Analysis
max time kernel: 93s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-12-2024 08:36

Static task: static1

Behavioral task: behavioral1
  Sample: f5ad3ca6464635488824c3e5b6284ca263e7c6417ec854692d839a1c008d5e23.exe
  Resource: win7-20241023-en

Behavioral task: behavioral2
  Sample: f5ad3ca6464635488824c3e5b6284ca263e7c6417ec854692d839a1c008d5e23.exe
  Resource: win10v2004-20241007-en

General
Target: f5ad3ca6464635488824c3e5b6284ca263e7c6417ec854692d839a1c008d5e23.exe
Size: 878KB
MD5: c5f715f9eefa5e42fd10fc3b6e90953b
SHA1: 92ae82a3ce9799e2af542597f9edb94c4ef1d6c5
SHA256: f5ad3ca6464635488824c3e5b6284ca263e7c6417ec854692d839a1c008d5e23
SHA512: 1335f65b2019421b8fb1a706dba5dd33e3b2c43685d9b6f2bb8656c4097e1f7281358ad4d0ef87620fe2efa9ea5c00af10cba22e9c7a3c6f0049292518207175
SSDEEP: 24576:S3BBt7zXHyaroKgT3yniH3Vn/WsNGJ2S5mFZIb8jJ61IHic:Eo9CniHl+sNu54gUKK
Malware Config
Signatures
-
Detect Vidar Stealer 4 IoCs
resource | yara_rule
behavioral2/memory/3416-660-0x0000000004AE0000-0x0000000004D19000-memory.dmp | family_vidar_v7
behavioral2/memory/3416-659-0x0000000004AE0000-0x0000000004D19000-memory.dmp | family_vidar_v7
behavioral2/memory/3416-667-0x0000000004AE0000-0x0000000004D19000-memory.dmp | family_vidar_v7
behavioral2/memory/3416-668-0x0000000004AE0000-0x0000000004D19000-memory.dmp | family_vidar_v7
Vidar family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | Miniature.com
Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | f5ad3ca6464635488824c3e5b6284ca263e7c6417ec854692d839a1c008d5e23.exe
Executes dropped EXE 1 IoCs
pid | Process
3416 | Miniature.com
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steals credentials from unsecured files.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid | Process
3692 | tasklist.exe
216 | tasklist.exe
Drops file in Windows directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\DenseCrisis | f5ad3ca6464635488824c3e5b6284ca263e7c6417ec854692d839a1c008d5e23.exe
File opened for modification | C:\Windows\BwBroadcasting | f5ad3ca6464635488824c3e5b6284ca263e7c6417ec854692d839a1c008d5e23.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f5ad3ca6464635488824c3e5b6284ca263e7c6417ec854692d839a1c008d5e23.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tasklist.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | findstr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | choice.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Miniature.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | findstr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tasklist.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | findstr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Miniature.com
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | Miniature.com
Delays execution with timeout.exe 1 IoCs
pid Process 440 timeout.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid | Process
3416 | Miniature.com (14 events)
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3692 | tasklist.exe
Token: SeDebugPrivilege | 216 | tasklist.exe
Suspicious use of FindShellTrayWindow 3 IoCs
pid | Process
3416 | Miniature.com (3 events)
Suspicious use of SendNotifyMessage 3 IoCs
pid | Process
3416 | Miniature.com (3 events)
Suspicious use of WriteProcessMemory 36 IoCs
description | pid | Process | procid_target (each row recorded 3 times)
PID 1056 wrote to memory of 3620 | 1056 | f5ad3ca6464635488824c3e5b6284ca263e7c6417ec854692d839a1c008d5e23.exe | 83
PID 3620 wrote to memory of 3692 | 3620 | cmd.exe | 86
PID 3620 wrote to memory of 4756 | 3620 | cmd.exe | 87
PID 3620 wrote to memory of 216 | 3620 | cmd.exe | 90
PID 3620 wrote to memory of 224 | 3620 | cmd.exe | 91
PID 3620 wrote to memory of 3448 | 3620 | cmd.exe | 92
PID 3620 wrote to memory of 4808 | 3620 | cmd.exe | 95
PID 3620 wrote to memory of 1892 | 3620 | cmd.exe | 96
PID 3620 wrote to memory of 3416 | 3620 | cmd.exe | 97
PID 3620 wrote to memory of 2404 | 3620 | cmd.exe | 98
PID 3416 wrote to memory of 2532 | 3416 | Miniature.com | 110
PID 2532 wrote to memory of 440 | 2532 | cmd.exe | 112
Processes
1. C:\Users\Admin\AppData\Local\Temp\f5ad3ca6464635488824c3e5b6284ca263e7c6417ec854692d839a1c008d5e23.exe (PID 1056)
   cmdline: "C:\Users\Admin\AppData\Local\Temp\f5ad3ca6464635488824c3e5b6284ca263e7c6417ec854692d839a1c008d5e23.exe"
   - Checks computer location settings
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe (PID 3620)
      cmdline: "C:\Windows\System32\cmd.exe" /c copy Cotton Cotton.cmd & Cotton.cmd
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\tasklist.exe (PID 3692)
         cmdline: tasklist
         - Enumerates processes with tasklist
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Windows\SysWOW64\findstr.exe (PID 4756)
         cmdline: findstr /I "opssvc wrsa"
         - System Location Discovery: System Language Discovery

      3. C:\Windows\SysWOW64\tasklist.exe (PID 216)
         cmdline: tasklist
         - Enumerates processes with tasklist
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken

      3. C:\Windows\SysWOW64\findstr.exe (PID 224)
         cmdline: findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
         - System Location Discovery: System Language Discovery

      3. C:\Windows\SysWOW64\cmd.exe (PID 3448)
         cmdline: cmd /c md 325114
         - System Location Discovery: System Language Discovery

      3. C:\Windows\SysWOW64\findstr.exe (PID 4808)
         cmdline: findstr /V "Grocery" Pink
         - System Location Discovery: System Language Discovery

      3. C:\Windows\SysWOW64\cmd.exe (PID 1892)
         cmdline: cmd /c copy /b ..\Through + ..\Aspects + ..\Except + ..\Prevention d
         - System Location Discovery: System Language Discovery

      3. C:\Users\Admin\AppData\Local\Temp\325114\Miniature.com (PID 3416)
         cmdline: Miniature.com d
         - Checks computer location settings
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Checks processor information in registry
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of SendNotifyMessage
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\cmd.exe (PID 2532)
            cmdline: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\325114\Miniature.com" & rd /s /q "C:\ProgramData\NGDBS0R1N7QQ" & exit
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\SysWOW64\timeout.exe (PID 440)
               cmdline: timeout /t 10
               - System Location Discovery: System Language Discovery
               - Delays execution with timeout.exe

      3. C:\Windows\SysWOW64\choice.exe (PID 2404)
         cmdline: choice /d y /t 5
         - System Location Discovery: System Language Discovery
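The tree above records the loader's stages in order: the submitted executable starts cmd.exe, which copies a data file to Cotton.cmd and runs it; the batch script runs tasklist twice and greps the output with findstr for security-product process names, creates the working directory 325114, filters the lines containing "Grocery" out of the file Pink, reassembles a file with copy /b from the fragments Through, Aspects, Except and Prevention, executes the dropped Miniature.com from that directory, and finally a child cmd.exe waits ten seconds and deletes Miniature.com and a ProgramData directory. As an added example (not the sandbox's own code or output), the Python below turns those stages into detection rules and runs them over process-creation events constructed from this tree; the tuple layout (pid, ppid, image, cmdline), the stand-in file name sample.exe for the submitted executable, and the top-level parent PID 4000 are assumptions made for the example.

```python
"""Flag the batch-loader stages seen in the process tree above.

Added example, not part of the sandbox report or its tooling. The events
below are constructed from the tree on this page; the tuple layout
(pid, ppid, image, cmdline), the placeholder name sample.exe for the
submitted file and the parent PID 4000 are assumptions.
"""
import re
from collections import defaultdict

# Security-product process names the script greps tasklist output for,
# taken verbatim (lowercased) from the two findstr command lines above.
AV_TOKENS = {"opssvc", "wrsa", "avastui", "avgui", "bdservicehost",
             "nswscsvc", "ekrn", "sophoshealth"}

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
EVENTS = [  # constructed: (pid, ppid, image, cmdline)
    (1056, 4000, TEMP + r"\sample.exe", '"' + TEMP + r'\sample.exe"'),
    (3620, 1056, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\System32\cmd.exe" /c copy Cotton Cotton.cmd & Cotton.cmd'),
    (3692, 3620, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    (4756, 3620, r"C:\Windows\SysWOW64\findstr.exe", 'findstr /I "opssvc wrsa"'),
    (216, 3620, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    (224, 3620, r"C:\Windows\SysWOW64\findstr.exe",
     'findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"'),
    (3448, 3620, r"C:\Windows\SysWOW64\cmd.exe", "cmd /c md 325114"),
    (4808, 3620, r"C:\Windows\SysWOW64\findstr.exe", 'findstr /V "Grocery" Pink'),
    (1892, 3620, r"C:\Windows\SysWOW64\cmd.exe",
     r"cmd /c copy /b ..\Through + ..\Aspects + ..\Except + ..\Prevention d"),
    (3416, 3620, TEMP + r"\325114\Miniature.com", "Miniature.com d"),
    (2532, 3416, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "'
     + TEMP + r'\325114\Miniature.com" & rd /s /q "C:\ProgramData\NGDBS0R1N7QQ" & exit'),
    (440, 2532, r"C:\Windows\SysWOW64\timeout.exe", "timeout /t 10"),
    (2404, 3620, r"C:\Windows\SysWOW64\choice.exe", "choice /d y /t 5"),
]

QUOTED = re.compile(r'"([^"]*)"')
COPY_B = re.compile(r"copy\s+/b\s+\S+(?:\s*\+\s*\S+)+")


def findstr_tokens(cmdline):
    """Search words inside the quoted argument of a findstr command line
    (lowercased), or an empty set for anything that is not findstr."""
    if not cmdline.lower().startswith("findstr"):
        return set()
    m = QUOTED.search(cmdline)
    return set(m.group(1).lower().split()) if m else set()


def analyze(events):
    """Return {rule: [pid, ...]} for each loader stage that is present."""
    by_pid = {ev[0]: ev for ev in events}
    by_parent = defaultdict(list)
    for ev in events:
        by_parent[ev[1]].append(ev)

    hits = defaultdict(list)
    for pid, ppid, image, cmdline in events:
        low_cmd, low_img = cmdline.lower(), image.lower()
        siblings = by_parent[ppid]
        # Stage 1: tasklist output grepped for security-product process
        # names (findstr with AV tokens next to a tasklist under the same cmd).
        if findstr_tokens(cmdline) & AV_TOKENS and any(
                s[3].lower().startswith("tasklist") for s in siblings):
            hits["av_process_check"].append(pid)
        # Stage 2: payload reassembled from split fragments with copy /b.
        if COPY_B.search(low_cmd):
            hits["fragment_concat"].append(pid)
        # Stage 3: a dropped .com run from a %TEMP% subdirectory.
        if low_img.endswith(".com") and "\\appdata\\local\\temp\\" in low_img:
            hits["temp_com_exec"].append(pid)
        # Stage 4: a child cmd deletes its parent's own image after a timeout.
        parent = by_pid.get(ppid)
        if (parent and "timeout /t" in low_cmd and "del /f /q" in low_cmd
                and parent[2].lower() in low_cmd):
            hits["self_delete"].append(pid)
    return dict(hits)


def is_batch_loader(events, min_stages=3):
    """True when at least min_stages distinct stages fire on one tree."""
    return len(analyze(events)) >= min_stages


if __name__ == "__main__":
    for rule, pids in analyze(EVENTS).items():
        print(f"{rule:18s} {pids}")
    print("batch loader:", is_batch_loader(EVENTS))
```

The rules are keyed on what the tree actually shows (the findstr token lists, the copy /b join, a .com under %TEMP%, a del of the parent's own path) rather than on the random file names, which change per build; requiring three of the four stages on the same tree keeps a lone `copy /b` or `timeout` from paging anyone.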
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 925KB
MD5: 62d09f076e6e0240548c2f837536a46a
SHA1: 26bdbc63af8abae9a8fb6ec0913a307ef6614cf2
SHA256: 1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49
SHA512: 32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Filesize: 265KB
MD5: 7eaa8308bf78634e4835cdb7066a4894
SHA1: 4bfb519762acafaa7aa31cbeac648486cd7af6d9
SHA256: 5cd338ece8613718913ea47a354c8d24131531a50c9077f03a647022fa90c18e
SHA512: 7c0b161753d56791106351697ca5024eaaa35da7751da27e925ee74fbb268b21cba68c0f2b478a1bb22c52bdc7104a585a2b93f2721042da8a9f7be55ae3ce3a

Filesize: 80KB
MD5: 9fe2a2b5ac024292bf68a6e7f7400fda
SHA1: 9ca9e1409e99c73f3f3d8ef93cad8cba543cb68e
SHA256: e77c369dc6ef2beb7cc9849ad7b6eccad28487ad2ae68539a4d2c8482ccf59e0
SHA512: 0957d995c6d22c9caced4d4acba3c27778c940256eb9895b457f91cc48c7313c17bc0018dded526253d0839110ec9589e9cc073738ea76419e8768208d70f580

Filesize: 27KB
MD5: c4b092e0a5c2288ca415eef4cc2cb6a8
SHA1: f53ff9cb9f89fc6d4a8d0d8e6f66f51bfd8ebffc
SHA256: 4f6051de636c321c5b2ab1e5485ba9c4adf2d62585e37bd1d873e13d0e6099f7
SHA512: d64c675e2d26af84b5b9583f9be21facd826f2f6432266605f3fc9953a441d6fb37753275dadf6921163fb69667f2971bed44044375391d6527d93d1dd349328

Filesize: 137KB
MD5: 066b4d81397fca8067b90cf221f569a6
SHA1: 8ad2b0ccd4019e1dbbc9cd43c500f7bce218da52
SHA256: 2552fc325d401db16547e234161954304e20dd0dee708e7cf4164496f2a94a25
SHA512: 2f3fcd5a625df9c19848817823c3d7f6516f1c7ab71b8bb0d6fb1e75eaddf56318748bb0ed3f36e5839798cfa2967c85ff5ab983b93b07733e5d873eb40a289b

Filesize: 94KB
MD5: dbf98f4c6b30e7b26b8c82cae3d4aea7
SHA1: 24d908308072407fc60a770ecc207e078750056a
SHA256: 7529d80d2ec91b85984f38f11c932660c0b1d6da1cd101c610e6a9c223f870a7
SHA512: 83d01886d8860f569e19c79eade71c45c8ec1781901d64569038fccaf176f7bbdb2c273454a6d1941a0a39ccf0d4d6613280d7f91f799c0ab9ed6c579c8cf46e

Filesize: 81KB
MD5: 1ed3a8cf826f2fe26057e5a5560d55e9
SHA1: 9bb6b9318de929c606d499fd462b7985d1f3abde
SHA256: 9f327ee277a42c7b9f6f59359e2d9c15ecde9a1b8d94bfb33ec5341e8fe2172d
SHA512: 4099c891aaa686a3e209cc9b4cbd33a7c2b85b4533cca305b7e3dad4136b5f4ce9486a92f6afffc129d1cd4ecf2b05807260a4e944ca85bc21cacef4a46b270c

Filesize: 75KB
MD5: 83eb2efe20ffca5ad15451d411a87a8d
SHA1: 73a68411b137343e6e9e89507521f2cb7f8ab3e3
SHA256: 9983e7c4e2a85812a2290cf36202e28d48e7472cef8974065d86fbcef4e1d68d
SHA512: 048e0af2d6953533b27a2467f12ae1309d94914fb6f55d1f5ec0869196cf271e605d5e0e1d4fcb6d8891331ea036a266be426f943b9d4a8c7e0e8bd603f6210c

Filesize: 108KB
MD5: c7a2227bf20b4955a87f15fabf4c0e9b
SHA1: 4eab1fd9a1e5ac680d74ef619b4a19535ff4f6fb
SHA256: d9cecdc1f7fe97f8e7c7fe5a75791b90cf4762dd3562b64da585e6b93c602772
SHA512: 1eb7ef3731f2719c7e094df76c78e21d51da91b61969fe30b0589006f1fc0c2d068fb3fe069f232585788de7a8148bb611f2bc1d5abb1b54ca8eb1e3161aded6

Filesize: 140KB
MD5: d7c53d59bdbe13dbdc7530fbb4a36aad
SHA1: 0b83abb5b72cb337c698026df48e43ce0951ac9c
SHA256: 3f93a7cd187bbe380a2612c491ee0be70c2ec5b616a33380a9fa393d9c557fef
SHA512: 9b16d8d3c7ccb9ff99628e4ca8a3cef7bdeb9607038cec0fbe0284b4e07e968d7e23de27a48e522389b575648b4c5f5cf4606e756a11f976597eab1b1d05ae33

Filesize: 59KB
MD5: c7169a5e146748c2794cc7a1fdf398ef
SHA1: f53c8d146d9caf426b75add269494a6b889ebd6f
SHA256: 89bb730051174bb5cad7e412de93424f062a9db1bac5eff3314c72cba734464f
SHA512: 67292dd584995fcc25d4eee853b2d82cb695f0be1d515641a1bfec18535d09a4104abd793cea295e0462a905cf400472174c84e07fb03c08c7642134c35f2d40

Filesize: 113KB
MD5: 360aa1e66e6b54f55870a854c57d17de
SHA1: d1f4b1e951aeb774487983565f2eb7e1b320da49
SHA256: badd5b966d1888801a484deca56cb13f37dac381038ee7fefeadbeb91e0184d6
SHA512: 084ecb5bd4816dc2ccd906b60ea85e332a7c6f5012c865c9801a7bd32032d0effb4f847a7996c2c63e230bb16110844b78ae48d07376b5506fce6a0d1796e422

Filesize: 2KB
MD5: aba3cf6c366c78f24ca62c221c7cfe71
SHA1: 1a5ea559822f4c546c8e18699d91b433af459032
SHA256: b04a670272ca3de5d350f1d226a81096242838abcbb13e4d2d3b6b20fb08af46
SHA512: f34715da13ffbb57a04c598517fe5b0bb2241982f5c6fdee428f1811d3f97bb875b02ae07a3d4478a5023c3bfa60c040bce66ddbe04c2c2363b9407d722915fd

Filesize: 37KB
MD5: b96d763ea6110aa1d3c64359938b44f7
SHA1: 37d15b9a55c87f4c517fdfbadbd194188eb968da
SHA256: 5fe4a820a45fa2a264c6196d7abe33ba2b045fc38ee441eeca05d0ebe67f8ea4
SHA512: a01b0e6ef1e6899189783331a597f7dc8ee3a89c19520b6fbadd6a018e3fb5a2f13e6c4341d2543805879c1712aa59fd94ea2901df6a18547d5c1acbebdb4c8a

Filesize: 92KB
MD5: 1ca1ec5f52e0566a26a5b08a8289bc4e
SHA1: 452123cdaf3c15a33d2b79c2c4fa593cb06bde07
SHA256: f3abfe122d327bff9e86b7eec1b6458873e3e959cc3744471daad2b1cd6f89b9
SHA512: 9315113775ff4efe9c08e2845cf806cbe9f67db63051553bc7eefe71fc763615df955c2e7e9faaebf7f06f31b9c2c93408575dc460d0eb8bd46207e326c37f9b

Filesize: 55KB
MD5: ef6913c248ad6a006257f60c269d4da2
SHA1: cdb931970c1db6d902e8bdd1c1594382f8b9163d
SHA256: 819a2226edea2e77621a308cd7f914e934e95b174888c20ad6d651286368b7fe
SHA512: f9fca1ef5c7411c56dc6e495f18e404bbc1104af445baeddd3a8db0abf03b0337b72f2c3644aedc7d5293f9ad2d274db2a139cee7668d3d792d8d0991387c525

Filesize: 54KB
MD5: d926e95778eb9f36d2159d72fff165d1
SHA1: 06361baa26a36bfce0d2474e6f17d7764e2b82cf
SHA256: 088427cee6743e6e79165cdc27c83eb9be81de9e0d9d8c47bcf31e87a320488e
SHA512: 133202d73cd2b007ce243b66073a3a0393f7da479062c88572652e30d4488ab2ce4eb8a2ff4f697fae0cf6b60fd96004ee0ef2da02c5db8653765f1b373057b2

Filesize: 63KB
MD5: 5d1bd27cce0d4269efe798e0af842995
SHA1: b7415487a4f21361b39be2e9482e36ce8a7cded3
SHA256: 3309d29ad35af3fc0930fb1c33ed14b7dd7b6b9079faf2a241c87ef762d11ca4
SHA512: a98425819b20a89236dcbd2d72b59fa6d1dca79e40e20ceb0134dfb7afc021c04e92fb978bd6b70b373589b47f95a956bc975aa73d50bfd234da4d2b39012ebf