vidar | 017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-10-2024 13:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe
Size

5.5MB
MD5

2b74fd898c6ca79faa64f3d9cae268d4
SHA1

206353bb5b604968e4821e115748f9aa3df6a671
SHA256

017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455
SHA512

d7e7744acf93868df00ac8be04dd4f35dbd9ec984f69899fa815692b41911f3a7dc8d81d2f12ee72a6b945f83db21fc50665769da5d3fb205ef25b8ddd151ac7
SSDEEP

98304:QoxgTUyKDV4dn82Ytf6IkQHWmXneKPpfmncntCkHx+Ji3MLepmWr34Dfr:NyKx4dn82Ytyz1yNpfmn+tCux+8m9M4D

Score

10^/10

vidar d165eae423b0d6c5abd85327c20d845d defense_evasion discovery evasion execution persistence stealer

Malware Config

Extracted

Family

vidar

Version

8.4

Botnet

d165eae423b0d6c5abd85327c20d845d

https://steamcommunity.com/profiles/76561199654112719

https://t.me/r2d0s

Attributes

profile_id_v2
d165eae423b0d6c5abd85327c20d845d
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0

Signatures

Detect Vidar Stealer 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x000700000001868b-12.dat	family_vidar_v7

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection	svchost.exe

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2884	powershell.exe
2456	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	Miner.exe
File created	C:\Windows\system32\drivers\etc\hosts	whrbuflqwhah.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\RYVSUJUA\ImagePath = "C:\\ProgramData\\trmrjvadsnmf\\whrbuflqwhah.exe"	services.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 5 IoCs

pid	Process
1480	Payload.exe
2200	build.exe
2768	Miner.exe
2760	Shortcutter.exe
1592	whrbuflqwhah.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

description	ioc	Process
File opened for modification	C:\Windows\System32\Winevt\Logs\Setup.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx	svchost.exe

Loads dropped DLL 6 IoCs

pid	Process
2528	017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe
1480	Payload.exe
1480	Payload.exe
1480	Payload.exe
476	services.exe
476	services.exe

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	Miner.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	whrbuflqwhah.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2768 set thread context of 772	2768	Miner.exe	57
PID 1592 set thread context of 2448	1592	whrbuflqwhah.exe	85
PID 1592 set thread context of 2000	1592	whrbuflqwhah.exe	86
PID 1592 set thread context of 1976	1592	whrbuflqwhah.exe	87

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\build.exe	017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe
File created	C:\Windows\wusa.lock	wusa.exe
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe
File created	C:\Windows\wusa.lock	wusa.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1140	sc.exe
2660	sc.exe
2936	sc.exe
2780	sc.exe
1264	sc.exe
1960	sc.exe
1856	sc.exe
1972	sc.exe
1796	sc.exe
3048	sc.exe
1632	sc.exe
352	sc.exe
2208	sc.exe
2820	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1272	2200	WerFault.exe	34

