vidar | 1940797bbf48e2b4061f3d3b0809c6e6a5f66b35653c6384cca212eedf873541

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-09-2024 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.Siggen18.29918.12269.16005.exe
Size

5.5MB
MD5

e0dfc852c37571b8468b2d17f573a12f
SHA1

38ec845f203450b7d6a51e9a441ab609b5ff1100
SHA256

1940797bbf48e2b4061f3d3b0809c6e6a5f66b35653c6384cca212eedf873541
SHA512

783c27474e39e99a4ab153f6d42f2b9808df2ebcd3b4299c0067ed9e21d635ba92505d21b96ccf512ca406a36ae9770ffce85e36842a9dac7a4ae87becdf35af
SSDEEP

98304:Uuc009atEN5lsTu7vAcJnIQEUmM1nGGqJe2OUxulDhTCGiYbFr54L6Bid09VGg5Q:Uuc39a45lr7vR9nEi1nGGqQMuLWnOoLH

Score

10^/10

vidar b699ecb1aa34580fba79282dae821438 defense_evasion discovery evasion execution persistence stealer

Malware Config

Extracted

Family

vidar

Version

8.7

Botnet

b699ecb1aa34580fba79282dae821438

https://steamcommunity.com/profiles/76561199658817715

https://t.me/sa9ok

Attributes

profile_id_v2
b699ecb1aa34580fba79282dae821438
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36

Signatures

Detect Vidar Stealer 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x0007000000004e74-22.dat	family_vidar_v7

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection	svchost.exe

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2868	powershell.exe
3012	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	Miner.exe
File created	C:\Windows\system32\drivers\etc\hosts	whrbuflqwhah.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\RYVSUJUA\ImagePath = "C:\\ProgramData\\trmrjvadsnmf\\whrbuflqwhah.exe"	services.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 3 IoCs

pid	Process
2832	Miner.exe
2588	Stealer.exe
2108	whrbuflqwhah.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Setup.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx	svchost.exe

Loads dropped DLL 8 IoCs

pid	Process
2172	SecuriteInfo.com.Trojan.Siggen18.29918.12269.16005.exe
2172	SecuriteInfo.com.Trojan.Siggen18.29918.12269.16005.exe
2948	WerFault.exe
2948	WerFault.exe
2948	WerFault.exe
2948	WerFault.exe
476	services.exe
476	services.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Miner.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	whrbuflqwhah.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2832 set thread context of 2232	2832	Miner.exe	52
PID 2108 set thread context of 1692	2108	whrbuflqwhah.exe	80
PID 2108 set thread context of 2388	2108	whrbuflqwhah.exe	81
PID 2108 set thread context of 2760	2108	whrbuflqwhah.exe	82

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2888	sc.exe
1240	sc.exe
536	sc.exe
592	sc.exe
2128	sc.exe
2276	sc.exe
1672	sc.exe
1152	sc.exe
2496	sc.exe
2452	sc.exe
2100	sc.exe
2344	sc.exe
336	sc.exe
3008	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2948	2588	WerFault.exe	33

