Analysis
max time kernel: 34s
max time network: 38s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 19-10-2024 16:18
Static task: static1
Behavioral task: behavioral1
Sample: res.js
Resource: win11-20241007-en

General
Target: res.js
Size: 4KB
MD5: 440c1565f02140aa1b10af7a682d0bd6
SHA1: c1b8cd858d6656bd63f78cde6479d55c45bc25d5
SHA256: d58a43177a96c7ba99b18b092b2328e0d1992bb6297f9d88c07479a57d1b960d
SHA512: cf9199c3d39f970e4b6e42e14945b87f7bf99551a034c8eca5bc039b9328b081fd31efe4c772fef4aa0e87b7255b8a02230ee86ef95c4d67e71b9818c0012ac0
SSDEEP: 96:C7qdfKkxWtLqSXpd5mokVew2e3jzwuuHC0MPF6XBm5YaWxMR4GTBMh8lCfIxj6fQ:VrsIYXmoqMe3bEdMt6sY7e4GTrv9VV
Malware Config
Extracted
Family: vidar
Version: 11.1
65158feadb3cebfa5c9a9e36f0d461fe
URLs:
  https://t.me/fun88rockskek
  https://steamcommunity.com/profiles/76561199786602107
  https://t.me/lpnjoke
user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0
Signatures

Detect Vidar Stealer (4 IoCs)
  resource | yara_rule
  behavioral1/memory/4828-37-0x0000000000920000-0x0000000000B96000-memory.dmp | family_vidar_v7
  behavioral1/memory/3748-38-0x0000000000400000-0x0000000000919000-memory.dmp | family_vidar_v7
  behavioral1/memory/3748-39-0x0000000000400000-0x0000000000919000-memory.dmp | family_vidar_v7
  behavioral1/memory/4828-41-0x0000000000920000-0x0000000000B96000-memory.dmp | family_vidar_v7

Blocklisted process makes network request (4 IoCs)
  flow | pid | Process
  2 | 5600 | wscript.exe
  3 | 5600 | wscript.exe
  4 | 5600 | wscript.exe
  5 | 5600 | wscript.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  3748 | tp3host.exe
  4828 | tp3host.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Windows\CurrentVersion\Run\AttoDesignerEditor = "C:\\Users\\Admin\\Music\\AttoDesignerUpdater\\AttoConvertVideo.exe" | tp3host.exe

Command and Scripting Interpreter: JavaScript (1 TTP)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tp3host.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tp3host.exe

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | Taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | Taskmgr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | Taskmgr.exe

Suspicious behavior: EnumeratesProcesses (31 IoCs)
  pid | Process
  5204 | Taskmgr.exe (29 entries)
  4828 | tp3host.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 5204 | Taskmgr.exe
  Token: SeSystemProfilePrivilege | 5204 | Taskmgr.exe
  Token: SeCreateGlobalPrivilege | 5204 | Taskmgr.exe

Suspicious use of FindShellTrayWindow (40 IoCs)
  pid | Process
  5204 | Taskmgr.exe (40 entries)

Suspicious use of SendNotifyMessage (40 IoCs)
  pid | Process
  5204 | Taskmgr.exe (40 entries)

Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 5600 wrote to memory of 3748 | 5600 | wscript.exe | 79 (3 entries)
  PID 3748 wrote to memory of 4828 | 3748 | tp3host.exe | 81 (5 entries)
Processes

C:\Windows\system32\wscript.exe
  command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\res.js
  PID: 5600
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\tp3host.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tp3host.exe"
    PID: 3748
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\tp3host.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\tp3host.exe"
      PID: 4828
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\Taskmgr.exe
  command line: "C:\Windows\System32\Taskmgr.exe"
  PID: 5204
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network

DNS queries (all to 8.8.8.8:53):
- giantowl.flywheelsites.com IN A
  response: giantowl.flywheelsites.com IN A 151.101.2.159
- 8.8.8.8.in-addr.arpa IN PTR
  response: 8.8.8.8.in-addr.arpa IN PTR dns.google
- ctldl.windowsupdate.com IN A
  response: ctldl.windowsupdate.com IN CNAME ctldl.windowsupdate.com.delivery.microsoft.com
            ctldl.windowsupdate.com.delivery.microsoft.com IN CNAME wu-b-net.trafficmanager.net
            wu-b-net.trafficmanager.net IN CNAME download.windowsupdate.com.edgesuite.net
            download.windowsupdate.com.edgesuite.net IN CNAME a767.dspw65.akamai.net
            a767.dspw65.akamai.net IN A 2.23.210.83
            a767.dspw65.akamai.net IN A 2.23.210.88
- 159.2.101.151.in-addr.arpa IN PTR
  response: (empty)
- ocsp.comodoca.com IN A
  response: ocsp.comodoca.com IN CNAME ocsp.comodoca.com.cdn.cloudflare.net
            ocsp.comodoca.com.cdn.cloudflare.net IN A 104.18.38.233
            ocsp.comodoca.com.cdn.cloudflare.net IN A 172.64.149.23
- ocsp.usertrust.com IN A
  response: ocsp.usertrust.com IN CNAME ocsp.comodoca.com.cdn.cloudflare.net
            ocsp.comodoca.com.cdn.cloudflare.net IN A 172.64.149.23
            ocsp.comodoca.com.cdn.cloudflare.net IN A 104.18.38.233
- 83.210.23.2.in-addr.arpa IN PTR
  response: 83.210.23.2.in-addr.arpa IN PTR a2-23-210-83.deploy.static.akamaitechnologies.com
- 83.210.23.2.in-addr.arpa IN PTR
  response: (none)
- 233.38.18.104.in-addr.arpa IN PTR
  response: (empty)
- 233.38.18.104.in-addr.arpa IN PTR
  response: (none)
- 23.149.64.172.in-addr.arpa IN PTR
  response: (empty)
- 23.149.64.172.in-addr.arpa IN PTR
  response: (none)
- t.me IN A
  response: t.me IN A 149.154.167.99
- 99.167.154.149.in-addr.arpa IN PTR
  response: (empty)
- ocsp.godaddy.com IN A
  response: ocsp.godaddy.com IN CNAME ocsp.godaddy.com.akadns.net
            ocsp.godaddy.com.akadns.net IN A 192.124.249.22
            ocsp.godaddy.com.akadns.net IN A 192.124.249.36
            ocsp.godaddy.com.akadns.net IN A 192.124.249.23
            ocsp.godaddy.com.akadns.net IN A 192.124.249.41
            ocsp.godaddy.com.akadns.net IN A 192.124.249.24
- ocsp.godaddy.com IN A (4 further queries, no response recorded)
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 5.0MB
MD5: 6733924c670207ed7755dc0fe2286c36
SHA1: 2fea9c1b0c3b0a923232dbcadcfc661bb08031d0
SHA256: a555018ed03a0b191f64f625b75cebd9f62c194c7b1c1a66b91266f2f1c1b6c4
SHA512: 692d642223ddcff9e75e0d76437fbc760f9a356609fc4c3cccdddbdeb453f2bf04ce8438c3820b4445c320840a28f86215da880f1d8fe96dc9f65567e4505e67