Analysis
-
max time kernel
118s -
max time network
130s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
30-05-2022 14:24
General
-
Target
0ab9b6dd58a54d3fbea62b35234ded2df36b335a86f9ad6fa29b9ae9250eb3ec.exe
-
Size
3.6MB
-
MD5
e7394690995419522d7a587a95f6d6ee
-
SHA1
5c7d416dc243b849f5cd129ee0a9bf95e2536902
-
SHA256
0ab9b6dd58a54d3fbea62b35234ded2df36b335a86f9ad6fa29b9ae9250eb3ec
-
SHA512
fe7536af694de5e4043f9bb087cfb7344d8bebf81cc21faef4b9877ef99426ff15da54fe320bb1c6fb8ca5450a5335429a1eba635afac8415563ea1ea66ca5c8
Malware Config
Extracted
vidar
9.5
231
http://bestpolandhotels.com/
-
profile_id
231
Signatures
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
-
Vidar Stealer 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 8 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Program Files directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0ab9b6dd58a54d3fbea62b35234ded2df36b335a86f9ad6fa29b9ae9250eb3ec.exe"C:\Users\Admin\AppData\Local\Temp\0ab9b6dd58a54d3fbea62b35234ded2df36b335a86f9ad6fa29b9ae9250eb3ec.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\LetsSee!\busshost.exe"C:\Program Files (x86)\LetsSee!\busshost.exe"2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\LetsSee!\YTLoader.exe"C:\Program Files (x86)\LetsSee!\YTLoader.exe"2⤵
- Executes dropped EXE
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 11843⤵
- Loads dropped DLL
- Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\LetsSee!\YTLoader.exeFilesize
3.0MB
MD5adc9db2753fa3daa6a8156254ba2a5f1
SHA150ff27e2e1c4acc35768b93b73c03f7630027f04
SHA256f8cc40321301d39f03eaa48d42cbbb2e953b694dc13ccf9d986032c621223fde
SHA5125f7fca8da622035f3a83e562d727ccdd842d623ec376f93c75c3218bddd970c34a9efc66a33cfd6e52a398fa2ed090b890d05aecef53f65a22917d50d31a1195
-
C:\Program Files (x86)\LetsSee!\YTLoader.exeFilesize
3.0MB
MD5adc9db2753fa3daa6a8156254ba2a5f1
SHA150ff27e2e1c4acc35768b93b73c03f7630027f04
SHA256f8cc40321301d39f03eaa48d42cbbb2e953b694dc13ccf9d986032c621223fde
SHA5125f7fca8da622035f3a83e562d727ccdd842d623ec376f93c75c3218bddd970c34a9efc66a33cfd6e52a398fa2ed090b890d05aecef53f65a22917d50d31a1195
-
C:\Program Files (x86)\LetsSee!\busshost.exeFilesize
887KB
MD53dd19a7570a264b2862d0b4a54ad8b09
SHA1011f2b5357007afe0966f531ac23ae39ab2b161f
SHA256742f13a5a9e2289b6105faf3ea24f0524887d8090cf25051b50aff51fb02d372
SHA5123f1d5cd61cfa78193c852429c891fbad733a4816e050f1394cb14e673a6113a8a28370f7617a52fe356f2e4c3b0c0ba259b261e9a6d985f962d4700b05dfab0b
-
\Program Files (x86)\LetsSee!\YTLoader.exeFilesize
3.0MB
MD5adc9db2753fa3daa6a8156254ba2a5f1
SHA150ff27e2e1c4acc35768b93b73c03f7630027f04
SHA256f8cc40321301d39f03eaa48d42cbbb2e953b694dc13ccf9d986032c621223fde
SHA5125f7fca8da622035f3a83e562d727ccdd842d623ec376f93c75c3218bddd970c34a9efc66a33cfd6e52a398fa2ed090b890d05aecef53f65a22917d50d31a1195