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Stealer.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 90cf36202d0ddb01	powershell.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Stealer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Stealer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2748	powershell.exe
2832	Miner.exe
2868	powershell.exe
2832	Miner.exe
2832	Miner.exe
2832	Miner.exe
2832	Miner.exe
2832	Miner.exe
2832	Miner.exe
2832	Miner.exe
2832	Miner.exe
2232	dialer.exe
2232	dialer.exe
2232	dialer.exe
2232	dialer.exe
2832	Miner.exe
2232	dialer.exe
2232	dialer.exe
2832	Miner.exe
2232	dialer.exe
2832	Miner.exe
2232	dialer.exe
2832	Miner.exe
2108	whrbuflqwhah.exe
2232	dialer.exe
2232	dialer.exe
3012	powershell.exe
2232	dialer.exe
2232	dialer.exe
2108	whrbuflqwhah.exe
2108	whrbuflqwhah.exe
2232	dialer.exe
2232	dialer.exe
2108	whrbuflqwhah.exe
2108	whrbuflqwhah.exe
2108	whrbuflqwhah.exe
2108	whrbuflqwhah.exe
2108	whrbuflqwhah.exe
2108	whrbuflqwhah.exe
1692	dialer.exe
1692	dialer.exe
2108	whrbuflqwhah.exe
1692	dialer.exe
1692	dialer.exe
1692	dialer.exe
1692	dialer.exe
1692	dialer.exe
1692	dialer.exe
1692	dialer.exe
1692	dialer.exe
1692	dialer.exe
1692	dialer.exe
1692	dialer.exe
1692	dialer.exe
1692	dialer.exe
1692	dialer.exe
1692	dialer.exe
1692	dialer.exe
1692	dialer.exe
1692	dialer.exe
1692	dialer.exe
1692	dialer.exe
1692	dialer.exe
1692	dialer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	2232	dialer.exe
Token: SeAuditPrivilege	848	svchost.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	1692	dialer.exe
Token: SeLockMemoryPrivilege	2760	dialer.exe
Token: SeAssignPrimaryTokenPrivilege	848	svchost.exe
Token: SeIncreaseQuotaPrivilege	848	svchost.exe
Token: SeSecurityPrivilege	848	svchost.exe
Token: SeTakeOwnershipPrivilege	848	svchost.exe
Token: SeLoadDriverPrivilege	848	svchost.exe
Token: SeSystemtimePrivilege	848	svchost.exe
Token: SeBackupPrivilege	848	svchost.exe
Token: SeRestorePrivilege	848	svchost.exe
Token: SeShutdownPrivilege	848	svchost.exe
Token: SeSystemEnvironmentPrivilege	848	svchost.exe
Token: SeUndockPrivilege	848	svchost.exe
Token: SeManageVolumePrivilege	848	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	848	svchost.exe
Token: SeIncreaseQuotaPrivilege	848	svchost.exe
Token: SeSecurityPrivilege	848	svchost.exe
Token: SeTakeOwnershipPrivilege	848	svchost.exe
Token: SeLoadDriverPrivilege	848	svchost.exe
Token: SeSystemtimePrivilege	848	svchost.exe
Token: SeBackupPrivilege	848	svchost.exe
Token: SeRestorePrivilege	848	svchost.exe
Token: SeShutdownPrivilege	848	svchost.exe
Token: SeSystemEnvironmentPrivilege	848	svchost.exe
Token: SeUndockPrivilege	848	svchost.exe
Token: SeManageVolumePrivilege	848	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	848	svchost.exe
Token: SeIncreaseQuotaPrivilege	848	svchost.exe
Token: SeSecurityPrivilege	848	svchost.exe
Token: SeTakeOwnershipPrivilege	848	svchost.exe
Token: SeLoadDriverPrivilege	848	svchost.exe
Token: SeSystemtimePrivilege	848	svchost.exe
Token: SeBackupPrivilege	848	svchost.exe
Token: SeRestorePrivilege	848	svchost.exe
Token: SeShutdownPrivilege	848	svchost.exe
Token: SeSystemEnvironmentPrivilege	848	svchost.exe
Token: SeUndockPrivilege	848	svchost.exe
Token: SeManageVolumePrivilege	848	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	848	svchost.exe
Token: SeIncreaseQuotaPrivilege	848	svchost.exe
Token: SeSecurityPrivilege	848	svchost.exe
Token: SeTakeOwnershipPrivilege	848	svchost.exe
Token: SeLoadDriverPrivilege	848	svchost.exe
Token: SeSystemtimePrivilege	848	svchost.exe
Token: SeBackupPrivilege	848	svchost.exe
Token: SeRestorePrivilege	848	svchost.exe
Token: SeShutdownPrivilege	848	svchost.exe
Token: SeSystemEnvironmentPrivilege	848	svchost.exe
Token: SeUndockPrivilege	848	svchost.exe
Token: SeManageVolumePrivilege	848	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	848	svchost.exe
Token: SeIncreaseQuotaPrivilege	848	svchost.exe
Token: SeSecurityPrivilege	848	svchost.exe
