Analysis

  • max time kernel: 100s
  • max time network: 100s
  • platform: windows10-ltsc 2021_x64
  • resource: win10ltsc2021-20250113-en
  • resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250113-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted: 20/01/2025, 22:36

General

  • Target: data-Setup.7z
  • Size: 116.3MB
  • MD5: 3152ed0815d3eb095c6e9c8469d99b77
  • SHA1: addf193abcafc1d6099b787ae7be873c79b4f365
  • SHA256: b99fa29a917eb26f7dd60427f9d4e261e95e06354e570b0e7f7c759672b9ebe7
  • SHA512: b7eae4d1cd9c6c3edce37f2601e1f3528689d459c1780558a17ccaa770d189f6413f6b51105dac595d3afb9d95a28c24b7e5a7d0bdcdfd3cb1788fe672e918b4
  • SSDEEP: 3145728:+bjzx3kP0uuE0SWwn8lkUXljGeHS4RG9MGbVOKHntLCJCIXrd:Yz9kP0ut0Pwno1jGeySG9JVgJCIXrd

Malware Config

Extracted

  • Language: ps1
  • Source: URLs
  • ps1.dropper: https://micfriosogprodnorthghostcom.top/kjgkjlKLkjfjkrhjHRGHKLNMREJGHKJnlGKL3454345BFJKKJnVBEKERJKRGEGREGRGERGERWBFDGGBTfgfbergsc4334ggd/lice
  • exe.dropper: https://micfriosogprodnorthghostcom.top/kjgkjlKLkjfjkrhjHRGHKLNMREJGHKJnlGKL3454345BFJKKJnVBEKERJKRGEGREGRGERGERWBFDGGBTfgfbergsc4334ggd/lice

Extracted

  • Family: vidar
  • Botnet: fc0stn
  • C2:
    https://t.me/w0ctzn
    https://steamcommunity.com/profiles/76561199817305251
  • Attributes
    • user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0

Signatures

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Vidar family
  • Blocklisted process makes network request 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

  • Downloads MZ/PE file
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 2 IoCs
  • Modifies registry class 29 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SendNotifyMessage 11 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:3572
    • C:\Program Files\7-Zip\7zFM.exe
      "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\data-Setup.7z"
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:3816
    • C:\Users\Admin\Desktop\data-Setup\Setup.exe
      "C:\Users\Admin\Desktop\data-Setup\Setup.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:4420
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\Desktop\data-Setup\data\extract_and_run.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2892
        • C:\Users\Admin\Desktop\data-Setup\data\7za.exe
          7za.exe e bin.zip -pYOUR_PASSWORD -oextracted_10798
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4072
        • C:\Windows\system32\timeout.exe
          timeout /t 2
          4⤵
          • Delays execution with timeout.exe
          PID:3448
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /K "extracted_10798\sss.bat"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4300
          • C:\Windows\system32\net.exe
            net session
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1476
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 session
              6⤵
                PID:1956
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Admin\Desktop\data-Setup\data\extracted_10798\script.ps1"
              5⤵
              • Blocklisted process makes network request
              • Command and Scripting Interpreter: PowerShell
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4924
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\'"
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:4444
              • C:\Users\Admin\AppData\Roaming\JEHQLI9D.exe
                "C:\Users\Admin\AppData\Roaming\JEHQLI9D.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1636
                • C:\Users\Admin\AppData\Roaming\JEHQLI9D.exe
                  "C:\Users\Admin\AppData\Roaming\JEHQLI9D.exe"
                  7⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  PID:4536
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1636 -s 824
                  7⤵
                  • Program crash
                  PID:1016
              • C:\Users\Admin\AppData\Roaming\EJRB2QN5.exe
                "C:\Users\Admin\AppData\Roaming\EJRB2QN5.exe"
                6⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:4776
          • C:\Windows\system32\timeout.exe
            timeout /t 2
            4⤵
            • Delays execution with timeout.exe
            PID:812
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:2676
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1636 -ip 1636
    1⤵
    PID:1936
  • C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
    "C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:4648
  • C:\Windows\System32\SecurityHealthHost.exe
    C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
    1⤵
    PID:1016
  • C:\Windows\System32\SecurityHealthHost.exe
    C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
    1⤵
    PID:896

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize: 3KB
    MD5: 3eb3833f769dd890afc295b977eab4b4
    SHA1: e857649b037939602c72ad003e5d3698695f436f
    SHA256: c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485
    SHA512: c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 1KB
    MD5: df6406cd9dd08d4c3a98406429014919
    SHA1: 0ee31fc0cf7e3869eb129ddb0beec3c986f98679
    SHA256: b2f9eb7ce9315eb0df084d113846b6ddbecf5aa5a69e502ff2d705690e5a14a6
    SHA512: 942c718b4faa8d96ea12c48411cf4d79edf528e582f77e13d03a0775e6b7544b7f72cfa226b649bb6354fd82287bbe6afa9ca723c0a1ddff3bfb5facf30e6d45

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wb51cb5b.azb.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Roaming\EJRB2QN5.exe
    Filesize: 75KB
    MD5: d13676d884225dd662b6789ec20c145e
    SHA1: b3858094c110eda769715c5367163b04849d2d7f
    SHA256: a3e36e02d09862c67f41684c729456d8437cfe0ae31ce791e72602632135fdfa
    SHA512: 906bc0de46831730f65d5ca7534e7ae3a6655058f70624b57ba4cce553f82fd7537277af40fe5866615bf4507e9a852594f74b7ab03ad8967f1bbaa82a159d39

