Analysis
-
max time kernel
136s -
max time network
158s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
16-05-2021 03:02
Static task
static1
Behavioral task
behavioral1
Sample
ab84f8131f507e2ced9d2e3d7826e5b90ce9c939a44042f8adea37bf4734f996.exe
Resource
win7v20210408
General
-
Target
ab84f8131f507e2ced9d2e3d7826e5b90ce9c939a44042f8adea37bf4734f996.exe
-
Size
3.6MB
-
MD5
3906b7977437ba0d985277e8e6354e83
-
SHA1
7e26f58ad5d912f7b548840cce75ece0d7616311
-
SHA256
ab84f8131f507e2ced9d2e3d7826e5b90ce9c939a44042f8adea37bf4734f996
-
SHA512
8bf3a5222881f1fef271e8240f1a53de01f694e7656b9857955aadae425ab6272a5952f0e98119fccab8df142830b2afa18acbc212ced00fab089bc55e516875
Malware Config
Extracted
vidar
9.3
231
https://photoshopsarte.com
-
profile_id
231
Signatures
-
Vidar Stealer 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1936-72-0x0000000000400000-0x0000000000591000-memory.dmp family_vidar -
Executes dropped EXE 2 IoCs
Processes:
busshost.exeYTLoader.exepid process 1936 busshost.exe 1756 YTLoader.exe -
Loads dropped DLL 8 IoCs
Processes:
ab84f8131f507e2ced9d2e3d7826e5b90ce9c939a44042f8adea37bf4734f996.exeWerFault.exepid process 1976 ab84f8131f507e2ced9d2e3d7826e5b90ce9c939a44042f8adea37bf4734f996.exe 1976 ab84f8131f507e2ced9d2e3d7826e5b90ce9c939a44042f8adea37bf4734f996.exe 1976 ab84f8131f507e2ced9d2e3d7826e5b90ce9c939a44042f8adea37bf4734f996.exe 1804 WerFault.exe 1804 WerFault.exe 1804 WerFault.exe 1804 WerFault.exe 1804 WerFault.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 16 ip-api.com -
Drops file in Program Files directory 4 IoCs
Processes:
ab84f8131f507e2ced9d2e3d7826e5b90ce9c939a44042f8adea37bf4734f996.exedescription ioc process File opened for modification C:\Program Files (x86)\LetsSee!\busshost.exe ab84f8131f507e2ced9d2e3d7826e5b90ce9c939a44042f8adea37bf4734f996.exe File opened for modification C:\Program Files (x86)\LetsSee!\Uninstall.exe ab84f8131f507e2ced9d2e3d7826e5b90ce9c939a44042f8adea37bf4734f996.exe File created C:\Program Files (x86)\LetsSee!\Uninstall.ini ab84f8131f507e2ced9d2e3d7826e5b90ce9c939a44042f8adea37bf4734f996.exe File opened for modification C:\Program Files (x86)\LetsSee!\YTLoader.exe ab84f8131f507e2ced9d2e3d7826e5b90ce9c939a44042f8adea37bf4734f996.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1804 1756 WerFault.exe YTLoader.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
YTLoader.exebusshost.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 YTLoader.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString YTLoader.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 busshost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString busshost.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
YTLoader.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS YTLoader.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer YTLoader.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName YTLoader.exe -
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
WerFault.exebusshost.exepid process 1804 WerFault.exe 1804 WerFault.exe 1804 WerFault.exe 1804 WerFault.exe 1804 WerFault.exe 1936 busshost.exe 1936 busshost.exe 1936 busshost.exe 1936 busshost.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
WerFault.exepid process 1804 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
YTLoader.exeWerFault.exedescription pid process Token: SeDebugPrivilege 1756 YTLoader.exe Token: SeDebugPrivilege 1804 WerFault.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
