Overview

overview

10

Static

static

2716e1c86f...7f.exe

windows7_x64

10

2716e1c86f...7f.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    87s
  • max time network
    192s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    16-06-2022 06:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2716e1c86f3a9c1a4f84eadba40a8b6e80c7ee1fd1a39729c7351b7f85232b7f.exe

  • Size

    4.3MB

  • MD5

    52bb850d63e79db32342238cb2277bc8

  • SHA1

    233fbda8e5e7506aa57253f40f66b2b5ea99642b

  • SHA256

    2716e1c86f3a9c1a4f84eadba40a8b6e80c7ee1fd1a39729c7351b7f85232b7f

  • SHA512

    9da46e25517815b6d586f899e9374b53826799b89b988af44137c19cec5ea2b9a65b79e99cffa093471e1c5bedecc580b10f1a2824940cb79b9241a0c2f57a0c

Score
10/10
vidar231discoveryspywarestealersuricata

Malware Config

Extracted

Family

vidar

Version

10.1

Botnet

231

C2

http://tribecaflatstore.com/

Attributes
  • profile_id

    231

Signatures

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

    suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern

    suricata
  • Vidar Stealer 2 IoCs
    stealer
  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads local data of messenger clients 2 TTPs

    Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 3 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2716e1c86f3a9c1a4f84eadba40a8b6e80c7ee1fd1a39729c7351b7f85232b7f.exe
    "C:\Users\Admin\AppData\Local\Temp\2716e1c86f3a9c1a4f84eadba40a8b6e80c7ee1fd1a39729c7351b7f85232b7f.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1344
    • C:\Program Files (x86)\LetsSee!\busshost.exe
      "C:\Program Files (x86)\LetsSee!\busshost.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:4344
    • C:\Program Files (x86)\LetsSee!\YTLoader.exe
      "C:\Program Files (x86)\LetsSee!\YTLoader.exe"
      2⤵
      • Executes dropped EXE
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:1300
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 1588
        3⤵
        • Program crash
        PID:1268
    • C:\Program Files (x86)\LetsSee!\conf.exe
      "C:\Program Files (x86)\LetsSee!\conf.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2508
      • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\7ZipArchiver\attachmentphoto.exe
        C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\7ZipArchiver\attachmentphoto.exe
        3⤵
        • Executes dropped EXE
        PID:3924
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c SchTasks /create /SC HOURLY /TN FlashServis /TR C:\ProgramData\FlashSys\CurlMSI.exe
          4⤵
            PID:3672
            • C:\Windows\SysWOW64\schtasks.exe
              SchTasks /create /SC HOURLY /TN FlashServis /TR C:\ProgramData\FlashSys\CurlMSI.exe
              5⤵
              • Creates scheduled task(s)
              PID:380
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c SchTasks /create /SC MINUTE /TN 7ZipUnis /TR C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\7ZipArchiver\volumfix.exe
            4⤵
              PID:3824
              • C:\Windows\SysWOW64\schtasks.exe
                SchTasks /create /SC MINUTE /TN 7ZipUnis /TR C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\7ZipArchiver\volumfix.exe
                5⤵
                • Creates scheduled task(s)
                PID:4004
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k ping -n 2 localhost < nul & del /F /Q "C:\Program Files (x86)\LetsSee!\conf.exe"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4008
            • C:\Windows\SysWOW64\PING.EXE
              ping -n 2 localhost
              4⤵
              • Runs ping.exe
              PID:4596
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 1004
            3⤵
            • Program crash
            PID:1964
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2508 -ip 2508
        1⤵
          PID:1940
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1300 -ip 1300
          1⤵
            PID:4624

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Scheduled Task

          1
          T1053

          Persistence

          Scheduled Task

          1
          T1053

          Privilege Escalation

          Scheduled Task

          1
          T1053

          Defense Evasion

          Credential Access

          Credentials in Files

          4
          T1081

          Discovery

          Query Registry

          4
          T1012

          System Information Discovery

          4
          T1082

          Remote System Discovery

          1
          T1018

          Lateral Movement

          Collection

          Data from Local System

          4
          T1005

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\LetsSee!\YTLoader.exe
            Filesize

