vidar | 8237794f0fffb298040ed59045b679579fa6e1b66703ec2bf5353e71499c663e

Analysis

max time kernel
145s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12-07-2024 16:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8237794f0fffb298040ed59045b679579fa6e1b66703ec2bf5353e71499c663e.exe
Size

18.4MB
MD5

d0ba2b1c91124ee4a250c6c53f545f1f
SHA1

0352292fc21c8dd442358f2ff4fa8eded01b7dca
SHA256

8237794f0fffb298040ed59045b679579fa6e1b66703ec2bf5353e71499c663e
SHA512

99d45e22f36f15777e789e54d6a5410a335bd344d009d863afd3c35ce53a6f4811b7e40f912b6da35725e121fff11e51a3fb9659a45a2f7701afc9ab407d7399
SSDEEP

196608:gTBne2w95/Ry70HesbbUkMgDgT86liKXscCW3usLRFK0tGxxK9:F955lHPboLg8YlmJC2LRg0tGxx

Score

10^/10

vidar stealer

Malware Config

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SetupHost.Exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	SetupHost.Exe

Executes dropped EXE 2 IoCs

Processes:

SetupHost.ExeDiagTrackRunner.exe

pid process

4500 SetupHost.Exe
4840 DiagTrackRunner.exe

Loads dropped DLL 16 IoCs

Processes:

SetupHost.ExeDiagTrackRunner.exe

pid	process
4500	SetupHost.Exe
4500	SetupHost.Exe
4500	SetupHost.Exe
4500	SetupHost.Exe
4500	SetupHost.Exe
4500	SetupHost.Exe
4500	SetupHost.Exe
4500	SetupHost.Exe
4500	SetupHost.Exe
4500	SetupHost.Exe
4500	SetupHost.Exe
4500	SetupHost.Exe
4500	SetupHost.Exe
4500	SetupHost.Exe
4500	SetupHost.Exe
4840	DiagTrackRunner.exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SetupHost.Exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	SetupHost.Exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	SetupHost.Exe

Drops file in Windows directory 1 IoCs

Processes:

8237794f0fffb298040ed59045b679579fa6e1b66703ec2bf5353e71499c663e.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\MoSetup\BlueBox.log	8237794f0fffb298040ed59045b679579fa6e1b66703ec2bf5353e71499c663e.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SetupHost.Exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SetupHost.Exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	SetupHost.Exe

NTFS ADS 1 IoCs

Processes:

SetupHost.Exe

description ioc process

File created C:\ProgramData\Microsoft\Diagnosis\ETLLogs\DlTel-Merge.etl:$ETLUNIQUECVDATA SetupHost.Exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

SetupHost.Exe

pid process

4500 SetupHost.Exe
4500 SetupHost.Exe
4500 SetupHost.Exe
4500 SetupHost.Exe

description	ioc	process
File created	C:\ProgramData\Microsoft\Diagnosis\ETLLogs\DlTel-Merge.etl:$ETLUNIQUECVDATA	SetupHost.Exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

8237794f0fffb298040ed59045b679579fa6e1b66703ec2bf5353e71499c663e.exeSetupHost.ExeDiagTrackRunner.exe

description	pid	process
Token: SeBackupPrivilege	2236	8237794f0fffb298040ed59045b679579fa6e1b66703ec2bf5353e71499c663e.exe
Token: SeRestorePrivilege	2236	8237794f0fffb298040ed59045b679579fa6e1b66703ec2bf5353e71499c663e.exe
Token: SeBackupPrivilege	2236	8237794f0fffb298040ed59045b679579fa6e1b66703ec2bf5353e71499c663e.exe
Token: SeRestorePrivilege	2236	8237794f0fffb298040ed59045b679579fa6e1b66703ec2bf5353e71499c663e.exe
Token: SeBackupPrivilege	4500	SetupHost.Exe
Token: SeRestorePrivilege	4500	SetupHost.Exe
Token: SeBackupPrivilege	4500	SetupHost.Exe
Token: SeRestorePrivilege	4500	SetupHost.Exe
Token: SeDebugPrivilege	4840	DiagTrackRunner.exe
Token: SeDebugPrivilege	4840	DiagTrackRunner.exe
Token: SeDebugPrivilege	4840	DiagTrackRunner.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

8237794f0fffb298040ed59045b679579fa6e1b66703ec2bf5353e71499c663e.exeSetupHost.Exe

pid process

2236 8237794f0fffb298040ed59045b679579fa6e1b66703ec2bf5353e71499c663e.exe
4500 SetupHost.Exe

pid	process
2236	8237794f0fffb298040ed59045b679579fa6e1b66703ec2bf5353e71499c663e.exe
4500	SetupHost.Exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

