vidar | e84f3f36aa22f8b7f7399ce57c68014ea23140e88755516db02b5e056d18dad6

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-10-2024 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e84f3f36aa22f8b7f7399ce57c68014ea23140e88755516db02b5e056d18dad6.exe
Size

1.3MB
MD5

13476835b5465cf91e4dd7e60e110e56
SHA1

38af4e6440237a3f0f7eb8378a9f82ea473fc9a4
SHA256

e84f3f36aa22f8b7f7399ce57c68014ea23140e88755516db02b5e056d18dad6
SHA512

90635bef1cfd86608c757270f45658b9aacf582afa249a58b046f533c00925851dc9e6cbd04cf54b7ae55965cc25dd94eac90a7b78b7a4a6da32ad5bbc74f74b
SSDEEP

24576:CMF7WKYDIOMJRvFadXXUfTwrlWB4Zsasxb3+PcRmJDh/:evDIOMJG9kil7bsxZIJDh/

Score

10^/10

vidar 744fd163d6d4e0ac37e4032bcbfbb6af credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

Botnet

744fd163d6d4e0ac37e4032bcbfbb6af

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Signatures

Detect Vidar Stealer 11 IoCs

stealer

resource	yara_rule
behavioral1/memory/2792-41-0x0000000005C10000-0x0000000005E86000-memory.dmp	family_vidar_v7
behavioral1/memory/2792-40-0x0000000005C10000-0x0000000005E86000-memory.dmp	family_vidar_v7
behavioral1/memory/2792-42-0x0000000005C10000-0x0000000005E86000-memory.dmp	family_vidar_v7
behavioral1/memory/2792-183-0x0000000005C10000-0x0000000005E86000-memory.dmp	family_vidar_v7
behavioral1/memory/2792-202-0x0000000005C10000-0x0000000005E86000-memory.dmp	family_vidar_v7
behavioral1/memory/2792-231-0x0000000005C10000-0x0000000005E86000-memory.dmp	family_vidar_v7
behavioral1/memory/2792-250-0x0000000005C10000-0x0000000005E86000-memory.dmp	family_vidar_v7
behavioral1/memory/2792-381-0x0000000005C10000-0x0000000005E86000-memory.dmp	family_vidar_v7
behavioral1/memory/2792-400-0x0000000005C10000-0x0000000005E86000-memory.dmp	family_vidar_v7
behavioral1/memory/2792-443-0x0000000005C10000-0x0000000005E86000-memory.dmp	family_vidar_v7
behavioral1/memory/2792-462-0x0000000005C10000-0x0000000005E86000-memory.dmp	family_vidar_v7

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 2792 created 1368	2792	Kim.pif	21
PID 2792 created 1368	2792	Kim.pif	21

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SyncWave.url	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SyncWave.url	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2792	Kim.pif

Loads dropped DLL 3 IoCs

pid	Process
1680	cmd.exe
2792	Kim.pif
2792	Kim.pif

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
1720	tasklist.exe
2764	tasklist.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\FortDesigns	e84f3f36aa22f8b7f7399ce57c68014ea23140e88755516db02b5e056d18dad6.exe
File opened for modification	C:\Windows\VitaminUw	e84f3f36aa22f8b7f7399ce57c68014ea23140e88755516db02b5e056d18dad6.exe
File opened for modification	C:\Windows\SureRow	e84f3f36aa22f8b7f7399ce57c68014ea23140e88755516db02b5e056d18dad6.exe
File opened for modification	C:\Windows\MotherboardWash	e84f3f36aa22f8b7f7399ce57c68014ea23140e88755516db02b5e056d18dad6.exe
File opened for modification	C:\Windows\BiteBoulevard	e84f3f36aa22f8b7f7399ce57c68014ea23140e88755516db02b5e056d18dad6.exe
File opened for modification	C:\Windows\OrchestraOut	e84f3f36aa22f8b7f7399ce57c68014ea23140e88755516db02b5e056d18dad6.exe
File opened for modification	C:\Windows\PicturesFuck	e84f3f36aa22f8b7f7399ce57c68014ea23140e88755516db02b5e056d18dad6.exe
File opened for modification	C:\Windows\CountedSexo	e84f3f36aa22f8b7f7399ce57c68014ea23140e88755516db02b5e056d18dad6.exe
File opened for modification	C:\Windows\GoodsReturned	e84f3f36aa22f8b7f7399ce57c68014ea23140e88755516db02b5e056d18dad6.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kim.pif
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e84f3f36aa22f8b7f7399ce57c68014ea23140e88755516db02b5e056d18dad6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Kim.pif
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Kim.pif

