Resubmissions
15-02-2025 17:48
250215-wdrvdswkfp 1015-02-2025 17:45
250215-wbsnxawnav 1014-02-2025 17:46
250214-wcq7gawkgz 1006-02-2025 16:53
250206-vec7yssnfk 10Analysis
-
max time kernel
162s -
max time network
165s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20250211-en -
resource tags
-
submitted
15-02-2025 17:48
General
-
Target
Sid Meier's Civilization VII.exe
-
Size
683.9MB
-
MD5
3f40339bdf295a6f099dd097433c51c2
-
SHA1
54cbfa3105a4fb6c59d699083edad98b706bbad0
-
SHA256
48318511e386734e3540bf6898631d97a52ff3428dfb5eea001c218a133ca4ac
-
SHA512
88d08f9a59b922e34d24e1068debc37ff743585c3d8267c539d189b81d255e5fc6cae5ac27075a20719616623975d033ce425b153b9df5a8359698adff99273e
-
SSDEEP
98304:loE8pTFYNxOkXbP9RezM6XDkOt+tH8MQ/sksDYAFpU0jyak4/JjCc1:lhSGV63sNDV40fjC0
Malware Config
Extracted
vidar
https://t.me/cruadsummar
https://t.me/pullmeundervosk2
Signatures
-
Detect Vidar Stealer 2 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar family
-
Downloads MZ/PE file 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 5 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Sid Meier's Civilization VII.exe"C:\Users\Admin\AppData\Local\Temp\Sid Meier's Civilization VII.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MzREODhEMUMtRDNGOS00OTEyLTk2NzktODg5OTlCREFGMTU5fSIgdXNlcmlkPSJ7RUFFRjAzMjUtQzMxOC00OTMwLTk4RkEtOTNFMDg0RjREMjRGfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7OTExMjI3N0YtRDYzRC00REU5LUE0MDktNEE4NUQzNkUwM0M5fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0NC40NTI5IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iMTI1IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMjMuMC42MzEyLjEyMyIgbmV4dHZlcnNpb249IiIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iNCIgaW5zdGFsbGRhdGV0aW1lPSIxNzM5MjY5OTk1IiBvb2JlX2luc3RhbGxfdGltZT0iMTMzODM3NDE5ODgwODMwMDAwIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjE3OTg2MiIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTE3OTM3OTM0NyIvPjwvYXBwPjwvcmVxdWVzdD41⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?LinkId=1297651⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0xe4,0x150,0x7ffadb8246f8,0x7ffadb824708,0x7ffadb8247182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,15213461115753920177,4928638861147329359,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,15213461115753920177,4928638861147329359,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:32⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,15213461115753920177,4928638861147329359,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2992 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15213461115753920177,4928638861147329359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15213461115753920177,4928638861147329359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15213461115753920177,4928638861147329359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD58186d0a678bf31304a00ed3db7807e13
SHA19b1c1d943257538324b8335525d5a05bbc1e700a
SHA25660e0c389ced869bc0d251d0976c07fe8a4b882e0ab3b83364b2f1b30ff1b8c2f
SHA512373968706a5982893a98e5c1b30a50aae2fe74ffc2fae07bdd2bfc9be1577ae53c19b7bd27fb49ab7551c3747efca19de334c573a24e6e571f55c833ff4ed02f
-
Filesize
120B
MD51e2a062346d6c75d21fabb38897072ad
SHA15febe61823cb08b5c690ed87b367463e61d80857
SHA256c62337fd2fca0615159ef1972c6560409d0845fe263e84f1b7da68399771f75c
SHA512aa6c676816029177c50d445f7f10c00811cc0465e9ca5020bc873b7960a12ff9483fd14d507bc4c3194f7ad151014d52b24b609069fb47bceb01194d45ce9c91
-
Filesize
483B
MD518e76fcd02f81aad85888adb4d4407bd
SHA16449254ca3bd1dfca5c3c2371190f8b39d82f837
SHA256a66f542940242c89caeaf8d31188133eb17a43f503a1dfab48a175b802e1787c
SHA5129ee3b2144cfbdf40565160974875f63aaa0559f53d1a39cd6fab4c6cb82159baa7d7a119f11470cf8abbb308d1777ee3204f4e53536ff1ae2ba9c0b9d3e1f05a
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
6KB
MD505742136ee6595d72bd9603a45a8d7ea
SHA136bc6184a1074730d29ad69590b9e56c1723ec71
SHA25622874cc226f1895cccaa583fd4a2885aa521cce26f6149099f18691715535c35
SHA51282a9f30c9bcf704702d8d6b42cd6973f356322c1575a7966bb0bd4caaa736ed3579a401990df53f3cdfe113d9aff645bba226c4cdd8b08d77825e973145bc956
-
Filesize
5KB
MD5757a1f5c8669575355def5e0e036e2cc
SHA129c732e7beb9b6680fad99418b044c3a3ab7c6bd
SHA256818b5e67584d24d32d232d03655835e585eda75943ae4cae11a6a4c9f5bd1b26
SHA51220a0ae5eca3cbd3bea4c708da53a6371d7abdd3e7fecf2f0f221bb4b3855ce1a6a074ce59649233d7bd112ee1d0fcd508d372b13cb165dc485f26ef070d8d4c0
-
Filesize
6KB
MD526fcd087e5dd5276ed9cfd3acca153cd
SHA154571f0abdb65ea6e985f343ecf72090bc9411f3
SHA256e3b5c638315a5f4a6b5b7b1b6b55e101d7161913d13b65dd407f02d3166804fe
SHA5128d825370fd99069c7a108323b2f3eaeb76b9290dac6b65547ff97c5b1891411d20301b8f65e241745abdc139ef77df5d4ed9e27168e966bc0d4b0d797c7d594f
-
Filesize
24KB
MD58cfd87b94fe08c765d79cb6f1910878b
SHA1fe4cf77b20a73e3b5a8370cce4f26fafb0236b9d
SHA2561723f32024f2ebae70bec7cefb2e807aa695076ef0ece7b5f448026f5e9695fa
SHA512ac015ba13b2e8a83d928a72714bc217d9bbd2164341368a08b2eea4816d6191635e35f8a35c93b0783e78210c30a948b7beee0db09cef8f5fe2164053b1479ad
-
Filesize
3KB
MD540780c863227e633bdf07f13704d9e30
SHA18179db95c7ed001a9e4d3afba1012988d762447e
SHA256f7f3658a87a95d6530eddc635cf8fb3c7372c4c6cc43fabfbe938035abcca491
SHA5120ecac69c2abdba3b21c10f8b70f2c213488012d31306366df92671ed4a58aa828986822988fdb437eb078892083013790c8b0df97824f9156e8c19d7470913da
-
Filesize
3KB
MD5b2cd8fe5682a0390519ce2fd9dda57cb
SHA1d6aec525ebe9a26a964b5aa0d5722b6b627496f1
SHA25642d4acee10a6d34c015b9b8cc9d1b2648fb2446564f0795071adfcbcba433e49
SHA51257fd5c9ded6a9ef82bd4b0df55354cd9a6267a95f61e50aae7607f2e65d563ccfba1e5abaa894d095418c6162c9592053dfe7602f004b1a0acc6f588d3b14907
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
136KB
-
Filesize
136KB
-
Filesize
136KB