Overview

overview

10

Static

static

3

0xds.exe

windows7-x64

10

0xds.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-09-2024 04:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0xds.exe

  • Size

    11.4MB

  • MD5

    bdb7e2090cd4cb5e75d7701b51769f40

  • SHA1

    accaafb67f13135bdb27b43641f4151360d6c89c

  • SHA256

    2ddc5ba89d79c752e61e07956f00419dbcee56f34589ca62628dc87d30343860

  • SHA512

    06a33313ef1ede5a3082968f7ff29d31a90bb5c1570571b6fca4580b277ea7fad6c068403068d282c4e8fa9bad5811c5d4d3cef5075cf983143521cea3bcff3f

  • SSDEEP

    196608:TvGacofn0NPExHJwtbq70rkOdc8nK1lK3XUU+7ZlMjn7og871zmvQIvQyMIoVGHc:Tveof0N8UJqGkgEFkog87MhvN0GHc

Score
10/10
vidarcredential_accessdiscoveryspywarestealer

Malware Config

Extracted

Family

vidar

C2

https://t.me/edm0d

https://steamcommunity.com/profiles/76561199768374681
Attributes
  • user_agent

    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0

Signatures

  • Detect Vidar Stealer 3 IoCs
    stealer
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 11 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 13 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 23 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\0xds.exe
    "C:\Users\Admin\AppData\Local\Temp\0xds.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4236
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\fcproinstall\fcproinstall 1.0.0\install\A6A4D74\fcproinstall.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\0xds.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1725442918 "
      2⤵
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      PID:3288
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4356
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding AACCBCBADC3F01AA8315FAF0A8366720 C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1132
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:872
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 4BAE56CD75657B85FB3816D86D04B504
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:4828
      • C:\Users\Admin\AppData\Roaming\WindowsActiveServices\Patch.exe
        "C:\Users\Admin\AppData\Roaming\WindowsActiveServices\Patch.exe"
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2872
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAVwBpAG4AZABvAHcAcwBBAGMAdABpAHYAZQBTAGUAcgB2AGkAYwBlAHMAXABQAGEAdABjAGgALgBlAHgAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAFAAYQB0AGMAaAAuAGUAeABlADsA
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:3816
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          3⤵
            PID:5108
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            3⤵
            • Checks computer location settings
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2716
            • C:\Users\Admin\AppData\Roaming\WindowsNetworkServices\WindowsNetwork.exe
              "C:\Users\Admin\AppData\Roaming\WindowsNetworkServices\WindowsNetwork.exe"
              4⤵
              • Checks computer location settings
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Checks processor information in registry
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:2784
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\BGDAKEHIIDGD" & exit
                5⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1080
                • C:\Windows\SysWOW64\timeout.exe
                  timeout /t 10
                  6⤵
                  • System Location Discovery: System Language Discovery
                  • Delays execution with timeout.exe
                  PID:4076
        • C:\Program Files (x86)\fcproinstall\fcproinstall\fcproinstall.exe
          "C:\Program Files (x86)\fcproinstall\fcproinstall\fcproinstall.exe"
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5088
          • C:\Users\Admin\AppData\Local\Temp\is-G7P7F.tmp\fcproinstall.tmp
            "C:\Users\Admin\AppData\Local\Temp\is-G7P7F.tmp\fcproinstall.tmp" /SL5="$C0060,8669330,121344,C:\Program Files (x86)\fcproinstall\fcproinstall\fcproinstall.exe"
            3⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:3792
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Checks SCSI registry key(s)
        PID:3652

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Config.Msi\e57e5bf.rbs
        Filesize

        9KB

        MD5

        5f86339d4d4eaaf25fd1ac34a5fa6225

        SHA1

        51127820034266eed8323c63c50667e8927dd235

        SHA256

        348b34bdfdeed2179462fa22c4eb9c25cc4017eb792cde39dee194d053c8ed41

        SHA512

        d743bafb33536fc1958ff93514dfcdec6d24871d06a01d719bd51477ab52e82493763bb71615d8249313d12b08f2b8ec1db27fa93814f0763b4fd0070641a5b7

        Download Submit

      • C:\ProgramData\mozglue.dll
        Filesize

        593KB

        MD5

        c8fd9be83bc728cc04beffafc2907fe9

        SHA1

        95ab9f701e0024cedfbd312bcfe4e726744c4f2e

        SHA256

        ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

        SHA512

        fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

        Download Submit

      • C:\ProgramData\nss3.dll
        Filesize

        2.0MB

        MD5

        1cc453cdf74f31e4d913ff9c10acdde2

        SHA1

        6e85eae544d6e965f15fa5c39700fa7202f3aafe

        SHA256

        ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

        SHA512

        dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\MSIB46C.tmp
        Filesize

