Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
22-12-2024 21:26
General
-
Target
trigger.ps1
-
Size
1021B
-
MD5
6ef2f9449166c05acc12dbfcceaeb206
-
SHA1
400ccd98d4cf1a1384421ce863aa1de9d7ae371c
-
SHA256
33b832ed5ea4802a7dd24baf59f5b1380e2ce20b2739cca89b6f2f0e1c6f9da3
-
SHA512
f843aaf898a8e3b59f61dd06f1b397c77a97417502f1a0a312a77568592ed397011dad1e95ec50f6c55099d352d02d472c91b701e2c8793c05a2d9f25a589b53
Malware Config
Signatures
-
Detect Vidar Stealer 4 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar family
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Drops file in Windows directory 6 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of WriteProcessMemory 43 IoCs
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\trigger.ps11⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0g5va0km\0g5va0km.cmdline"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8676.tmp" "c:\Users\Admin\AppData\Local\Temp\0g5va0km\CSC71A21E7244BE49C1A6BD95BFEA29D187.TMP"3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\eklzgxbq.wdm.exe"C:\Users\Admin\AppData\Local\Temp\eklzgxbq.wdm.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c move Earning Earning.cmd & Earning.cmd3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 1393084⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "Frame" Ron4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Brochure + ..\Divine + ..\Surgery + ..\Posting j4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\139308\Procedures.comProcedures.com j4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\139308\Procedures.com" & rd /s /q "C:\ProgramData\8GDTRQIMYUSR" & exit5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 106⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 54⤵
- System Location Discovery: System Language Discovery
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD506008ca06137907a20550c5628ea68d3
SHA16b07c31946be0b5567d32b309d433ad00607b93f
SHA256e8ab64994c8c0660ed6cf7035226cb1f2f5ed2f5912d59cc805895be765a06e7
SHA5121739eb88f635e6898ea6773d69308bd7b3022e6a325bac8acc85176e6a5b1592fda19c7b0a7412bf06bcd51e6b0a5938de8a22ec6c0ceced628eb0ba5b79ae02
-
Filesize
925KB
MD562d09f076e6e0240548c2f837536a46a
SHA126bdbc63af8abae9a8fb6ec0913a307ef6614cf2
SHA2561300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49
SHA51232de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f
-
Filesize
267KB
MD5ee15ad7483051c844b95dd14cb16b4ca
SHA13e0e0db838b650d6f1302aa4cb6f3b7cc736ebde
SHA256aa221b76b3c00adfb49bed18cdf4095a304a4fb468eafd590f347552f37799bf
SHA512a6bca037dd588b0522dc5a2a9e04c91cb68fc9122715964baf8e483fddc683acd921b7dc3f293c5bbf920d01f38cf9269e4ebe9f807f6982853e2ef16df7b40e
-
Filesize
93KB
MD56c1aee29bd7f5710593402d1c6fc2142
SHA11cc5943734cc2fc1d7bbc488e97f821239a3e3b9
SHA256b869f6b200abff5542721f7ccdc87bb01cdbc31102956dcaa7e46c552d5b982e
SHA5122561bec7c1391347d7bde38c344a98ecd64764733f6b39ec702a96ad9cd9b140795dfebab9b944db7ccdf08b6dc63c58665f6263e7d546e8ae336f36ee43a46a
-
Filesize
53KB
MD503a413e3c0f468a8daff75c079a6e00e
SHA19ff241ce3b86aa1aac24f308c92c723b267a3a7f