Token: SeTakeOwnershipPrivilege	848	svchost.exe
Token: SeLoadDriverPrivilege	848	svchost.exe
Token: SeSystemtimePrivilege	848	svchost.exe
Token: SeBackupPrivilege	848	svchost.exe
Token: SeRestorePrivilege	848	svchost.exe
Token: SeShutdownPrivilege	848	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2748	2172	SecuriteInfo.com.Trojan.Siggen18.29918.12269.16005.exe	30
PID 2172 wrote to memory of 2748	2172	SecuriteInfo.com.Trojan.Siggen18.29918.12269.16005.exe	30
PID 2172 wrote to memory of 2748	2172	SecuriteInfo.com.Trojan.Siggen18.29918.12269.16005.exe	30
PID 2172 wrote to memory of 2832	2172	SecuriteInfo.com.Trojan.Siggen18.29918.12269.16005.exe	32
PID 2172 wrote to memory of 2832	2172	SecuriteInfo.com.Trojan.Siggen18.29918.12269.16005.exe	32
PID 2172 wrote to memory of 2832	2172	SecuriteInfo.com.Trojan.Siggen18.29918.12269.16005.exe	32
PID 2172 wrote to memory of 2588	2172	SecuriteInfo.com.Trojan.Siggen18.29918.12269.16005.exe	33
PID 2172 wrote to memory of 2588	2172	SecuriteInfo.com.Trojan.Siggen18.29918.12269.16005.exe	33
PID 2172 wrote to memory of 2588	2172	SecuriteInfo.com.Trojan.Siggen18.29918.12269.16005.exe	33
PID 2172 wrote to memory of 2588	2172	SecuriteInfo.com.Trojan.Siggen18.29918.12269.16005.exe	33
PID 2588 wrote to memory of 2948	2588	Stealer.exe	36
PID 2588 wrote to memory of 2948	2588	Stealer.exe	36
PID 2588 wrote to memory of 2948	2588	Stealer.exe	36
PID 2588 wrote to memory of 2948	2588	Stealer.exe	36
PID 636 wrote to memory of 2324	636	cmd.exe	45
PID 636 wrote to memory of 2324	636	cmd.exe	45
PID 636 wrote to memory of 2324	636	cmd.exe	45
PID 2832 wrote to memory of 2232	2832	Miner.exe	52
PID 2832 wrote to memory of 2232	2832	Miner.exe	52
PID 2832 wrote to memory of 2232	2832	Miner.exe	52
PID 2832 wrote to memory of 2232	2832	Miner.exe	52
PID 2832 wrote to memory of 2232	2832	Miner.exe	52
PID 2832 wrote to memory of 2232	2832	Miner.exe	52
PID 2832 wrote to memory of 2232	2832	Miner.exe	52
PID 2232 wrote to memory of 432	2232	dialer.exe	5
PID 2232 wrote to memory of 476	2232	dialer.exe	6
PID 2232 wrote to memory of 492	2232	dialer.exe	7
PID 2232 wrote to memory of 500	2232	dialer.exe	8
PID 2232 wrote to memory of 596	2232	dialer.exe	9
PID 2232 wrote to memory of 680	2232	dialer.exe	10
PID 2232 wrote to memory of 744	2232	dialer.exe	11
PID 2232 wrote to memory of 808	2232	dialer.exe	12
PID 2232 wrote to memory of 848	2232	dialer.exe	13
PID 2232 wrote to memory of 960	2232	dialer.exe	15
PID 2232 wrote to memory of 236	2232	dialer.exe	16
PID 2232 wrote to memory of 272	2232	dialer.exe	17
PID 2232 wrote to memory of 1028	2232	dialer.exe	18
PID 2232 wrote to memory of 1108	2232	dialer.exe	19
PID 2232 wrote to memory of 1168	2232	dialer.exe	20
PID 2232 wrote to memory of 1204	2232	dialer.exe	21
PID 2232 wrote to memory of 1052	2232	dialer.exe	23
PID 2232 wrote to memory of 1384	2232	dialer.exe	24
PID 2232 wrote to memory of 1496	2232	dialer.exe	25
PID 2232 wrote to memory of 496	2232	dialer.exe	26
PID 2232 wrote to memory of 1976	2232	dialer.exe	27
PID 2232 wrote to memory of 2832	2232	dialer.exe	32
PID 2232 wrote to memory of 2580	2232	dialer.exe	35
PID 2232 wrote to memory of 1240	2232	dialer.exe	53
PID 2232 wrote to memory of 1312	2232	dialer.exe	54
PID 2232 wrote to memory of 2344	2232	dialer.exe	55
PID 2232 wrote to memory of 2420	2232	dialer.exe	56
PID 2232 wrote to memory of 2888	2232	dialer.exe	57
PID 2232 wrote to memory of 2128	2232	dialer.exe	58
PID 2408 wrote to memory of 484	2408	cmd.exe	63
PID 2408 wrote to memory of 484	2408	cmd.exe	63
PID 2408 wrote to memory of 484	2408	cmd.exe	63
PID 476 wrote to memory of 2108	476	services.exe	64
PID 476 wrote to memory of 2108	476	services.exe	64
PID 476 wrote to memory of 2108	476	services.exe	64
PID 2232 wrote to memory of 2108	2232	dialer.exe	64
PID 2232 wrote to memory of 2408	2232	dialer.exe	59
PID 2232 wrote to memory of 2348	2232	dialer.exe	61
PID 2232 wrote to memory of 3064	2232	dialer.exe	62
PID 2232 wrote to memory of 484	2232	dialer.exe	63

