Analysis
-
max time kernel
103s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
23-05-2022 17:19
Static task
static1
Behavioral task
behavioral1
Sample
01ecb8e12553c49e1e31a7246653b6131289f22f44f0deb7097afb39ff46af9f.exe
Resource
win7-20220414-en
General
-
Target
01ecb8e12553c49e1e31a7246653b6131289f22f44f0deb7097afb39ff46af9f.exe
-
Size
3.6MB
-
MD5
697576793e02be59d60a0ba2a59bbc8d
-
SHA1
3d8e38dfb94cf336c4a31e03e4ccd8bc4983bae5
-
SHA256
01ecb8e12553c49e1e31a7246653b6131289f22f44f0deb7097afb39ff46af9f
-
SHA512
1f065f44a4be0ac4b41efd51e26d19dd56001ad9969d4191ff5f1d70059d77dcd21eb01d09b5bc27461e19545a90c877fce5222fe9aea40c38dc1347aab117ea
Malware Config
Extracted
vidar
9.4
231
http://prohomedevelopers.com/
-
profile_id
231
Signatures
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
-
Vidar Stealer 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1628-66-0x0000000000400000-0x00000000009C5000-memory.dmp family_vidar -
Executes dropped EXE 2 IoCs
Processes:
busshost.exeYTLoader.exepid process 1628 busshost.exe 996 YTLoader.exe -
Loads dropped DLL 8 IoCs
Processes:
01ecb8e12553c49e1e31a7246653b6131289f22f44f0deb7097afb39ff46af9f.exeWerFault.exepid process 780 01ecb8e12553c49e1e31a7246653b6131289f22f44f0deb7097afb39ff46af9f.exe 780 01ecb8e12553c49e1e31a7246653b6131289f22f44f0deb7097afb39ff46af9f.exe 780 01ecb8e12553c49e1e31a7246653b6131289f22f44f0deb7097afb39ff46af9f.exe 1632 WerFault.exe 1632 WerFault.exe 1632 WerFault.exe 1632 WerFault.exe 1632 WerFault.exe -
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 7 ip-api.com -
Drops file in Program Files directory 4 IoCs
Processes:
01ecb8e12553c49e1e31a7246653b6131289f22f44f0deb7097afb39ff46af9f.exedescription ioc process File created C:\Program Files (x86)\LetsSee!\Uninstall.ini 01ecb8e12553c49e1e31a7246653b6131289f22f44f0deb7097afb39ff46af9f.exe File opened for modification C:\Program Files (x86)\LetsSee!\YTLoader.exe 01ecb8e12553c49e1e31a7246653b6131289f22f44f0deb7097afb39ff46af9f.exe File opened for modification C:\Program Files (x86)\LetsSee!\busshost.exe 01ecb8e12553c49e1e31a7246653b6131289f22f44f0deb7097afb39ff46af9f.exe File opened for modification C:\Program Files (x86)\LetsSee!\Uninstall.exe 01ecb8e12553c49e1e31a7246653b6131289f22f44f0deb7097afb39ff46af9f.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1632 996 WerFault.exe YTLoader.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
YTLoader.exebusshost.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 YTLoader.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString YTLoader.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 busshost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString busshost.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
YTLoader.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS YTLoader.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer YTLoader.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName YTLoader.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
busshost.exepid process 1628 busshost.exe 1628 busshost.exe 1628 busshost.exe 1628 busshost.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
YTLoader.exedescription pid process Token: SeDebugPrivilege 996 YTLoader.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