            3.0MB

            MD5

            adc9db2753fa3daa6a8156254ba2a5f1

            SHA1

            50ff27e2e1c4acc35768b93b73c03f7630027f04

            SHA256

            f8cc40321301d39f03eaa48d42cbbb2e953b694dc13ccf9d986032c621223fde

            SHA512

            5f7fca8da622035f3a83e562d727ccdd842d623ec376f93c75c3218bddd970c34a9efc66a33cfd6e52a398fa2ed090b890d05aecef53f65a22917d50d31a1195

            Download Submit
          • C:\Program Files (x86)\LetsSee!\YTLoader.exe
            Filesize

            3.0MB

            MD5

            adc9db2753fa3daa6a8156254ba2a5f1

            SHA1

            50ff27e2e1c4acc35768b93b73c03f7630027f04

            SHA256

            f8cc40321301d39f03eaa48d42cbbb2e953b694dc13ccf9d986032c621223fde

            SHA512

            5f7fca8da622035f3a83e562d727ccdd842d623ec376f93c75c3218bddd970c34a9efc66a33cfd6e52a398fa2ed090b890d05aecef53f65a22917d50d31a1195

            Download Submit
          • C:\Program Files (x86)\LetsSee!\busshost.exe
            Filesize

            691KB

            MD5

            2701035edc9e95fd6cb11c577d3539aa

            SHA1

            5425c5fa5b27eb1b13f6cd70fa2c65c10cdea797

            SHA256

            7620d8b06fecc8874b8dbe32ffc36631b07a93a8ada85d67efef08c371e8f763

            SHA512

            dd31653cc8b965f1da80163ca3b4a41b9777220f4f4f9b08d015e6d7f1e9947fb64816c4f5f448b9db268bf814b7da54dba6140c5cac7a1d418f0ff28b9619cf

            Download Submit
          • C:\Program Files (x86)\LetsSee!\busshost.exe
            Filesize

            691KB

            MD5

            2701035edc9e95fd6cb11c577d3539aa

            SHA1

            5425c5fa5b27eb1b13f6cd70fa2c65c10cdea797

            SHA256

            7620d8b06fecc8874b8dbe32ffc36631b07a93a8ada85d67efef08c371e8f763

            SHA512

            dd31653cc8b965f1da80163ca3b4a41b9777220f4f4f9b08d015e6d7f1e9947fb64816c4f5f448b9db268bf814b7da54dba6140c5cac7a1d418f0ff28b9619cf

            Download Submit
          • C:\Program Files (x86)\LetsSee!\conf.exe
            Filesize

            1013KB

            MD5

            cb8bb9ea2ac2203f4161bc5e866ea915

            SHA1

            6a03b7d688e120f69df13a63e69a0bf032324adb

            SHA256

            a490427e251c8aeea6219a2ffa8e3266a3d0e39d0df18e13b5b1502a26ca6027

            SHA512

            b13c9162872096895d6dc775311abcb9eca1494e29bd1da34bbdfc490947b60a3c1b54a129999764314ad5448af57e707cbcf6df4857a0199d5a6de5255b0268

            Download Submit
          • C:\Program Files (x86)\LetsSee!\conf.exe
            Filesize

            1013KB

            MD5

            cb8bb9ea2ac2203f4161bc5e866ea915

            SHA1

            6a03b7d688e120f69df13a63e69a0bf032324adb

            SHA256

            a490427e251c8aeea6219a2ffa8e3266a3d0e39d0df18e13b5b1502a26ca6027

            SHA512

            b13c9162872096895d6dc775311abcb9eca1494e29bd1da34bbdfc490947b60a3c1b54a129999764314ad5448af57e707cbcf6df4857a0199d5a6de5255b0268

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\7ZipArchiver\attachmentphoto.exe
            Filesize

            1013KB

            MD5

            cb8bb9ea2ac2203f4161bc5e866ea915

            SHA1

            6a03b7d688e120f69df13a63e69a0bf032324adb

            SHA256

            a490427e251c8aeea6219a2ffa8e3266a3d0e39d0df18e13b5b1502a26ca6027

            SHA512

            b13c9162872096895d6dc775311abcb9eca1494e29bd1da34bbdfc490947b60a3c1b54a129999764314ad5448af57e707cbcf6df4857a0199d5a6de5255b0268