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Sets service image path in registry
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:476
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:596
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    3⤵
    PID:1384
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:1496
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    3⤵
    - Checks processor information in registry
    PID:2580
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:680
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  - Modifies security service
  - Indicator Removal: Clear Windows Event Logs
  PID:744
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:808
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1168
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:848
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:960
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:236
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:272
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1028
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1108
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  2⤵
  PID:1052
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:496
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:1976
- C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe
  C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  PID:2108
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:1648
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Drops file in Windows directory
      PID:940
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1672
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2452
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2276
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:336
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:2496
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1692
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    PID:2388
- - C:\Windows\system32\dialer.exe
    dialer.exe
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:2760

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:492

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:500

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen18.29918.12269.16005.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen18.29918.12269.16005.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAeQB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAbAB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHMAZQB1ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG0AZQB4ACMAPgA="
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2748
- - C:\Users\Admin\AppData\Roaming\Miner.exe
    "C:\Users\Admin\AppData\Roaming\Miner.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2868
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Suspicious use of WriteProcessMemory
      PID:636
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        Drops file in Windows directory
        
        PID:2324
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:592
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:536
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:1152
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:2100
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:3008
  - - C:\Windows\system32\dialer.exe
      C:\Windows\system32\dialer.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2232
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "RYVSUJUA"
      4⤵
      Launches sc.exe
      PID:1240
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "RYVSUJUA" binpath= "C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:2344
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:2888
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "RYVSUJUA"
      4⤵
      Launches sc.exe
      PID:2128
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Miner.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2408
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        5⤵
        
        PID:484
- - C:\Users\Admin\AppData\Local\Temp\Stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\Stealer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 1400
      4⤵
      Loads dropped DLL
      Program crash
      PID:2948

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1750267745843821366-95902474112366694261014156289167641466-586473903-776378149"
1⤵
PID:1312

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "891218844-145046563612867891937570249194421014662146022426676145854924974431"
1⤵
PID:2420

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1728697890-2031183429-170494927853888300-622796535-882910446-946506861979728071"
1⤵
PID:2348

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-96483463375564218-1829133577856682002-7927999302036765484-126263394573342145"
1⤵
PID:3064

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-63808673-2001474999-17090664571286042588652682276881327285-18519270452072537364"
1⤵
PID:564

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "181523596-495988321931659826-1933612244-10573747561391842891-1070102518-1058864950"
1⤵
PID:2548

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-59853314-11859614411754975327-1749452161-1891055399-1015575415648020586-450171410"
1⤵
PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab6663.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stealer.exe

Filesize
203KB

MD5
46a4e1cd3bae840958c82a7765ca3bb1

SHA1
f5239f36d37167b0d247e044e9e3c7cd88962a34

SHA256
aca8c3a961abb7db28d372d9e1d00f05784cf97e4b7d2e56b099a7eba1cbe4ee

SHA512
6818c1313db70e2b03f77a65f77878c4246dcc16f7a077390792a5f5ac3df12a078d7da0d7f2492bcf7bb68ca2ed7dff7dfdef5ebd88e41dc646016491b5afd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6676.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\F2JKVXPYTRP3XDK5R416.temp

