Analysis

  • max time kernel
    94s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    23-12-2024 02:26

General

  • Target

    f144e645673a830c564b7d50b6b1660767a488059874b2a60a47b8d098bcfc78.exe

  • Size

    1.1MB

  • MD5

    7bc8c8c16081e8d9cebcce0d93bc5f8d

  • SHA1

    948d3349e7fc284fe648098d85ba7341258847f3

  • SHA256

    f144e645673a830c564b7d50b6b1660767a488059874b2a60a47b8d098bcfc78

  • SHA512

    2a5fc41f2d958cb52466808ee664cef9f559c972bf029424a3936e1391c94213f38d18779297473cdd09bf90f83d5fa53ed05a8fca3e3b5e56e3d8cfe3608379

  • SSDEEP

    24576:znylYik3Jygua29LaP9r4ASTVSpe/E+oo+9c1K:7ylYi4wguaguVLyoEN+9c1K

Malware Config

Signatures

  • Detect Vidar Stealer 4 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Vidar family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steals credentials from unsecured files.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f144e645673a830c564b7d50b6b1660767a488059874b2a60a47b8d098bcfc78.exe
    "C:\Users\Admin\AppData\Local\Temp\f144e645673a830c564b7d50b6b1660767a488059874b2a60a47b8d098bcfc78.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4456
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c move Jam Jam.cmd & Jam.cmd
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2928
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4012
      • C:\Windows\SysWOW64\findstr.exe
        findstr /I "opssvc wrsa"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1564
      • C:\Windows\SysWOW64\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3340
      • C:\Windows\SysWOW64\findstr.exe
        findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3660
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c md 523266
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3172
      • C:\Windows\SysWOW64\findstr.exe
        findstr /V "landing" Ca
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5032
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c copy /b ..\Existing + ..\Lower + ..\Wants + ..\Elvis + ..\Distribution x
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4876
      • C:\Users\Admin\AppData\Local\Temp\523266\Relationship.com
        Relationship.com x
        3⤵
        • Checks computer location settings
        • Deletes itself
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:5028
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\523266\Relationship.com" & rd /s /q "C:\ProgramData\YUS2NOH47GV3" & exit
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5104
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 10
            5⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:4172
      • C:\Windows\SysWOW64\choice.exe
        choice /d y /t 5
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2424
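The tree above is a typical batch-dropper chain. The sample renames the extensionless drop `Jam` to `Jam.cmd` and runs it; the batch file runs `tasklist` twice and filters the output with `findstr` for security-product process names, creates a numbered working directory, filters `Ca` with `findstr /V`, rebuilds a payload (`x`) from five extensionless chunks with `copy /b`, and launches the dropped `Relationship.com` with `x` as its argument. `Relationship.com` then spawns a `cmd.exe` that waits with `timeout` before deleting it and a directory under `C:\ProgramData`, and `choice /d y /t 5` is the batch script's own sleep. The script below is an added example written for this page, not tooling from the sandbox or from the report: it encodes those behaviours as detection rules and runs them over process-creation records constructed from the tree. The `ProcEvent` field names and the parent PIDs are assumptions, since the report shows nesting rather than explicit parent IDs.

```python
import re
from dataclasses import dataclass

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SYS = r"C:\Windows\SysWOW64"


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record. The field names are an assumption for
    this example, not the schema of the sandbox or of any EDR."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the process tree in the report: PIDs, images and command
# lines as shown there; ppid taken from the tree's nesting (0 = not shown).
EVENTS = [
    ProcEvent(4456, 0,
              TEMP + r"\f144e645673a830c564b7d50b6b1660767a488059874b2a60a47b8d098bcfc78.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\f144e645673a830c564b7d50b6b1660767a488059874b2a60a47b8d098bcfc78.exe"'),
    ProcEvent(2928, 4456, SYS + r"\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c move Jam Jam.cmd & Jam.cmd'),
    ProcEvent(4012, 2928, SYS + r"\tasklist.exe", "tasklist"),
    ProcEvent(1564, 2928, SYS + r"\findstr.exe", r'findstr /I "opssvc wrsa"'),
    ProcEvent(3340, 2928, SYS + r"\tasklist.exe", "tasklist"),
    ProcEvent(3660, 2928, SYS + r"\findstr.exe",
              r'findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"'),
    ProcEvent(3172, 2928, SYS + r"\cmd.exe", "cmd /c md 523266"),
    ProcEvent(5032, 2928, SYS + r"\findstr.exe", r'findstr /V "landing" Ca'),
    ProcEvent(4876, 2928, SYS + r"\cmd.exe",
              r"cmd /c copy /b ..\Existing + ..\Lower + ..\Wants + ..\Elvis + ..\Distribution x"),
    ProcEvent(5028, 2928, TEMP + r"\523266\Relationship.com", "Relationship.com x"),
    ProcEvent(5104, 5028, SYS + r"\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q '
              r'"C:\Users\Admin\AppData\Local\Temp\523266\Relationship.com" '
              r'& rd /s /q "C:\ProgramData\YUS2NOH47GV3" & exit'),
    ProcEvent(4172, 5104, SYS + r"\timeout.exe", "timeout /t 10"),
    ProcEvent(2424, 2928, SYS + r"\choice.exe", "choice /d y /t 5"),
]

# Process names of security products, exactly as the sample's findstr filters quote them.
AV_PROCESS_NAMES = {"opssvc", "wrsa", "avastui", "avgui", "bdservicehost",
                    "nswscsvc", "ekrn", "sophoshealth"}


def _image_is(e, name):
    return e.image.lower().endswith("\\" + name)


# Single-record rules: name -> predicate over one ProcEvent.
RULES = {
    # "move Jam Jam.cmd & Jam.cmd": give an extensionless drop a .cmd extension and run it
    "rename_and_run_batch": lambda e: (
        _image_is(e, "cmd.exe")
        and re.search(r"\bmove\s+(\S+)\s+\1\.cmd\b.*&\s*\1\.cmd\b", e.cmdline, re.I) is not None),
    # "copy /b a + b + c out": rebuild a payload that was dropped as several chunks
    "payload_reassembly_copy_b": lambda e: (
        re.search(r"\bcopy\s+/b\s+\S+(?:\s*\+\s*\S+)+\s+\S+", e.cmdline, re.I) is not None),
    # "timeout /t N & del /f /q ...": delayed self-deletion of the dropped executable
    "delayed_self_delete": lambda e: (
        re.search(r"\btimeout\s+/t\s+\d+", e.cmdline, re.I) is not None
        and re.search(r"\bdel\s+/f\s+/q\b", e.cmdline, re.I) is not None),
    # "choice /d y /t N": a sleep that never calls Sleep()
    "sleep_via_choice": lambda e: (
        _image_is(e, "choice.exe") and re.search(r"/t\s+\d+", e.cmdline, re.I) is not None),
    # a .com executed from under %TEMP%
    "com_from_temp": lambda e: (
        "\\appdata\\local\\temp\\" in e.image.lower() and e.image.lower().endswith(".com")),
}


def av_names_in(cmdline):
    """Security-product names a findstr filter is looking for (case-insensitive)."""
    tokens = {t.strip('"').lower() for t in cmdline.split()[1:]}
    return sorted(tokens & AV_PROCESS_NAMES)


def av_enumeration(events):
    """findstr filtering for security-product names with a sibling tasklist.exe
    under the same parent: the 'tasklist | findstr ...' check seen in the tree."""
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    hits = []
    for e in events:
        if not _image_is(e, "findstr.exe") or not av_names_in(e.cmdline):
            continue
        if any(_image_is(s, "tasklist.exe") for s in children.get(e.ppid, [])):
            hits.append((e.pid, "av_process_enumeration"))
    return hits


def detect(events):
    """Return sorted (pid, rule) pairs for every record that matches a rule."""
    hits = {(e.pid, name) for e in events for name, pred in RULES.items() if pred(e)}
    hits.update(av_enumeration(events))
    return sorted(hits)


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"PID {pid}: {rule}")
```

Run against the constructed records, the rules fire on PIDs 2928, 4876, 5104, 2424, 5028, 1564 and 3660 and on nothing else; the bare `timeout /t 10` child (PID 4172) is deliberately not flagged, because the signal is the combination of a wait and a `del /f /q` in one command line, not `timeout.exe` by itself. The `tasklist`/`findstr` correlation keys on the parent PID, so a lone `findstr` for an unrelated string (PID 5032) stays quiet.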

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\523266\Relationship.com

    Filesize

    925KB

    MD5

    62d09f076e6e0240548c2f837536a46a

    SHA1

    26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

    SHA256

    1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

    SHA512

    32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

  • C:\Users\Admin\AppData\Local\Temp\523266\x

    Filesize

    285KB

    MD5

    f4eaef20d7cb249c38bd71e18beb5c75

    SHA1

    d61cac3b42d1eb9d6aaf2ac579fa7dfb1d8d5df5

    SHA256

    128aae5ca769c545558de704b2da34ff4b3a0f9a1c8637d108a4bc68235c3691

    SHA512

    d2ece85d86b64ff9ae2ba3992621773fcc9069ce8b4855d6d75727d594587dd96df64d307b5f77ba9382dbc4675729eb9330b60db3ecc651f0a0dd9bd470673d

  • C:\Users\Admin\AppData\Local\Temp\Altered

    Filesize

    97KB

    MD5

    041e0a2909f73d050592ee44b6206aee

    SHA1

    eef9934e108cb1f535ce0931c38da705f99f38d2

    SHA256

    40a2e1bb4e06f36bbe8e447a73337b0f1bef79aaf290bdbd363a051f361efe36

    SHA512

    cb2ef1260fc75b1ca77289f9e581a303d2d461b3886d2ec70afbef16b8cc1b6a6ba3eb009edfc24df1eace7e2a59638cf381eea5351f90abde68fcfae2ed3a27

  • C:\Users\Admin\AppData\Local\Temp\Ca

    Filesize

    1KB

    MD5

    e9fbb8fac667c2932e012ce1462f1d67

    SHA1

    2ea8bd2feb443cefb68b4ea8508fb1924666392b

    SHA256

    17029a8d3933139b442077a90799f7880770dce3143b3f27dc6299e526a04aaf

    SHA512

    b5aca0065b6c41a12b9d3b5a468c0aae2ac743d9c0f9d65efc04059e084b9a3f461356e4130feca3d16ea854724986e97f66dbdfdfe5080b8f45ee809dbe9a16

  • C:\Users\Admin\AppData\Local\Temp\Distribution

    Filesize

    21KB

    MD5

    4f7dc35d83aba1debdf610f61d8354eb

    SHA1

    e096c018e27a56df92597717547f70af75d0b37d

    SHA256

    c60fbe3c4a9eca49b48022e6a2e7ba5d6ab52d70ee1366efd34ccba539604543

    SHA512

    fcf46720f70eb6ad76de262790ba4590b10ef1cc62a010384a459ebe3511b59feeff2351cde0b32718ba37fae3bb13c4ffe51153bf345e36a3edfd27909da4da

  • C:\Users\Admin\AppData\Local\Temp\Dsc

    Filesize

    66KB

    MD5

    7444be6fdc34510517b96b373bce699b

    SHA1

    7f31a4dd2ff289ce6be7be3ba634ab918e3a4fb9

    SHA256

    eae9ef63f97f313e74b78fa687dad66d00df8c8ee3663e5d093727bf92c35e47

    SHA512

    08ba0324adfa33c8d547bb0e8d6f107ee331c0f5fdea67f4a1cf70c0324298429f3d2fbf88d2b0361c6b11134bfaf6e84924f3167a63a8acf7b6d9420628b198

  • C:\Users\Admin\AppData\Local\Temp\Elvis

    Filesize

    60KB

    MD5

    203eaa7c046a7e5c616d72bb500e2525

    SHA1

    f1b8e88e05e2562e148e0b085f01d99735751524

    SHA256

    5f5ee058b13874af192318d6f69881b90ac6feee483b5d0f7055fd9546d1ba94

    SHA512

    19facf262754aafd90c5a042de45bbdd4a5315f7dc58a08350d9ed39c83268eef709a0f168c7215d2197ac358832b75451c4ef70fe73a29bc2638ca8442bad47

  • C:\Users\Admin\AppData\Local\Temp\Existing

    Filesize

    67KB

    MD5

    8f4decd2a4d2d05ffddb7c403561f346

    SHA1

    385ca964d82c77f9624c165c73503f1b7e412155

    SHA256

    391d54bef0b972cf5b3bf134e6c29867a3d30d373679bf06459205dc93feb385

    SHA512

    26f012c839a091523a1884619ef14bb32efacfb0343810a2618f4dbd358083a574900a121c835874d812212a56618753c9aabedf146ef222e455d51b0583d573

  • C:\Users\Admin\AppData\Local\Temp\Faculty

    Filesize

    80KB

    MD5

    850e2f7751488b7087a56a61ae9bef77

    SHA1

    a45e63501b937bd51456a9ef9e603408f6d118f9

    SHA256

    49c3959766700e0b397f4bb14244d9cc4fb507c8bb81b6cc0f26cdc2d86f1667

    SHA512

    dc1053c1eb545d9e44e4dc26444177a6e88df242cd689b5a367e6f056b2bf8703c7c5fdcfe940ac815480e9bbfa5bd03b306143933bbc64176e015e1090e7b38

  • C:\Users\Admin\AppData\Local\Temp\Futures

    Filesize

    49KB

    MD5

    fd222d640240e593c8281b3215992584

    SHA1

    859f45468121ef32e0140677aa29ad637013b92b

    SHA256

    e0f37347ed8b26155463bfcf98abc04ddf1f582c33012eba1dca1baecaab122c

    SHA512

    396a8d613e14e75dd3e760980f039071f5bcd3fef17e3868377a5581bc507f6c27dd438d5ada3520c8b668d37e86df74f16dfba52acad68a0a758cad9c1f2255

  • C:\Users\Admin\AppData\Local\Temp\Gnu

    Filesize

    149KB

    MD5

    2750ceab03bda7ec977660e2e5ed1378

    SHA1

    f28a4057f2580af4c97ecc4e4fcfdce9d86918db

    SHA256

    0226268d6fe7bbf21b21c2a3a117d26f949526f68faa425d1d03b6689436ee43

    SHA512

    782722385d5eca881c366df968126d6b49601b470e9ab2a3f762053b7910520e8982dfedecc98f764e8f9f10f8e45b5b542b11d9f6477949ef97df2449be5dc3

  • C:\Users\Admin\AppData\Local\Temp\Jam

    Filesize

    29KB

    MD5

    af14f57478cfdfecf403381bd9e816d0

    SHA1

    652001844758ef461a0fac5a1ba9097b0291d473

    SHA256

    f18f8e672dc1f8ebbee1294cc79ceea9c03c90e39101868cacfcc6b2648610bc

    SHA512

    b0879b3b25b2b75ea31438b1c9fecd2972d4f39e6b90cb8c3338ea395db54f01d9db7b4fb1b57ffd230a8f9a1562f057679db2927cee90bb8d6e0087b9de7375

  • C:\Users\Admin\AppData\Local\Temp\Lower

    Filesize

    60KB

    MD5

    b6df230011af1d7f8415b0b5969c2f4a

    SHA1

    48ed82745e2fdeb446fcc0b81add5a4530eddfd7

    SHA256

    141acb51a175b6e2acec3455b4d7eab19779e11dda14a5d4e82a63c7a2f817c7

    SHA512

    5999389bcb4993a2a4e5745d6a5005345c58fced90b9d93eb5fd3e71d6987e858b2f47bcac1ba7876c93b06d1a5f4be7c6fdc85f03264711e0c99d229317cfa8

  • C:\Users\Admin\AppData\Local\Temp\Sap

    Filesize

    122KB

    MD5

    7cdf29f1ad43ed80fd3bf9f2bcf8e448

    SHA1

    bc126782fc727c0efd0ca2f03ed7106ade3d4fa9

    SHA256

    6753e389e6c641ffc5f06ee46b9dd7d65201a77bc687e5f584b26ea56fbf5748

    SHA512

    47ed86eaaadb8a121653a2c8415b6099f8ac88b588065674afa3bac96eee6c70c026fc1c74aa4a014bf539a8e243f7eb5cad94226926fbb3a5d5be5e46bc72bf

  • C:\Users\Admin\AppData\Local\Temp\Screens

    Filesize

    103KB

    MD5

    093e44e1daaa29e32f2711283167ad8b

    SHA1

    3be29aad7a16048f09d3a190eecb2567be10c838

    SHA256

    e6c6cc8b34f76878305c6bdb16dcd61a99efdd1b3bcd25bfaaf5c6f585d79843

    SHA512

    4f642e0aca001d1be656408c20e6f00f00c59f5b966b4894dc01793dcb0ede0cd38099c990420d7238f14a0202c1a8213136d740fb22a74688cfcf379bfc6385

  • C:\Users\Admin\AppData\Local\Temp\Travelling

    Filesize

    142KB

    MD5

    6cc42a5bca76f09bf28289009427aff5

    SHA1

    9b4b6dd644cf82b80a025b4dedabd8406f9b3b31

    SHA256

    cacabeb6d49ca732cf5532ff4918eea4dadf67dec277c42d37bba32bbf2986e3

    SHA512

    846bf07f4f0ed2563c8a2ef96fa9efd493ed54d07d49a36d0ba1ebee16865346bf8ab3c819ff86a3c27db023037515cf5374bddf7fb80636390dd1bad3495534

  • C:\Users\Admin\AppData\Local\Temp\Unfortunately

    Filesize

    115KB

    MD5

    bfcc32c058927fd6f1dc7d49432245b6

    SHA1

    37fd77f925a236217709a62634fb91507c1ce1ad

    SHA256

    92d6b2c91ae61ad4eb755f32dab99833f2c0d46bc43144dfa78f79fde79814b6

    SHA512

    d24883bb0a214e8e8713a0f08a3e95a80bf3a30ab67b81bced538f810aad24a04fd3f858fdc1cd0099770e326b7274a28c0d7aaadb07245b4d3e343a97af1466

  • C:\Users\Admin\AppData\Local\Temp\Wants

    Filesize

    77KB

    MD5

    a41adc03a819c861eb3371c8df26fe8b

    SHA1

    188dd98ebb43308a18b8cc7946b6117eee295b38

    SHA256

    166243c65693a04d65270f05c6d3636ea99cc84b47b479714c18d5b5bfb22cbb

    SHA512

    2f8cec765de46a607283e4f9da77aa1d9f59fe8840013a69fd9007457ecda48447db06a01a9084c53e8c185501f6fa54c4cd80148002a3d4f8394a374d7b0dd4

  • memory/5028-42-0x0000000000610000-0x0000000000849000-memory.dmp

    Filesize

    2.2MB

  • memory/5028-40-0x0000000000610000-0x0000000000849000-memory.dmp

    Filesize

    2.2MB

  • memory/5028-41-0x0000000000610000-0x0000000000849000-memory.dmp

    Filesize

    2.2MB

  • memory/5028-43-0x0000000000610000-0x0000000000849000-memory.dmp

    Filesize

    2.2MB

  • memory/5028-45-0x0000000000610000-0x0000000000849000-memory.dmp

    Filesize

    2.2MB

  • memory/5028-44-0x0000000000610000-0x0000000000849000-memory.dmp

    Filesize

    2.2MB

  • memory/5028-52-0x0000000000610000-0x0000000000849000-memory.dmp

    Filesize

    2.2MB

  • memory/5028-53-0x0000000000610000-0x0000000000849000-memory.dmp

    Filesize

    2.2MB
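The `copy /b ..\Existing + ..\Lower + ..\Wants + ..\Elvis + ..\Distribution x` step in the process tree explains why `523266\x` appears among the dropped files: it is the byte-for-byte concatenation of five of the extensionless drops listed above, and the reported sizes agree (67KB + 60KB + 77KB + 60KB + 21KB = 285KB, the size reported for `x`). An analyst who recovered the chunks but not `x` can rebuild it the same way and confirm the result against the MD5 and SHA256 the report gives for `x`. The script below is an added example written for this page, not tooling from the sandbox; its `demo()` writes small constructed chunks to a temporary directory so it runs offline, which is also why their concatenation does not match the reported hash.

```python
import hashlib
import tempfile
from pathlib import Path

# Concatenation order, taken from the `copy /b` command line in the process tree.
CHUNK_ORDER = ["Existing", "Lower", "Wants", "Elvis", "Distribution"]

# Sizes the report lists for those drops (rounded KB), and the size it lists for x.
REPORTED_CHUNK_KB = {"Existing": 67, "Lower": 60, "Wants": 77, "Elvis": 60, "Distribution": 21}
REPORTED_X_KB = 285

# Digests the report lists for C:\Users\Admin\AppData\Local\Temp\523266\x.
REPORTED_X_MD5 = "f4eaef20d7cb249c38bd71e18beb5c75"
REPORTED_X_SHA256 = "128aae5ca769c545558de704b2da34ff4b3a0f9a1c8637d108a4bc68235c3691"


def reported_total_kb(order=CHUNK_ORDER, sizes=REPORTED_CHUNK_KB):
    """Sum of the reported chunk sizes; should equal the reported size of x."""
    return sum(sizes[name] for name in order)


def reassemble(chunk_dir, out_path, order=CHUNK_ORDER):
    """Reproduce `copy /b`: binary concatenation in the given order, with no
    text-mode translation and no truncation at a Ctrl-Z (0x1a) byte."""
    chunk_dir, out_path = Path(chunk_dir), Path(out_path)
    data = b"".join((chunk_dir / name).read_bytes() for name in order)
    out_path.write_bytes(data)
    return data


def digests(data):
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def verify(chunk_dir, out_path, expected_sha256=REPORTED_X_SHA256):
    """Rebuild x from the chunks and report whether it matches the expected SHA256."""
    return digests(reassemble(chunk_dir, out_path))["sha256"] == expected_sha256


def demo():
    """Run the rebuild on constructed chunks (not the real drops) in a temp dir."""
    constructed = {
        "Existing": b"MZ\x00\x01",
        "Lower": b"\x1a\x1a",      # Ctrl-Z bytes: a text-mode copy would stop here
        "Wants": b"W" * 8,
        "Elvis": b"\r\n",          # CRLF: a text-mode copy might translate this
        "Distribution": b"END",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, blob in constructed.items():
            (Path(d) / name).write_bytes(blob)
        data = reassemble(d, Path(d) / "x")
        return {"data": data,
                "digests": digests(data),
                "matches_report": verify(d, Path(d) / "x")}


if __name__ == "__main__":
    r = demo()
    print(r["digests"], "matches reported x:", r["matches_report"])
```

Point `reassemble()` at a directory holding the real `Existing`, `Lower`, `Wants`, `Elvis` and `Distribution` drops and `verify()` should return `True`; a `False` with the real chunks means either a different chunk set or order than the command line shows, or a chunk that was modified after it was captured. The constructed chunks include 0x1a and CRLF bytes on purpose: `copy /b` carries them through unchanged, and so must any rebuild script.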