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1728	timeout.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Kim.pif
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Kim.pif
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Kim.pif

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2552	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2792	Kim.pif
2792	Kim.pif
2792	Kim.pif
2792	Kim.pif
2792	Kim.pif
2792	Kim.pif
2792	Kim.pif
2792	Kim.pif
2792	Kim.pif
2792	Kim.pif
2792	Kim.pif
2792	Kim.pif
2792	Kim.pif
2792	Kim.pif
2792	Kim.pif
2792	Kim.pif
2792	Kim.pif
2792	Kim.pif
2792	Kim.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1720	tasklist.exe
Token: SeDebugPrivilege	2764	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2792	Kim.pif
2792	Kim.pif
2792	Kim.pif

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2792	Kim.pif
2792	Kim.pif
2792	Kim.pif

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 1680	2108	e84f3f36aa22f8b7f7399ce57c68014ea23140e88755516db02b5e056d18dad6.exe	30
PID 2108 wrote to memory of 1680	2108	e84f3f36aa22f8b7f7399ce57c68014ea23140e88755516db02b5e056d18dad6.exe	30
PID 2108 wrote to memory of 1680	2108	e84f3f36aa22f8b7f7399ce57c68014ea23140e88755516db02b5e056d18dad6.exe	30
PID 2108 wrote to memory of 1680	2108	e84f3f36aa22f8b7f7399ce57c68014ea23140e88755516db02b5e056d18dad6.exe	30
PID 1680 wrote to memory of 1720	1680	cmd.exe	33
PID 1680 wrote to memory of 1720	1680	cmd.exe	33
PID 1680 wrote to memory of 1720	1680	cmd.exe	33
PID 1680 wrote to memory of 1720	1680	cmd.exe	33
PID 1680 wrote to memory of 1436	1680	cmd.exe	34
PID 1680 wrote to memory of 1436	1680	cmd.exe	34
PID 1680 wrote to memory of 1436	1680	cmd.exe	34
PID 1680 wrote to memory of 1436	1680	cmd.exe	34
PID 1680 wrote to memory of 2764	1680	cmd.exe	36
PID 1680 wrote to memory of 2764	1680	cmd.exe	36
PID 1680 wrote to memory of 2764	1680	cmd.exe	36
PID 1680 wrote to memory of 2764	1680	cmd.exe	36
PID 1680 wrote to memory of 2796	1680	cmd.exe	37
PID 1680 wrote to memory of 2796	1680	cmd.exe	37
PID 1680 wrote to memory of 2796	1680	cmd.exe	37
PID 1680 wrote to memory of 2796	1680	cmd.exe	37
PID 1680 wrote to memory of 2748	1680	cmd.exe	38
PID 1680 wrote to memory of 2748	1680	cmd.exe	38
PID 1680 wrote to memory of 2748	1680	cmd.exe	38
PID 1680 wrote to memory of 2748	1680	cmd.exe	38
PID 1680 wrote to memory of 2708	1680	cmd.exe	39
PID 1680 wrote to memory of 2708	1680	cmd.exe	39
PID 1680 wrote to memory of 2708	1680	cmd.exe	39
PID 1680 wrote to memory of 2708	1680	cmd.exe	39
PID 1680 wrote to memory of 2684	1680	cmd.exe	40
PID 1680 wrote to memory of 2684	1680	cmd.exe	40
PID 1680 wrote to memory of 2684	1680	cmd.exe	40
PID 1680 wrote to memory of 2684	1680	cmd.exe	40
PID 1680 wrote to memory of 2792	1680	cmd.exe	41
PID 1680 wrote to memory of 2792	1680	cmd.exe	41
PID 1680 wrote to memory of 2792	1680	cmd.exe	41
PID 1680 wrote to memory of 2792	1680	cmd.exe	41
PID 1680 wrote to memory of 2860	1680	cmd.exe	42
PID 1680 wrote to memory of 2860	1680	cmd.exe	42
PID 1680 wrote to memory of 2860	1680	cmd.exe	42
PID 1680 wrote to memory of 2860	1680	cmd.exe	42
PID 2792 wrote to memory of 2416	2792	Kim.pif	43
PID 2792 wrote to memory of 2416	2792	Kim.pif	43
PID 2792 wrote to memory of 2416	2792	Kim.pif	43
PID 2792 wrote to memory of 2416	2792	Kim.pif	43
PID 2792 wrote to memory of 2720	2792	Kim.pif	45
PID 2792 wrote to memory of 2720	2792	Kim.pif	45
PID 2792 wrote to memory of 2720	2792	Kim.pif	45
PID 2792 wrote to memory of 2720	2792	Kim.pif	45
PID 2416 wrote to memory of 2552	2416	cmd.exe	47
PID 2416 wrote to memory of 2552	2416	cmd.exe	47
PID 2416 wrote to memory of 2552	2416	cmd.exe	47
PID 2416 wrote to memory of 2552	2416	cmd.exe	47
PID 2792 wrote to memory of 2344	2792	Kim.pif	49
PID 2792 wrote to memory of 2344	2792	Kim.pif	49
PID 2792 wrote to memory of 2344	2792	Kim.pif	49
PID 2792 wrote to memory of 2344	2792	Kim.pif	49
PID 2344 wrote to memory of 1728	2344	cmd.exe	51
PID 2344 wrote to memory of 1728	2344	cmd.exe	51
PID 2344 wrote to memory of 1728	2344	cmd.exe	51
PID 2344 wrote to memory of 1728	2344	cmd.exe	51