-
\Program Files (x86)\LetsSee!\YTLoader.exeFilesize
3.0MB
MD5adc9db2753fa3daa6a8156254ba2a5f1
SHA150ff27e2e1c4acc35768b93b73c03f7630027f04
SHA256f8cc40321301d39f03eaa48d42cbbb2e953b694dc13ccf9d986032c621223fde
SHA5125f7fca8da622035f3a83e562d727ccdd842d623ec376f93c75c3218bddd970c34a9efc66a33cfd6e52a398fa2ed090b890d05aecef53f65a22917d50d31a1195
-
\Program Files (x86)\LetsSee!\YTLoader.exeFilesize
3.0MB
MD5adc9db2753fa3daa6a8156254ba2a5f1
SHA150ff27e2e1c4acc35768b93b73c03f7630027f04
SHA256f8cc40321301d39f03eaa48d42cbbb2e953b694dc13ccf9d986032c621223fde
SHA5125f7fca8da622035f3a83e562d727ccdd842d623ec376f93c75c3218bddd970c34a9efc66a33cfd6e52a398fa2ed090b890d05aecef53f65a22917d50d31a1195
-
\Program Files (x86)\LetsSee!\YTLoader.exeFilesize
3.0MB
MD5adc9db2753fa3daa6a8156254ba2a5f1
SHA150ff27e2e1c4acc35768b93b73c03f7630027f04
SHA256f8cc40321301d39f03eaa48d42cbbb2e953b694dc13ccf9d986032c621223fde
SHA5125f7fca8da622035f3a83e562d727ccdd842d623ec376f93c75c3218bddd970c34a9efc66a33cfd6e52a398fa2ed090b890d05aecef53f65a22917d50d31a1195
-
\Program Files (x86)\LetsSee!\YTLoader.exeFilesize
3.0MB
MD5adc9db2753fa3daa6a8156254ba2a5f1
SHA150ff27e2e1c4acc35768b93b73c03f7630027f04
SHA256f8cc40321301d39f03eaa48d42cbbb2e953b694dc13ccf9d986032c621223fde
SHA5125f7fca8da622035f3a83e562d727ccdd842d623ec376f93c75c3218bddd970c34a9efc66a33cfd6e52a398fa2ed090b890d05aecef53f65a22917d50d31a1195
-
\Program Files (x86)\LetsSee!\YTLoader.exeFilesize
3.0MB
MD5adc9db2753fa3daa6a8156254ba2a5f1
SHA150ff27e2e1c4acc35768b93b73c03f7630027f04
SHA256f8cc40321301d39f03eaa48d42cbbb2e953b694dc13ccf9d986032c621223fde
SHA5125f7fca8da622035f3a83e562d727ccdd842d623ec376f93c75c3218bddd970c34a9efc66a33cfd6e52a398fa2ed090b890d05aecef53f65a22917d50d31a1195
-
\Program Files (x86)\LetsSee!\busshost.exeFilesize
887KB
MD53dd19a7570a264b2862d0b4a54ad8b09
SHA1011f2b5357007afe0966f531ac23ae39ab2b161f
SHA256742f13a5a9e2289b6105faf3ea24f0524887d8090cf25051b50aff51fb02d372
SHA5123f1d5cd61cfa78193c852429c891fbad733a4816e050f1394cb14e673a6113a8a28370f7617a52fe356f2e4c3b0c0ba259b261e9a6d985f962d4700b05dfab0b
-
\Program Files (x86)\LetsSee!\busshost.exeFilesize
887KB
MD53dd19a7570a264b2862d0b4a54ad8b09
SHA1011f2b5357007afe0966f531ac23ae39ab2b161f
SHA256742f13a5a9e2289b6105faf3ea24f0524887d8090cf25051b50aff51fb02d372
SHA5123f1d5cd61cfa78193c852429c891fbad733a4816e050f1394cb14e673a6113a8a28370f7617a52fe356f2e4c3b0c0ba259b261e9a6d985f962d4700b05dfab0b
-
memory/1448-81-0x0000000000980000-0x000000000098A000-memory.dmpFilesize
40KB
-
memory/1448-87-0x0000000000A70000-0x0000000000A78000-memory.dmpFilesize
32KB
-
memory/1448-69-0x0000000071B90000-0x0000000072370000-memory.dmpFilesize
7.9MB
-
memory/1448-106-0x000000006F470000-0x000000006F56C000-memory.dmpFilesize
1008KB
-
