Analysis

  • max time kernel
    148s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-12-2024 21:28

General

  • Target
    Unlock_App_v1.4.zip
  • Size
    48.5MB
  • MD5
    7738962779addcb18be893d7391c773f
  • SHA1
    52800ded6d35c8cd08d09275ec6063dc0907e271
  • SHA256
    4d4a01682b584c5b9602087b43b0b6bc06e5b1f137dd1207b94e42862877467d
  • SHA512
    c6c37df53bce0776680f957b0215bf2609129540ed2d0a9992da9558c0b7da75ecdcd6721dc928cd5f3a82af996d901d11824368dfc9a9689dc369142b677fbe
  • SSDEEP
    1572864:ieHpjJ0gJDfbz+jlxanXJTOkCNRa34d4r:ieD0gtWranXpgnfd6

Score
10/10

Malware Config

Signatures

  • Detect Vidar Stealer 6 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Vidar family
  • Executes dropped EXE 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Unlock_App_v1.4.zip"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1284
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2076
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
      1⤵
        PID:1664
      • C:\Program Files\7-Zip\7zG.exe
        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Unlock_App_v1.4\Unlock_App_v1.4\" -spe -an -ai#7zMap17276:120:7zEvent17043
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:2444
      • C:\Program Files\7-Zip\7zG.exe
        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\Unlock_App_v1.4\Unlock_App_v1.4\" -spe -an -ai#7zMap24237:120:7zEvent3091
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:3052
      • C:\Users\Admin\Desktop\Unlock_App_v1.4\Unlock_App_v1.4\Unlock_App_v1.4.exe
        "C:\Users\Admin\Desktop\Unlock_App_v1.4\Unlock_App_v1.4\Unlock_App_v1.4.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:400
        • C:\Users\Admin\Desktop\Unlock_App_v1.4\Unlock_App_v1.4\Unlock_App_v1.4.exe
          "C:\Users\Admin\Desktop\Unlock_App_v1.4\Unlock_App_v1.4\Unlock_App_v1.4.exe"
          2⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3144
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\Desktop\Unlock_App_v1.4\Unlock_App_v1.4\Unlock_App_v1.4.exe" & rd /s /q "C:\ProgramData\EKNYUKXBA1NY" & exit
            3⤵
              PID:388
              • C:\Windows\SysWOW64\timeout.exe
                timeout /t 10
                4⤵
                • Delays execution with timeout.exe
                PID:2728
        • C:\Users\Admin\Desktop\Unlock_App_v1.4\Unlock_App_v1.4\Unlock_App_v1.4.exe
          "C:\Users\Admin\Desktop\Unlock_App_v1.4\Unlock_App_v1.4\Unlock_App_v1.4.exe"
          1⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:4492
          • C:\Users\Admin\Desktop\Unlock_App_v1.4\Unlock_App_v1.4\Unlock_App_v1.4.exe
            "C:\Users\Admin\Desktop\Unlock_App_v1.4\Unlock_App_v1.4\Unlock_App_v1.4.exe"
            2⤵
            • Executes dropped EXE
            PID:3940
        • C:\Users\Admin\Desktop\Unlock_App_v1.4\Unlock_App_v1.4\Unlock_App_v1.4.exe
          "C:\Users\Admin\Desktop\Unlock_App_v1.4\Unlock_App_v1.4\Unlock_App_v1.4.exe"
          1⤵
            PID:5068
            • C:\Users\Admin\Desktop\Unlock_App_v1.4\Unlock_App_v1.4\Unlock_App_v1.4.exe
              "C:\Users\Admin\Desktop\Unlock_App_v1.4\Unlock_App_v1.4\Unlock_App_v1.4.exe"
              2⤵
                PID:3048

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\08D577AB24CA21CC95C1A1FA74411F48
    Filesize: 346B
    MD5: b63dd298b6021e71ac7c949c64a5de1a
    SHA1: a14bfe094f495d2bad685b85d1a6c682ae52f8ad
    SHA256: 1c2473ef6dcd94e367b489b681bf2b092813d45557a0e8d4434fccae60339b18
    SHA512: 9debb633d36ed5281cf61dcf44e3a98ae58450c666cec536d25379c28c9389003a71043372cde9d826c95297c73208fb89bba1828a12b93475cf86b0386505fa