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1368
- C:\Users\Admin\AppData\Local\Temp\e84f3f36aa22f8b7f7399ce57c68014ea23140e88755516db02b5e056d18dad6.exe
  "C:\Users\Admin\AppData\Local\Temp\e84f3f36aa22f8b7f7399ce57c68014ea23140e88755516db02b5e056d18dad6.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2108
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c move Devil Devil.bat & Devil.bat
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1680
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1720
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "wrsa opssvc"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1436
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2764
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2796
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c md 285204
      4⤵
      System Location Discovery: System Language Discovery
      PID:2748
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V "AugQualificationDepthWidth" Course
      4⤵
      System Location Discovery: System Language Discovery
      PID:2708
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c copy /b ..\Hb + ..\Rapid + ..\London + ..\Royal + ..\Charter + ..\Deck + ..\Pichunter + ..\Killing N
      4⤵
      System Location Discovery: System Language Discovery
      PID:2684
  - - C:\Users\Admin\AppData\Local\Temp\285204\Kim.pif
      Kim.pif N
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2792
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\FIIEGDBAEBFI" & exit
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2344
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1728
  - - C:\Windows\SysWOW64\choice.exe
      choice /d y /t 5
      4⤵
      System Location Discovery: System Language Discovery
      PID:2860
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks.exe /create /tn "Practices" /tr "wscript //B 'C:\Users\Admin\AppData\Local\DataWave Sphere Co\SyncWave.js'" /sc minute /mo 5 /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /create /tn "Practices" /tr "wscript //B 'C:\Users\Admin\AppData\Local\DataWave Sphere Co\SyncWave.js'" /sc minute /mo 5 /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2552
- C:\Windows\SysWOW64\cmd.exe
  cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SyncWave.url" & echo URL="C:\Users\Admin\AppData\Local\DataWave Sphere Co\SyncWave.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SyncWave.url" & exit
  2⤵
  - Drops startup file
  - System Location Discovery: System Language Discovery
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\285204\N

Filesize
570KB

MD5
2fa0ad6b54cc96a82097293820a6c8f8

SHA1
cc691ac7cb82d6ef144c59b6ad0944bd57813c38

SHA256
62834a6dad4f88b12d055896e14ed6638acdc2399a35b96a5df66c6f7ed72fef

SHA512
c1d6dedfc71aba9d84832f2b4235d5ce2ddb4b79cce6991c1416ba0b6ebf4227010ea71cc9e846a6d3a8d445a1ff1b03af0f8b7143fa767fe73f4b9074c38539