SHA25628ef2ef007a8f2fa7648edd51c6fbbeeb98725f5d6450900a4735ad228a3903f
SHA5120486e660afe95510b4398a7d099eb20bac1487925e8042acb7495ffdb760b635c49f8af781f3e0dd2531198af35260d14b00f109a41ce21aa92f5b186f12c47d
-
Filesize
102KB
MD5130cd154679f29a6f3cad6e427478683
SHA16f5696ed43c2220b49405c4fd58abec781e14508
SHA2569384137a3d8cc870b9d283225a60759fece3d27cf3162e36f506480bce06e51d
SHA512ba3780d03de2eab88d16d319167f7a9a74eb1bfa1ba4e9181e582c0b9c715a8c5e3183f709e79326839a9d5650ca72d849b0f0ed1f213c504f75d350513e5f7a
-
Filesize
80KB
MD5ff2ce214d200d352c7d04800b152bc2e
SHA1988ef81e6a0f7571b52686341931162430ba6261
SHA256311655e9c9bf8035f60d9e762c3c95d264232bfd96855e793402a5b5f4d5a13a
SHA5129cb2a6ab541eb7bc96b7e4b15da21456eeeda8d9c8ab01bd84c794d46c632f0d2aaca480516f8d0a527afb253ae196e7b5b54338bbf07f5145b912a4a6c3dfcd
-
Filesize
123KB
MD5208acef2dfc4e230b25b4b4a0673ffe1
SHA18d09b32a1be8ebe1f8695653aa50c1fed4ab20c5
SHA256152d7ccb9a28b79d9c29077330ed61c34bad168c4b0bacbe16907d90a2046a65
SHA5120dc461b583727b831bbd51a5b1822fe160caae07a46313f17d2957056d623c8ca103b3a47278c42f0ede5c148d3717e065f6bb3ccfeb5e151272dab91e0fbae1
-
Filesize
13KB
MD51b6aca105b86401bf6a8206ab2ed2604
SHA14ec6822b90eeac4ed23b1b199b6c1ac235601ada
SHA2561c68da14f6314db369b3a2a9e1bc2023f2e16f34b21d1f4c239511495473b183
SHA512a163ad3005a74ada8480f4ce6aeee1692a487ffc4266530ab2f14f7f5b3b1cdad0e26f2fee895b0f16c0a9b42c08f2608af3d8ad41e84a914b9e7aab48177b07
-
Filesize
70KB
MD5ba176db7e9de7450c412a1c571937169
SHA101718d40f54e5340e876e0c8cd15bc4b9c3cff11
SHA2561929af35c1cca40411bbf3c6bc4ff1416fa4971d2eab01e4b3ca9d82bc78fd50
SHA512d572131b71c8f652abfc0f2dc9adec3045f21c3d14466579a9b9c9eeacbd1b492bf64225f34be336799519fda43650d004d3abec29f861e460472fb0815ffd3b
-
Filesize
107KB
MD5ebafafe47265312cc96968bb58945199
SHA14628bb988c420cceac163e069a082987a2a508e4
SHA2569c0ce1e70af52572d22685f85e9f2d75eb9d4c1ce8e82ea71c4a644b9e0927ba
SHA51248827473e4259133ae2e759287770592b08b30349cb855fe67620e170efdd9566ffae1fb96ec6c2b1bb1c7fa9257566661c7e208a81cce4daf9b78e3d44f96a6
-
Filesize
55KB
MD504915e6efc00606817e44b785e0fc040
SHA1972c805fd5532bd87f0f754f39026fe975f82596
SHA256176cdbdb7708ce1f761af3eb1f33b66627b52d6c48be213c6596dbce68731f3a
SHA512411df77612fe79c83bfc826f7a922dde6cadc316a8084e4e63fcd4c191f165526f8f1f7ba973849cd8637a7224dafcf81c613519b5ce24b0d44695c3a3b300d4
-
Filesize
97KB
MD5f87e02324242f1ca95fedba37caa7f29
SHA10490816c97722e9d4da97985e67a7be8e2e4eb7a
SHA2566d089a79d61945744fdd931c131068b2e2acca8721df0d26d9d797957d88b0e0
SHA512dff322f1d33aefefaf00e1eb26d90b90a031820b97e5c6d90fe90259542ac2b75ff6a3e09f585b855dd2ae012760e3963aef35294b254e2560225cdb6617e06c
-
Filesize
69KB
MD5d1da746c6f362a9f5f7f1c85881d10db
SHA1bbc4e7309bb49662a7a6db1f783821b98c68c259
SHA2560ddd6ab68693cdea2f6b39fbb12328e3d41cc39dc4b9f40b7810149872caef20
SHA5120331c3e4f496e125ef6b0a2a84547dc172302ff75e137e83dc10ce9161afe3a64883bc6665560cc40620d07f18ce163b2bcfc68b3e3176af99f1804acf88f2da
-
Filesize
128KB
MD59c30e32ffce2aa493ef4238a2ba1fdaf
SHA1282d80b3d0481bd1facad68ee6ae344e4001122b
SHA25655e244354b1483fc405522d97ede1c752c6b8f288a17d4ff32cb410c6ed48404