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
    Filesize: 734B
    MD5: e192462f281446b5d1500d474fbacc4b
    SHA1: 5ed0044ac937193b78f9878ad7bac5c9ff7534ff
    SHA256: f1ba9f1b63c447682ebf9de956d0da2a027b1b779abef9522d347d3479139a60
    SHA512: cc69a761a4e8e1d4bf6585aa8e3e5a7dfed610f540a6d43a288ebb35b16e669874ed5d2b06756ee4f30854f6465c84ee423502fc5b67ee9e7758a2dab41b31d3

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\08D577AB24CA21CC95C1A1FA74411F48
    Filesize: 540B
    MD5: fc0b2bc2c7ab70d5e913eb01e0680c65
    SHA1: fdef608756aed0e14ea5e4307de8b813cfce7ec9
    SHA256: b8de865a0c7b74d79fac317b36ebaa780cba94b9b2162f1270a2fd0f4d4d70a1
    SHA512: 1b69d62947ee514bcf7014ba7c9584e4d7c95d628413b457686ffe66fe1b2a194f1f54a5384ca12f7264ce66b6a78843b5802a691267809e25c9065bf0ab4aa5

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
    Filesize: 192B
    MD5: d78d63a36712476de4fbeafab698e155
    SHA1: 1d7906ce74a33e606b9380a5d7f07113f4e63208
    SHA256: f7cec53d77faf8564e75e5cf1721d461334f9546f191cd7c5e3e5cc2e793eddd
    SHA512: f41a0da3b9867443ee2ae4a0af6e06573ef9f5dc4a9de0194c2fd5895b8a9b92907a7c4a807a3fef58848d7cfca92fa53b9f240e674af468ccee808c3d88233a

  • C:\Users\Admin\Desktop\Unlock_App_v1.4\Unlock_App_v1.4\Unlock_App_v1.4.exe
    Filesize: 415KB
    MD5: 7e9bd2ed9d343747ad76bfe816f8e21f
    SHA1: 9ad478a70e4a9ec06d2618f1b162b42d50f13fbb
    SHA256: e1a2030fb0045d4db5b8d8c39fe02dad71e0d07891e428ca684f1083e849cdaf
    SHA512: 48ef801bebed57bf36039464b505483416bafa3d776d84160eab6ec3b061345d9965c26546091e4dfadc433ebe45cc85a35cefb7367e0ce2c2aa7e36462ba434

  • C:\Users\Admin\Desktop\Unlock_App_v1.4\Unlock_App_v1.4\locales\resources\Data\level4.resS
    Filesize: 128KB
    MD5: 64d183ad524dfcd10a7c816fbca3333d
    SHA1: 5a180d5c1f42a0deaf475b7390755b3c0ecc951c
    SHA256: 5a666340f42f0f985772024d90a83d15c9a241a68d58205cd4afbb1a31f1621a
    SHA512: 3cab59dff09981f49d1070fba06a781439bb1ea2dae0cfcb937d9875bbe9e866be2c951cfc6a3ca4a92aea79dd3e9c4792a765f5a06f230a57dabcab2f0b3c1e

  • memory/3048-622-0x0000000000400000-0x0000000000639000-memory.dmp
    Filesize: 2.2MB

  • memory/3144-604-0x0000000000400000-0x0000000000639000-memory.dmp
    Filesize: 2.2MB

  • memory/3144-606-0x0000000000400000-0x0000000000639000-memory.dmp
    Filesize: 2.2MB

  • memory/3144-618-0x0000000000400000-0x0000000000639000-memory.dmp
    Filesize: 2.2MB

  • memory/3144-619-0x0000000000400000-0x0000000000639000-memory.dmp
    Filesize: 2.2MB

  • memory/3940-613-0x0000000000400000-0x0000000000639000-memory.dmp
    Filesize: 2.2MB