dafadc300225b3ef8e4ebdc

SHA256
50551abb9775962ff83ee746ad1e399d26fcc1520710c059464ec029466f4696

SHA512
4ff9e0aa32700f4dff46212456cef4bb41dbe37141f4b9e87311013f51ce218080d7cc8b318d18ec633f3e6be73b60e56ba641a75520fbedbf23c9874b28cb9f

Download Submit
C:\$Windows.~WS\Sources\Panther\DlTel-Merge.etl
Filesize
192KB

MD5
008d008a3484a75e62f2978f0d0d19c7

SHA1
9df8b3e556569f40e086d48c567672d4b121f240

SHA256
d4f745b003121cbf3eb3f90f113bd7c971d1651141818b5237a66b974f38c9ae

SHA512
e88c97e89d569eaded2f8fba123d8394892438b4a2d90ac5676c54240e40c27756d1bd84319471dd6d87ae53ff422e75c82efafa9c4c95044641d471c0cf3a3f

Download Submit
C:\$Windows.~WS\Sources\SetupCore.dll
Filesize
1.9MB

MD5
446969e79d71cb6075f26349ac9345bc

SHA1
6efefe6037458e495a07dd86dc68bf788c638ca9

SHA256
26c62d4675f7e35d4741f5277d5b9d40cdcd6fd1cce86ef42c1cc8209f9224c3

SHA512
8b1320207e92e9917addc0f25992dd6a589edea6aa102c51774ef22a387478e96d2903fa73163258668ee7cc2716588ea51f34fba040150b18cdd12f865e9f9d

Download Submit
C:\$Windows.~WS\Sources\SetupHost.exe
Filesize
681KB

MD5
a0b1786c1a59ddac1024956723f58a73

SHA1
828d9cdb9cc2b6c49843422da49a14ebbf44d3d5

SHA256
59a5573de59ae41e3781cd66a67281d5b30ff2e39f32d1caeb44ea20971c95c2

SHA512
a017fb73e2a0653a448b802bf049c47613e3beca0c83d3d81c247dc3b33577cabbfd1b78f86dbdc7dbbed143aac95a50924e6b82fd58d4f0a6626fc3c8494ffc

Download Submit
C:\$Windows.~WS\Sources\SetupMgr.dll
Filesize
678KB

MD5
5492a750f2c92ef126621fe0468b779a

SHA1
64e2d1fafbc008144df94cf3160319e0452d929e

SHA256
2dd7d16db9d71fe0358cd520057d466585802f1d921a791cbfb0e7e607b55b10

SHA512
a354ca3deafda57dfbaa7eb64409e663476a91a37d2e6cfcd06002e7790f40157719ba86b6a9bc4d159b9a9bde71c6a7c3e8f2852ed752d65826fdd8b4881a35

Download Submit
C:\$Windows.~WS\Sources\SetupPlatform.dll
Filesize
6.1MB

MD5
10fe8f9a16755bf9ca3c5e94bfbf7178

SHA1
260c06924a55582d4f4dbdfe7d0bccdd00208f9b

SHA256
2f836af8e4e83992cd1c8aab7820520cac6a6f9796924ac83672b838286724cd

SHA512
c2aa007aaf009d5ad6081ed3fdea44964ed3a865aec9886dee1fa9bda424bf74135fd5c214a293897c561d8263c2528508bd01dda88c0c43cc3480146136d110

Download Submit
C:\$Windows.~WS\Sources\SetupPlatform.ini
Filesize
95B

MD5
8175bd7fb6b7d8dc27a752e178111caf

SHA1
4cea602c084ac59a1a5933276891098541b94d57

SHA256
7677590d96552484430ba542857ef75e624333b29585d4401a12b7823190e49f

SHA512
27eefa37a81c0ff9e7f692c7797dcb26c176046c6eecae2b205e75b360d6732a0abc68b8ac0346ca787ca724ddc881b329755f78d6caf1de6f522561a616d5df

Download Submit
C:\$Windows.~WS\Sources\WDSCORE.dll
Filesize
193KB

MD5
8929e1ce63abc413ab88f31f3a45aba2

SHA1
49f37061d17cbe0482255aacfdabf10e67839ecb

SHA256
80e3c3f207d0df8424711c133ad10082ca36ce2b5a6a19a179473aa994cc7161

SHA512
3e8212e63595e0f3b1e661f4c7e0c839e9535777eea86b85dc1aad5b3eaa767652d96ead2b8d7fffefaaffcc621e0a20ef0d75120700ee2715af0b8860161cb5

Download Submit
C:\$Windows.~WS\Sources\WDSUTIL.dll
Filesize
232KB

MD5
66190a933f32c6521a08c6ea76ac0fe3

SHA1
3b1a6786e900f4f4e9ca52fdbf50cc0b0cbfd9de

SHA256
d9599ce02d1096fe3bc9bbfa8e5cc9dd859aad04bc725522eb9c8c25ca408df9

SHA512
fc54735c1a1666176d23f8c8c2390b0cf4bfd0940dcb1fe7099e39ffbb80bcfbaca707b4cf95039fe42ae8eb5293b141ecfdfd0a47c035db9b51f077694c84fe

