Analysis
- max time kernel: 149s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 18-06-2024 14:48
Tasks
All samples below are taken from the archive prefix #!~#0PEn_9797_P@$SW0rd~!^!!$/ (task: sample, resource).
- static1: Static task
- behavioral1: Setup.exe, win7-20240419-en
- behavioral2: Setup.exe, win10v2004-20240226-en
- behavioral3: coalfish.apk, win7-20240508-en
- behavioral4: coalfish.apk, win10v2004-20240508-en
- behavioral5: madbasic_.dll, win7-20240221-en
- behavioral6: madbasic_.dll, win10v2004-20240611-en
- behavioral7: maddisAsm_.dll, win7-20240221-en
- behavioral8: maddisAsm_.dll, win10v2004-20240508-en
- behavioral9: madexcept_.dll, win7-20240508-en
- behavioral10: madexcept_.dll, win10v2004-20240611-en
- behavioral11: rtl120.dll, win7-20240611-en
- behavioral12: rtl120.dll, win10v2004-20240508-en
- behavioral13: vcl120.dll, win7-20240220-en
- behavioral14: vcl120.dll, win10v2004-20240226-en
- behavioral15: vclx120.dll, win7-20240611-en
- behavioral16: vclx120.dll, win10v2004-20240611-en
- behavioral17: vcruntime140.dll, win7-20240508-en
- behavioral18: vcruntime140.dll, win10v2004-20240611-en
- behavioral19: vcruntime140_app.dll, win7-20240611-en
- behavioral20: vcruntime140_app.dll, win10v2004-20240508-en
- behavioral21: x86/HDHelper_[0MB]_[1].exe, win7-20231129-en
- behavioral22: x86/HDHelper_[0MB]_[1].exe, win10v2004-20240508-en
- behavioral23: x86/NvStereoUtilityOGL_[1MB]_[1].exe, win7-20240419-en
- behavioral24: x86/NvStereoUtilityOGL_[1MB]_[1].exe, win10v2004-20240508-en
- behavioral25: x86/VSLauncher_[0MB]_[1].exe, win7-20240508-en
- behavioral26: x86/VSLauncher_[0MB]_[1].exe, win10v2004-20240611-en
- behavioral27: x86/api-ms-win-core-processthreads-l1-1-1.dll, win10v2004-20240611-en
- behavioral28: x86/api-ms-win-core-profile-l1-1-0.dll, win10v2004-20240226-en
- behavioral29: x86/api-ms-win-core-rtlsupport-l1-1-0.dll, win10v2004-20240611-en
- behavioral30: x86/api-ms-win-core-string-l1-1-0.dll, win10v2004-20240508-en
- behavioral31: x86/api-ms-win-core-synch-l1-1-0.dll, win10v2004-20240611-en
- behavioral32: x86/api-ms-win-core-synch-l1-2-0.dll, win10v2004-20240508-en
General
- Target: #!~#0PEn_9797_P@$SW0rd~!^!!$/Setup.exe
- Size: 2.3MB
- MD5: 5d52ef45b6e5bf144307a84c2af1581b
- SHA1: 414a899ec327d4a9daa53983544245b209f25142
- SHA256: 26a24d3b0206c6808615c7049859c2fe62c4dcd87e7858be40ae8112b0482616
- SHA512: 458f47c1e4ccf41edaacc57abb663ee77ca098fffc596fad941bbdea67653aeabc79b34d607078b9ee5adb45614e26f5c28a09e8faf9532081fdd5dec9ac3c48
- SSDEEP: 49152:DzO+g39FbI0eQf/Z3CarWedoYAmXviDTMtT2wkqN5K:DzO19Fnf/hdoYAm9ZkqN5K
Malware Config
- Extracted: stealc
Signatures
- Detect Vidar Stealer (2 IoCs)
  resource / yara_rule:
  behavioral1/memory/2828-34-0x0000000000B30000-0x000000000127C000-memory.dmp / family_vidar_v7
  behavioral1/memory/2828-43-0x0000000000B30000-0x000000000127C000-memory.dmp / family_vidar_v7
- Suspicious use of SetThreadContext (1 IoC)
  PID 2052 (Setup.exe) set thread context of PID 1800 (netsh.exe)
- Loads dropped DLL (9 IoCs)
  pid / process: 1800 netsh.exe (1 time), 2828 dcom.au3 (1 time), 2772 WerFault.exe (7 times)
- Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  netsh.exe: key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh
  netsh.exe: key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh
  netsh.exe: key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh
- Program crash (1 IoC)
  PID 2772 (WerFault.exe), target PID 2828 (dcom.au3)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid / process: 2052 Setup.exe (2 times), 1800 netsh.exe (2 times)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  pid / process: 2052 Setup.exe, 1800 netsh.exe
- Suspicious use of WriteProcessMemory (15 IoCs)
  PID 2052 (Setup.exe) wrote to memory of 1800 (netsh.exe): 5 times
  PID 1800 (netsh.exe) wrote to memory of 2828 (dcom.au3): 6 times
  PID 2828 (dcom.au3) wrote to memory of 2772 (WerFault.exe): 4 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\Setup.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\#!~#0PEn_9797_P@$SW0rd~!^!!$\Setup.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\netsh.exe
      Command line: C:\Windows\SysWOW64\netsh.exe
      - Loads dropped DLL
      - Event Triggered Execution: Netsh Helper DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\dcom.au3
         Command line: C:\Users\Admin\AppData\Local\Temp\dcom.au3
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 148
            - Loads dropped DLL
            - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\83edb132
  Filesize: 6.8MB
  MD5: 20233f925c44eda22f83727c6eebe376
  SHA1: 3efd0b0161a0314d3061bc94db9b92da1cecb671
  SHA256: 3c8a28f017c8e76f29a32d33dfb8b6a1c1706c94d371e4abcac462abd6ac2255
  SHA512: dc82cb6189c22a8d383e479deea3772d5b4a2f4d6bc0eaabe735ad109588fe5f744849008976caf6560645493a7af2f55f1723b237d3da126b57f17aaafb9051
- \Users\Admin\AppData\Local\Temp\dcom.au3
  Filesize: 872KB
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Memory dumps (dump: filesize)
- memory/1800-25-0x00000000740E0000-0x0000000074254000-memory.dmp: 1.5MB
- memory/1800-20-0x00000000740E0000-0x0000000074254000-memory.dmp: 1.5MB
- memory/1800-26-0x00000000740E0000-0x0000000074254000-memory.dmp: 1.5MB
- memory/1800-23-0x0000000076FC0000-0x0000000077169000-memory.dmp: 1.7MB
- memory/2052-18-0x0000000057000000-0x000000005703F000-memory.dmp: 252KB
- memory/2052-15-0x0000000050000000-0x0000000050116000-memory.dmp: 1.1MB
- memory/2052-22-0x0000000050310000-0x0000000050349000-memory.dmp: 228KB
- memory/2052-19-0x0000000050120000-0x000000005030D000-memory.dmp: 1.9MB
- memory/2052-21-0x0000000057800000-0x0000000057812000-memory.dmp: 72KB
- memory/2052-11-0x00000000740E0000-0x0000000074254000-memory.dmp: 1.5MB
- memory/2052-17-0x0000000059800000-0x000000005986E000-memory.dmp: 440KB
- memory/2052-10-0x00000000740F2000-0x00000000740F4000-memory.dmp: 8KB
- memory/2052-14-0x0000000000400000-0x0000000000698000-memory.dmp: 2.6MB
- memory/2052-0-0x00000000740E0000-0x0000000074254000-memory.dmp: 1.5MB
- memory/2052-12-0x00000000740E0000-0x0000000074254000-memory.dmp: 1.5MB
- memory/2052-1-0x0000000076FC0000-0x0000000077169000-memory.dmp: 1.7MB
- memory/2828-32-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp: 4KB
- memory/2828-31-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp: 4KB
- memory/2828-34-0x0000000000B30000-0x000000000127C000-memory.dmp: 7.3MB
- memory/2828-43-0x0000000000B30000-0x000000000127C000-memory.dmp: 7.3MB