  • C:\Users\Admin\AppData\Roaming\JEHQLI9D.exe
    Filesize: 397KB
    MD5: 4dc8411aa4571161e5f6bc4e96ddb094
    SHA1: 6252ab9adc1cf93d2918ff6286f936958e7e6a22
    SHA256: 1df05a570b28509499093d3a23a9af6127bc1edf4866b6cc8dc3152484922891
    SHA512: 07700d830029cd4f078d6d6f02598d24bdc8db07e07d6251c1ac75580ee67c31f27296ba18b7cb54b2b197ac7c5c1e55830c7e9a30d961d45b5591266697afae

  • C:\Users\Admin\Desktop\data-Setup\Setup.exe
    Filesize: 44KB
    MD5: f86507ff0856923a8686d869bbd0aa55
    SHA1: d561b9cdbba69fdafb08af428033c4aa506802f8
    SHA256: 94f4fd6f2cb781ae7839ad2ee0322df732c8c7297e62834457662f8cde29dcbb
    SHA512: 6c1c073fc09498407b2c6b46d7a7e04c2db3c6f8d68c0dc0775211864c4508c48c2bd92e3849dc3805caacc856f9e31e1eea118661a55f526bfa61638f88c3da

  • C:\Users\Admin\Desktop\data-Setup\data\7za.exe
    Filesize: 828KB
    MD5: 426ccb645e50a3143811cfa0e42e2ba6
    SHA1: 3c17e212a5fdf25847bc895460f55819bf48b11d
    SHA256: cf878bfbd9ed93dc551ac038aff8a8bba4c935ddf8d48e62122bddfdb3e08567
    SHA512: 1ab13e8e6e0ca4ca2039f104d53a5286c4196e930319c4fe374fa3bf415214bb7c7d2a9d8ca677a29c911a356cca19a1cecae16dd4bf840bce725f20de4c8ff2

  • C:\Users\Admin\Desktop\data-Setup\data\bin
    Filesize: 1KB
    MD5: 21489353fdeeb875137d1a4f63695edc
    SHA1: c002d1a161e1912f6de52af4fb90cc3cfe4e1a01
    SHA256: 382acdf2a33e5c09d9c679997bdbc1c9d0cd1a2abd903846c66a55517aa9ce00
    SHA512: 57a5abacbf69c21c3c836185df1ca4a319226c71d1d4101189e4cedaf5475fad1101a7c75d35bc1e2b2b59f40104de6f7d06e4cd114d948cc829e7c509e96034

  • C:\Users\Admin\Desktop\data-Setup\data\extract_and_run.bat
    Filesize: 952B
    MD5: fae61599308bbc78cae99ebdcb666f43
    SHA1: de0a1d2344b09b29b1040bd4904f604a47a6d8c6
    SHA256: f65af4a3d9d7f4464de4f7c136122f548c3b662a389e569d842be7e3a60d7863
    SHA512: 8e3d8d8ed97e65acd719d60624fa5c5506696e6fbbad5b0466748cccc24832e130bdf584fe0ce55f14628c68ca0a602310f7cb964cd38cf56735a6c64e4ddbf3

  • C:\Users\Admin\Desktop\data-Setup\data\extracted_10798\script.ps1
    Filesize: 2KB
    MD5: d11c3a63c5ba659b5fe7b5534cb03df5
    SHA1: d08b1e6af9e5c66454236e5ba64e4c3659db4c47
    SHA256: 02fba22cf32e907760e64c7e4bc4803e2b5395a7eef2091f3f0c9c103aaa3187
    SHA512: a62a807f7ec5ca51ae392f10b68f3b6a326ae596ee2fdd4da662e58662142d5842d8e8abf1f7a84aba85ef2b067803733301b769024ae8c7bc3ce625c485b4ec

  • C:\Users\Admin\Desktop\data-Setup\data\extracted_10798\sss.bat
    Filesize: 405B
    MD5: 9ca3883fd45a5a455e64704ac6151ac9
    SHA1: e7f89032ce544253a51020d7e894f6919fc35839
    SHA256: c981688479756c987d6207e5804ed2b97fb50dfc80469309646c3f79d5ed05b4
    SHA512: e5746faaae0680f68295db94f3865a7ec56663553d7401f996cce18bdc67ade23aef10c81018da28992e82a8178dc8a567b5b355479c7ceedfb87e46be9efa5a

  • C:\Users\Admin\Desktop\data-Setup\mapistub.dll
    Filesize: 218KB
    MD5: 19f2358e19e6216a1c869fd86cd38df6
    SHA1: ec475b62bd4162615509ed1bf597b670392965e6
    SHA256: fc67d0ecb73cc51baa0f0f1e2a13fc18d8a9bdfca6f5ffaedd61d2c2eb9cb864
    SHA512: c009f5a2a917cd3a4159ac895d0621b433e73997c87cbf50a80e43d55a743aec7ba0681c29066e35afc25c1fa60c6f5a7257c9b6667f8e13722e314e75e0dd48

  • memory/1636-345-0x0000000000CD0000-0x0000000000D38000-memory.dmp
    Filesize: 416KB

  • memory/1636-346-0x0000000005BC0000-0x0000000006166000-memory.dmp
    Filesize: 5.6MB

  • memory/3572-371-0x00007FF6B0870000-0x00007FF6B08B5000-memory.dmp
    Filesize: 276KB

  • memory/4536-350-0x0000000000400000-0x0000000000460000-memory.dmp
    Filesize: 384KB

  • memory/4536-348-0x0000000000400000-0x0000000000460000-memory.dmp
    Filesize: 384KB

  • memory/4776-367-0x00007FF6B0870000-0x00007FF6B08B4000-memory.dmp
    Filesize: 272KB

  • memory/4776-373-0x00007FF6B0870000-0x00007FF6B08B4000-memory.dmp
    Filesize: 272KB

  • memory/4924-314-0x000001E26F930000-0x000001E26F952000-memory.dmp
    Filesize: 136KB