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB7AD.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Charter

Filesize
89KB

MD5
ec287f03de31d75d7b65333ad856d57d

SHA1
65b43b521b8afba6d9d3c325f71ef104ba1212f8

SHA256
4781b721205bcc4a912534f0f006acc8f49f220909b45c82e5d70ca718e80b84

SHA512
7e560fd33df0f4d8a1c9f954447dd29a8311a9dad6ef3ca3984c102b9a01952028ba146729e080f0de8bf3287f05d510af684000d3f6bfdfe921ee9b6b2629d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Course

Filesize
6KB

MD5
6da24f141475e1c94d0baa534671730e

SHA1
699de571854c9eab964ddde0c12f07818259017e

SHA256
71ac8f4534eb924876822260553e2c5fdfee7fc9a50790ffd3842339d8a33e35

SHA512
49cd5899f209632ac7ef1fd89b5190afa7cccbd78bf87036de2fa8c384d33e9296e9a66476c14c18f9a4ed4cf14cbba8942ddc5c4af90396a494c581195df95f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deck

Filesize
95KB

MD5
5bdef9e70fa8aac0118e96d47f1e1dbc

SHA1
0989482c6280bf460219d35a1824d760cd9ed3e0

SHA256
75f00c8c8a5841c48d383384ed01d0d9fea056fc8bb6b7e275e3a29edf37fa7b

SHA512
83c8fb674878a41fb47ceaa999672910e02e1be6c1c0cdfbd89cb0252a7758b3f7c9620d85e749b57ff7589b5d4d5a8fb4a7f9830add8d4406f65aa4ea0cbd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\Devil

Filesize
24KB

MD5
97d7d087cf461ff97c4a4438102c1016

SHA1
8b06c86ad5643e7f2a7300a0823711e9ba436963

SHA256
d97e4faaa2b3f23b147a2a626634794e9e853a3e661472502d6d786edb1c6c7a

SHA512
16c2ae7de0fbba2b2b6f0e5073d4bccd998cc972052f85fbfa70f448aa43634d51b50bffcfdd155bfad0111035067385414b7f94722eb3ae0c5939f934e864f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hb

Filesize
69KB

MD5
ef5519b0e3d69ac10317974081e12222

SHA1
49ed090bb19c951090b1633e2fd843c949951f07

SHA256
3c4f40140a71ecfde55326f84ca878e5c1a101d457107da13017f5670c6a5bb4

SHA512
0cb1cde599e6a93fe2ff68309086fd82c5ccd6cac966504ade451026a8da2f0442ee80fd873fbffdaecf18d8ab729317bdc017dd3744fbd744fa5b892b70951c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Herself

Filesize
866KB

MD5
352d59010c3a1ad07c6cc631429c3898

SHA1
d84012a103d428bda710012a40b5acd5aa2e8f05

SHA256
f9d2fe0dff05d8485cc1104e64940673055bd2ee3ff90297dad183fb6356eae3

SHA512
cfa507f35ab27e942e756c1d60599926706730bf207b5ebeb46702e52ce67428f16a22c4e7565d66992b69b26f76f651dda2bf17b6ef36592aff57e0587e343d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Killing

Filesize
13KB

MD5
a3dbd9ae326c770abcc54b0fdd7a22eb

SHA1
97d0e17dc71226a7816e1cbb3e070fa8a4872ff6

SHA256
f63d2eb292cab30f8e1ab7d9e2ed7b3b19b2be588da4fed455265ea9a6264a11

SHA512
5adda01b4500af1f5c09f0a78db320cf7611e6b595d2d9ebc907b5f70dcd4277d11d0056e4ac66fc72f3347088f14650635ba6a7ab8c8438772a52e3966fca71