            Download Submit
          • C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\7ZipArchiver\attachmentphoto.exe
            Filesize

            1013KB

            MD5

            cb8bb9ea2ac2203f4161bc5e866ea915

            SHA1

            6a03b7d688e120f69df13a63e69a0bf032324adb

            SHA256

            a490427e251c8aeea6219a2ffa8e3266a3d0e39d0df18e13b5b1502a26ca6027

            SHA512

            b13c9162872096895d6dc775311abcb9eca1494e29bd1da34bbdfc490947b60a3c1b54a129999764314ad5448af57e707cbcf6df4857a0199d5a6de5255b0268

            Download Submit
          • memory/380-162-0x0000000000000000-mapping.dmp
            Download
          • memory/1300-149-0x0000000005150000-0x0000000005158000-memory.dmp
            Filesize

            32KB

            Download
          • memory/1300-151-0x0000000005170000-0x0000000005178000-memory.dmp
            Filesize

            32KB

            Download
          • memory/1300-133-0x0000000000000000-mapping.dmp
            Download
          • memory/1300-140-0x00000000052E0000-0x00000000052E8000-memory.dmp
            Filesize

            32KB

            Download
          • memory/1300-138-0x00000000004A0000-0x00000000007A8000-memory.dmp
            Filesize

            3.0MB

            Download
          • memory/1300-145-0x0000000005110000-0x0000000005118000-memory.dmp
            Filesize

            32KB

            Download
          • memory/1300-146-0x0000000005120000-0x0000000005128000-memory.dmp
            Filesize

            32KB

            Download
          • memory/1300-139-0x00000000052D0000-0x00000000052DA000-memory.dmp
            Filesize

            40KB

            Download
          • memory/1300-148-0x0000000005130000-0x0000000005138000-memory.dmp
            Filesize

            32KB

            Download
          • memory/1300-150-0x0000000005160000-0x0000000005168000-memory.dmp
            Filesize

            32KB

            Download
          • memory/2508-143-0x0000000005950000-0x00000000059E5000-memory.dmp
            Filesize

            596KB

            Download
          • memory/2508-156-0x0000000000400000-0x000000000535D000-memory.dmp
            Filesize

            79.4MB

            Download
          • memory/2508-158-0x0000000005950000-0x00000000059E5000-memory.dmp
            Filesize

            596KB

            Download
          • memory/2508-135-0x0000000000000000-mapping.dmp
            Download
          • memory/3672-161-0x0000000000000000-mapping.dmp
            Download
          • memory/3824-160-0x0000000000000000-mapping.dmp
            Download
          • memory/3924-152-0x0000000000000000-mapping.dmp
            Download
          • memory/3924-167-0x0000000000400000-0x000000000535D000-memory.dmp
            Filesize

            79.4MB

            Download
          • memory/3924-166-0x0000000000400000-0x000000000535D000-memory.dmp
            Filesize

            79.4MB

            Download
          • memory/3924-165-0x00000000059EB000-0x0000000005A80000-memory.dmp
            Filesize

            596KB

            Download
          • memory/4004-163-0x0000000000000000-mapping.dmp
            Download
          • memory/4008-155-0x0000000000000000-mapping.dmp
            Download
          • memory/4344-154-0x0000000000400000-0x000000000530D000-memory.dmp
            Filesize

            79.1MB

            Download
          • memory/4344-142-0x0000000005890000-0x0000000005990000-memory.dmp
            Filesize

            1024KB

            Download
          • memory/4344-164-0x0000000000400000-0x000000000530D000-memory.dmp
            Filesize

            79.1MB

            Download
          • memory/4344-130-0x0000000000000000-mapping.dmp
            Download
          • memory/4344-144-0x0000000005890000-0x0000000005990000-memory.dmp
            Filesize

            1024KB

            Download
          • memory/4596-157-0x0000000000000000-mapping.dmp
            Download