Analysis
-
max time kernel
148s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system -
submitted
01-05-2024 19:45
Static task
static1
Behavioral task
behavioral1
Sample
#!New_SeTup_2024_UseAs_p@ssKey/Setup.exe
Resource
win10v2004-20240426-en
General
-
Target
#!New_SeTup_2024_UseAs_p@ssKey/Setup.exe
-
Size
8.5MB
-
MD5
98169506fec94c2b12ba9930ad704515
-
SHA1
bce662a9fb94551f648ba2d7e29659957fd6a428
-
SHA256
9b8a5b0a45adf843e24214b46c285e44e73bc6eaf9e2a3b2c14a6d93ae541363
-
SHA512
7f4f7ac2326a1a8b7afc72822dae328753578eb0a4ffcec5adb4e4fb0c49703070f71e7411df221ee9f44d6b43a0a94921fe530877c5d5e71640b807e96def30
-
SSDEEP
196608:vdoUox8PFOegKz+qE1cnuyHgv3eZaOxqeXY4K:vC0O9m7EWEvbOxqetK
Malware Config
Extracted
vidar
2d607fa287d60e8ad23c103ccc60d6b0
https://hypaton.xyz
https://steamcommunity.com/profiles/76561199677575543
https://t.me/snsb82
-
profile_id_v2
2d607fa287d60e8ad23c103ccc60d6b0
-
user_agent
Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) AppleWebKit/534.6 (KHTML, like Gecko) Chrome/8.0.500.0 Safari/534.6
Signatures
-
Banload
Banload variants download malicious files, then install and execute the files.
-
Detect Vidar Stealer 3 IoCs
Processes:
resource yara_rule
behavioral1/memory/1288-45-0x0000000001170000-0x00000000018C3000-memory.dmp family_vidar_v7
behavioral1/memory/1288-48-0x0000000001170000-0x00000000018C3000-memory.dmp family_vidar_v7
behavioral1/memory/1288-55-0x0000000001170000-0x00000000018C3000-memory.dmp family_vidar_v7
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
Setup.exe
description ioc process
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Setup.exe
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Setup.exe
description ioc process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Setup.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate Setup.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
Setup.exe
description pid process target process
PID 5064 set thread context of 2844 5064 Setup.exe netsh.exe
-
Registers COM server for autorun 1 TTPs 3 IoCs
Processes:
Setup.exe
description ioc process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32 Setup.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ = "C:\\Program Files\\Common Files\\System\\ado\\msadox.dll" Setup.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ThreadingModel = "Apartment" Setup.exe
-
Program crash 1 IoCs
Processes:
WerFault.exe
pid pid_target process target process
3896 1288 WerFault.exe explorer.exe
-
Modifies registry class 9 IoCs
Processes:
Setup.exe
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ = "ADOX.Index.6.0" Setup.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ThreadingModel = "Apartment" Setup.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\VersionIndependentProgID Setup.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3} Setup.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32 Setup.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\InprocServer32\ = "C:\\Program Files\\Common Files\\System\\ado\\msadox.dll" Setup.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ProgID Setup.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\ProgID\ = "ADOX.Index.6.0" Setup.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6EEAF7AB-9B86-0A4B-E9E8-6422E70DF8B3}\VersionIndependentProgID\ = "ADOX.Index.6.0" Setup.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
Setup.exe netsh.exe
pid process
5064 Setup.exe
5064 Setup.exe
2844 netsh.exe
