Analysis
max time kernel: 93s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 14-12-2024 12:17
Static task: static1
Behavioral task: behavioral1
Sample: Video fragment of the movie script.exe
Resource: win7-20240903-en
General
Target: Video fragment of the movie script.exe
Size: 86KB
MD5: 3bd79a1f6d2ea0fddea3f8914b2a6a0c
SHA1: 3ea3f44f81b3501e652b448a7dc33a8ee739772e
SHA256: 332e6806eff846a2e6d0dc04a70d3503855dabfa83e6ec27f37e2d9103e80e51
SHA512: 7bbb3f3af90443803f7689c973a64f894fb48bd744ab0c70af7dfa7c763354dc6f67a7fbb7053d38b0c6611b0aaa532e73eb2579c1445b8a31c573f8bf972a67
SSDEEP: 1536:EU5EG5XI/6POYy6SAi11XFDwYVyjThxXeZBHl+YMk8iVbNuissy:95EG5XI/SOOQyYVF9l+DkvVp6
Malware Config
Signatures
Detect Vidar Stealer (4 IoCs)
  resource | yara_rule
  behavioral2/memory/3056-16-0x0000000000C00000-0x0000000000E46000-memory.dmp | family_vidar_v7
  behavioral2/memory/3056-21-0x0000000000C00000-0x0000000000E46000-memory.dmp | family_vidar_v7
  behavioral2/memory/3056-23-0x0000000000C00000-0x0000000000E46000-memory.dmp | family_vidar_v7
  behavioral2/memory/3056-24-0x0000000000C00000-0x0000000000E46000-memory.dmp | family_vidar_v7
Vidar family
Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 2456 set thread context of 1448 | 2456 | Video fragment of the movie script.exe | 82
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  5072 | 3056 | WerFault.exe | 92
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Video fragment of the movie script.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid | Process
  2456 | Video fragment of the movie script.exe
  2456 | Video fragment of the movie script.exe
  1448 | cmd.exe
  1448 | cmd.exe
Suspicious behavior: MapViewOfSection (2 IoCs)
  pid | Process
  2456 | Video fragment of the movie script.exe
  1448 | cmd.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  description | pid | Process | procid_target
  PID 2456 wrote to memory of 1448 | 2456 | Video fragment of the movie script.exe | 82
  PID 2456 wrote to memory of 1448 | 2456 | Video fragment of the movie script.exe | 82
  PID 2456 wrote to memory of 1448 | 2456 | Video fragment of the movie script.exe | 82
  PID 2456 wrote to memory of 1448 | 2456 | Video fragment of the movie script.exe | 82
  PID 1448 wrote to memory of 3056 | 1448 | cmd.exe | 92
  PID 1448 wrote to memory of 3056 | 1448 | cmd.exe | 92
  PID 1448 wrote to memory of 3056 | 1448 | cmd.exe | 92
  PID 1448 wrote to memory of 3056 | 1448 | cmd.exe | 92
  PID 1448 wrote to memory of 3056 | 1448 | cmd.exe | 92
Processes
1. C:\Users\Admin\AppData\Local\Temp\Video fragment of the movie script.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Video fragment of the movie script.exe"
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
   PID: 2456
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\SysWOW64\cmd.exe
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      PID: 1448
      3. C:\Windows\SysWOW64\explorer.exe
         Command line: C:\Windows\SysWOW64\explorer.exe
         - System Location Discovery: System Language Discovery
         PID: 3056
         4. C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3056 -s 1716
            - Program crash
            PID: 5072
1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3056 -ip 3056
   PID: 2840
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 873KB
MD5: da48194b47b597251539d448b331e920
SHA1: f456a4719d77ce8cd58ac92e6f8e1c2d2dccc686
SHA256: 3adb1386c68ea11b6b281328ae4283ff28ff925dbd11587de7c43de5bc4e118d
SHA512: a3527bbe9596d66dfe17ae0b1fa7a59613c6ba9d5a5aa483434e8ebed884b8348a8188069f0b8291d4e813c47e7981cace73c334c1000ed7d022dc209a0fe5f3