Download Submit
C:\$Windows.~WS\Sources\WinDlp.dll
Filesize
1.1MB

MD5
6ca8df94e48799196c24b7274a48fdaa

SHA1
0cb34852203277829668db49afc5d25bd382f8ba

SHA256
0e516b94bd3014d82f20c680b205c915ad528e31522c1cd6d2c6c2c5b814d6a7

SHA512
e5b7c46b155713a21690cba3f1a4f4e4b3d4613fffeea335d57a97701d993cb846bbc51fbea0038f7c7cbc734b3764a270196a26adde77134571d0524a5e7038

Download Submit
C:\$Windows.~WS\Sources\diagtrack.dll
Filesize
901KB

MD5
6c3f6a6bc5ede978e9dfe1acce386339

SHA1
3b7b51d762c593e92123f9365a896ed64ee26a7a

SHA256
b55d66f2943f1c63ea9b39dae88aa2a4f91775cefffefd263bd302866a7bd91c

SHA512
3f87064354a0f55f36aa272c5918d208b8a77fffb7965e9b50727c06fd8d8db5e6695636a7db37926fe444c91e4a4a7dc892ef5ef57676ba9515216d5e5f94ff

Download Submit
C:\$Windows.~WS\Sources\setupplatform.cfg
Filesize
8KB

MD5
1405595a81a70c012ace6b3f618351b2

SHA1
9b398dbddef2a0c048790f6ca4be57899f0f71c0

SHA256
ac6d806551c43ec35edf3f4b3eb38040f40c3bf216bc635e2af45ee05e3a6d43

SHA512
a91e4c416a8c25e0462a5c5f71760b3fc81ad801f89af5bbedada02d52f8a77c67c9174d6583d54c4ce62ca655ef73f8b43104b22e2b1ed44f2c3ecc0f8ceb4d

Download Submit
C:\$Windows.~WS\Sources\unbcl.dll
Filesize
827KB

MD5
9aebdb604a0cec305568f2742cc6a3d2

SHA1
851ebeedcdb9a4d5ac7ec6f2bc9b84b1964681d9

SHA256
82dde9532b94bc51748660270048aa29d635da2ae84df001a3d6c31cd1995c93

SHA512
3dfbfe9e7b23f1f792c0cad1334ddbdd2bd54ae5f870652e95ef1fbd5a7451a8059af223c43429bf8fe992e8cd46997a9774b1c103ff49b962d7a371d679a9cb

Download Submit
C:\$Windows.~WS\Sources\wpx.dll
Filesize
1.0MB

MD5
c963819dd589b833b2fde3b9e08605f3

SHA1
72613ba4e8161fb8a6d0e0237e397285747a1e72

SHA256
b59fc5c1c9e366d0cb8debe53359de9d38d5caab7e3f9b3e90519b92ac4c98e6

SHA512
5181bc5d277216c383de6bbf6d7fac3975b063505b673db1d1e23400209cbffff96d5932020641ea5f14b0c3e303c49b0a2fbf199e2a0397ae7610be697d97d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\excel.exe_Rules.xml
Filesize
394KB

MD5
db20b9702aaea73031dda281717e1f71

SHA1
ca3e8618fe46fecbb0eabe70a074003f401497fc

SHA256
6be1b5769a4d1c719b5c3adffe9bde72e32801431f92e228cc8ef082c4dfb5f0

SHA512
867ae7b8c336cddc8aff9d8f8175b079f5087c11f924b0b2e75722dd253263d38a72b66ad611a39ad47e6617609f21e20bd16d93b260fa3603bc885536e5a004

Download Submit
C:\Users\Admin\AppData\Local\Temp\VW6CywgktXd4l6Y.exe
Filesize
18.2MB

MD5
db3fccad4aead91689d62822232d56bc

SHA1
c00ecaf95ed3b727aae581d41af99b5fbc762865

SHA256
aa8b68133931e76ca58944641084943c60e0954bd6c829bd9c670284da071ca4

SHA512
8960b2c95db3a09ae2d7abf820ea45e7100959f20ccd7edcca9ec5028d684b28de3ac6ecdae834150d40b91c1c264ad29bc2288d388b528b970c0f7531acf909

Download Submit
C:\Windows\CTS.exe
Filesize
71KB

MD5
f9d4ab0a726adc9b5e4b7d7b724912f1

SHA1
3d42ca2098475924f70ee4a831c4f003b4682328

SHA256
b43be87e8586ca5e995979883468f3b3d9dc5212fbfd0b5f3341a5b7c56e0fbc

SHA512
22a5f0e4b2716244e978ee50771823926f86baf0382ece48fd049f039cf77b5eb0691d83c61148903cff081fdbea969f47b8ed521647717f42bbed5c64552432

Download Submit