Analysis
-
max time kernel
148s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system -
submitted
17-12-2024 21:28
Static task
static1
Behavioral task
behavioral1
Sample
Unlock_App_v1.4.zip
Resource
win10v2004-20241007-en
Behavioral task
behavioral2
Sample
Password.txt
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Unlock_App_v1.4.rar
Resource
win10v2004-20241007-en
General
-
Target
Unlock_App_v1.4.zip
-
Size
48.5MB
-
MD5
7738962779addcb18be893d7391c773f
-
SHA1
52800ded6d35c8cd08d09275ec6063dc0907e271
-
SHA256
4d4a01682b584c5b9602087b43b0b6bc06e5b1f137dd1207b94e42862877467d
-
SHA512
c6c37df53bce0776680f957b0215bf2609129540ed2d0a9992da9558c0b7da75ecdcd6721dc928cd5f3a82af996d901d11824368dfc9a9689dc369142b677fbe
-
SSDEEP
1572864:ieHpjJ0gJDfbz+jlxanXJTOkCNRa34d4r:ieD0gtWranXpgnfd6
Malware Config
Signatures
-
Detect Vidar Stealer 6 IoCs
resource yara_rule
behavioral1/memory/3144-604-0x0000000000400000-0x0000000000639000-memory.dmp family_vidar_v7
behavioral1/memory/3144-606-0x0000000000400000-0x0000000000639000-memory.dmp family_vidar_v7
behavioral1/memory/3940-613-0x0000000000400000-0x0000000000639000-memory.dmp family_vidar_v7
behavioral1/memory/3144-618-0x0000000000400000-0x0000000000639000-memory.dmp family_vidar_v7
behavioral1/memory/3144-619-0x0000000000400000-0x0000000000639000-memory.dmp family_vidar_v7
behavioral1/memory/3048-622-0x0000000000400000-0x0000000000639000-memory.dmp family_vidar_v7
-
Vidar family
-
Executes dropped EXE 4 IoCs
pid Process
400 Unlock_App_v1.4.exe
3144 Unlock_App_v1.4.exe
4492 Unlock_App_v1.4.exe
3940 Unlock_App_v1.4.exe
-
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target
PID 400 set thread context of 3144 400 Unlock_App_v1.4.exe 122
PID 4492 set thread context of 3940 4492 Unlock_App_v1.4.exe 126
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Unlock_App_v1.4.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Unlock_App_v1.4.exe
-
Delays execution with timeout.exe 1 IoCs
pid Process
2728 timeout.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process
1284 7zFM.exe
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
description pid Process
Token: SeRestorePrivilege 1284 7zFM.exe
Token: 35 1284 7zFM.exe
Token: SeSecurityPrivilege 1284 7zFM.exe
Token: SeRestorePrivilege 2444 7zG.exe
Token: 35 2444 7zG.exe
Token: SeSecurityPrivilege 2444 7zG.exe
Token: SeSecurityPrivilege 2444 7zG.exe
Token: SeRestorePrivilege 3052 7zG.exe
Token: 35 3052 7zG.exe
Token: SeSecurityPrivilege 3052 7zG.exe
Token: SeSecurityPrivilege 3052 7zG.exe
-
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process
1284 7zFM.exe
1284 7zFM.exe
2444 7zG.exe
3052 7zG.exe
-
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target
PID 400 wrote to memory of 3144 400 Unlock_App_v1.4.exe 122
PID 400 wrote to memory of 3144 400 Unlock_App_v1.4.exe 122
PID 400 wrote to memory of 3144 400 Unlock_App_v1.4.exe 122
PID 400 wrote to memory of 3144 400 Unlock_App_v1.4.exe 122
PID 400 wrote to memory of 3144 400 Unlock_App_v1.4.exe 122
PID 400 wrote to memory of 3144 400 Unlock_App_v1.4.exe 122
PID 400 wrote to memory of 3144 400 Unlock_App_v1.4.exe 122
PID 400 wrote to memory of 3144 400 Unlock_App_v1.4.exe 122
PID 400 wrote to memory of 3144 400 Unlock_App_v1.4.exe 122
PID 400 wrote to memory of 3144 400 Unlock_App_v1.4.exe 122
PID 4492 wrote to memory of 3940 4492 Unlock_App_v1.4.exe 126
PID 4492 wrote to memory of 3940 4492 Unlock_App_v1.4.exe 126
PID 4492 wrote to memory of 3940 4492 Unlock_App_v1.4.exe 126
PID 4492 wrote to memory of 3940 4492 Unlock_App_v1.4.exe 126
PID 4492 wrote to memory of 3940 4492 Unlock_App_v1.4.exe 126
PID 4492 wrote to memory of 3940 4492 Unlock_App_v1.4.exe 126
PID 4492 wrote to memory of 3940 4492 Unlock_App_v1.4.exe 126
PID 4492 wrote to memory of 3940 4492 Unlock_App_v1.4.exe 126
PID 4492 wrote to memory of 3940 4492 Unlock_App_v1.4.exe 126
PID 4492 wrote to memory of 3940 4492 Unlock_App_v1.4.exe 126
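The SetThreadContext and WriteProcessMemory rows above describe the same parent-to-child pairs (400 to 3144, 4492 to 3940), and the child is a second copy of Unlock_App_v1.4.exe: a parent that writes into a freshly spawned copy of itself and then resets its thread context is the process hollowing sequence, and the Vidar YARA hits land in exactly those children. The script below is an added example, not part of this report or of any sandbox tooling; it parses the report's rows (copied inline as constructed input), correlates the two API signatures per parent/child pair, and then checks which YARA hit is explained by an injection and which is not. The 9001/9002 rows and the installer.exe/helper.exe names are an invented benign control.

```python
import re
from collections import defaultdict

# Constructed input, not part of the report: the SetThreadContext and
# WriteProcessMemory rows and the three distinct Vidar YARA hits from the
# Signatures section, one event per line. The 9001 -> 9002 row and the
# installer.exe/helper.exe names are an invented benign control.
API_EVENTS = """\
PID 400 set thread context of 3144 400 Unlock_App_v1.4.exe 122
PID 4492 set thread context of 3940 4492 Unlock_App_v1.4.exe 126
PID 400 wrote to memory of 3144 400 Unlock_App_v1.4.exe 122
PID 400 wrote to memory of 3144 400 Unlock_App_v1.4.exe 122
PID 4492 wrote to memory of 3940 4492 Unlock_App_v1.4.exe 126
PID 9001 wrote to memory of 9002 9001 installer.exe 50
"""

YARA_HITS = """\
behavioral1/memory/3144-604-0x0000000000400000-0x0000000000639000-memory.dmp family_vidar_v7
behavioral1/memory/3940-613-0x0000000000400000-0x0000000000639000-memory.dmp family_vidar_v7
behavioral1/memory/3048-622-0x0000000000400000-0x0000000000639000-memory.dmp family_vidar_v7
"""

# pid -> image name, taken from the Processes section; 9001/9002 are the control.
PROCESS_IMAGES = {
    400: "Unlock_App_v1.4.exe", 3144: "Unlock_App_v1.4.exe",
    4492: "Unlock_App_v1.4.exe", 3940: "Unlock_App_v1.4.exe",
    5068: "Unlock_App_v1.4.exe", 3048: "Unlock_App_v1.4.exe",
    9001: "installer.exe", 9002: "helper.exe",
}

API_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) \d+ (?P<src_image>\S+) (?P<target_id>\d+)$"
)
YARA_RE = re.compile(
    r"^behavioral\d+/memory/(?P<pid>\d+)-\d+-(?P<start>0x[0-9a-fA-F]+)-"
    r"(?P<end>0x[0-9a-fA-F]+)-memory\.dmp (?P<rule>\S+)$"
)


def parse_api_events(text):
    """Turn the flattened sandbox rows into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = API_RE.match(line.strip())
        if m:
            events.append({"src": int(m["src"]), "dst": int(m["dst"]),
                           "op": m["op"], "src_image": m["src_image"]})
    return events


def parse_yara_hits(text):
    """Parse the memory-dump YARA rows into pid, region bounds and rule name."""
    hits = []
    for line in text.splitlines():
        m = YARA_RE.match(line.strip())
        if m:
            hits.append({"pid": int(m["pid"]), "start": int(m["start"], 16),
                         "end": int(m["end"], 16), "rule": m["rule"]})
    return hits


def find_hollowing(events, images):
    """A parent that both writes into a child and resets its thread context is the
    hollowing sequence; a child running the parent's own image is the self-copy variant."""
    pairs = defaultdict(lambda: {"ops": set(), "writes": 0})
    for e in events:
        info = pairs[(e["src"], e["dst"])]
        info["ops"].add(e["op"])
        if e["op"] == "wrote to memory of":
            info["writes"] += 1
    findings = []
    for (src, dst), info in sorted(pairs.items()):
        if {"set thread context of", "wrote to memory of"} <= info["ops"]:
            same = images.get(src) == images.get(dst)
            findings.append({"parent": src, "child": dst, "writes": info["writes"],
                             "verdict": "hollowing_self_copy" if same else "hollowing_cross_image"})
    return findings


def correlate_yara(findings, hits):
    """Tie each family hit to the injecting parent, or leave it unexplained so the
    analyst sees that the process was not covered by an API-level signature."""
    injected = {f["child"]: f["parent"] for f in findings}
    return [{"pid": h["pid"], "rule": h["rule"], "region_size": h["end"] - h["start"],
             "explained_by": injected.get(h["pid"])} for h in hits]


if __name__ == "__main__":
    found = find_hollowing(parse_api_events(API_EVENTS), PROCESS_IMAGES)
    for f in found:
        print(f)
    for c in correlate_yara(found, parse_yara_hits(YARA_HITS)):
        print(c)
```

Run against the report's rows, the two hollowing pairs come out as self-copy injections and the hit in PID 3048 is left unexplained: its parent, PID 5068, has no SetThreadContext or WriteProcessMemory rows in this report even though the same Vidar region (0x239000 bytes at 0x400000) was found in it, which is the kind of gap worth checking in the raw API log rather than trusting the signature list alone.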
Processes
-
Image: C:\Program Files\7-Zip\7zFM.exe
Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Unlock_App_v1.4.zip"
Depth: 1
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1284
-
Image: C:\Windows\System32\rundll32.exe
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Depth: 1
PID:2076
-
Image: C:\Windows\system32\svchost.exe
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
Depth: 1
PID:1664
-
Image: C:\Program Files\7-Zip\7zG.exe
Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Unlock_App_v1.4\Unlock_App_v1.4\" -spe -an -ai#7zMap17276:120:7zEvent17043
Depth: 1
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2444
-
Image: C:\Program Files\7-Zip\7zG.exe
Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Unlock_App_v1.4\Unlock_App_v1.4\" -spe -an -ai#7zMap24237:120:7zEvent3091
Depth: 1
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3052
-
Image: C:\Users\Admin\Desktop\Unlock_App_v1.4\Unlock_App_v1.4\Unlock_App_v1.4.exe
Command line: "C:\Users\Admin\Desktop\Unlock_App_v1.4\Unlock_App_v1.4\Unlock_App_v1.4.exe"
Depth: 1
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:400 -
Image: C:\Users\Admin\Desktop\Unlock_App_v1.4\Unlock_App_v1.4\Unlock_App_v1.4.exe
Command line: "C:\Users\Admin\Desktop\Unlock_App_v1.4\Unlock_App_v1.4\Unlock_App_v1.4.exe"
Depth: 2
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3144 -
Image: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\Desktop\Unlock_App_v1.4\Unlock_App_v1.4\Unlock_App_v1.4.exe" & rd /s /q "C:\ProgramData\EKNYUKXBA1NY" & exit
Depth: 3
PID:388
-
Image: C:\Windows\SysWOW64\timeout.exe
Command line: timeout /t 10
Depth: 4
- Delays execution with timeout.exe
PID:2728
Image: C:\Users\Admin\Desktop\Unlock_App_v1.4\Unlock_App_v1.4\Unlock_App_v1.4.exe
Command line: "C:\Users\Admin\Desktop\Unlock_App_v1.4\Unlock_App_v1.4\Unlock_App_v1.4.exe"
Depth: 1
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4492 -
Image: C:\Users\Admin\Desktop\Unlock_App_v1.4\Unlock_App_v1.4\Unlock_App_v1.4.exe
Command line: "C:\Users\Admin\Desktop\Unlock_App_v1.4\Unlock_App_v1.4\Unlock_App_v1.4.exe"
Depth: 2
- Executes dropped EXE
PID:3940
Image: C:\Users\Admin\Desktop\Unlock_App_v1.4\Unlock_App_v1.4\Unlock_App_v1.4.exe
Command line: "C:\Users\Admin\Desktop\Unlock_App_v1.4\Unlock_App_v1.4\Unlock_App_v1.4.exe"
Depth: 1
PID:5068
-
Image: C:\Users\Admin\Desktop\Unlock_App_v1.4\Unlock_App_v1.4\Unlock_App_v1.4.exe
Command line: "C:\Users\Admin\Desktop\Unlock_App_v1.4\Unlock_App_v1.4\Unlock_App_v1.4.exe"
Depth: 2
PID:3048
-
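The cmd.exe child of PID 3144 (PID 388 above) is the stealer's cleanup: wait ten seconds so the parent can exit, delete the binary that spawned the chain, remove the working directory under C:\ProgramData, and exit. The parser below is an added example, not part of this report or of any sandbox product; it splits a cmd.exe command line on the chain operators, recovers the delay, the deleted files and the removed directories, and flags the line as a delayed self-delete when a deleted path equals the image of the process that launched the shell. The report's command line and parent image are embedded as constructed input; the ping -n handling and the build.log/drop.exe control lines are assumptions that go beyond what the report shows.

```python
import re

# Constructed input, not part of the report: the cmd.exe command line spawned by
# PID 3144 (PID 388 in the process tree) and the image path of the process that spawned it.
REPORT_CMDLINE = (
    r'"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q '
    r'"C:\Users\Admin\Desktop\Unlock_App_v1.4\Unlock_App_v1.4\Unlock_App_v1.4.exe" '
    r'& rd /s /q "C:\ProgramData\EKNYUKXBA1NY" & exit'
)
PARENT_IMAGE = r"C:\Users\Admin\Desktop\Unlock_App_v1.4\Unlock_App_v1.4\Unlock_App_v1.4.exe"


def split_cmd_chain(cmdline):
    """Split a cmd.exe line on &, &&, | and || that sit outside double quotes."""
    parts, cur, in_quotes, i = [], [], False, 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == '"':
            in_quotes = not in_quotes
            cur.append(c)
        elif not in_quotes and c in "&|":
            parts.append("".join(cur).strip())
            cur = []
            if i + 1 < len(cmdline) and cmdline[i + 1] == c:  # && or ||
                i += 1
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur).strip())
    return [p for p in parts if p]


def tokens(segment):
    """Tokenise one segment, keeping quoted paths (which contain spaces) intact."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', segment)]


def _int_after(low, flag):
    """Integer that follows a switch such as /t or -n, or 0 if absent or malformed."""
    if flag in low and low.index(flag) + 1 < len(low) and low[low.index(flag) + 1].isdigit():
        return int(low[low.index(flag) + 1])
    return 0


def classify_cleanup(cmdline, parent_image):
    """Return the delay, deleted files and removed directories in a cmd chain and
    decide whether it is a delayed self-delete of the spawning binary."""
    result = {"delay_seconds": 0, "deleted": [], "removed_dirs": []}
    for segment in split_cmd_chain(cmdline):
        toks = tokens(segment)
        low = [t.lower() for t in toks]
        if low and low[0].endswith("cmd.exe"):  # drop the interpreter and its /c or /k
            toks, low = toks[1:], low[1:]
            if low and low[0] in ("/c", "/k"):
                toks, low = toks[1:], low[1:]
        if not low:
            continue
        verb = low[0][:-4] if low[0].endswith(".exe") else low[0]
        args = [t for t in toks[1:] if not t.startswith("/")]  # drop switches such as /f /q /s
        if verb == "timeout":
            result["delay_seconds"] += _int_after(low, "/t")
        elif verb == "ping":  # assumption: ping -n N is the usual sleep stand-in, about N-1 seconds
            result["delay_seconds"] += max(_int_after(low, "-n") - 1, 0)
        elif verb in ("del", "erase"):
            result["deleted"].extend(args)
        elif verb in ("rd", "rmdir"):
            result["removed_dirs"].extend(args)
    result["deletes_parent"] = any(p.lower() == parent_image.lower() for p in result["deleted"])
    if result["deletes_parent"] and result["delay_seconds"] > 0:
        result["verdict"] = "delayed_self_delete"
    elif result["deleted"] or result["removed_dirs"]:
        result["verdict"] = "cleanup"
    else:
        result["verdict"] = "benign"
    return result


if __name__ == "__main__":
    print(classify_cleanup(REPORT_CMDLINE, PARENT_IMAGE))
```

The parent-image comparison is what separates this from ordinary cleanup scripts: a build job that deletes a log file produces the same del verb, so the detection keys on the deleted path being the spawning process's own executable, with a delay primitive in front of it. In a process-creation log (Sysmon Event ID 1, for example) the parent image is available directly, so the same function can be applied per event.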
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
346B
MD5
b63dd298b6021e71ac7c949c64a5de1a
SHA1
a14bfe094f495d2bad685b85d1a6c682ae52f8ad
SHA256
1c2473ef6dcd94e367b489b681bf2b092813d45557a0e8d4434fccae60339b18
SHA512
9debb633d36ed5281cf61dcf44e3a98ae58450c666cec536d25379c28c9389003a71043372cde9d826c95297c73208fb89bba1828a12b93475cf86b0386505fa
-
Filesize
734B
MD5
e192462f281446b5d1500d474fbacc4b
SHA1
5ed0044ac937193b78f9878ad7bac5c9ff7534ff
SHA256
f1ba9f1b63c447682ebf9de956d0da2a027b1b779abef9522d347d3479139a60
SHA512
cc69a761a4e8e1d4bf6585aa8e3e5a7dfed610f540a6d43a288ebb35b16e669874ed5d2b06756ee4f30854f6465c84ee423502fc5b67ee9e7758a2dab41b31d3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\08D577AB24CA21CC95C1A1FA74411F48
Filesize
540B
MD5
fc0b2bc2c7ab70d5e913eb01e0680c65
SHA1
fdef608756aed0e14ea5e4307de8b813cfce7ec9
SHA256
b8de865a0c7b74d79fac317b36ebaa780cba94b9b2162f1270a2fd0f4d4d70a1
SHA512
1b69d62947ee514bcf7014ba7c9584e4d7c95d628413b457686ffe66fe1b2a194f1f54a5384ca12f7264ce66b6a78843b5802a691267809e25c9065bf0ab4aa5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize
192B
MD5
d78d63a36712476de4fbeafab698e155
SHA1
1d7906ce74a33e606b9380a5d7f07113f4e63208
SHA256
f7cec53d77faf8564e75e5cf1721d461334f9546f191cd7c5e3e5cc2e793eddd
SHA512
f41a0da3b9867443ee2ae4a0af6e06573ef9f5dc4a9de0194c2fd5895b8a9b92907a7c4a807a3fef58848d7cfca92fa53b9f240e674af468ccee808c3d88233a
-
Filesize
415KB
MD5
7e9bd2ed9d343747ad76bfe816f8e21f
SHA1
9ad478a70e4a9ec06d2618f1b162b42d50f13fbb
SHA256
e1a2030fb0045d4db5b8d8c39fe02dad71e0d07891e428ca684f1083e849cdaf
SHA512
48ef801bebed57bf36039464b505483416bafa3d776d84160eab6ec3b061345d9965c26546091e4dfadc433ebe45cc85a35cefb7367e0ce2c2aa7e36462ba434
-
Filesize
128KB
MD5
64d183ad524dfcd10a7c816fbca3333d
SHA1
5a180d5c1f42a0deaf475b7390755b3c0ecc951c
SHA256
5a666340f42f0f985772024d90a83d15c9a241a68d58205cd4afbb1a31f1621a
SHA512
3cab59dff09981f49d1070fba06a781439bb1ea2dae0cfcb937d9875bbe9e866be2c951cfc6a3ca4a92aea79dd3e9c4792a765f5a06f230a57dabcab2f0b3c1e