        378KB

        MD5

        0981d5c068a9c33f4e8110f81ffbb92e

        SHA1

        badb871adf6f24aba6923b9b21b211cea2aeca77

        SHA256

        b3f5e10fb1b7352a6dbbcbb10ed605a8fda24f3f9c31f954835bd5a41eb6ea68

        SHA512

        59cccdcde1964e61fa63078fde776eee91c462d7d3db308ada02e27e6ce584c41ad1f7970642e02ce331d805215a2cc868fb0512c01accfa70cda52e9329e1d8

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4wt1ey2t.asb.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\is-G7P7F.tmp\fcproinstall.tmp
        Filesize

        1.1MB

        MD5

        34acc2bdb45a9c436181426828c4cb49

        SHA1

        5adaa1ac822e6128b8d4b59a54d19901880452ae

        SHA256

        9c81817acd4982632d8c7f1df3898fca1477577738184265d735f49fc5480f07

        SHA512

        134ff4022571efd46f7a62e99b857ebe834e9916c786345908010f9e1fb90be226b740ddee16ae9290fe45c86be7238c4555e422abe66a461d11545e19734beb

        Download Submit

      • C:\Users\Admin\AppData\Roaming\WindowsNetworkServices\WindowsNetwork.exe
        Filesize

        264KB

        MD5

        c46cf092ca90dec5d9794d58bc3d60af

        SHA1

        ee85693b181df0518ec1404831d0d0b05c97fdaf

        SHA256

        e708ccdb34685d4df6d7a8959f2dc98d28f1a5bbf89120ff595613a1df7ab2d7

        SHA512

        acbd3ab6958eb2b78cb0884ffba5bed24249421c1db1c2093e42f69a80bffdaaaedb785b726e742a1dfbc16499724ca3f56e6027dbbace840a5eb7f8f9d68af0

        Download Submit

      • C:\Users\Admin\AppData\Roaming\fcproinstall\fcproinstall 1.0.0\install\A6A4D74\AppDataFolder\WindowsActiveServices\Patch.exe
        Filesize

        439KB

        MD5

        5c71d85721484031e2caf286c1ed856d

        SHA1

        f856bd5367298b716eb883e727ec45fef3db7ef0

        SHA256

        5ea46f738d4a28b69243bf2b3bf57fd15a261d96348025d4ce17d860f19644c8

        SHA512

        eb77901879169410f1bfe6981c23312f0cd07be4aa8deaa24c20f374a833b7d29d99432e6c7ee8b44c219ce0758a5cd6a26c6f266b85c5e78f3f995c4cf4a378

        Download Submit

      • C:\Users\Admin\AppData\Roaming\fcproinstall\fcproinstall 1.0.0\install\A6A4D74\fcproinstall.exe
        Filesize

        8.6MB

        MD5

        1c2b96c284a4b3e7b7d2f9fa438fa26f

        SHA1

        2bc4b6936a8a22fba48fcde053932e5ea73e9837

        SHA256

        6115d9356d8421d392f5eaa1516d7618e8c681036956ccc7132a76eca493c74c

        SHA512

        ad36e73ae4a820b67d787d0c1800536e5b3e167974385fb10f8788c8b891963003d563ee4db8e6897deb2103a4d8d7946a2d2628fbb5aebf80987729d1eae7e8

        Download Submit

      • C:\Users\Admin\AppData\Roaming\fcproinstall\fcproinstall 1.0.0\install\A6A4D74\fcproinstall.msi
        Filesize

        1.1MB

        MD5

        b2f3126e0396807fa21245851545ca4b

        SHA1

        5d384f46b3021240094ecfc03fa41032fc86e7c7

        SHA256

        e5ff1a0434f1de5a65108b1ab5e29c93bd9513c63ea33911c7fc04884ccd00d1

        SHA512

        9e0d448dd5585e41c5c13711841de2bd5771b724be465ad6ae38d2a5b76e2f7c3e28fa6ae17a469fff22582f497b570d9394ff101a3c6b24bb3ae12de55c4c74

        Download Submit

      • C:\Users\Admin\AppData\Roaming\fcproinstall\fcproinstall 1.0.0\install\decoder.dll
        Filesize

        202KB

        MD5

        2ca6d4ed5dd15fb7934c87e857f5ebfc

        SHA1

        383a55cc0ab890f41b71ca67e070ac7c903adeb6

        SHA256

        39412aacdcddc4b2b3cfeb126456edb125ce8cadb131ca5c23c031db4431c5fc

        SHA512

        ce11aa5bd7b0da4baf07146e8377ff0331c1d4b04aaa4408373b4dd0fe2c3f82c84b179d9a90d26cdaa02180f22276d96cf491f9ede66f5f1da6f43cc72e5ac4

        Download Submit

      • C:\Windows\Installer\MSIE708.tmp
        Filesize

        567KB

        MD5

        5f1b243813a203c66ba735139d8ce0c7

        SHA1

        c60a57668d348a61e4e2f12115afb9f9024162ba

        SHA256

        52d5b228221cd5276e4ee2a038e0ce0cf494d5af9c23ac45dcbfadc3115c8cb2

        SHA512

        083c6d1af44847db4b6fb90349234128141a838d1d438d5c24f5063539a8087f0814d06cfa162aeace20e162292f64c7635b4a0e81b2ca972706cfbc484adfb5