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payload.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = e0ab5034c123db01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs	dialer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs	dialer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2844	powershell.exe
3012	powershell.exe
2768	Miner.exe
2884	powershell.exe
2768	Miner.exe
2768	Miner.exe
2768	Miner.exe
2768	Miner.exe
2768	Miner.exe
2768	Miner.exe
2768	Miner.exe
2768	Miner.exe
772	dialer.exe
772	dialer.exe
772	dialer.exe
772	dialer.exe
772	dialer.exe
772	dialer.exe
2768	Miner.exe
772	dialer.exe
772	dialer.exe
2768	Miner.exe
2768	Miner.exe
2768	Miner.exe
772	dialer.exe
772	dialer.exe
1592	whrbuflqwhah.exe
772	dialer.exe
772	dialer.exe
772	dialer.exe
772	dialer.exe
772	dialer.exe
772	dialer.exe
772	dialer.exe
772	dialer.exe
2456	powershell.exe
772	dialer.exe
772	dialer.exe
772	dialer.exe
772	dialer.exe
772	dialer.exe
772	dialer.exe
772	dialer.exe
772	dialer.exe
1592	whrbuflqwhah.exe
1592	whrbuflqwhah.exe
1592	whrbuflqwhah.exe
772	dialer.exe
772	dialer.exe
1592	whrbuflqwhah.exe
1592	whrbuflqwhah.exe
1592	whrbuflqwhah.exe
1592	whrbuflqwhah.exe
1592	whrbuflqwhah.exe
2448	dialer.exe
2448	dialer.exe
2448	dialer.exe
2448	dialer.exe
1592	whrbuflqwhah.exe
2448	dialer.exe
2448	dialer.exe
2448	dialer.exe
2448	dialer.exe
2448	dialer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	2760	Shortcutter.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	772	dialer.exe
Token: SeAuditPrivilege	848	svchost.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	2448	dialer.exe
Token: SeLockMemoryPrivilege	1976	dialer.exe
Token: SeAuditPrivilege	848	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	848	svchost.exe
Token: SeIncreaseQuotaPrivilege	848	svchost.exe
Token: SeSecurityPrivilege	848	svchost.exe
Token: SeTakeOwnershipPrivilege	848	svchost.exe
Token: SeLoadDriverPrivilege	848	svchost.exe
Token: SeSystemtimePrivilege	848	svchost.exe
Token: SeBackupPrivilege	848	svchost.exe
Token: SeRestorePrivilege	848	svchost.exe
Token: SeShutdownPrivilege	848	svchost.exe
Token: SeSystemEnvironmentPrivilege	848	svchost.exe
Token: SeUndockPrivilege	848	svchost.exe
Token: SeManageVolumePrivilege	848	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	848	svchost.exe
Token: SeIncreaseQuotaPrivilege	848	svchost.exe
Token: SeSecurityPrivilege	848	svchost.exe
Token: SeTakeOwnershipPrivilege	848	svchost.exe
Token: SeLoadDriverPrivilege	848	svchost.exe
Token: SeSystemtimePrivilege	848	svchost.exe
Token: SeBackupPrivilege	848	svchost.exe
Token: SeRestorePrivilege	848	svchost.exe
Token: SeShutdownPrivilege	848	svchost.exe
Token: SeSystemEnvironmentPrivilege	848	svchost.exe
Token: SeUndockPrivilege	848	svchost.exe
Token: SeManageVolumePrivilege	848	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	848	svchost.exe
Token: SeIncreaseQuotaPrivilege	848	svchost.exe
Token: SeSecurityPrivilege	848	svchost.exe
Token: SeTakeOwnershipPrivilege	848	svchost.exe
Token: SeLoadDriverPrivilege	848	svchost.exe
Token: SeSystemtimePrivilege	848	svchost.exe
Token: SeBackupPrivilege	848	svchost.exe
Token: SeRestorePrivilege	848	svchost.exe
Token: SeShutdownPrivilege	848	svchost.exe
Token: SeSystemEnvironmentPrivilege	848	svchost.exe
Token: SeUndockPrivilege	848	svchost.exe
Token: SeManageVolumePrivilege	848	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	848	svchost.exe
Token: SeIncreaseQuotaPrivilege	848	svchost.exe
Token: SeSecurityPrivilege	848	svchost.exe
Token: SeTakeOwnershipPrivilege	848	svchost.exe
Token: SeLoadDriverPrivilege	848	svchost.exe
Token: SeSystemtimePrivilege	848	svchost.exe
Token: SeBackupPrivilege	848	svchost.exe
Token: SeRestorePrivilege	848	svchost.exe
Token: SeShutdownPrivilege	848	svchost.exe
Token: SeSystemEnvironmentPrivilege	848	svchost.exe
Token: SeUndockPrivilege	848	svchost.exe
Token: SeManageVolumePrivilege	848	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	848	svchost.exe
Token: SeIncreaseQuotaPrivilege	848	svchost.exe
