vidar | 767e70c43673063a16d76e494ffcdfa0f5a85c53344a0dc505f161cccf2f5b1b

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-08-2024 18:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

767e70c43673063a16d76e494ffcdfa0f5a85c53344a0dc505f161cccf2f5b1b.exe
Size

9.6MB
MD5

25c9285c00ef7d41b28823a053a9a372
SHA1

fac6862d703a7d80418012ce1d5d7d9aecbb28b8
SHA256

767e70c43673063a16d76e494ffcdfa0f5a85c53344a0dc505f161cccf2f5b1b
SHA512

071e4c1d7f1ec87ae3ec83f266f8a69f357111e642056ada44f97d8619a22f9873cc793b0f7d6a560c1b163b64150a06182785222512f7f5ec19ea1aac461a8c
SSDEEP

196608:x2eDMIIKEW+sisSMo/dlv1DL6D+ZwN5uW/GVTVH9HoxCZWdz2s71:hIKRbib71DJ2NITVFoYZWdhB

Score

10^/10

vidar discovery stealer

Malware Config

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	SetupHost.Exe

Executes dropped EXE 1 IoCs

pid	Process
1828	SetupHost.Exe

Loads dropped DLL 11 IoCs

pid	Process
1828	SetupHost.Exe
1828	SetupHost.Exe
1828	SetupHost.Exe
1828	SetupHost.Exe
1828	SetupHost.Exe
1828	SetupHost.Exe
1828	SetupHost.Exe
1828	SetupHost.Exe
1828	SetupHost.Exe
1828	SetupHost.Exe
1828	SetupHost.Exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\MoSetup\BlueBox.log	767e70c43673063a16d76e494ffcdfa0f5a85c53344a0dc505f161cccf2f5b1b.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	767e70c43673063a16d76e494ffcdfa0f5a85c53344a0dc505f161cccf2f5b1b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SetupHost.Exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeBackupPrivilege	860	767e70c43673063a16d76e494ffcdfa0f5a85c53344a0dc505f161cccf2f5b1b.exe
Token: SeRestorePrivilege	860	767e70c43673063a16d76e494ffcdfa0f5a85c53344a0dc505f161cccf2f5b1b.exe
Token: SeBackupPrivilege	860	767e70c43673063a16d76e494ffcdfa0f5a85c53344a0dc505f161cccf2f5b1b.exe
Token: SeRestorePrivilege	860	767e70c43673063a16d76e494ffcdfa0f5a85c53344a0dc505f161cccf2f5b1b.exe
Token: SeSecurityPrivilege	860	767e70c43673063a16d76e494ffcdfa0f5a85c53344a0dc505f161cccf2f5b1b.exe
Token: SeBackupPrivilege	1828	SetupHost.Exe
Token: SeRestorePrivilege	1828	SetupHost.Exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1828	SetupHost.Exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 1828	860	767e70c43673063a16d76e494ffcdfa0f5a85c53344a0dc505f161cccf2f5b1b.exe	87
PID 860 wrote to memory of 1828	860	767e70c43673063a16d76e494ffcdfa0f5a85c53344a0dc505f161cccf2f5b1b.exe	87
PID 860 wrote to memory of 1828	860	767e70c43673063a16d76e494ffcdfa0f5a85c53344a0dc505f161cccf2f5b1b.exe	87

C:\Users\Admin\AppData\Local\Temp\767e70c43673063a16d76e494ffcdfa0f5a85c53344a0dc505f161cccf2f5b1b.exe
"C:\Users\Admin\AppData\Local\Temp\767e70c43673063a16d76e494ffcdfa0f5a85c53344a0dc505f161cccf2f5b1b.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:860
- C:\$Windows.~WS\Sources\SetupHost.Exe
  "C:\$Windows.~WS\Sources\SetupHost.Exe" /Download /Web
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1828

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Windows.~WS\Sources\MediaSetupUIMgr.dll

Filesize
2.8MB

MD5
7d4fe1129669f50f96aa8c499885a0c5

SHA1
5cf04d7b3bf36c631185b2cb595d04fb83edd06e

SHA256
f9a97e62011d8130cc2a2285bacbad57b64c08851b8c88d70dd24377943b76a1

SHA512
6853b2fcf2db5ee7411d7bc24a793f1b17ed9ccbf2a550f0352cf7c8b290840657a30a43f24cfcb42e42792e1b1466092ce54d9368ae79d5851a211a14cc2c8d

Download Submit
C:\$Windows.~WS\Sources\ServicingCommon.dll

Filesize
781KB

MD5
62b2a429451a7d4ccd915294906ecbb6

SHA1
65092dce10872d19048686669661e8d13bade68a

SHA256
33e582216f01c25b9599cf320a8c4f562978f2f84f43bb1918b0bd2fbc004e6b

SHA512
29a44db78e466f1259213ebd6d06aedb297e757738dd125436ca2b76694ffae824c0c031540ee3af2bc040bd48b1c94238991594321a28a139a5a6ce990cdbf9

