Analysis Overview
SHA256
4355a412e52f33235565e87b52caaae5d9dcd4942ae6eb2fe3a385fab3497cd1
Threat Level: Known bad
The file lntsaII3r_3.1.9_win_64-86.set-up+P0rtbIExten.rar was found to be: Known bad.
Malicious Activity Summary
Detect Vidar Stealer
Vidar
Stealc
Loads dropped DLL
Executes dropped EXE
Suspicious use of SetThreadContext
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Program crash
Suspicious behavior: MapViewOfSection
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-28 10:47
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-28 10:46
Reported
2024-06-28 10:50
Platform
win7-20240221-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
Detect Vidar Stealer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stealc
Vidar
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zOC88EBDA6\Setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\coml.au3 | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2540 set thread context of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\7zOC88EBDA6\Setup.exe | C:\Windows\SysWOW64\netsh.exe |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | C:\Windows\SysWOW64\netsh.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\coml.au3 |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zOC88EBDA6\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zOC88EBDA6\Setup.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zOC88EBDA6\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netsh.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\lntsaII3r_3.1.9_win_64-86.set-up+P0rtbIExten.rar
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\lntsaII3r_3.1.9_win_64-86.set-up+P0rtbIExten.rar"
C:\Users\Admin\AppData\Local\Temp\7zOC88EBDA6\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\7zOC88EBDA6\Setup.exe"
C:\Windows\SysWOW64\netsh.exe
C:\Windows\SysWOW64\netsh.exe
C:\Users\Admin\AppData\Local\Temp\coml.au3
C:\Users\Admin\AppData\Local\Temp\coml.au3
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 148
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zOC88FDCD7\ReadMe(!).txt
Network
Files
memory/2540-32-0x0000000140000000-0x00000001407DB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\b53721c
| MD5 | 957edcb00ce0b522499f6c799ea11053 |
| SHA1 | b1c91d93701d206820e45118e0df50d34790d27d |
| SHA256 | e4456eea3e2fca53bc2a06fd247eba74bf668c39069d5c821d082ef7dfa03f5d |
| SHA512 | 167cb1c01f28bc40f85d0d8f895346d147a286811550142ebdf659cc4ba92f015d4def386d58adf4c48b1946ee31ddd8dcbef50ba09533889e9ad161c9867eb6 |
memory/2540-40-0x000007FEF5F10000-0x000007FEF6068000-memory.dmp
memory/2540-41-0x000007FEF5F10000-0x000007FEF6068000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fd70d43
| MD5 | 9131a5c0caa4d7c3ec19b7bea3535a3f |
| SHA1 | a100c2102819f79682a3c3c02392ee9292b328ef |
| SHA256 | bad23670a06b14d9dabd9c41b81807cb6dbe17445834e6c89f1aeb1f13eef70d |
| SHA512 | eab43616cae3b0339e9bf575a04ffebb97de11c74bc4cf8c1657800734a3c45c6ec8fd5e6273eecfb273581a7d1a67ebf298b771c2cd2cab2ab1f0522d02ceef |
memory/2988-44-0x0000000077270000-0x0000000077419000-memory.dmp
\Users\Admin\AppData\Local\Temp\coml.au3
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
memory/2988-46-0x00000000733A0000-0x0000000073514000-memory.dmp
memory/2800-52-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2800-51-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2800-54-0x00000000005D0000-0x0000000000D1B000-memory.dmp
memory/2800-61-0x00000000005D0000-0x0000000000D1B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zOC88FDCD7\ReadMe(!).txt
| MD5 | bcd44e1dc4b8c98bfe46334c05c50851 |
| SHA1 | 2312cd4e3279d57c64fbfbfffbc98cc9e0e6b720 |
| SHA256 | 116d7fc2ff0d14b5a94007416a5d78c97d8a8779c6b02b2067a4fce3534f3406 |
| SHA512 | 21ed99c0787e05cb16d5a46db01351aca43abe5a6c6cf82b8a6148f157f454377e7cafcf7336c6c275abd2caab63feb40a312bf416d75c2eca1d7dba3ef34549 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-28 10:46
Reported
2024-06-28 10:50
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
151s
Command Line
Signatures
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | C:\Windows\system32\cmd.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\lntsaII3r_3.1.9_win_64-86.set-up+P0rtbIExten.rar
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.16.208.104.in-addr.arpa | udp |