Token: SeSecurityPrivilege	848	svchost.exe
Token: SeTakeOwnershipPrivilege	848	svchost.exe
Token: SeLoadDriverPrivilege	848	svchost.exe
Token: SeSystemtimePrivilege	848	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 3012	2528	017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe	31
PID 2528 wrote to memory of 3012	2528	017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe	31
PID 2528 wrote to memory of 3012	2528	017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe	31
PID 2528 wrote to memory of 3012	2528	017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe	31
PID 2528 wrote to memory of 1480	2528	017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe	33
PID 2528 wrote to memory of 1480	2528	017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe	33
PID 2528 wrote to memory of 1480	2528	017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe	33
PID 2528 wrote to memory of 1480	2528	017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe	33
PID 2528 wrote to memory of 2200	2528	017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe	34
PID 2528 wrote to memory of 2200	2528	017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe	34
PID 2528 wrote to memory of 2200	2528	017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe	34
PID 2528 wrote to memory of 2200	2528	017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe	34
PID 1480 wrote to memory of 2844	1480	Payload.exe	35
PID 1480 wrote to memory of 2844	1480	Payload.exe	35
PID 1480 wrote to memory of 2844	1480	Payload.exe	35
PID 1480 wrote to memory of 2844	1480	Payload.exe	35
PID 1480 wrote to memory of 2768	1480	Payload.exe	37
PID 1480 wrote to memory of 2768	1480	Payload.exe	37
PID 1480 wrote to memory of 2768	1480	Payload.exe	37
PID 1480 wrote to memory of 2768	1480	Payload.exe	37
PID 1480 wrote to memory of 2760	1480	Payload.exe	38
PID 1480 wrote to memory of 2760	1480	Payload.exe	38
PID 1480 wrote to memory of 2760	1480	Payload.exe	38
PID 1480 wrote to memory of 2760	1480	Payload.exe	38
PID 2200 wrote to memory of 1272	2200	build.exe	41
PID 2200 wrote to memory of 1272	2200	build.exe	41
PID 2200 wrote to memory of 1272	2200	build.exe	41
PID 2200 wrote to memory of 1272	2200	build.exe	41
PID 3032 wrote to memory of 1940	3032	cmd.exe	50
PID 3032 wrote to memory of 1940	3032	cmd.exe	50
PID 3032 wrote to memory of 1940	3032	cmd.exe	50
PID 2768 wrote to memory of 772	2768	Miner.exe	57
PID 2768 wrote to memory of 772	2768	Miner.exe	57
PID 2768 wrote to memory of 772	2768	Miner.exe	57
PID 2768 wrote to memory of 772	2768	Miner.exe	57
PID 2768 wrote to memory of 772	2768	Miner.exe	57
PID 2768 wrote to memory of 772	2768	Miner.exe	57
PID 2768 wrote to memory of 772	2768	Miner.exe	57
PID 772 wrote to memory of 432	772	dialer.exe	5
PID 772 wrote to memory of 476	772	dialer.exe	6
PID 772 wrote to memory of 492	772	dialer.exe	7
PID 772 wrote to memory of 500	772	dialer.exe	8
PID 772 wrote to memory of 592	772	dialer.exe	9
PID 772 wrote to memory of 676	772	dialer.exe	10
PID 772 wrote to memory of 740	772	dialer.exe	11
PID 772 wrote to memory of 820	772	dialer.exe	12
PID 772 wrote to memory of 848	772	dialer.exe	13
PID 772 wrote to memory of 972	772	dialer.exe	15
PID 772 wrote to memory of 276	772	dialer.exe	16
PID 772 wrote to memory of 328	772	dialer.exe	17
PID 772 wrote to memory of 1064	772	dialer.exe	18
PID 772 wrote to memory of 1108	772	dialer.exe	19
PID 772 wrote to memory of 1172	772	dialer.exe	20
PID 772 wrote to memory of 1196	772	dialer.exe	21
PID 772 wrote to memory of 556	772	dialer.exe	23
PID 772 wrote to memory of 840	772	dialer.exe	24
PID 772 wrote to memory of 1636	772	dialer.exe	25
PID 772 wrote to memory of 2544	772	dialer.exe	26
PID 772 wrote to memory of 2292	772	dialer.exe	27
PID 772 wrote to memory of 2768	772	dialer.exe	37
PID 772 wrote to memory of 2760	772	dialer.exe	38
PID 772 wrote to memory of 1752	772	dialer.exe	40
PID 772 wrote to memory of 1632	772	dialer.exe	58
PID 772 wrote to memory of 904	772	dialer.exe	59