Download Submit
C:\$Windows.~WS\Sources\SetupCore.dll

Filesize
2.2MB

MD5
2837188dea00e4117b628cadc00e8af4

SHA1
6a19d8ef8776433400f040140f0a003e03a6e81a

SHA256
4ad921496d876a5049171461fe7479e6a336ff370838cdcefe81d1711b8b057f

SHA512
6c683f29d4b6431ea923c09a345c0b2576400a057c798dae25732b07225f7627a950d32e94ddd1374169d8a3e2b4df66875e31cd1a7f69a4ccf0a53c8bc8d85a

Download Submit
C:\$Windows.~WS\Sources\SetupHost.exe

Filesize
664KB

MD5
ed6da1611d817426e4b7de89fe458f76

SHA1
0c6f5672e2682e4d4a62f1275f39009ce0fa2801

SHA256
0cbab77ca7138dfe69e8a743156ff707c6d286acb2bce2dc544edf9d257bebfe

SHA512
c007aab0199efb04bba9f16ea82f2ba5a4c483f32099ba07329800ee496705886f3da2f61530f0de7b61a6bc555b743b42b62ea9c7093a481fd803f213e4e5a3

Download Submit
C:\$Windows.~WS\Sources\SetupMgr.dll

Filesize
810KB

MD5
b2f1226f8a7efb3eb908754b8aaf1273

SHA1
652d2726d4d8728a7832b178e6c01236b8538ac6

SHA256
8a954efe3f2e080b4783955d8bcf6b435ae6e0f9154d3de19318df42a984c152

SHA512
261138812761af8c8e37e6d8df40b1640137d1d623bf70096fbf0074f5b43515aecd303b714fd448c71be8594dc14c37502ea240ed726e2737da3c6a65257804

Download Submit
C:\$Windows.~WS\Sources\SetupPlatform.cfg

Filesize
16KB

MD5
c969198d5ca5d14a5a0938942eadaefe

SHA1
813c6bfc511b10f1c2e3a970ba8aab43dfc7b7bc

SHA256
731074381d0449c3102e235620022d5e34dde373840ea414b3a9e02dc404af5b

SHA512
a77c9a38014687d4745e14963f37eacc3f1244af0810c4226a3a5fd0bd6d9fb0be806977163000aa076b21a62a5c3948c3f3b3787e23ff8c20fb2b4a1cedff35

Download Submit
C:\$Windows.~WS\Sources\SetupPlatform.dll

Filesize
6.7MB

MD5
0fbb2e2e050eaa40751999574422d5d9

SHA1
12ca912782727e54113f441f58452dcba8c22666

SHA256
d435099bd0deac8e59185b150e1a8912a6fecbb76ca24b1106a765046888ae21

SHA512
f033b28a929fb9bb480888ace17771617d75189e4fbf6cfbcb813ca1b5a4d06d6977e0c582045c54499956c708cdd77d2c87b5aaf955b37e1b3bfaef13844c77

Download Submit
C:\$Windows.~WS\Sources\WDSCORE.dll

Filesize
199KB

MD5
adb1b2158714fcaacb86cf726f05626f

SHA1
d92e950625fd60f5a3ef47b0a348044ff92cd312

SHA256
7cca29a7de3b73522dd0e46a1a3e7bc7a13433ee7dbd5f8d006651eaeeb9e1f0

SHA512
a4fa45a0d782e89fa2c37167f0f7d11a8480b0d228a0dd0e78f93d9d05048e22166d8fa90a1b17715613a221f1f9ba26bb5839146cb7b0115928195c8e661afc

Download Submit
C:\$Windows.~WS\Sources\WINDLP.DLL

Filesize
1.2MB

MD5
55941ed1d0b679b0f92eaa81c677f3dc

SHA1
3be5aa07e4048b4afc1b8ecbac334b24b454d065

SHA256
d6497348e80b5849a595d7785a5972e0ccafafe0058a3142579f9a4f786d96ba

SHA512
e6a93f84b6d1b043e479bc3e0d771f34621ddb789b0155224b4e1a94cab65c3b88b1b2e5544f3acb58052cccf5820599fdb6085cb5fb02653468c1b591129724

Download Submit
C:\$Windows.~WS\Sources\unbcl.dll

Filesize
804KB

MD5
90065cb75d2e73a77e3654d7642c885d

SHA1
85b2a855300aeeb4ee85557588191e369160ec21

SHA256
1b31af6db22d63ab8af2478c3e119fb1633f685d09ec3febcdb6f3c9ad409ae7

SHA512
2d84cfc41a27229bc50586b9777cfa0150ad29e391c60bf9c72e3efbe4f8da6ec3d3c4320ea494a0ecca2b225cabcfd34319031e44d73dd2f75323b57d629c59

Download Submit