Overview

overview

10

Static

static

3

patch.exe

windows7-x64

10

patch.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-09-2024 02:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    patch.exe

  • Size

    588KB

  • MD5

    2afbb4562f46e981beae497935002d3c

  • SHA1

    8ede8d5c5551a8b6237a3c04f77b6f374e7c3539

  • SHA256

    7b949ec5f73dff9e83d9c5e8995e025940f1ed6d3b07c27923d9321ca9a42ead

  • SHA512

    112cc4a88078bfbadc86fe9e193b09307fe076be20b2080af968c8aea2d91ba691fe418444ea22b6c7e49dab9db4bb6b121f40e1aabef4219a4d62ab6fccab54

  • SSDEEP

    12288:Fvly0YiZfGHMwK7aAbMH3150pYEqstB166O0qyFAGLHZD0a+:Fdy0YhM8CMLyYitBC0qyFNZT

Score
10/10
vidardiscoveryspywarestealer

Malware Config

Extracted

Family

vidar

C2

https://t.me/edm0d

https://steamcommunity.com/profiles/76561199768374681
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0

Signatures

  • Detect Vidar Stealer 3 IoCs
    stealer
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\patch.exe
    "C:\Users\Admin\AppData\Local\Temp\patch.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2512
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2468
      • C:\Users\Admin\AppData\Roaming\WindowsServices\WindowsServices.exe
        "C:\Users\Admin\AppData\Roaming\WindowsServices\WindowsServices.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:4168
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 2176
          4⤵
          • Program crash
          PID:4860
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 2104
        3⤵
        • Program crash
        PID:2504
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4168 -ip 4168
    1⤵
      PID:2680
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2468 -ip 2468
      1⤵
        PID:2272

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\WindowsServices\WindowsServices.exe
        Filesize

        264KB

        MD5

        c46cf092ca90dec5d9794d58bc3d60af

        SHA1

        ee85693b181df0518ec1404831d0d0b05c97fdaf

        SHA256

        e708ccdb34685d4df6d7a8959f2dc98d28f1a5bbf89120ff595613a1df7ab2d7

        SHA512

        acbd3ab6958eb2b78cb0884ffba5bed24249421c1db1c2093e42f69a80bffdaaaedb785b726e742a1dfbc16499724ca3f56e6027dbbace840a5eb7f8f9d68af0

        Download Submit

      • memory/2468-665-0x000000007472E000-0x000000007472F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2468-667-0x00000000050C0000-0x000000000515C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/2468-666-0x0000000000400000-0x0000000000408000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2468-668-0x0000000074720000-0x0000000074ED0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2468-695-0x0000000074720000-0x0000000074ED0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2468-692-0x0000000074720000-0x0000000074ED0000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2468-691-0x000000007472E000-0x000000007472F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2512-30-0x0000000002950000-0x00000000029DF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/2512-20-0x0000000002950000-0x00000000029DF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/2512-66-0x0000000002950000-0x00000000029DF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/2512-64-0x0000000002950000-0x00000000029DF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/2512-60-0x0000000002950000-0x00000000029DF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/2512-58-0x0000000002950000-0x00000000029DF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/2512-56-0x0000000002950000-0x00000000029DF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/2512-54-0x0000000002950000-0x00000000029DF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/2512-52-0x0000000002950000-0x00000000029DF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/2512-50-0x0000000002950000-0x00000000029DF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/2512-48-0x0000000002950000-0x00000000029DF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/2512-44-0x0000000002950000-0x00000000029DF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/2512-42-0x0000000002950000-0x00000000029DF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/2512-40-0x0000000002950000-0x00000000029DF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/2512-38-0x0000000002950000-0x00000000029DF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/2512-36-0x0000000002950000-0x00000000029DF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/2512-34-0x0000000002950000-0x00000000029DF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/2512-32-0x0000000002950000-0x00000000029DF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/2512-4-0x0000000002950000-0x00000000029DF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/2512-28-0x0000000002950000-0x00000000029DF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/2512-26-0x0000000002950000-0x00000000029DF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/2512-24-0x0000000002950000-0x00000000029DF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/2512-22-0x0000000002950000-0x00000000029DF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/2512-8-0x0000000002950000-0x00000000029DF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/2512-16-0x0000000002950000-0x00000000029DF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/2512-14-0x0000000002950000-0x00000000029DF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/2512-12-0x0000000002950000-0x00000000029DF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/2512-10-0x0000000002950000-0x00000000029DF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/2512-6-0x0000000002950000-0x00000000029DF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/2512-62-0x0000000002950000-0x00000000029DF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/2512-46-0x0000000002950000-0x00000000029DF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/2512-18-0x0000000002950000-0x00000000029DF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/2512-3-0x0000000002950000-0x00000000029DF000-memory.dmp

        Filesize

        572KB

        Download

      • memory/2512-655-0x0000000006400000-0x0000000006492000-memory.dmp

        Filesize

        584KB

        Download

      • memory/2512-657-0x0000000075160000-0x0000000075910000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2512-656-0x0000000006320000-0x0000000006342000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2512-658-0x0000000006490000-0x00000000067E4000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/2512-659-0x0000000037060000-0x00000000370C6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2512-660-0x00000000374F0000-0x0000000037582000-memory.dmp

        Filesize

        584KB

        Download

      • memory/2512-661-0x0000000037B40000-0x00000000380E4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/2512-664-0x0000000075160000-0x0000000075910000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2512-0-0x000000007516E000-0x000000007516F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2512-2-0x0000000002950000-0x00000000029E6000-memory.dmp

        Filesize

        600KB

        Download

      • memory/2512-1-0x0000000000670000-0x0000000000708000-memory.dmp

        Filesize

        608KB

        Download

      • memory/4168-694-0x0000000000D10000-0x0000000000F67000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/4168-676-0x0000000000D10000-0x0000000000F67000-memory.dmp

        Filesize

        2.3MB

        Download