vidar | 0213e39792ac0c5b66491f90c4b0fc4afdd84f40944922cab8a3bcdb1cf88cfc

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-09-2024 14:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.1MB
MD5

12860c8f39570ea1a7256b7ed9dabccf
SHA1

b57be17b3b1797c933c3187829f6e24cf0fd9b83
SHA256

0213e39792ac0c5b66491f90c4b0fc4afdd84f40944922cab8a3bcdb1cf88cfc
SHA512

5945c0a71c12422d964b892944e234f6a04d7d30cc730dd4aa4c6607bd73232dad48d29c12256ed41d6dc2d9d19a7e55afc783ea5f6b88ca8168e962fc55074d
SSDEEP

24576:i9X3iqR+jmjhtHquFUn8dCHELjS6PhZsNrelZ5dwSzhR:itsmfVin8QWS6vUeD5dwCR

Score

10^/10

vidar 23278afe687d1f8637a185abd507382b credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

Botnet

23278afe687d1f8637a185abd507382b

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Signatures

Detect Vidar Stealer 11 IoCs

stealer

resource	yara_rule
behavioral1/memory/2876-34-0x0000000003AB0000-0x0000000003D25000-memory.dmp	family_vidar_v7
behavioral1/memory/2876-35-0x0000000003AB0000-0x0000000003D25000-memory.dmp	family_vidar_v7
behavioral1/memory/2876-36-0x0000000003AB0000-0x0000000003D25000-memory.dmp	family_vidar_v7
behavioral1/memory/2876-177-0x0000000003AB0000-0x0000000003D25000-memory.dmp	family_vidar_v7
behavioral1/memory/2876-196-0x0000000003AB0000-0x0000000003D25000-memory.dmp	family_vidar_v7
behavioral1/memory/2876-225-0x0000000003AB0000-0x0000000003D25000-memory.dmp	family_vidar_v7
behavioral1/memory/2876-244-0x0000000003AB0000-0x0000000003D25000-memory.dmp	family_vidar_v7
behavioral1/memory/2876-375-0x0000000003AB0000-0x0000000003D25000-memory.dmp	family_vidar_v7
behavioral1/memory/2876-394-0x0000000003AB0000-0x0000000003D25000-memory.dmp	family_vidar_v7
behavioral1/memory/2876-455-0x0000000003AB0000-0x0000000003D25000-memory.dmp	family_vidar_v7
behavioral1/memory/2876-474-0x0000000003AB0000-0x0000000003D25000-memory.dmp	family_vidar_v7

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
2876	Opponent.pif

Loads dropped DLL 3 IoCs

pid	Process
2468	cmd.exe
2876	Opponent.pif
2876	Opponent.pif

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
1164	tasklist.exe
2744	tasklist.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\RepresentationsFootball	file.exe
File opened for modification	C:\Windows\CoverRestrictions	file.exe
File opened for modification	C:\Windows\CrowdNamespace	file.exe
File opened for modification	C:\Windows\ComingAngels	file.exe
File opened for modification	C:\Windows\FearsDental	file.exe
File opened for modification	C:\Windows\CestPublicity	file.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Opponent.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Opponent.pif
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Opponent.pif

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1280	timeout.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Opponent.pif
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Opponent.pif
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Opponent.pif
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Opponent.pif
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Opponent.pif

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2876	Opponent.pif
2876	Opponent.pif
2876	Opponent.pif
2876	Opponent.pif
2876	Opponent.pif
2876	Opponent.pif
2876	Opponent.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1164	tasklist.exe
Token: SeDebugPrivilege	2744	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2876	Opponent.pif
2876	Opponent.pif
2876	Opponent.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2876	Opponent.pif
2876	Opponent.pif
2876	Opponent.pif