2844 netsh.exe
-
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
Setup.exe netsh.exe
pid process
5064 Setup.exe
2844 netsh.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
Setup.exe netsh.exe
description pid process target process
PID 5064 wrote to memory of 2844 5064 Setup.exe netsh.exe
PID 5064 wrote to memory of 2844 5064 Setup.exe netsh.exe
PID 5064 wrote to memory of 2844 5064 Setup.exe netsh.exe
PID 5064 wrote to memory of 2844 5064 Setup.exe netsh.exe
PID 2844 wrote to memory of 1288 2844 netsh.exe explorer.exe
PID 2844 wrote to memory of 1288 2844 netsh.exe explorer.exe
PID 2844 wrote to memory of 1288 2844 netsh.exe explorer.exe
PID 2844 wrote to memory of 1288 2844 netsh.exe explorer.exe
PID 2844 wrote to memory of 1288 2844 netsh.exe explorer.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\#!New_SeTup_2024_UseAs_p@ssKey\Setup.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\#!New_SeTup_2024_UseAs_p@ssKey\Setup.exe"
Tree depth: 1
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Suspicious use of SetThreadContext
- Registers COM server for autorun
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exe
Command line: C:\Windows\SysWOW64\netsh.exe
Tree depth: 2
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exe
Command line: C:\Windows\SysWOW64\explorer.exe
Tree depth: 3
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 1576
Tree depth: 4
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1288 -ip 1288
Tree depth: 1
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\8b365030
Filesize
5.9MB
MD5
f6b9e593d436b91ce68e5eb534ea5a54
SHA1
1282b0667b69d93fdbfd38097e97286edf807b07
SHA256
6892755ec3b27a14278cf63e1d69ceb0f9b0a6b1c8aa84f9aac07e72760dc35e
SHA512
0f46e72cfa9eac30cdaa5eaa999c2fdda77945029b5f3f04deb18e199ec3005b0c699c8ae6fe19b2df1f163ac9e10850a79f3098e796b4b6e34aec9205252fd6
-
memory/1288-55-0x0000000001170000-0x00000000018C3000-memory.dmp
Filesize
7.3MB
-
memory/1288-48-0x0000000001170000-0x00000000018C3000-memory.dmp
Filesize
7.3MB
-
memory/1288-47-0x00007FFB65130000-0x00007FFB65325000-memory.dmp
Filesize
2.0MB
-
memory/1288-45-0x0000000001170000-0x00000000018C3000-memory.dmp
Filesize
7.3MB
-
memory/2844-44-0x0000000074AF1000-0x0000000074AFF000-memory.dmp
Filesize
56KB
-
memory/2844-41-0x0000000074AF1000-0x0000000074AFF000-memory.dmp
Filesize
56KB
-
memory/2844-40-0x0000000074AFE000-0x0000000074B00000-memory.dmp
Filesize
8KB
-
memory/2844-39-0x00007FFB65130000-0x00007FFB65325000-memory.dmp
Filesize
2.0MB
-
memory/5064-14-0x0000000000400000-0x0000000001CF7000-memory.dmp
Filesize
25.0MB
-
memory/5064-34-0x00007FFB46D28000-0x00007FFB46D29000-memory.dmp
Filesize
4KB
-
memory/5064-36-0x00007FFB46D10000-0x00007FFB46E82000-memory.dmp
Filesize
1.4MB
-
memory/5064-35-0x00007FFB46D10000-0x00007FFB46E82000-memory.dmp
Filesize
1.4MB
-
memory/5064-20-0x00007FFB46D10000-0x00007FFB46E82000-memory.dmp
Filesize
1.4MB
-
memory/5064-19-0x0000000000400000-0x0000000001CF7000-memory.dmp
Filesize
25.0MB
-
memory/5064-16-0x0000000000400000-0x0000000001CF7000-memory.dmp
Filesize
25.0MB
-
memory/5064-0-0x0000000003F10000-0x00000000040F8000-memory.dmp
Filesize
1.9MB
-
memory/5064-17-0x0000000000400000-0x0000000001CF7000-memory.dmp
Filesize
25.0MB
-
memory/5064-15-0x0000000000400000-0x0000000001CF7000-memory.dmp
Filesize
25.0MB
-
memory/5064-12-0x0000000000400000-0x0000000001CF7000-memory.dmp
Filesize
25.0MB
-
memory/5064-10-0x0000000000400000-0x0000000001CF7000-memory.dmp
Filesize
25.0MB