01ecb8e12553c49e1e31a7246653b6131289f22f44f0deb7097afb39ff46af9f.exeYTLoader.exedescription pid process target process PID 780 wrote to memory of 1628 780 01ecb8e12553c49e1e31a7246653b6131289f22f44f0deb7097afb39ff46af9f.exe busshost.exe PID 780 wrote to memory of 1628 780 01ecb8e12553c49e1e31a7246653b6131289f22f44f0deb7097afb39ff46af9f.exe busshost.exe PID 780 wrote to memory of 1628 780 01ecb8e12553c49e1e31a7246653b6131289f22f44f0deb7097afb39ff46af9f.exe busshost.exe PID 780 wrote to memory of 1628 780 01ecb8e12553c49e1e31a7246653b6131289f22f44f0deb7097afb39ff46af9f.exe busshost.exe PID 780 wrote to memory of 996 780 01ecb8e12553c49e1e31a7246653b6131289f22f44f0deb7097afb39ff46af9f.exe YTLoader.exe PID 780 wrote to memory of 996 780 01ecb8e12553c49e1e31a7246653b6131289f22f44f0deb7097afb39ff46af9f.exe YTLoader.exe PID 780 wrote to memory of 996 780 01ecb8e12553c49e1e31a7246653b6131289f22f44f0deb7097afb39ff46af9f.exe YTLoader.exe PID 780 wrote to memory of 996 780 01ecb8e12553c49e1e31a7246653b6131289f22f44f0deb7097afb39ff46af9f.exe YTLoader.exe PID 996 wrote to memory of 1632 996 YTLoader.exe WerFault.exe PID 996 wrote to memory of 1632 996 YTLoader.exe WerFault.exe PID 996 wrote to memory of 1632 996 YTLoader.exe WerFault.exe PID 996 wrote to memory of 1632 996 YTLoader.exe WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\01ecb8e12553c49e1e31a7246653b6131289f22f44f0deb7097afb39ff46af9f.exe"C:\Users\Admin\AppData\Local\Temp\01ecb8e12553c49e1e31a7246653b6131289f22f44f0deb7097afb39ff46af9f.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\LetsSee!\busshost.exe"C:\Program Files (x86)\LetsSee!\busshost.exe"2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\LetsSee!\YTLoader.exe"C:\Program Files (x86)\LetsSee!\YTLoader.exe"2⤵
- Executes dropped EXE
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 11883⤵
- Loads dropped DLL
- Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\LetsSee!\YTLoader.exeFilesize
3.0MB
MD5adc9db2753fa3daa6a8156254ba2a5f1
SHA150ff27e2e1c4acc35768b93b73c03f7630027f04
SHA256f8cc40321301d39f03eaa48d42cbbb2e953b694dc13ccf9d986032c621223fde
SHA5125f7fca8da622035f3a83e562d727ccdd842d623ec376f93c75c3218bddd970c34a9efc66a33cfd6e52a398fa2ed090b890d05aecef53f65a22917d50d31a1195
-
C:\Program Files (x86)\LetsSee!\YTLoader.exeFilesize
3.0MB
MD5adc9db2753fa3daa6a8156254ba2a5f1
SHA150ff27e2e1c4acc35768b93b73c03f7630027f04
SHA256f8cc40321301d39f03eaa48d42cbbb2e953b694dc13ccf9d986032c621223fde
SHA5125f7fca8da622035f3a83e562d727ccdd842d623ec376f93c75c3218bddd970c34a9efc66a33cfd6e52a398fa2ed090b890d05aecef53f65a22917d50d31a1195
-
C:\Program Files (x86)\LetsSee!\busshost.exeFilesize
927KB
MD541e889d85b10720ae552caae2b62279c
SHA1ca427f8f0bed8fcd608784193ad5304bc0ac8232
SHA2564e6ad1e300803b75a210f20ddf00056932c476e9df8117111ed2ae65a533bb01
SHA5125065def5be672c2884d24e090bc1a0c439ca3708933249cc66e95d08dd8636f1061b7cd845cd824020d6727d730f19f89f4d69d14a7150fcae87f182bb8bc66e
-
\Program Files (x86)\LetsSee!\YTLoader.exeFilesize
3.0MB
MD5adc9db2753fa3daa6a8156254ba2a5f1
SHA150ff27e2e1c4acc35768b93b73c03f7630027f04
SHA256f8cc40321301d39f03eaa48d42cbbb2e953b694dc13ccf9d986032c621223fde
SHA5125f7fca8da622035f3a83e562d727ccdd842d623ec376f93c75c3218bddd970c34a9efc66a33cfd6e52a398fa2ed090b890d05aecef53f65a22917d50d31a1195
-
\Program Files (x86)\LetsSee!\YTLoader.exeFilesize
3.0MB
MD5adc9db2753fa3daa6a8156254ba2a5f1
SHA150ff27e2e1c4acc35768b93b73c03f7630027f04
SHA256f8cc40321301d39f03eaa48d42cbbb2e953b694dc13ccf9d986032c621223fde
SHA5125f7fca8da622035f3a83e562d727ccdd842d623ec376f93c75c3218bddd970c34a9efc66a33cfd6e52a398fa2ed090b890d05aecef53f65a22917d50d31a1195
-
\Program Files (x86)\LetsSee!\YTLoader.exeFilesize
3.0MB
MD5adc9db2753fa3daa6a8156254ba2a5f1