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 2468	1128	file.exe	31
PID 1128 wrote to memory of 2468	1128	file.exe	31
PID 1128 wrote to memory of 2468	1128	file.exe	31
PID 1128 wrote to memory of 2468	1128	file.exe	31
PID 2468 wrote to memory of 1164	2468	cmd.exe	33
PID 2468 wrote to memory of 1164	2468	cmd.exe	33
PID 2468 wrote to memory of 1164	2468	cmd.exe	33
PID 2468 wrote to memory of 1164	2468	cmd.exe	33
PID 2468 wrote to memory of 2712	2468	cmd.exe	34
PID 2468 wrote to memory of 2712	2468	cmd.exe	34
PID 2468 wrote to memory of 2712	2468	cmd.exe	34
PID 2468 wrote to memory of 2712	2468	cmd.exe	34
PID 2468 wrote to memory of 2744	2468	cmd.exe	36
PID 2468 wrote to memory of 2744	2468	cmd.exe	36
PID 2468 wrote to memory of 2744	2468	cmd.exe	36
PID 2468 wrote to memory of 2744	2468	cmd.exe	36
PID 2468 wrote to memory of 2748	2468	cmd.exe	37
PID 2468 wrote to memory of 2748	2468	cmd.exe	37
PID 2468 wrote to memory of 2748	2468	cmd.exe	37
PID 2468 wrote to memory of 2748	2468	cmd.exe	37
PID 2468 wrote to memory of 2684	2468	cmd.exe	38
PID 2468 wrote to memory of 2684	2468	cmd.exe	38
PID 2468 wrote to memory of 2684	2468	cmd.exe	38
PID 2468 wrote to memory of 2684	2468	cmd.exe	38
PID 2468 wrote to memory of 2660	2468	cmd.exe	39
PID 2468 wrote to memory of 2660	2468	cmd.exe	39
PID 2468 wrote to memory of 2660	2468	cmd.exe	39
PID 2468 wrote to memory of 2660	2468	cmd.exe	39
PID 2468 wrote to memory of 2820	2468	cmd.exe	40
PID 2468 wrote to memory of 2820	2468	cmd.exe	40
PID 2468 wrote to memory of 2820	2468	cmd.exe	40
PID 2468 wrote to memory of 2820	2468	cmd.exe	40
PID 2468 wrote to memory of 2876	2468	cmd.exe	41
PID 2468 wrote to memory of 2876	2468	cmd.exe	41
PID 2468 wrote to memory of 2876	2468	cmd.exe	41
PID 2468 wrote to memory of 2876	2468	cmd.exe	41
PID 2468 wrote to memory of 596	2468	cmd.exe	42
PID 2468 wrote to memory of 596	2468	cmd.exe	42
PID 2468 wrote to memory of 596	2468	cmd.exe	42
PID 2468 wrote to memory of 596	2468	cmd.exe	42
PID 2876 wrote to memory of 3048	2876	Opponent.pif	44
PID 2876 wrote to memory of 3048	2876	Opponent.pif	44
PID 2876 wrote to memory of 3048	2876	Opponent.pif	44
PID 2876 wrote to memory of 3048	2876	Opponent.pif	44
PID 3048 wrote to memory of 1280	3048	cmd.exe	46
PID 3048 wrote to memory of 1280	3048	cmd.exe	46
PID 3048 wrote to memory of 1280	3048	cmd.exe	46
PID 3048 wrote to memory of 1280	3048	cmd.exe	46

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Ceo Ceo.bat & Ceo.bat
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1164
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa opssvc"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2712
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2744
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2748
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 212475
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2684
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "FACEDRESULTSSESSIONSIMPLIFIED" Activation
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2660
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Sp + ..\Encyclopedia + ..\Klein + ..\Sequences + ..\Telephony + ..\Resolution + ..\Ecology + ..\Avoid j
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2820
- - C:\Users\Admin\AppData\Local\Temp\212475\Opponent.pif
    Opponent.pif j
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\212475\Opponent.pif" & rd /s /q "C:\ProgramData\BGCAAFHIEBKJ" & exit
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3048
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1280
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\212475\Opponent.pif

