Analysis
max time kernel: 298s
max time network: 204s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-01-2025 20:53

Static task: static1
Behavioral task: behavioral1
Sample: file01.ps1
Resource: win10v2004-20241007-en
General
Target: file01.ps1
Size: 35B
MD5: 684c57981b5ed26047c34aee9a2453a1
SHA1: 2e154e9c0e6abc9a2bc852aeb941fe5d3117fa3e
SHA256: 20b3dc9a088153eb974afee08192cd0b78c96b847e5705cea818c50043c3bddf
SHA512: cca14c6add1e0dfed54e0fe425489bf430bcc438acf386fe4d68cf040fbe55e9997b0d85bcd8cca56e66721292497894b599c919f3af248b4a2ef8a1d112c51b
Malware Config
Extracted
vidar
fc0stn
https://t.me/w0ctzn
https://steamcommunity.com/profiles/76561199817305251
user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0
Signatures

Vidar family

Blocklisted process makes network request (2 IoCs)
flow  pid   Process
8     4992  powershell.exe
17    4992  powershell.exe

Downloads MZ/PE file

Executes dropped EXE (1 IoC)
pid   Process
4000  updater.exe

Suspicious use of SetThreadContext (1 IoC)
description                          pid   Process      procid_target
PID 4000 set thread context of 3560  4000  updater.exe  93

pid   Process
4992  powershell.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  updater.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  BitLockerToGo.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description        ioc                                                                                                                                         Process
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000                                          taskmgr.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName                             taskmgr.exe

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description        ioc                                                                                Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  taskmgr.exe
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                     taskmgr.exe

Modifies registry class (2 IoCs)
description  ioc                                                                                        Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  powershell.exe
Key created  \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings         taskmgr.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process
4992  powershell.exe  (2 entries)
2032  taskmgr.exe     (62 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid   Process
2032  taskmgr.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
description                      pid   Process
Token: SeDebugPrivilege          4992  powershell.exe
Token: SeDebugPrivilege          2032  taskmgr.exe
Token: SeSystemProfilePrivilege  2032  taskmgr.exe
Token: SeCreateGlobalPrivilege   2032  taskmgr.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
pid   Process
2032  taskmgr.exe  (64 entries)

Suspicious use of SendNotifyMessage (64 IoCs)
pid   Process
2032  taskmgr.exe  (64 entries)

Suspicious use of WriteProcessMemory (14 IoCs)
description                       pid   Process         procid_target
PID 4992 wrote to memory of 4000  4992  powershell.exe  90  (3 entries)
PID 4000 wrote to memory of 3560  4000  updater.exe     93  (11 entries)
Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\file01.ps1
  PID: 4992
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\0bb1bdfc-7beb-4f26-bf01-f36f9108ba4d\updater.exe
    Command line: "C:\Users\Admin\AppData\Local\0bb1bdfc-7beb-4f26-bf01-f36f9108ba4d\updater.exe"
    PID: 4000
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      Command line: "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      PID: 3560
      - System Location Discovery: System Language Discovery

C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /7
  PID: 2032
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 756
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 9.8MB
MD5: 2a7ec240fa5e25c92b2b78c4f1002ea0
SHA1: bca1465b8bafa5fe58d96d4289356d40c3d44155
SHA256: 2c973057cbbe0d9836f477281a06b51c6ce009c5ac7683f4255743e7d01ca9ca
SHA512: dba36379cd0532301193b25ffc4c9b74406efc08ca2d2ce0fec06c115abdde2ab0409bfda1f8bf85ce50764a59503ab0d5b1efbbd641b4caec1dde910d220df3

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82