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:432

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
- Sets service image path in registry
- Loads dropped DLL
PID:476
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:592
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    3⤵
    PID:840
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:1636
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    3⤵
    - Checks processor information in registry
    PID:1752
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -Embedding
    3⤵
    PID:1320
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:676
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  - Modifies security service
  - Indicator Removal: Clear Windows Event Logs
  PID:740
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:820
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1172
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:848
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:972
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:276
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:328
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1064
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1108
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  2⤵
  PID:556
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:2544
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:2292
- C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe
  C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  PID:1592
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:2528
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Drops file in Windows directory
      PID:2784
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2208
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2780
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2820
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:1264
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:1796
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2448
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    PID:2000
- - C:\Windows\system32\dialer.exe
    dialer.exe
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:1976

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:492

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:500

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196
- C:\Users\Admin\AppData\Local\Temp\017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe
  "C:\Users\Admin\AppData\Local\Temp\017b15febc04189f8450a52455fe65f942ef1d31d2f8a1e1492b964eff14c455.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AYgBqACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHoAcwB2ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGwAagB5ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAG4AcQBsACMAPgA="
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3012
- - C:\Users\Admin\AppData\Roaming\Payload.exe
    "C:\Users\Admin\AppData\Roaming\Payload.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1480
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAZQBzACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGoAcQBoACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGYAZwBmACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHkAaABlACMAPgA="
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2844
  - - C:\Users\Admin\AppData\Roaming\Miner.exe
      "C:\Users\Admin\AppData\Roaming\Miner.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2768
    - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3032
      - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        6⤵
        Drops file in Windows directory
        
        PID:1940
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop UsoSvc
        5⤵
        Launches sc.exe
        
        PID:3048
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        
        PID:1140
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop wuauserv
        5⤵
        Launches sc.exe
        
        PID:1960
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop bits
        5⤵
        Launches sc.exe
        
        PID:1856
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop dosvc
        5⤵
        Launches sc.exe
        
        PID:1972
    - - C:\Windows\system32\dialer.exe
        
        C:\Windows\system32\dialer.exe
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:772
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe delete "RYVSUJUA"
        5⤵
        Launches sc.exe
        
        PID:1632
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe create "RYVSUJUA" binpath= "C:\ProgramData\trmrjvadsnmf\whrbuflqwhah.exe" start= "auto"
        5⤵
        Launches sc.exe
        
        PID:2660
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe stop eventlog
        5⤵
        Launches sc.exe
        
        PID:352
    - - C:\Windows\system32\sc.exe
        
        C:\Windows\system32\sc.exe start "RYVSUJUA"
        5⤵
        Launches sc.exe
        
        PID:2936
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\Miner.exe"
        5⤵
        
        PID:2152
      - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 3
        6⤵
        
        PID:1612
  - - C:\Users\Admin\AppData\Roaming\Shortcutter.exe
      "C:\Users\Admin\AppData\Roaming\Shortcutter.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2760
- - C:\Windows\build.exe
    "C:\Windows\build.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1388
      4⤵
      Program crash
      PID:1272

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "770635598-689287388-923223064701091871-1473712830-78600242812543464561026744451"
1⤵
PID:904

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "371303785-1756701772189040301789603567-987859875-1098802582-1109791061-1760695818"
1⤵
PID:2188

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1612783420125846872-132669619616749451961388610523-1035118165-1019678811641544785"
1⤵
PID:2916

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-39390333-1474348127306397653-135315512987591778456277687260294957781744717"
1⤵
PID:2928

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-672572833-9480255021621462498-1508592931597472469-12356079001918247961996776128"
1⤵
PID:2064

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1953340743-448571263-267276059-1077187989-11325555661419560818-1097754186285779561"
1⤵
PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Modify Registry

T1112

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabD7F9.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD84A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
d002f6bc23d15369ac61587de08ab629

SHA1
ff826b753def36f0a5cba1605b0236b1f626d4dd

SHA256
0f2fed5b35b7e7c21c2f4bb07c9a00fddd3269592dc0aa51450ce7a08b9be735

SHA512
1582bd31c42b0860b5b340bf341a931d64cd9501648162d832ab17f128f862ae9157f99aebc343e60f0827f8c9c0659984f5717cf3632eacdf7672545f343e56

Download Submit
C:\Users\Admin\AppData\Roaming\Miner.exe

Filesize
5.3MB

MD5
99201be105bf0a4b25d9c5113da723fb

SHA1
443e6e285063f67cb46676b3951733592d569a7c

SHA256
e4eda2de1dab7a3891b0ed6eff0ccd905ff4b275150004c6eb5f1d6582eea9a2

SHA512
b57ae7282f2798cbf231f8ca6081b5fab10068566a49f0ad735e8408ccd73d77efb5c26a48b7591e20711f0adbd9e619b40078b9c51d31b7a9768104529e7808

Download Submit
C:\Users\Admin\AppData\Roaming\Payload.exe

Filesize
5.3MB

MD5
b59631e064541c8651576128708e50f9

SHA1
7aae996d4990f37a48288fa5f15a7889c3ff49b3

SHA256
4e5fcc788287580ed19402eadaab8c69ca5f0a904ead605153feb534bbe87002

SHA512
571a06f0ec88fe3697388195dd0a7f7e8d63945748855d928fb5005b51fd2c2baea1a63bd871ed0cfade5eabb879f577b7b04f9cd4d1222de52da641feee1f92