Download Submit
C:\Users\Admin\AppData\Local\Temp\London

Filesize
75KB

MD5
463606075e8bc9b04f96c6f893469f91

SHA1
4fe270343a5a65b1357a0ff96f1d474cfd97bbea

SHA256
af8444e8ee47f86fb80bcca4b65c0e2db813240a6479a44ed7c0d4ad310d43e2

SHA512
0a440cc3052460b32ff289a897eb641568811572376d466cbdba786c02c585e25c2699aef7860ffcb460933f62d120255bbdfe6926135a5c5fe56b3a910e550d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pichunter

Filesize
91KB

MD5
9b7919ea2318bec3ef9666c982b77119

SHA1
55e2940fc3dc8f377b16ee06c58ee066e7e766f0

SHA256
02f813b83cd0126e876f387ac82b51289a9888e7b142fe41a543aaf57e91d225

SHA512
e5619ba41d1380d853fcb519dd7acaea1d9946a5f336241a0f396c75c20499a8da72487b6fb0713edf923ba79580425211d0f00e1ff650486d43f16c2e18c2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rapid

Filesize
68KB

MD5
78a2388d3143b203f0d68eda1962fd9c

SHA1
743bc34a72ed75189c491f5c14dcfe3ce3f4f434

SHA256
3739a2c7bf513612f2d616bb10b0221512fa4cce0222441d7ba96ffdfb553387

SHA512
e9dc06b5bdef912d33b129fad85561083ee8e56052929e5fe4dde9ed02d65fa6d2c3218ff045abbe7770a662959af00dff6a56b84f684cc0f00451b77e764255

Download Submit
C:\Users\Admin\AppData\Local\Temp\Royal

Filesize
70KB

MD5
f81ed71b4707976f2074491adb2e4f3c

SHA1
3bc06f946916884ddc04bf534deb823ac94e34e8

SHA256
207eb1026caac4ee644f3b7e1be0d455ac93298b07e329371e1bbd81cc6dc50e

SHA512
28eb57f3a5bbb52a865744c999a11345360a2332d1e5a52b70db58b410944f387c4ba3d5a0bcded792909848d7693f898cb66900d0e94c74994bf1a1d71648e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB81E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
\Users\Admin\AppData\Local\Temp\285204\Kim.pif

Filesize
872KB

MD5
18ce19b57f43ce0a5af149c96aecc685

SHA1
1bd5ca29fc35fc8ac346f23b155337c5b28bbc36

SHA256
d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd

SHA512
a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558

Download Submit
memory/2792-41-0x0000000005C10000-0x0000000005E86000-memory.dmp

Filesize
2.5MB

Download
memory/2792-42-0x0000000005C10000-0x0000000005E86000-memory.dmp

Filesize
2.5MB

Download
memory/2792-40-0x0000000005C10000-0x0000000005E86000-memory.dmp

Filesize
2.5MB

Download
memory/2792-38-0x0000000005C10000-0x0000000005E86000-memory.dmp

Filesize
2.5MB

Download
memory/2792-183-0x0000000005C10000-0x0000000005E86000-memory.dmp

Filesize
2.5MB

Download
memory/2792-202-0x0000000005C10000-0x0000000005E86000-memory.dmp

Filesize
2.5MB

Download
memory/2792-222-0x0000000015B40000-0x0000000015D9F000-memory.dmp

Filesize
2.4MB

Download
memory/2792-231-0x0000000005C10000-0x0000000005E86000-memory.dmp

Filesize
2.5MB

Download
memory/2792-250-0x0000000005C10000-0x0000000005E86000-memory.dmp

Filesize
2.5MB

Download
memory/2792-37-0x0000000005C10000-0x0000000005E86000-memory.dmp

Filesize
2.5MB

Download
memory/2792-39-0x0000000005C10000-0x0000000005E86000-memory.dmp

Filesize
2.5MB

Download
memory/2792-381-0x0000000005C10000-0x0000000005E86000-memory.dmp

Filesize
2.5MB

Download
memory/2792-400-0x0000000005C10000-0x0000000005E86000-memory.dmp

Filesize
2.5MB

Download
memory/2792-443-0x0000000005C10000-0x0000000005E86000-memory.dmp

Filesize
2.5MB

Download
memory/2792-462-0x0000000005C10000-0x0000000005E86000-memory.dmp

Filesize
2.5MB

Download