Analysis
  max time kernel: 118s
  max time network: 130s
  platform: windows7_x64
  resource: win7-20220414-en
  submitted: 30-05-2022 14:24
  Static task: static1
  Behavioral task: behavioral1
  Sample: 0ab9b6dd58a54d3fbea62b35234ded2df36b335a86f9ad6fa29b9ae9250eb3ec.exe
  Resource: win7-20220414-en
General
  Target: 0ab9b6dd58a54d3fbea62b35234ded2df36b335a86f9ad6fa29b9ae9250eb3ec.exe
  Size: 3.6MB
  MD5: e7394690995419522d7a587a95f6d6ee
  SHA1: 5c7d416dc243b849f5cd129ee0a9bf95e2536902
  SHA256: 0ab9b6dd58a54d3fbea62b35234ded2df36b335a86f9ad6fa29b9ae9250eb3ec
  SHA512: fe7536af694de5e4043f9bb087cfb7344d8bebf81cc21faef4b9877ef99426ff15da54fe320bb1c6fb8ca5450a5335429a1eba635afac8415563ea1ea66ca5c8
Malware Config
Extracted
  Family: vidar
  Version: 9.5
  Botnet: 231
  C2: http://bestpolandhotels.com/
  profile_id: 231
Signatures
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

Vidar Stealer (2 IoCs)
  resource                                                                       yara_rule
  behavioral1/memory/1932-70-0x0000000000400000-0x00000000009BB000-memory.dmp    family_vidar
  behavioral1/memory/1932-101-0x0000000000400000-0x00000000009BB000-memory.dmp   family_vidar

Executes dropped EXE (2 IoCs)
  pid   process
  1932  busshost.exe
  1448  YTLoader.exe

Loads dropped DLL (8 IoCs)
  pid   process
  1660  0ab9b6dd58a54d3fbea62b35234ded2df36b335a86f9ad6fa29b9ae9250eb3ec.exe
  1660  0ab9b6dd58a54d3fbea62b35234ded2df36b335a86f9ad6fa29b9ae9250eb3ec.exe
  1660  0ab9b6dd58a54d3fbea62b35234ded2df36b335a86f9ad6fa29b9ae9250eb3ec.exe
  1528  WerFault.exe
  1528  WerFault.exe
  1528  WerFault.exe
  1528  WerFault.exe
  1528  WerFault.exe

Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  7     ip-api.com

Drops file in Program Files directory (4 IoCs)
  description                   ioc                                            process
  File opened for modification  C:\Program Files (x86)\LetsSee!\YTLoader.exe   0ab9b6dd58a54d3fbea62b35234ded2df36b335a86f9ad6fa29b9ae9250eb3ec.exe
  File opened for modification  C:\Program Files (x86)\LetsSee!\busshost.exe   0ab9b6dd58a54d3fbea62b35234ded2df36b335a86f9ad6fa29b9ae9250eb3ec.exe
  File opened for modification  C:\Program Files (x86)\LetsSee!\Uninstall.exe  0ab9b6dd58a54d3fbea62b35234ded2df36b335a86f9ad6fa29b9ae9250eb3ec.exe
  File created                  C:\Program Files (x86)\LetsSee!\Uninstall.ini  0ab9b6dd58a54d3fbea62b35234ded2df36b335a86f9ad6fa29b9ae9250eb3ec.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoCs)
  pid   pid_target  process       target process
  1528  1448        WerFault.exe  YTLoader.exe

Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                  process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      busshost.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  busshost.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      YTLoader.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  YTLoader.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                       process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     YTLoader.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  YTLoader.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   YTLoader.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   process
  1932  busshost.exe
  1932  busshost.exe
  1932  busshost.exe
  1932  busshost.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  1448  YTLoader.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                       pid   process                                                                target process
  PID 1660 wrote to memory of 1932  1660  0ab9b6dd58a54d3fbea62b35234ded2df36b335a86f9ad6fa29b9ae9250eb3ec.exe  busshost.exe
  PID 1660 wrote to memory of 1932  1660  0ab9b6dd58a54d3fbea62b35234ded2df36b335a86f9ad6fa29b9ae9250eb3ec.exe  busshost.exe
  PID 1660 wrote to memory of 1932  1660  0ab9b6dd58a54d3fbea62b35234ded2df36b335a86f9ad6fa29b9ae9250eb3ec.exe  busshost.exe
  PID 1660 wrote to memory of 1932  1660  0ab9b6dd58a54d3fbea62b35234ded2df36b335a86f9ad6fa29b9ae9250eb3ec.exe  busshost.exe
  PID 1660 wrote to memory of 1448  1660  0ab9b6dd58a54d3fbea62b35234ded2df36b335a86f9ad6fa29b9ae9250eb3ec.exe  YTLoader.exe
  PID 1660 wrote to memory of 1448  1660  0ab9b6dd58a54d3fbea62b35234ded2df36b335a86f9ad6fa29b9ae9250eb3ec.exe  YTLoader.exe
  PID 1660 wrote to memory of 1448  1660  0ab9b6dd58a54d3fbea62b35234ded2df36b335a86f9ad6fa29b9ae9250eb3ec.exe  YTLoader.exe
  PID 1660 wrote to memory of 1448  1660  0ab9b6dd58a54d3fbea62b35234ded2df36b335a86f9ad6fa29b9ae9250eb3ec.exe  YTLoader.exe
  PID 1448 wrote to memory of 1528  1448  YTLoader.exe                                                           WerFault.exe
  PID 1448 wrote to memory of 1528  1448  YTLoader.exe                                                           WerFault.exe
  PID 1448 wrote to memory of 1528  1448  YTLoader.exe                                                           WerFault.exe
  PID 1448 wrote to memory of 1528  1448  YTLoader.exe                                                           WerFault.exe
Processes

C:\Users\Admin\AppData\Local\Temp\0ab9b6dd58a54d3fbea62b35234ded2df36b335a86f9ad6fa29b9ae9250eb3ec.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0ab9b6dd58a54d3fbea62b35234ded2df36b335a86f9ad6fa29b9ae9250eb3ec.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\LetsSee!\busshost.exe
    command line: "C:\Program Files (x86)\LetsSee!\busshost.exe"
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\LetsSee!\YTLoader.exe
    command line: "C:\Program Files (x86)\LetsSee!\YTLoader.exe"
    - Executes dropped EXE
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1448 -s 1184
      - Loads dropped DLL
      - Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Program Files (x86)\LetsSee!\YTLoader.exe
  Filesize: 3.0MB
  MD5: adc9db2753fa3daa6a8156254ba2a5f1
  SHA1: 50ff27e2e1c4acc35768b93b73c03f7630027f04
  SHA256: f8cc40321301d39f03eaa48d42cbbb2e953b694dc13ccf9d986032c621223fde
  SHA512: 5f7fca8da622035f3a83e562d727ccdd842d623ec376f93c75c3218bddd970c34a9efc66a33cfd6e52a398fa2ed090b890d05aecef53f65a22917d50d31a1195

C:\Program Files (x86)\LetsSee!\busshost.exe
  Filesize: 887KB
  MD5: 3dd19a7570a264b2862d0b4a54ad8b09
  SHA1: 011f2b5357007afe0966f531ac23ae39ab2b161f
  SHA256: 742f13a5a9e2289b6105faf3ea24f0524887d8090cf25051b50aff51fb02d372
  SHA512: 3f1d5cd61cfa78193c852429c891fbad733a4816e050f1394cb14e673a6113a8a28370f7617a52fe356f2e4c3b0c0ba259b261e9a6d985f962d4700b05dfab0b

\Program Files (x86)\LetsSee!\YTLoader.exe
  Filesize: 3.0MB
  MD5: adc9db2753fa3daa6a8156254ba2a5f1
  SHA1: 50ff27e2e1c4acc35768b93b73c03f7630027f04
  SHA256: f8cc40321301d39f03eaa48d42cbbb2e953b694dc13ccf9d986032c621223fde
  SHA512: 5f7fca8da622035f3a83e562d727ccdd842d623ec376f93c75c3218bddd970c34a9efc66a33cfd6e52a398fa2ed090b890d05aecef53f65a22917d50d31a1195

\Program Files (x86)\LetsSee!\busshost.exe
  Filesize: 887KB
  MD5: 3dd19a7570a264b2862d0b4a54ad8b09
  SHA1: 011f2b5357007afe0966f531ac23ae39ab2b161f
  SHA256: 742f13a5a9e2289b6105faf3ea24f0524887d8090cf25051b50aff51fb02d372
  SHA512: 3f1d5cd61cfa78193c852429c891fbad733a4816e050f1394cb14e673a6113a8a28370f7617a52fe356f2e4c3b0c0ba259b261e9a6d985f962d4700b05dfab0b