Filesize
7KB

MD5
f04c622d4dd579aab2e3de97b83e699c

SHA1
c35aad8271b8c24029d0c6094fc417fcd19ed5af

SHA256
f88b3f9240c178da2eb0e8f1ec895e3d28e4ffd11d135b857cba2e1b0cacbf44

SHA512
60017754d23df2fcd4f2be0de0299c768706b03779866bbf5d75f3ba7a8a8f9791a65ec34eb157f4a3dd7a4f4f510c122d5347f3c4807764d6c737c800a4c669

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
710d55f3d3ca732fc39af6ffc68981ed

SHA1
f5795ab6843bf05d8b845b854a7fcf566a8a6b41

SHA256
651618095b62236fcd605652b4ee1e92886ffc38d72660149030b25f2ace3306

SHA512
1b8f40d21a3674ec23b67501fb4305d1bdd8cb7c3837d43014585a185e1aa9c3f9405c8429f85f4f76df80ecfc071ad6ac4a85d8581481bd88fd0f8c7e188e54

Download Submit
\Users\Admin\AppData\Roaming\Miner.exe

Filesize
5.3MB

MD5
99201be105bf0a4b25d9c5113da723fb

SHA1
443e6e285063f67cb46676b3951733592d569a7c

SHA256
e4eda2de1dab7a3891b0ed6eff0ccd905ff4b275150004c6eb5f1d6582eea9a2

SHA512
b57ae7282f2798cbf231f8ca6081b5fab10068566a49f0ad735e8408ccd73d77efb5c26a48b7591e20711f0adbd9e619b40078b9c51d31b7a9768104529e7808

Download Submit
memory/432-84-0x0000000000B90000-0x0000000000BB4000-memory.dmp

Filesize
144KB

Download
memory/432-87-0x0000000000BC0000-0x0000000000BEB000-memory.dmp

Filesize
172KB

Download
memory/432-86-0x0000000000B90000-0x0000000000BB4000-memory.dmp

Filesize
144KB

Download
memory/432-88-0x000007FEBF930000-0x000007FEBF940000-memory.dmp

Filesize
64KB

Download
memory/432-89-0x00000000379C0000-0x00000000379D0000-memory.dmp

Filesize
64KB

Download
memory/476-102-0x000007FEBF930000-0x000007FEBF940000-memory.dmp

Filesize
64KB

Download
memory/476-104-0x00000000379C0000-0x00000000379D0000-memory.dmp

Filesize
64KB

Download
memory/476-100-0x0000000000D10000-0x0000000000D3B000-memory.dmp

Filesize
172KB

Download
memory/492-97-0x00000000000C0000-0x00000000000EB000-memory.dmp

Filesize
172KB

Download
memory/492-98-0x000007FEBF930000-0x000007FEBF940000-memory.dmp

Filesize
64KB

Download
memory/492-99-0x00000000379C0000-0x00000000379D0000-memory.dmp

Filesize
64KB

Download
memory/2172-25-0x000007FEF6230000-0x000007FEF6C1C000-memory.dmp

Filesize
9.9MB

Download
memory/2172-2-0x000007FEF6230000-0x000007FEF6C1C000-memory.dmp

Filesize
9.9MB

Download
memory/2172-0-0x000007FEF6233000-0x000007FEF6234000-memory.dmp

Filesize
4KB

Download
memory/2172-1-0x00000000011A0000-0x000000000171C000-memory.dmp

Filesize
5.5MB

Download
memory/2232-81-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2232-75-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2232-74-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2232-78-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2232-73-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2232-76-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2232-79-0x0000000077980000-0x0000000077B29000-memory.dmp

Filesize
1.7MB

Download
memory/2232-80-0x0000000077860000-0x000000007797F000-memory.dmp

Filesize
1.1MB

Download
memory/2748-9-0x0000000002F30000-0x0000000002FB0000-memory.dmp

Filesize
512KB

Download
memory/2748-23-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download
memory/2748-24-0x00000000003F0000-0x00000000003F8000-memory.dmp

Filesize
32KB

Download
memory/2868-71-0x00000000028A0000-0x00000000028A8000-memory.dmp

Filesize
32KB

Download
memory/2868-70-0x000000001B3F0000-0x000000001B6D2000-memory.dmp

Filesize
2.9MB

Download
memory/3012-320-0x0000000000D80000-0x0000000000D88000-memory.dmp

Filesize
32KB

Download
memory/3012-311-0x0000000019E90000-0x000000001A172000-memory.dmp

Filesize
2.9MB

Download