8237794f0fffb298040ed59045b679579fa6e1b66703ec2bf5353e71499c663e.exeSetupHost.Exe

description	pid	process	target process
PID 2236 wrote to memory of 4500	2236	8237794f0fffb298040ed59045b679579fa6e1b66703ec2bf5353e71499c663e.exe	SetupHost.Exe
PID 2236 wrote to memory of 4500	2236	8237794f0fffb298040ed59045b679579fa6e1b66703ec2bf5353e71499c663e.exe	SetupHost.Exe
PID 2236 wrote to memory of 4500	2236	8237794f0fffb298040ed59045b679579fa6e1b66703ec2bf5353e71499c663e.exe	SetupHost.Exe
PID 4500 wrote to memory of 4840	4500	SetupHost.Exe	DiagTrackRunner.exe
PID 4500 wrote to memory of 4840	4500	SetupHost.Exe	DiagTrackRunner.exe
PID 4500 wrote to memory of 4840	4500	SetupHost.Exe	DiagTrackRunner.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

DiagTrackRunner.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection DiagTrackRunner.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection	DiagTrackRunner.exe

C:\Users\Admin\AppData\Local\Temp\8237794f0fffb298040ed59045b679579fa6e1b66703ec2bf5353e71499c663e.exe
"C:\Users\Admin\AppData\Local\Temp\8237794f0fffb298040ed59045b679579fa6e1b66703ec2bf5353e71499c663e.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2236
- C:\$Windows.~WS\Sources\SetupHost.Exe
  "C:\$Windows.~WS\Sources\SetupHost.Exe" /Download /Web
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\$Windows.~WS\Sources\DiagTrackRunner.exe
    C:\$Windows.~WS\Sources\DiagTrackRunner.exe /UploadEtlFilesOnly
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:4840

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Windows.~WS\Sources\DiagTrackRunner.exe

Filesize
77KB

MD5
76f30a1e149792d2542a253b920cbef6

SHA1
9040e0873df5cc2a64b850d1b8159b77528ba62c

SHA256
488cbc8330952dd13b797bb40e4e30610ed03483c25919c39555f7b334a3c159

SHA512
ec39861a3f39f88aad52975974c988ae76376a09136d95f5d4fedd60ee7ec252736d882cef77298d82d786e0dad13c61148b29d7c5fb7ba7d7c74b05de9d7e84

Download Submit
C:\$Windows.~WS\Sources\MediaSetupUIMgr.dll

Filesize
14.8MB

MD5
05a4f65d4063109b00b43e4d1158109d

SHA1
9c6b4396eda551415c6e74e3640c3f60029482f1

SHA256
d0803c8bca43360cbfdaffa2709b73bbda4da3eda90abc2d17289b7a1b80c93b

SHA512
0b0c950e90f3a9e82a66faa9d9d3e30dad0d513658347a4e8f9e1fae18b0657e77e088f221119501942376b1509002adef612b970fa66a3035446b26c05492b9

Download Submit
C:\$Windows.~WS\Sources\Panther\DlTel-Merge.etl

Filesize
192KB

MD5
43d5fec08d81769a64ea2a9378bd393e

SHA1
ba9d08545d8eb2fcd2cfdb75bd5db627e43206dc

SHA256
8979864b77ba361c336f7e3b3147f59d2da3ccbff9477481862836c8574609d1

SHA512
0d0630eb68d9effd7a0dd9cf56b5c96436f9ee3c0369a2f9f765b7e883fbc1eab224702d895a95f2e016c7775f198e25b373a4e8a8cea20c4ab50f2a347812dc

Download Submit
C:\$Windows.~WS\Sources\SetupCore.dll

Filesize
2.0MB

MD5
3b255263a6404c3461b29b30cfaba889

SHA1
cef6b73fc35aa93b2f387b836a9f98110a6a9c29

SHA256
ebc54cb6f910522483096d9f3251a16846d0f0565c71ad3a01ccf005509ca42e

SHA512
530248e5b565ea7fc86969f29f1c42f4ba5f3ace1cf4f467a2a880b30ba10861a9d42884fd38244b1695a7c919e7926fd3ba6c2cde44d2785eaf4192593c9f26

Download Submit
C:\$Windows.~WS\Sources\SetupHost.exe

Filesize
668KB

MD5
896262217f9c2bf8d84cb1f85b132dc7

SHA1
1ff96ac9218f2c5146231675ce4347b19c44967d

SHA256
ee16acc24dbff8344e7d04993f4af708e37bcb536634ed7578a427b14126e444

SHA512
bf2251ffede979c230f7e04976c5dc7ddec4145d186eaac674b68b2b81c6d34dcad93f93bf5f33469047d533190c6c108375f0199a75699eaf50141948471dd1

Download Submit
C:\$Windows.~WS\Sources\SetupMgr.dll

Filesize
684KB

MD5
f2ecf8f9ebc5dcc899789addbf46c2d8

SHA1
cfecc9f32ab370873962e05199af0712da0268a1

SHA256
ff36ae66f65d240a07b228cbbf1b15f7894fdef7449f55a141d839d9c4e31b04

SHA512
c000604d567197399d1ef901d4515cd38f8c034124055c4990148d807720e179b700b8a3c4cadc4d3d4f1b23598bdd6e23c7ae19f90431260c575aa292204152

