Malware Analysis Report

2024-09-09 17:59

Sample ID 240618-qaccmsvbnc
Target #Nḙw_PCŜétup-44017-Pa$$wrD!!.rar
SHA256 1606dc0cfa75904afa9a73126bb35935db1c49944542108f4dd4c95b06dedad4
Tags: stealc vidar discovery persistence privilege_escalation spyware stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 1606dc0cfa75904afa9a73126bb35935db1c49944542108f4dd4c95b06dedad4

Threat Level: Known bad

The file #Nḙw_PCŜétup-44017-Pa$$wrD!!.rar was found to be: Known bad.

Malicious Activity Summary

Tags: stealc vidar discovery persistence privilege_escalation spyware stealer

Vidar
Stealc
Detect Vidar Stealer
Reads data files stored by FTP clients
Checks computer location settings
Suspicious use of SetThreadContext
Loads dropped DLL
Checks installed software on the system
Program crash
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Suspicious behavior: MapViewOfSection
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory

Read together, the two detonations record one chain. Set-up.exe (the executable the sandbox extracted from the archive and ran from %TEMP%) writes into a 32-bit netsh.exe (C:\Windows\SysWOW64\netsh.exe) and sets its thread context, the combination characteristic of process hollowing. netsh.exe in turn writes into a process started from the dropped file %TEMP%\dcom.au3, which is executed as a PE despite its AutoIt-script extension and has the same hash in both runs. On Windows 10 (behavioral2) dcom.au3 loads a dropped DLL, reads the machine's region and processor name from the registry, and launches cmd.exe to wait 10 seconds, delete Set-up.exe and remove C:\ProgramData\AEHIJDAFBKFH; in that run DNS queries for t.me and poocoin.online are sent to 8.8.8.8, with no subsequent connection recorded. On Windows 7 (behavioral1) dcom.au3 crashes under WerFault.exe and no network activity is recorded.

Caveat on the "Event Triggered Execution: Netsh Helper DLL" signature, which is what supplies the persistence and privilege_escalation tags: the only events behind it are netsh.exe opening, querying and enumerating HKLM\SOFTWARE\WOW6432Node\Microsoft\NetSh, which netsh.exe does at startup to locate its helper DLLs. No write to that key is recorded in either run, so this is a side effect of netsh.exe being used as the injection host, not evidence that the sample registered a helper DLL.

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-18 13:03

Signatures

N/A (static analysis produced no signature hits)

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 13:03

Reported

2024-06-18 13:06

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Set-up.exe"

Signatures

Detect Vidar Stealer
Tags: stealer
3 matches; indicator, process and target not recorded (N/A)

Stealc
Tags: stealer, stealc

Vidar
Tags: stealer, vidar

Reads data files stored by FTP clients
Tags: spyware, stealer

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\dcom.au3 | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3444 set thread context of 2932 | N/A | C:\Users\Admin\AppData\Local\Temp\Set-up.exe | C:\Windows\SysWOW64\netsh.exe

Checks installed software on the system
Tags: discovery

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dcom.au3 | N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL
Tags: persistence, privilege_escalation

Description | Indicator | Process | Target
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\dcom.au3 | N/A

Delays execution with timeout.exe
Tags: evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Set-up.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3444 wrote to memory of 2932 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Set-up.exe | C:\Windows\SysWOW64\netsh.exe
PID 2932 wrote to memory of 4836 (5 events) | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\dcom.au3
PID 4836 wrote to memory of 1188 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\dcom.au3 | C:\Windows\SysWOW64\cmd.exe
PID 1188 wrote to memory of 3132 (3 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Set-up.exe

"C:\Users\Admin\AppData\Local\Temp\Set-up.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\netsh.exe

C:\Users\Admin\AppData\Local\Temp\dcom.au3

C:\Users\Admin\AppData\Local\Temp\dcom.au3

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Set-up.exe" & rd /s /q "C:\ProgramData\AEHIJDAFBKFH" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 10

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | poocoin.online | udp
US | 8.8.8.8:53 | t.me | udp

Files

memory/3444-0-0x0000000074860000-0x00000000749DB000-memory.dmp

memory/3444-1-0x00007FFA16B10000-0x00007FFA16D05000-memory.dmp

memory/3444-7-0x0000000074872000-0x0000000074874000-memory.dmp

memory/3444-8-0x0000000074860000-0x00000000749DB000-memory.dmp

memory/3444-9-0x0000000074860000-0x00000000749DB000-memory.dmp

memory/3444-12-0x0000000050000000-0x0000000050116000-memory.dmp

memory/3444-11-0x0000000000400000-0x0000000000421000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a98a59fb

MD5 01a2dc15ad631cf4f19a0a632b3c2953
SHA1 163ff9516ee5860bd7b835d145ef6c858bb783f1
SHA256 c63c562c151989b9e4f189be49aa1fd7ac01e944a0572de56f78a3bf0b2eeef5
SHA512 0486ff86de7cbf485f02bbd5d75cd55cf1864d5af37afc983ebfa463c219ce9216d8f0eb6cc6f7c63c70af71ce9ecff282e7fbd9e53eee46d694cbd647b8c474

memory/2932-15-0x0000000074861000-0x000000007486F000-memory.dmp

memory/3444-13-0x0000000050120000-0x000000005030D000-memory.dmp

memory/2932-16-0x00007FFA16B10000-0x00007FFA16D05000-memory.dmp

memory/2932-19-0x0000000074861000-0x000000007486F000-memory.dmp

memory/2932-18-0x000000007486E000-0x0000000074870000-memory.dmp

memory/2932-23-0x0000000074861000-0x000000007486F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dcom.au3

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/4836-25-0x0000000001200000-0x000000000194B000-memory.dmp

memory/4836-27-0x00007FFA16B10000-0x00007FFA16D05000-memory.dmp

memory/4836-28-0x0000000001200000-0x000000000194B000-memory.dmp

memory/4836-30-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/4836-48-0x0000000001200000-0x000000000194B000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 13:03

Reported

2024-06-18 13:06

Platform

win7-20240611-en

Max time kernel

142s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Set-up.exe"

Signatures

Detect Vidar Stealer
Tags: stealer
2 matches; indicator, process and target not recorded (N/A)

Stealc
Tags: stealer, stealc

Vidar
Tags: stealer, vidar

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2208 set thread context of 2452 | N/A | C:\Users\Admin\AppData\Local\Temp\Set-up.exe | C:\Windows\SysWOW64\netsh.exe

Event Triggered Execution: Netsh Helper DLL
Tags: persistence, privilege_escalation

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\dcom.au3

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Set-up.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Set-up.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Set-up.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2208 wrote to memory of 2452 (5 events) | N/A | C:\Users\Admin\AppData\Local\Temp\Set-up.exe | C:\Windows\SysWOW64\netsh.exe
PID 2452 wrote to memory of 2700 (6 events) | N/A | C:\Windows\SysWOW64\netsh.exe | C:\Users\Admin\AppData\Local\Temp\dcom.au3
PID 2700 wrote to memory of 2900 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\dcom.au3 | C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Set-up.exe

"C:\Users\Admin\AppData\Local\Temp\Set-up.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\SysWOW64\netsh.exe

C:\Users\Admin\AppData\Local\Temp\dcom.au3

C:\Users\Admin\AppData\Local\Temp\dcom.au3

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 148
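The SetThreadContext and WriteProcessMemory tables and the process lists of behavioral2 and behavioral1 record the same chain with different PIDs. The script below is added here as an illustration; it is not the sandbox vendor's tooling. It replays those events, transcribed by hand from the tables above into an assumed (kind, src_pid, dst_pid) record layout, and flags the three things a detection engineer would key on: a non-system binary that both writes into and sets the thread context of a system binary, a process image under %TEMP% with a non-executable extension, and a cmd.exe line that delays with timeout and then deletes another process's image.

```python
"""Replay the process-memory events recorded in this report and flag the chain.

Added example for this page; not the sandbox vendor's code. PROCESSES and
EVENTS are transcribed by hand from the behavioral2 (Windows 10) and
behavioral1 (Windows 7) sections above; the (kind, src_pid, dst_pid) record
layout is an assumption made for this script, not the sandbox's export format.
"""
import re
from dataclasses import dataclass

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SYS = r"C:\Windows\SysWOW64"

# pid -> (image path, command line), as listed under "Processes".
PROCESSES = {
    "behavioral2": {
        3444: (TEMP + r"\Set-up.exe", '"' + TEMP + r'\Set-up.exe"'),
        2932: (SYS + r"\netsh.exe", SYS + r"\netsh.exe"),
        4836: (TEMP + r"\dcom.au3", TEMP + r"\dcom.au3"),
        1188: (SYS + r"\cmd.exe",
               r'"C:\Windows\System32\cmd.exe" /c timeout /t 10 & del /f /q "'
               + TEMP + r'\Set-up.exe" & rd /s /q "C:\ProgramData\AEHIJDAFBKFH" & exit'),
        3132: (SYS + r"\timeout.exe", "timeout /t 10"),
    },
    "behavioral1": {
        2208: (TEMP + r"\Set-up.exe", '"' + TEMP + r'\Set-up.exe"'),
        2452: (SYS + r"\netsh.exe", SYS + r"\netsh.exe"),
        2700: (TEMP + r"\dcom.au3", TEMP + r"\dcom.au3"),
        2900: (SYS + r"\WerFault.exe", SYS + r"\WerFault.exe -u -p 2700 -s 148"),
    },
}

# (kind, src_pid, dst_pid): "write" = WriteProcessMemory, "setctx" = SetThreadContext.
# Rows the report repeats are kept as repeated records.
EVENTS = {
    "behavioral2": [("write", 3444, 2932)] * 4 + [("setctx", 3444, 2932)]
    + [("write", 2932, 4836)] * 5 + [("write", 4836, 1188)] * 3
    + [("write", 1188, 3132)] * 3,
    "behavioral1": [("write", 2208, 2452)] * 5 + [("setctx", 2208, 2452)]
    + [("write", 2452, 2700)] * 6 + [("write", 2700, 2900)] * 4,
}

EXECUTABLE_EXTS = (".exe", ".com", ".scr", ".pif")
TIMEOUT_RE = re.compile(r"\btimeout\s+/t\s+\d+", re.I)
DEL_RE = re.compile(r'\bdel\s+(?:/\w\s+)*"([^"]+)"', re.I)  # quoted path after del [/f] [/q]


@dataclass(frozen=True)
class Finding:
    kind: str      # "hollowing", "odd_extension" or "self_delete"
    pid: int       # process the finding is attributed to
    detail: str


def is_system_binary(path):
    return path.lower().startswith(("c:\\windows\\system32\\", "c:\\windows\\syswow64\\"))


def root_pid(events):
    """The one PID that writes into others but is never written into."""
    dsts = {d for _, _, d in events}
    return next(s for _, s, _ in events if s not in dsts)


def injection_chain(events, root):
    """Follow write edges from root; the report shows one child per stage."""
    chain, cur = [root], root
    while True:
        nxt = [d for k, s, d in events if k == "write" and s == cur and d not in chain]
        if not nxt:
            return chain
        cur = nxt[0]
        chain.append(cur)


def analyse(processes, events):
    findings = []
    writers = {(s, d) for k, s, d in events if k == "write"}
    # 1. Hollowing: the writer also sets the target's thread context, the target
    #    is a system binary (netsh.exe here) and the writer is not.
    for k, s, d in events:
        if k == "setctx" and (s, d) in writers:
            src_img, dst_img = processes[s][0], processes[d][0]
            if is_system_binary(dst_img) and not is_system_binary(src_img):
                findings.append(Finding("hollowing", s, f"{src_img} -> {dst_img} (pid {d})"))
    # 2. A process image under %TEMP% with a non-executable extension
    #    (dcom.au3 runs as a PE although it is named like an AutoIt script).
    for pid, (image, _) in processes.items():
        low = image.lower()
        if "\\appdata\\local\\temp\\" in low and not low.endswith(EXECUTABLE_EXTS):
            findings.append(Finding("odd_extension", pid, image))
    # 3. cmd.exe that waits with timeout and then deletes another process's image.
    images = {img.lower() for img, _ in processes.values()}
    for pid, (image, cmdline) in processes.items():
        m = DEL_RE.search(cmdline)
        if (image.lower().endswith("\\cmd.exe") and m and TIMEOUT_RE.search(cmdline)
                and m.group(1).lower() in images):
            findings.append(Finding("self_delete", pid, m.group(1)))
    return findings


if __name__ == "__main__":
    for run, procs in PROCESSES.items():
        chain = injection_chain(EVENTS[run], root_pid(EVENTS[run]))
        names = {p: procs[p][0].rsplit("\\", 1)[-1] for p in chain}
        print(run, "chain:", " -> ".join(f"{p} {names[p]}" for p in chain))
        for f in analyse(procs, EVENTS[run]):
            print("   ", f.kind, f.pid, f.detail)
```

The report records "wrote to memory" for every parent and child pair, including cmd.exe into timeout.exe, so a write on its own is noise; the rule keys on the write combined with SetThreadContext on a system binary from a non-system one. The same cmd.exe pattern (timeout, then del of the launching executable) is what the "Delays execution with timeout.exe" signature above fires on.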

Network

N/A (no network activity recorded in this run)

Files

memory/2208-0-0x0000000075140000-0x00000000752B4000-memory.dmp

memory/2208-1-0x0000000077BC0000-0x0000000077D69000-memory.dmp

memory/2208-8-0x0000000075140000-0x00000000752B4000-memory.dmp

memory/2208-7-0x0000000075152000-0x0000000075154000-memory.dmp

memory/2208-9-0x0000000075140000-0x00000000752B4000-memory.dmp

memory/2208-11-0x0000000000400000-0x0000000000421000-memory.dmp

memory/2208-12-0x0000000050000000-0x0000000050116000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1c19c7a9

MD5 7ed54198bda746599a5788072b9247f2
SHA1 1fe89523461c43eb27c5cf840ca203ae11401dc5
SHA256 ffaa32576d538d2be9d5956f3d9df3c058bb35b26363318338e4500c34ae7555
SHA512 59db7942dfd0b253004bb73c26e2abfb93b58d7c78202b4ff6ea4a738104f90d5b91097541c191157ba5351fc2bdd22e2b0be8b3fa64290e2a14bf0f621deb23

memory/2452-14-0x0000000075140000-0x00000000752B4000-memory.dmp

memory/2208-13-0x0000000050120000-0x000000005030D000-memory.dmp

memory/2452-16-0x0000000077BC0000-0x0000000077D69000-memory.dmp

memory/2452-18-0x0000000075140000-0x00000000752B4000-memory.dmp

memory/2452-19-0x0000000075140000-0x00000000752B4000-memory.dmp

\Users\Admin\AppData\Local\Temp\dcom.au3

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/2700-25-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2700-24-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

memory/2452-26-0x0000000075140000-0x00000000752B4000-memory.dmp

memory/2700-28-0x0000000000A60000-0x00000000011AB000-memory.dmp

memory/2700-37-0x0000000000A60000-0x00000000011AB000-memory.dmp
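Both runs list the same dropped files and memory regions under different PIDs and, for the OS DLL mappings, at different addresses. The script below is an added illustration and not anything from the sandbox: it parses the memory/<pid>-<n>-<start>-<end>-memory.dmp names and the file hashes transcribed from the two Files sections (distinct regions only; the PID-to-image mapping is taken from the Processes sections) and reports which artifacts are identical across the Windows 7 and Windows 10 detonations, which is the check to do before turning any of them into an indicator.

```python
"""Compare the artifacts of the two detonations in this report.

Added example, not the sandbox's own code. The "dumps" and "files" entries are
transcribed from the two "Files" sections (one entry per distinct memory
region); "pids" maps each PID to its image name from the "Processes" sections.
"""
import re

DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

RUNS = {
    "behavioral2": {  # Windows 10
        "pids": {3444: "Set-up.exe", 2932: "netsh.exe", 4836: "dcom.au3"},
        "dumps": [
            "memory/3444-0-0x0000000074860000-0x00000000749DB000-memory.dmp",
            "memory/3444-1-0x00007FFA16B10000-0x00007FFA16D05000-memory.dmp",
            "memory/3444-7-0x0000000074872000-0x0000000074874000-memory.dmp",
            "memory/3444-11-0x0000000000400000-0x0000000000421000-memory.dmp",
            "memory/3444-12-0x0000000050000000-0x0000000050116000-memory.dmp",
            "memory/3444-13-0x0000000050120000-0x000000005030D000-memory.dmp",
            "memory/2932-15-0x0000000074861000-0x000000007486F000-memory.dmp",
            "memory/2932-18-0x000000007486E000-0x0000000074870000-memory.dmp",
            "memory/4836-25-0x0000000001200000-0x000000000194B000-memory.dmp",
            "memory/4836-30-0x0000000061E00000-0x0000000061EF3000-memory.dmp",
        ],
        "files": {
            r"C:\Users\Admin\AppData\Local\Temp\a98a59fb":
                "c63c562c151989b9e4f189be49aa1fd7ac01e944a0572de56f78a3bf0b2eeef5",
            r"C:\Users\Admin\AppData\Local\Temp\dcom.au3":
                "237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d",
        },
    },
    "behavioral1": {  # Windows 7
        "pids": {2208: "Set-up.exe", 2452: "netsh.exe", 2700: "dcom.au3"},
        "dumps": [
            "memory/2208-0-0x0000000075140000-0x00000000752B4000-memory.dmp",
            "memory/2208-1-0x0000000077BC0000-0x0000000077D69000-memory.dmp",
            "memory/2208-7-0x0000000075152000-0x0000000075154000-memory.dmp",
            "memory/2208-11-0x0000000000400000-0x0000000000421000-memory.dmp",
            "memory/2208-12-0x0000000050000000-0x0000000050116000-memory.dmp",
            "memory/2208-13-0x0000000050120000-0x000000005030D000-memory.dmp",
            "memory/2452-14-0x0000000075140000-0x00000000752B4000-memory.dmp",
            "memory/2700-25-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp",
            "memory/2700-28-0x0000000000A60000-0x00000000011AB000-memory.dmp",
        ],
        "files": {
            r"C:\Users\Admin\AppData\Local\Temp\1c19c7a9":
                "ffaa32576d538d2be9d5956f3d9df3c058bb35b26363318338e4500c34ae7555",
            r"\Users\Admin\AppData\Local\Temp\dcom.au3":
                "237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d",
        },
    },
}


def parse_dump(name):
    """'memory/3444-12-0x...50000000-0x...50116000-memory.dmp' -> (3444, start, end)."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox memory dump name: {name!r}")
    return int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)


def regions(run):
    """Set of (image, start, end); PIDs are run-specific, so they are dropped."""
    out = set()
    for name in run["dumps"]:
        pid, start, end = parse_dump(name)
        out.add((run["pids"][pid], start, end))
    return out


def stable_regions(runs):
    """Regions present, for the same image, in every run."""
    return sorted(set.intersection(*(regions(r) for r in runs.values())))


def split_files(runs):
    """(stable, volatile): SHA256s seen in every run versus only in some."""
    per_run = [set(r["files"].values()) for r in runs.values()]
    stable = set.intersection(*per_run)
    return stable, set.union(*per_run) - stable


if __name__ == "__main__":
    for image, start, end in stable_regions(RUNS):
        print(f"{image:12s} {start:#010x}-{end:#010x}  size {end - start:#x}")
    stable, volatile = split_files(RUNS)
    print("stable file hashes  :", *sorted(stable))
    print("volatile file hashes:", *sorted(volatile))
```

All three stable regions belong to Set-up.exe: 0x00400000-0x00421000 is the default image base of a 32-bit PE and is most likely Set-up.exe's own image, while the regions at 0x50000000 and 0x50120000 sit at the same address on both OS versions even though every DLL mapping moved, which makes them the first dumps to carve and scan for the stealer payload. dcom.au3 has the same hash in both runs and is a usable file indicator; a98a59fb and 1c19c7a9 are run-specific names with run-specific contents.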