Filesize
872KB

MD5
18ce19b57f43ce0a5af149c96aecc685

SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

Download Submit
C:\Users\Admin\AppData\Local\Temp\212475\j

Filesize
552KB

MD5
1ef109a71c3995dd5badf0f4a539d4a9

SHA1
06557f5d76fab502f8058669fcfa92fc87cbed82

SHA256
bade49216519e8d82c45664e46b6255feaf866a848ed3b1df5ada342ed195712

SHA512
0e0926ad6d3527d2012c627c4cebbabb60f3d0ab970050f0115c535c1ae0785b54dc0d617905313213dadf9c94262b68779b044cffc34de222fe640bf6be87c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Activation

Filesize
7KB

MD5
8b0e5b5564040244b7fe987f12c957e7

SHA1
ea193a80e11c4608a9c72d9bb63022688e470862

SHA256
e3f4fbcfa7a3d8e44e82a4b28a38724eb86b46f5599be2a0f1fb9880d0a1eb47

SHA512
7b3328773c503992cb39c6e00583a6452dae33041f22f2964b028914783b28cc15cd87308cc385580dd1ea4c9f5a08258d7d8b6d37de6024133fcc0863ff20c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Avoid

Filesize
5KB

MD5
f14eaeb195d643f4fc9971f78b828491

SHA1
d918494734a26061b7eef0bf8dbbdc3c7bca70bf

SHA256
02f710cb82f8d38f9e99e1be712d9c70552f6175f024e4a035c56a630b3ff066

SHA512
fcb11f07118529e32d44653a6280b1a6fb95daf66025036766a247636e46049300be82c1d0441535ab043b22ec997fde0d04fea4983e671d5ee9862e8d068e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3507.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ceo

Filesize
9KB

MD5
81a3e6cbd7092474a997336697873d61

SHA1
c3332238a09567de8acb1f938f960ffd81e13215

SHA256
695e778b876ea0312ad0014ea3ec8940139aa0033e4ec5e6e6da9c836fbc7086

SHA512
812cdf35a082a22a0b3157dd285fd1daa5a3f3ffe48aa79aed92f3fe62108a1bc646380ff60ebdd92600f78b58df59fe74c8956e2d6c5efafd715e092b1e989e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ecology

Filesize
62KB

MD5
6ae59a460e37c2486894b1ca8fa2dd87

SHA1
1954f743f6cf5953ff2ebdf0d51204a3e23bd6ec

SHA256
903f19bbcbc63f39726365060e05841b1f85746f78d7a0ae51392a824a97a7bb

SHA512
2c62e9551317d5a8d0e543a5ec760e8d6c7bdf89fc2262b9e21f5ba1b56c00d669b47b281857c2d0a4747f64abb4dc1cfdff1ac7e36cc646432f0c32f708b19c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Encyclopedia

Filesize
99KB

MD5
10131cf263fe9e86e86fe75276d0a918

SHA1
7dc521b107deaba391232335161fc5c5c2e69ccd

SHA256
94715e887f132abf53cdc3d33022aa22063e1887f56a38a27e48aa21364d195a

SHA512
b87613833fbc0fc1bc3a45266a0240aa7bf121771754f57baef839eb4279c5cf944a62163dda4ff5869ded4dfc939d1119a6552074b51cab5de345660b99c037

Download Submit
C:\Users\Admin\AppData\Local\Temp\Klein

Filesize
96KB

MD5
726700550ac2d42e80a6d3a7405b8c22

SHA1
7d4f9b127505d70c675882485545503d18b4c9b9

SHA256
b92acf55b4f00ae18fb10765fd1bd0115529d0e492b1bf163f7a5ab2e0d367bc

SHA512
2ac52f2c7a186ae3856ef5620f9976504981712622ceb5c07ac128b1fbc02dad056f1296fd512acf4e71262ac2869f6a13e8b7a448f002f6c5031648ed6e8a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\Resolution

Filesize
63KB

MD5
b110bbafcf6cfb0a8ae2f122ddf20ede

SHA1
a62d46e158a5ac193b6d2631510e67c35d448a15

SHA256
b0fd86c3a4b267d8706d7ae36b4a19eddb8fdb81fcb363c18174be45e64d9cc7

SHA512
3327f6f5fe655f0693694e8ce58e2e4d6e1fedd3f1f93203b359aec3dcc3478757bf1ed178721e519938af73b13d6c380aca6e90a59df60eaabff103e0455459