SHA150ff27e2e1c4acc35768b93b73c03f7630027f04
SHA256f8cc40321301d39f03eaa48d42cbbb2e953b694dc13ccf9d986032c621223fde
SHA5125f7fca8da622035f3a83e562d727ccdd842d623ec376f93c75c3218bddd970c34a9efc66a33cfd6e52a398fa2ed090b890d05aecef53f65a22917d50d31a1195
-
\Program Files (x86)\LetsSee!\YTLoader.exeFilesize
3.0MB
MD5adc9db2753fa3daa6a8156254ba2a5f1
SHA150ff27e2e1c4acc35768b93b73c03f7630027f04
SHA256f8cc40321301d39f03eaa48d42cbbb2e953b694dc13ccf9d986032c621223fde
SHA5125f7fca8da622035f3a83e562d727ccdd842d623ec376f93c75c3218bddd970c34a9efc66a33cfd6e52a398fa2ed090b890d05aecef53f65a22917d50d31a1195
-
\Program Files (x86)\LetsSee!\YTLoader.exeFilesize
3.0MB
MD5adc9db2753fa3daa6a8156254ba2a5f1
SHA150ff27e2e1c4acc35768b93b73c03f7630027f04
SHA256f8cc40321301d39f03eaa48d42cbbb2e953b694dc13ccf9d986032c621223fde
SHA5125f7fca8da622035f3a83e562d727ccdd842d623ec376f93c75c3218bddd970c34a9efc66a33cfd6e52a398fa2ed090b890d05aecef53f65a22917d50d31a1195
-
\Program Files (x86)\LetsSee!\YTLoader.exeFilesize
3.0MB
MD5adc9db2753fa3daa6a8156254ba2a5f1
SHA150ff27e2e1c4acc35768b93b73c03f7630027f04
SHA256f8cc40321301d39f03eaa48d42cbbb2e953b694dc13ccf9d986032c621223fde
SHA5125f7fca8da622035f3a83e562d727ccdd842d623ec376f93c75c3218bddd970c34a9efc66a33cfd6e52a398fa2ed090b890d05aecef53f65a22917d50d31a1195
-
\Program Files (x86)\LetsSee!\busshost.exeFilesize
927KB
MD541e889d85b10720ae552caae2b62279c
SHA1ca427f8f0bed8fcd608784193ad5304bc0ac8232
SHA2564e6ad1e300803b75a210f20ddf00056932c476e9df8117111ed2ae65a533bb01
SHA5125065def5be672c2884d24e090bc1a0c439ca3708933249cc66e95d08dd8636f1061b7cd845cd824020d6727d730f19f89f4d69d14a7150fcae87f182bb8bc66e
-
\Program Files (x86)\LetsSee!\busshost.exeFilesize
927KB
MD541e889d85b10720ae552caae2b62279c
SHA1ca427f8f0bed8fcd608784193ad5304bc0ac8232
SHA2564e6ad1e300803b75a210f20ddf00056932c476e9df8117111ed2ae65a533bb01
SHA5125065def5be672c2884d24e090bc1a0c439ca3708933249cc66e95d08dd8636f1061b7cd845cd824020d6727d730f19f89f4d69d14a7150fcae87f182bb8bc66e
-
memory/780-54-0x0000000074E91000-0x0000000074E93000-memory.dmpFilesize
8KB
-
memory/996-73-0x0000000000630000-0x000000000063A000-memory.dmpFilesize
40KB
-
memory/996-78-0x00000000006D0000-0x00000000006D8000-memory.dmpFilesize
32KB
-
memory/996-71-0x0000000000430000-0x0000000000440000-memory.dmpFilesize
64KB
-
memory/996-72-0x0000000000440000-0x000000000044A000-memory.dmpFilesize
40KB
-
memory/996-68-0x00000000003B0000-0x00000000003BA000-memory.dmpFilesize
40KB
-
memory/996-74-0x0000000000690000-0x000000000069A000-memory.dmpFilesize
40KB
-
memory/996-75-0x00000000006A0000-0x00000000006A8000-memory.dmpFilesize
32KB
-
memory/996-76-0x00000000006B0000-0x00000000006BE000-memory.dmpFilesize
56KB
-
memory/996-77-0x00000000006C0000-0x00000000006C8000-memory.dmpFilesize
32KB
-
memory/996-70-0x0000000005280000-0x00000000056DA000-memory.dmpFilesize
4.4MB
-
memory/996-79-0x0000000000CE0000-0x0000000000CE8000-memory.dmpFilesize
32KB
-
memory/996-80-0x0000000000CF0000-0x0000000000CF8000-memory.dmpFilesize
32KB
-
memory/996-81-0x0000000000D50000-0x0000000000D58000-memory.dmpFilesize
32KB
-
memory/996-82-0x0000000000D60000-0x0000000000D68000-memory.dmpFilesize
32KB
-
memory/996-60-0x0000000000000000-mapping.dmp
-
memory/996-67-0x0000000000F10000-0x0000000001218000-memory.dmpFilesize
3.0MB
-
memory/1628-66-0x0000000000400000-0x00000000009C5000-memory.dmpFilesize
5.8MB
-
memory/1628-65-0x00000000009D0000-0x0000000000AD0000-memory.dmpFilesize
1024KB
-
memory/1628-57-0x0000000000000000-mapping.dmp
-
memory/1632-83-0x0000000000000000-mapping.dmp