        Download Submit

      • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
        Filesize

        23.7MB

        MD5

        654a9589c7dd9c2809d36c8070245f76

        SHA1

        ff2117434ea920638959709ea49dfc05bdabc0a1

        SHA256

        662c182012a04e023d121316b3a2a620e7ecd25a535c9dfa651ff5dc9a536d6a

        SHA512

        1f3c38a54b6354656f17d2f45ac0757ca3ab3097b71d5892b3d5ef868134c29932594c0b5aaf737895ee60bf083cde77c2107292e321965bbcf57fe17419bccf

        Download Submit

      • \??\Volume{8484aac9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{2066cf4e-a3af-4c81-8694-a1547a805f36}_OnDiskSnapshotProp
        Filesize

        6KB

        MD5

        56222238fc522ed1269f4fed530ca4e0

        SHA1

        051659db8aaee8c7d89d43f5ff9678c76aa44a7b

        SHA256

        25b0364171dab01fa412a907821aa44d83859da3de29ad504f687aad337de72c

        SHA512

        07ca8e1b6b81315e275cda4195326a34414595f5073c72b29cd8aa507f4c8a9c4fb8e0acd9bdb6d67b60d1b408d8c938c9e238309db4c8a6f649381574f861b5

        Download Submit

      • memory/2716-77-0x0000000000400000-0x0000000000408000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2716-84-0x0000000005470000-0x000000000550C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/2784-171-0x0000000000F80000-0x00000000011D7000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/2784-183-0x0000000022A60000-0x0000000022CBF000-memory.dmp

        Filesize

        2.4MB

        Download

      • memory/2784-316-0x0000000000F80000-0x00000000011D7000-memory.dmp

        Filesize

        2.3MB

        Download

      • memory/2872-69-0x0000000005910000-0x0000000005EB4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/2872-76-0x0000000005890000-0x00000000058F6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2872-75-0x0000000005690000-0x00000000056DC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/2872-74-0x0000000005660000-0x000000000568C000-memory.dmp

        Filesize

        176KB

        Download

      • memory/2872-73-0x0000000005520000-0x000000000554E000-memory.dmp

        Filesize

        184KB

        Download

      • memory/2872-72-0x00000000053B0000-0x00000000053F6000-memory.dmp

        Filesize

        280KB

        Download

      • memory/2872-71-0x0000000005380000-0x000000000538A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2872-70-0x0000000005400000-0x0000000005492000-memory.dmp

        Filesize

        584KB

        Download

      • memory/2872-68-0x0000000000900000-0x0000000000974000-memory.dmp

        Filesize

        464KB

        Download

      • memory/3792-143-0x0000000000400000-0x000000000052E000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/3816-103-0x00000000063A0000-0x00000000066F4000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/3816-137-0x0000000007E70000-0x0000000007E78000-memory.dmp

        Filesize

        32KB

        Download

      • memory/3816-128-0x0000000007A20000-0x0000000007AC3000-memory.dmp

        Filesize

        652KB

        Download

      • memory/3816-130-0x0000000007B50000-0x0000000007B6A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/3816-129-0x0000000008190000-0x000000000880A000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/3816-131-0x0000000007BC0000-0x0000000007BCA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3816-132-0x0000000007DD0000-0x0000000007E66000-memory.dmp

        Filesize

        600KB

        Download

      • memory/3816-133-0x0000000007D50000-0x0000000007D61000-memory.dmp

        Filesize

        68KB

        Download

      • memory/3816-134-0x0000000007D90000-0x0000000007D9E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3816-135-0x0000000007DA0000-0x0000000007DB4000-memory.dmp

        Filesize

        80KB

        Download

      • memory/3816-136-0x0000000007E90000-0x0000000007EAA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/3816-116-0x0000000006E00000-0x0000000006E32000-memory.dmp

        Filesize

        200KB

        Download

      • memory/3816-127-0x0000000006E40000-0x0000000006E5E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/3816-117-0x000000006EDF0000-0x000000006EE3C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/3816-79-0x0000000002EF0000-0x0000000002F26000-memory.dmp

        Filesize

        216KB

        Download

      • memory/3816-113-0x0000000006840000-0x000000000685E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/3816-114-0x0000000006870000-0x00000000068BC000-memory.dmp

        Filesize

        304KB

        Download

      • memory/3816-80-0x00000000059F0000-0x0000000006018000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/3816-90-0x0000000005950000-0x0000000005972000-memory.dmp

        Filesize

        136KB

        Download

      • memory/3816-91-0x0000000006120000-0x0000000006186000-memory.dmp

        Filesize

        408KB

        Download

      • memory/5088-104-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download

      • memory/5088-142-0x0000000000400000-0x0000000000428000-memory.dmp

        Filesize

        160KB

        Download