Memory dumps
  memory/1448-81-0x0000000000980000-0x000000000098A000-memory.dmp   Filesize: 40KB
  memory/1448-87-0x0000000000A70000-0x0000000000A78000-memory.dmp   Filesize: 32KB
  memory/1448-69-0x0000000071B90000-0x0000000072370000-memory.dmp   Filesize: 7.9MB
  memory/1448-106-0x000000006F470000-0x000000006F56C000-memory.dmp  Filesize: 1008KB
  memory/1448-71-0x0000000071790000-0x0000000071B83000-memory.dmp   Filesize: 3.9MB
  memory/1448-72-0x0000000070BE0000-0x000000007178E000-memory.dmp   Filesize: 11.7MB
  memory/1448-73-0x000000006F8D0000-0x0000000070BD7000-memory.dmp   Filesize: 19.0MB
  memory/1448-74-0x0000000000380000-0x000000000038A000-memory.dmp   Filesize: 40KB
  memory/1448-75-0x00000000744F0000-0x00000000746E4000-memory.dmp   Filesize: 2.0MB
  memory/1448-77-0x000000006F470000-0x000000006F56C000-memory.dmp   Filesize: 1008KB
  memory/1448-78-0x00000000051F0000-0x000000000564A000-memory.dmp   Filesize: 4.4MB
  memory/1448-79-0x0000000000970000-0x0000000000980000-memory.dmp   Filesize: 64KB
  memory/1448-80-0x000000006ED30000-0x000000006F46E000-memory.dmp   Filesize: 7.2MB
  memory/1448-105-0x00000000744F0000-0x00000000746E4000-memory.dmp  Filesize: 2.0MB
  memory/1448-82-0x0000000000990000-0x000000000099A000-memory.dmp   Filesize: 40KB
  memory/1448-83-0x00000000009B0000-0x00000000009BA000-memory.dmp   Filesize: 40KB
  memory/1448-84-0x0000000000A00000-0x0000000000A08000-memory.dmp   Filesize: 32KB
  memory/1448-85-0x0000000000A50000-0x0000000000A5E000-memory.dmp   Filesize: 56KB
  memory/1448-86-0x0000000000A60000-0x0000000000A68000-memory.dmp   Filesize: 32KB
  memory/1448-68-0x0000000072370000-0x0000000072D80000-memory.dmp   Filesize: 10.1MB
  memory/1448-88-0x0000000000A80000-0x0000000000A88000-memory.dmp   Filesize: 32KB
  memory/1448-89-0x0000000000AD0000-0x0000000000AD8000-memory.dmp   Filesize: 32KB
  memory/1448-90-0x0000000000B30000-0x0000000000B38000-memory.dmp   Filesize: 32KB
  memory/1448-91-0x0000000000B40000-0x0000000000B48000-memory.dmp   Filesize: 32KB
  memory/1448-92-0x0000000072D80000-0x000000007410F000-memory.dmp   Filesize: 19.6MB
  memory/1448-104-0x000000006F8D0000-0x0000000070BD7000-memory.dmp  Filesize: 19.0MB
  memory/1448-94-0x0000000072370000-0x0000000072D80000-memory.dmp   Filesize: 10.1MB
  memory/1448-95-0x0000000071B90000-0x0000000072370000-memory.dmp   Filesize: 7.9MB
  memory/1448-103-0x0000000070BE0000-0x000000007178E000-memory.dmp  Filesize: 11.7MB
  memory/1448-102-0x0000000071790000-0x0000000071B83000-memory.dmp  Filesize: 3.9MB
  memory/1448-66-0x0000000072D80000-0x000000007410F000-memory.dmp   Filesize: 19.6MB
  memory/1448-65-0x0000000001280000-0x0000000001588000-memory.dmp   Filesize: 3.0MB
  memory/1448-60-0x0000000000000000-mapping.dmp
  memory/1528-96-0x0000000000000000-mapping.dmp
  memory/1660-54-0x0000000075F21000-0x0000000075F23000-memory.dmp   Filesize: 8KB
  memory/1932-101-0x0000000000400000-0x00000000009BB000-memory.dmp  Filesize: 5.7MB
  memory/1932-67-0x0000000000300000-0x0000000000400000-memory.dmp   Filesize: 1024KB
  memory/1932-93-0x0000000000300000-0x0000000000400000-memory.dmp   Filesize: 1024KB
  memory/1932-70-0x0000000000400000-0x00000000009BB000-memory.dmp   Filesize: 5.7MB
  memory/1932-57-0x0000000000000000-mapping.dmp