SHA5128b17c56aab1eb5ac2aafac6f7c92cb9afc76daf409574c34ccb7c0d027e6705cd62510db35dfe1aab60da96130d4b94de9450ba92911323042cde548b596e2b9
-
Filesize
34KB
MD594a5a552efe142146e3a98adebc6002f
SHA1018fd52a873deaf40d37ce5894c30492f90fad9d
SHA2562028cd9387ac54bbd6929857fc52d994531d7e2d05ab7d1ab5dd35b06ee44d52
SHA51252076d5003172b51e35c9d2fe85d65d3b18e377f6dcd0eb47dd4a91cd44ceb1bc187ceca84dce32fb39676a247da3c280e57b6f3e1e40fe21dafa37c3ccb605d
-
Filesize
1KB
MD5d122ada7738a1f3c58af5ecba9bae27f
SHA1671c2f86bc58a7f6cc3a0ebcfb52729c4bc87ccd
SHA256d577dc32e7dc178f58e2a79204fcc73f042c332328ff22aa56fd7c6c9b4e8a5b
SHA512a00180d6a3feef68cf68009f729d46d1baee25df35286af285264ac59a6759235e3eb8e727f58371ffc48ab4901398a048d18e55fba2501dbc6cb39ebd4ac41f
-
Filesize
2KB
MD53072f9007a0ec1d4f38505c4053581f4
SHA1c6b7fafc0fff4e0bd8e11281fa2871edffb6e60b
SHA2560a48e97f5221173353bc56e28ba0bfe5d9037dc71dd0df6b0647e6b8c7d104bc
SHA5124c9260fa5027f13df6e563ffc8d8a639c0ae05a41a3e72968c802cfa9f4f00ed6c314764851b83309944dca2ce8917e678f9cd6e122eb239248fa89da2c2fddd
-
Filesize
60KB
MD59d729fa7dcc31dd7e20873436d29fde4
SHA106ad28e52c9f7e09d0fd264c42a03c779aaaaa03
SHA25664263c0ce8db87f1ccea789d3fd14abbc170e2f787e2ff5eda987bd53101233b
SHA512a652af0baecc03b2cf5d8098a59cf55da35111c8b70a8b5788fd7d005d4ab612bf43c81ab7d10ff3898a917a00948c4700cff93d7e72227ba6583c9118c7b69a
-
Filesize
118KB
MD5e88a09fd9d9939bb263a692f5c2ac5bf
SHA150afe54c82c2754a011b6002fc42060686e22055
SHA256b896ca8a3f7d9ef0d96b8193bfa66edbae86bba71ae05123e50bfe858cd02f66
SHA512089f5f5406df18921865c385f52c3bf3750f6e0b479b47b3e4b7be68362ea0af963002221bd872c890f058896d8cd2c71b6a89e14047c6928aef5271e3fed4c2
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.1MB
MD51b31c291993985499cf544cc549e9028
SHA1068d213d11e48f8dda5d90a96512b8101f29ad9e
SHA256f8615202ee1e9ccb7509f98c643b7bd6e01e439c57b78fd547cf96fd27ec5a47
SHA512e60267556172f46e5d59a44bd60edc2639b6b26282ebb5615099bbd0cb2a3d7429b66fda1a7d02fb17f00c898fe3d289b7adcf73d51f139f3d87cd7e34388302
-
Filesize
648B
MD58539b6708ddc98df3a1cd74954dc89bd
SHA1a69c850c26e8ecd62a3dc997164d4c92617fa40d
SHA2560b0d3909c6bdbccc83f6206dd9e50cb8fcfa9cbdc250ac5d926cd0f8698adc3d
SHA512c7d9a203876b75dba73305732026b0d0c6bc699870731a8a67066c1ec068cc6b05a5b3ab64384005f1dcf81fd0a5d5713a30885a56016126258db76d9a2f5afa
-
Filesize
369B
MD5195732dd3bd42b536bd70f6da4eb22d1
SHA138ddc4025e591c13e5e6cb510c75b0f4f812395c
SHA2569705aa8a8861e9006fc3fdf673ccda4409d06162aac39ec1112da1af96e1acea
SHA512a3cceed130284d39105ce4996b4a8205f68fc3998fa057c809d5c9b1ddb4a36287b5a3731f74a1c0a832dc3bfd025305da79d8f056a7919ea39f0391021d8d1d
-
Filesize
652B
MD5b6964100be0840a566b95daa7822853d
SHA19902b0103f23b5ea429d3e52cec76c64853e885a
SHA256bf3a061db903554dbc37547b8d081e23f2986183a8912e360afdf28b6fcc0652
SHA512a7c15abc113e6e3f1b6e1c44f7d7a826a59da90334379e82dbbff57010bf0d3d6fbb6b0585fab5a931acc3054b4c4ee9ee66a973d20fc5552fb0828deffa0d2a
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
32KB
-
Filesize
10.8MB
-
Filesize
1.8MB
-
Filesize
10.8MB
-
Filesize
320KB
-
Filesize
712KB