ab84f8131f507e2ced9d2e3d7826e5b90ce9c939a44042f8adea37bf4734f996.exeYTLoader.exedescription pid process target process PID 1976 wrote to memory of 1936 1976 ab84f8131f507e2ced9d2e3d7826e5b90ce9c939a44042f8adea37bf4734f996.exe busshost.exe PID 1976 wrote to memory of 1936 1976 ab84f8131f507e2ced9d2e3d7826e5b90ce9c939a44042f8adea37bf4734f996.exe busshost.exe PID 1976 wrote to memory of 1936 1976 ab84f8131f507e2ced9d2e3d7826e5b90ce9c939a44042f8adea37bf4734f996.exe busshost.exe PID 1976 wrote to memory of 1936 1976 ab84f8131f507e2ced9d2e3d7826e5b90ce9c939a44042f8adea37bf4734f996.exe busshost.exe PID 1976 wrote to memory of 1756 1976 ab84f8131f507e2ced9d2e3d7826e5b90ce9c939a44042f8adea37bf4734f996.exe YTLoader.exe PID 1976 wrote to memory of 1756 1976 ab84f8131f507e2ced9d2e3d7826e5b90ce9c939a44042f8adea37bf4734f996.exe YTLoader.exe PID 1976 wrote to memory of 1756 1976 ab84f8131f507e2ced9d2e3d7826e5b90ce9c939a44042f8adea37bf4734f996.exe YTLoader.exe PID 1976 wrote to memory of 1756 1976 ab84f8131f507e2ced9d2e3d7826e5b90ce9c939a44042f8adea37bf4734f996.exe YTLoader.exe PID 1756 wrote to memory of 1804 1756 YTLoader.exe WerFault.exe PID 1756 wrote to memory of 1804 1756 YTLoader.exe WerFault.exe PID 1756 wrote to memory of 1804 1756 YTLoader.exe WerFault.exe PID 1756 wrote to memory of 1804 1756 YTLoader.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ab84f8131f507e2ced9d2e3d7826e5b90ce9c939a44042f8adea37bf4734f996.exe"C:\Users\Admin\AppData\Local\Temp\ab84f8131f507e2ced9d2e3d7826e5b90ce9c939a44042f8adea37bf4734f996.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\LetsSee!\busshost.exe"C:\Program Files (x86)\LetsSee!\busshost.exe"2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\LetsSee!\YTLoader.exe"C:\Program Files (x86)\LetsSee!\YTLoader.exe"2⤵
- Executes dropped EXE
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 10843⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\LetsSee!\YTLoader.exeMD5
adc9db2753fa3daa6a8156254ba2a5f1
SHA150ff27e2e1c4acc35768b93b73c03f7630027f04
SHA256f8cc40321301d39f03eaa48d42cbbb2e953b694dc13ccf9d986032c621223fde
SHA5125f7fca8da622035f3a83e562d727ccdd842d623ec376f93c75c3218bddd970c34a9efc66a33cfd6e52a398fa2ed090b890d05aecef53f65a22917d50d31a1195
-
C:\Program Files (x86)\LetsSee!\YTLoader.exeMD5
adc9db2753fa3daa6a8156254ba2a5f1
SHA150ff27e2e1c4acc35768b93b73c03f7630027f04
SHA256f8cc40321301d39f03eaa48d42cbbb2e953b694dc13ccf9d986032c621223fde
SHA5125f7fca8da622035f3a83e562d727ccdd842d623ec376f93c75c3218bddd970c34a9efc66a33cfd6e52a398fa2ed090b890d05aecef53f65a22917d50d31a1195
-
C:\Program Files (x86)\LetsSee!\busshost.exeMD5
3b672054b72e6d21037a88a75772436b
SHA1a2a640122fe3fe5775788239e6d653de7b21bf17
SHA2560bb79d6a333b05abf87f42612396665de5eb4868c54b4b8c2f20034351c09a18
SHA512cf70168bbda17223f35ae65ddf4c0b98d9b1bb88f912d292085e18efd2e289a708c97c6f76e39aa653bf30f5e268c8544175d7418d228480972f09681af87343
-
\Program Files (x86)\LetsSee!\YTLoader.exeMD5
adc9db2753fa3daa6a8156254ba2a5f1
SHA150ff27e2e1c4acc35768b93b73c03f7630027f04
SHA256f8cc40321301d39f03eaa48d42cbbb2e953b694dc13ccf9d986032c621223fde
SHA5125f7fca8da622035f3a83e562d727ccdd842d623ec376f93c75c3218bddd970c34a9efc66a33cfd6e52a398fa2ed090b890d05aecef53f65a22917d50d31a1195
-
\Program Files (x86)\LetsSee!\YTLoader.exeMD5
adc9db2753fa3daa6a8156254ba2a5f1
SHA150ff27e2e1c4acc35768b93b73c03f7630027f04
SHA256f8cc40321301d39f03eaa48d42cbbb2e953b694dc13ccf9d986032c621223fde
SHA5125f7fca8da622035f3a83e562d727ccdd842d623ec376f93c75c3218bddd970c34a9efc66a33cfd6e52a398fa2ed090b890d05aecef53f65a22917d50d31a1195
-
\Program Files (x86)\LetsSee!\YTLoader.exeMD5
adc9db2753fa3daa6a8156254ba2a5f1