Download Submit
C:\$Windows.~WS\Sources\SetupPlatform.dll

Filesize
6.6MB

MD5
7777f3783a8a3d5597b396528912f593

SHA1
ead27bc84e765b9f85bf73b75f284daf692a3c72

SHA256
ea4a65f82a3178eabc360a9f2d883f07712a4f4dc41f4508d95aaff94395d1e1

SHA512
574b5d0cb1eb47cbda2f72442b2c9b5a1cc5251f9a5b46c60fbd4a6e884694167fc22f62af4009773701ebf9f14259b1fca0f3ca87fe5e3ea664f531f1baad45

Download Submit
C:\$Windows.~WS\Sources\WDSCORE.dll

Filesize
192KB

MD5
0a9aaf7371d042e11b12ce6967f0a31c

SHA1
04bfb794739c32407f4b6b8f01179290a721e84d

SHA256
850e0fc4b6593d54d18d09ae18bc0be2c9c12689235419b9c93f69c30002bf7a

SHA512
ee36d18090a2f176c4b55dd5c46518925c9db9f61d6c46e2695c6231dbbac19333d2e8e387de1e7980b485328928f21ab6b86a1a78650eb3eac2ef8afdc33495

Download Submit
C:\$Windows.~WS\Sources\WINDLP.DLL

Filesize
1.1MB

MD5
433951156abbaf3c6bfa8306600f3fce

SHA1
a751197a22ba0cfd734c31d27d62d0a80036eb3c

SHA256
2155beeeeaad08f5590d228a8f4b111b5364bfd98fbdf6d158e8b88d5457f45b

SHA512
16bbe17fef11bf158972d765106a903cd7651de489db70e59caade0c1d113b564f9a0bbd3281e6f78d4778f1aefea96d1d44e2f94335e9304f1389e368479744

Download Submit
C:\$Windows.~WS\Sources\diagtrack.dll

Filesize
901KB

MD5
6c3f6a6bc5ede978e9dfe1acce386339

SHA1
3b7b51d762c593e92123f9365a896ed64ee26a7a

SHA256
b55d66f2943f1c63ea9b39dae88aa2a4f91775cefffefd263bd302866a7bd91c

SHA512
3f87064354a0f55f36aa272c5918d208b8a77fffb7965e9b50727c06fd8d8db5e6695636a7db37926fe444c91e4a4a7dc892ef5ef57676ba9515216d5e5f94ff

Download Submit
C:\$Windows.~WS\Sources\setupplatform.cfg

Filesize
7KB

MD5
213ecd9fde3824223a98f9d9734a7be3

SHA1
a0a1d1b96df2e28478a9502edf4885bf33aeb9ff

SHA256
0751fb2eb6442f207d3884a1919ca1d5f34c4323df541aed519e1c8df6dd4e4f

SHA512
da14b2649f8f8acdc14c5a291cfdedc9fa3b48d1bff5ffa12875453358a2bd80a647ceb1254abb71435039af80bc9748fbadcf811c7885ae361d47b2fc2091ca

Download Submit
C:\$Windows.~WS\Sources\unbcl.dll

Filesize
813KB

MD5
728188d9f30cdcf13cd49c1407d0f23c

SHA1
78e3e9f6e8f1fdba01bb4c1102685d701872e980

SHA256
80626be8444a6b23636c47c69b87e2a7cd4d0eac870b6f529634088c670bbd3f

SHA512
fe4fefd4f8b75c967ae0a6faf9c6d2a9c5d137aaafa1928760ac5b81d8240ea87a81c33a6863f870fd63a66ffbd89bb5335dc4ccc9376778e2b51414078d921e

Download Submit
C:\$Windows.~WS\Sources\wdsutil.dll

Filesize
229KB

MD5
37c7684e98c130d7646a57b12661df7e

SHA1
77d206cd690f5f8c2869354be24933257ad8fd43

SHA256
ca6e40d91d0763290e2167ae9bf240e429690c14cdcc2d8ead7ab81c4c501a63

SHA512
d40b34acc761a22198f1a0b53a48f9180d3328d927eed84d85ebade25281c66891dcf09315b5caad900fe25b080e5227b804cc50d80046bf1fbcf6d32b4fa09f

Download Submit
C:\$Windows.~WS\Sources\wpx.dll

Filesize
1.0MB

MD5
49419d100aff2cf1853d2f21e6bb5645

SHA1
b94eb1a02faea19cc5c6bab921cb4e4f064f3915

SHA256
49b7799f7ae13160d3055a10161aacbbb94646d0df287d4b274a16904a6773a7

SHA512
6d21a75fb10f153b25c63d4a5b1c31c5c5314351d3732dd36414328c8b2d8fda3f4c31f4b3c5e312cac8b4fc047f304ea980b44678c621434f76432a7219a575

Download Submit