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rings

Filesize
865KB

MD5
25055baf9907ffe607bd6cfc3f6d30ff

SHA1
3c77f48211fb315980d89ecafab8a74c5025aaa6

SHA256
e4a175bd91a15df2f47e2e65c2ad7ab8cd350425c8dafb072e479c1a4d6c4be8

SHA512
926d4a1af7a71ceb9b0752cadd17831059917db7bcf2d67c82e6b2b3b034f2d50219c5351bc4a5bcf610386778b24257c68797bf581a7c57e695a1607a68974e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sequences

Filesize
52KB

MD5
42d99c39171ea35a6ecf889749965fd4

SHA1
1021a1ad9ecf4549d71b83cb0ee7bacc4469517d

SHA256
fdcfb94acca7a22919f6e2cb66e7290a336bdddb87525dc15f84e9ccfc048feb

SHA512
ede4aef51c613348b9c7310a844ee1135b4c7bb6794a4026ed02ad29d476502bd7682e650aba5af15637a466ffdf781768d29e9bd544e56587e09858bc94d15a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sp

Filesize
79KB

MD5
b217e014693974adfe42c627953b8263

SHA1
4f2b8d085c5f0b9e80ee650d7016f4f423570989

SHA256
4a22f73997cba0fe3b1ecf506bef6f26ca0a84d964a5450396854502f6983fb5

SHA512
25e1726ee322adb04f7f3adc911525ff88632d48d9fb516a3047747e45346f02a463761ec8abb2da2a6696aebc29e48efe69d0e08e07d02db35f02a195ee79f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3539.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Telephony

Filesize
96KB

MD5
3405b6274e73d544802fffdcd585b905

SHA1
1d03437ae18c199cc66cab1b716031952e096068

SHA256
3f15bffc2b8590d4e959cebd7c30ecc4fedcbb0907f0f7860b5bef19433aaf40

SHA512
aaa25bb57ad965044a8c188bfb3aca20b1ee8986c823c672f7dd36eaac31a32b0036beb9ea64fa13b8dbeeb5960c583c51d1f4f75ed662de34bcf1ceea5a561d

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/2876-34-0x0000000003AB0000-0x0000000003D25000-memory.dmp

Filesize
2.5MB

Download
memory/2876-36-0x0000000003AB0000-0x0000000003D25000-memory.dmp

Filesize
2.5MB

Download
memory/2876-35-0x0000000003AB0000-0x0000000003D25000-memory.dmp

Filesize
2.5MB

Download
memory/2876-32-0x0000000003AB0000-0x0000000003D25000-memory.dmp

Filesize
2.5MB

Download
memory/2876-177-0x0000000003AB0000-0x0000000003D25000-memory.dmp

Filesize
2.5MB

Download
memory/2876-196-0x0000000003AB0000-0x0000000003D25000-memory.dmp

Filesize
2.5MB

Download
memory/2876-215-0x000000000DC10000-0x000000000DE6F000-memory.dmp

Filesize
2.4MB

Download
memory/2876-225-0x0000000003AB0000-0x0000000003D25000-memory.dmp

Filesize
2.5MB

Download
memory/2876-244-0x0000000003AB0000-0x0000000003D25000-memory.dmp

Filesize
2.5MB

Download
memory/2876-33-0x0000000003AB0000-0x0000000003D25000-memory.dmp

Filesize
2.5MB

Download
memory/2876-375-0x0000000003AB0000-0x0000000003D25000-memory.dmp

Filesize
2.5MB

Download
memory/2876-31-0x0000000003AB0000-0x0000000003D25000-memory.dmp

Filesize
2.5MB

Download
memory/2876-394-0x0000000003AB0000-0x0000000003D25000-memory.dmp

Filesize
2.5MB

Download
memory/2876-455-0x0000000003AB0000-0x0000000003D25000-memory.dmp

Filesize
2.5MB

Download
memory/2876-474-0x0000000003AB0000-0x0000000003D25000-memory.dmp

Filesize
2.5MB

Download