Download Submit
C:\Windows\build.exe

Filesize
188KB

MD5
ffe5ff4a06e3a7696484bbce8f3ade91

SHA1
af919d9b6b7abef80fb5c85498ffc5ec0c0ae394

SHA256
b256448e3219b2b7033b4c214c78b02db0d4e000f943fc98dffede3d8a6a7cf3

SHA512
bfeb89c2b5e7420d48879d010cfe2f4d587f1d43612fd3ab489988092d11dfd4796a306c5a4b8a6be8b78ebde2e0561bae3ee5e1d4a827aa43db8e13d55cc9a4

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
710d55f3d3ca732fc39af6ffc68981ed

SHA1
f5795ab6843bf05d8b845b854a7fcf566a8a6b41

SHA256
651618095b62236fcd605652b4ee1e92886ffc38d72660149030b25f2ace3306

SHA512
1b8f40d21a3674ec23b67501fb4305d1bdd8cb7c3837d43014585a185e1aa9c3f9405c8429f85f4f76df80ecfc071ad6ac4a85d8581481bd88fd0f8c7e188e54

Download Submit
\Users\Admin\AppData\Roaming\Shortcutter.exe

Filesize
50KB

MD5
4ce8fc5016e97f84dadaf983cca845f2

SHA1
0d6fb5a16442cf393d5658a9f40d2501d8fd725c

SHA256
f4da7f22e8eb28cfd8ecb0c3fdc8923b2ba5c5e96b917cbcf53b6bbed1c22551

SHA512
4adeb4774ca136a085bc92cf6f02aa340f927ae12e1db90e8a2be69ef045611d333904ef5714c876ab03f8bcc52ee0140e724bd1659b9cf9eacf0a7d6a7bdd46

Download Submit
memory/432-91-0x0000000000BD0000-0x0000000000BFB000-memory.dmp

Filesize
172KB

Download
memory/432-88-0x0000000000BA0000-0x0000000000BC4000-memory.dmp

Filesize
144KB

Download
memory/432-92-0x000007FEBDD00000-0x000007FEBDD10000-memory.dmp

Filesize
64KB

Download
memory/432-93-0x0000000037AE0000-0x0000000037AF0000-memory.dmp

Filesize
64KB

Download
memory/432-90-0x0000000000BA0000-0x0000000000BC4000-memory.dmp

Filesize
144KB

Download
memory/476-114-0x000007FEBDD00000-0x000007FEBDD10000-memory.dmp

Filesize
64KB

Download
memory/476-115-0x0000000037AE0000-0x0000000037AF0000-memory.dmp

Filesize
64KB

Download
memory/476-112-0x0000000000160000-0x000000000018B000-memory.dmp

Filesize
172KB

Download
memory/492-102-0x000007FEBDD00000-0x000007FEBDD10000-memory.dmp

Filesize
64KB

Download
memory/492-103-0x0000000037AE0000-0x0000000037AF0000-memory.dmp

Filesize
64KB

Download
memory/492-101-0x0000000000080000-0x00000000000AB000-memory.dmp

Filesize
172KB

Download
memory/500-138-0x000007FEBDD00000-0x000007FEBDD10000-memory.dmp

Filesize
64KB

Download
memory/500-139-0x0000000037AE0000-0x0000000037AF0000-memory.dmp

Filesize
64KB

Download
memory/500-133-0x0000000000840000-0x000000000086B000-memory.dmp

Filesize
172KB

Download
memory/740-136-0x0000000037AE0000-0x0000000037AF0000-memory.dmp

Filesize
64KB

Download
memory/740-134-0x0000000001420000-0x000000000144B000-memory.dmp

Filesize
172KB

Download
memory/740-135-0x000007FEBDD00000-0x000007FEBDD10000-memory.dmp

Filesize
64KB

Download
memory/772-82-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/772-83-0x0000000077AA0000-0x0000000077C49000-memory.dmp

Filesize
1.7MB

Download
memory/772-80-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/772-78-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/772-79-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/772-84-0x0000000077980000-0x0000000077A9F000-memory.dmp

Filesize
1.1MB

Download
memory/772-85-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/772-77-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/2456-355-0x0000000019FC0000-0x000000001A2A2000-memory.dmp

Filesize
2.9MB

Download
memory/2456-356-0x0000000000A10000-0x0000000000A18000-memory.dmp

Filesize
32KB

Download
memory/2760-29-0x0000000000E90000-0x0000000000EA2000-memory.dmp

Filesize
72KB

Download
memory/2884-75-0x00000000029E0000-0x00000000029E8000-memory.dmp

Filesize
32KB

Download
memory/2884-74-0x000000001B430000-0x000000001B712000-memory.dmp

Filesize
2.9MB

Download