memory/1448-71-0x0000000071790000-0x0000000071B83000-memory.dmpFilesize
3.9MB
-
memory/1448-72-0x0000000070BE0000-0x000000007178E000-memory.dmpFilesize
11.7MB
-
memory/1448-73-0x000000006F8D0000-0x0000000070BD7000-memory.dmpFilesize
19.0MB
-
memory/1448-74-0x0000000000380000-0x000000000038A000-memory.dmpFilesize
40KB
-
memory/1448-75-0x00000000744F0000-0x00000000746E4000-memory.dmpFilesize
2.0MB
-
memory/1448-77-0x000000006F470000-0x000000006F56C000-memory.dmpFilesize
1008KB
-
memory/1448-78-0x00000000051F0000-0x000000000564A000-memory.dmpFilesize
4.4MB
-
memory/1448-79-0x0000000000970000-0x0000000000980000-memory.dmpFilesize
64KB
-
memory/1448-80-0x000000006ED30000-0x000000006F46E000-memory.dmpFilesize
7.2MB
-
memory/1448-105-0x00000000744F0000-0x00000000746E4000-memory.dmpFilesize
2.0MB
-
memory/1448-82-0x0000000000990000-0x000000000099A000-memory.dmpFilesize
40KB
-
memory/1448-83-0x00000000009B0000-0x00000000009BA000-memory.dmpFilesize
40KB
-
memory/1448-84-0x0000000000A00000-0x0000000000A08000-memory.dmpFilesize
32KB
-
memory/1448-85-0x0000000000A50000-0x0000000000A5E000-memory.dmpFilesize
56KB
-
memory/1448-86-0x0000000000A60000-0x0000000000A68000-memory.dmpFilesize
32KB
-
memory/1448-68-0x0000000072370000-0x0000000072D80000-memory.dmpFilesize
10.1MB
-
memory/1448-88-0x0000000000A80000-0x0000000000A88000-memory.dmpFilesize
32KB
-
memory/1448-89-0x0000000000AD0000-0x0000000000AD8000-memory.dmpFilesize
32KB
-
memory/1448-90-0x0000000000B30000-0x0000000000B38000-memory.dmpFilesize
32KB
-
memory/1448-91-0x0000000000B40000-0x0000000000B48000-memory.dmpFilesize
32KB
-
memory/1448-92-0x0000000072D80000-0x000000007410F000-memory.dmpFilesize
19.6MB
-
memory/1448-104-0x000000006F8D0000-0x0000000070BD7000-memory.dmpFilesize
19.0MB
-
memory/1448-94-0x0000000072370000-0x0000000072D80000-memory.dmpFilesize
10.1MB
-
memory/1448-95-0x0000000071B90000-0x0000000072370000-memory.dmpFilesize
7.9MB
-
memory/1448-103-0x0000000070BE0000-0x000000007178E000-memory.dmpFilesize
11.7MB
-
memory/1448-102-0x0000000071790000-0x0000000071B83000-memory.dmpFilesize
3.9MB
-
memory/1448-66-0x0000000072D80000-0x000000007410F000-memory.dmpFilesize
19.6MB
-
memory/1448-65-0x0000000001280000-0x0000000001588000-memory.dmpFilesize
3.0MB
-
memory/1448-60-0x0000000000000000-mapping.dmp
-
memory/1528-96-0x0000000000000000-mapping.dmp
-
memory/1660-54-0x0000000075F21000-0x0000000075F23000-memory.dmpFilesize
8KB
-
memory/1932-101-0x0000000000400000-0x00000000009BB000-memory.dmpFilesize
5.7MB
-
memory/1932-67-0x0000000000300000-0x0000000000400000-memory.dmpFilesize
1024KB
-
memory/1932-93-0x0000000000300000-0x0000000000400000-memory.dmpFilesize
1024KB
-
memory/1932-70-0x0000000000400000-0x00000000009BB000-memory.dmpFilesize
5.7MB
-
memory/1932-57-0x0000000000000000-mapping.dmp