SHA150ff27e2e1c4acc35768b93b73c03f7630027f04
SHA256f8cc40321301d39f03eaa48d42cbbb2e953b694dc13ccf9d986032c621223fde
SHA5125f7fca8da622035f3a83e562d727ccdd842d623ec376f93c75c3218bddd970c34a9efc66a33cfd6e52a398fa2ed090b890d05aecef53f65a22917d50d31a1195
-
\Program Files (x86)\LetsSee!\YTLoader.exeMD5
adc9db2753fa3daa6a8156254ba2a5f1
SHA150ff27e2e1c4acc35768b93b73c03f7630027f04
SHA256f8cc40321301d39f03eaa48d42cbbb2e953b694dc13ccf9d986032c621223fde
SHA5125f7fca8da622035f3a83e562d727ccdd842d623ec376f93c75c3218bddd970c34a9efc66a33cfd6e52a398fa2ed090b890d05aecef53f65a22917d50d31a1195
-
\Program Files (x86)\LetsSee!\YTLoader.exeMD5
adc9db2753fa3daa6a8156254ba2a5f1
SHA150ff27e2e1c4acc35768b93b73c03f7630027f04
SHA256f8cc40321301d39f03eaa48d42cbbb2e953b694dc13ccf9d986032c621223fde
SHA5125f7fca8da622035f3a83e562d727ccdd842d623ec376f93c75c3218bddd970c34a9efc66a33cfd6e52a398fa2ed090b890d05aecef53f65a22917d50d31a1195
-
\Program Files (x86)\LetsSee!\YTLoader.exeMD5
adc9db2753fa3daa6a8156254ba2a5f1
SHA150ff27e2e1c4acc35768b93b73c03f7630027f04
SHA256f8cc40321301d39f03eaa48d42cbbb2e953b694dc13ccf9d986032c621223fde
SHA5125f7fca8da622035f3a83e562d727ccdd842d623ec376f93c75c3218bddd970c34a9efc66a33cfd6e52a398fa2ed090b890d05aecef53f65a22917d50d31a1195
-
\Program Files (x86)\LetsSee!\busshost.exeMD5
3b672054b72e6d21037a88a75772436b
SHA1a2a640122fe3fe5775788239e6d653de7b21bf17
SHA2560bb79d6a333b05abf87f42612396665de5eb4868c54b4b8c2f20034351c09a18
SHA512cf70168bbda17223f35ae65ddf4c0b98d9b1bb88f912d292085e18efd2e289a708c97c6f76e39aa653bf30f5e268c8544175d7418d228480972f09681af87343
-
\Program Files (x86)\LetsSee!\busshost.exeMD5
3b672054b72e6d21037a88a75772436b
SHA1a2a640122fe3fe5775788239e6d653de7b21bf17
SHA2560bb79d6a333b05abf87f42612396665de5eb4868c54b4b8c2f20034351c09a18
SHA512cf70168bbda17223f35ae65ddf4c0b98d9b1bb88f912d292085e18efd2e289a708c97c6f76e39aa653bf30f5e268c8544175d7418d228480972f09681af87343
-
memory/1756-78-0x00000000004F0000-0x00000000004F5000-memory.dmpFilesize
20KB
-
memory/1756-84-0x0000000000830000-0x0000000000831000-memory.dmpFilesize
4KB
-
memory/1756-75-0x0000000005170000-0x00000000055C5000-memory.dmpFilesize
4.3MB
-
memory/1756-76-0x0000000000450000-0x0000000000459000-memory.dmpFilesize
36KB
-
memory/1756-77-0x00000000004E0000-0x00000000004E5000-memory.dmpFilesize
20KB
-
memory/1756-67-0x0000000000000000-mapping.dmp
-
memory/1756-79-0x0000000000510000-0x0000000000511000-memory.dmpFilesize
4KB
-
memory/1756-80-0x0000000000560000-0x0000000000561000-memory.dmpFilesize
4KB
-
memory/1756-81-0x0000000000570000-0x0000000000578000-memory.dmpFilesize
32KB
-
memory/1756-82-0x0000000000580000-0x0000000000581000-memory.dmpFilesize
4KB
-
memory/1756-83-0x0000000000590000-0x0000000000591000-memory.dmpFilesize
4KB
-
memory/1756-74-0x0000000000230000-0x0000000000234000-memory.dmpFilesize
16KB
-
memory/1756-85-0x0000000000840000-0x0000000000841000-memory.dmpFilesize
4KB
-
memory/1756-86-0x0000000000860000-0x0000000000861000-memory.dmpFilesize
4KB
-
memory/1756-87-0x0000000000870000-0x0000000000871000-memory.dmpFilesize
4KB
-
memory/1756-70-0x0000000000FF0000-0x0000000000FF1000-memory.dmpFilesize
4KB
-
memory/1756-73-0x0000000000AD0000-0x0000000000AD1000-memory.dmpFilesize
4KB
-
memory/1804-88-0x0000000000000000-mapping.dmp
-
memory/1804-94-0x00000000003D0000-0x00000000003D1000-memory.dmpFilesize
4KB
-
memory/1936-72-0x0000000000400000-0x0000000000591000-memory.dmpFilesize
1.6MB
-
memory/1936-63-0x0000000000000000-mapping.dmp
-
memory/1976-60-0x0000000075DA1000-0x0000000075DA3000-memory.dmpFilesize
8KB