Analysis
max time kernel: 87s
max time network: 192s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 16-06-2022 06:01
Static task: static1
Behavioral task: behavioral1
Sample: 2716e1c86f3a9c1a4f84eadba40a8b6e80c7ee1fd1a39729c7351b7f85232b7f.exe
Resource: win7-20220414-en
General
Target: 2716e1c86f3a9c1a4f84eadba40a8b6e80c7ee1fd1a39729c7351b7f85232b7f.exe
Size: 4.3MB
MD5: 52bb850d63e79db32342238cb2277bc8
SHA1: 233fbda8e5e7506aa57253f40f66b2b5ea99642b
SHA256: 2716e1c86f3a9c1a4f84eadba40a8b6e80c7ee1fd1a39729c7351b7f85232b7f
SHA512: 9da46e25517815b6d586f899e9374b53826799b89b988af44137c19cec5ea2b9a65b79e99cffa093471e1c5bedecc580b10f1a2824940cb79b9241a0c2f57a0c
Malware Config
Extracted
  Family: vidar
  Version: 10.1
  Botnet: 231
  C2: http://tribecaflatstore.com/
  profile_id: 231
Signatures
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
Vidar Stealer 2 IoCs
  resource: behavioral2/memory/4344-154-0x0000000000400000-0x000000000530D000-memory.dmp  yara_rule: family_vidar
  resource: behavioral2/memory/4344-164-0x0000000000400000-0x000000000530D000-memory.dmp  yara_rule: family_vidar
Executes dropped EXE 4 IoCs
  pid 4344  busshost.exe
  pid 1300  YTLoader.exe
  pid 2508  conf.exe
  pid 3924  attachmentphoto.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
  Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation  process: 2716e1c86f3a9c1a4f84eadba40a8b6e80c7ee1fd1a39729c7351b7f85232b7f.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation  process: conf.exe
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 24  ip-api.com
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
  resource: behavioral2/memory/2508-156-0x0000000000400000-0x000000000535D000-memory.dmp  yara_rule: autoit_exe
  resource: behavioral2/memory/3924-166-0x0000000000400000-0x000000000535D000-memory.dmp  yara_rule: autoit_exe
  resource: behavioral2/memory/3924-167-0x0000000000400000-0x000000000535D000-memory.dmp  yara_rule: autoit_exe
Drops file in Program Files directory 5 IoCs
  File opened for modification  C:\Program Files (x86)\LetsSee!\YTLoader.exe  process: 2716e1c86f3a9c1a4f84eadba40a8b6e80c7ee1fd1a39729c7351b7f85232b7f.exe
  File opened for modification  C:\Program Files (x86)\LetsSee!\busshost.exe  process: 2716e1c86f3a9c1a4f84eadba40a8b6e80c7ee1fd1a39729c7351b7f85232b7f.exe
  File opened for modification  C:\Program Files (x86)\LetsSee!\conf.exe  process: 2716e1c86f3a9c1a4f84eadba40a8b6e80c7ee1fd1a39729c7351b7f85232b7f.exe
  File opened for modification  C:\Program Files (x86)\LetsSee!\Uninstall.exe  process: 2716e1c86f3a9c1a4f84eadba40a8b6e80c7ee1fd1a39729c7351b7f85232b7f.exe
  File created  C:\Program Files (x86)\LetsSee!\Uninstall.ini  process: 2716e1c86f3a9c1a4f84eadba40a8b6e80c7ee1fd1a39729c7351b7f85232b7f.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 2 IoCs
  pid 1964  WerFault.exe  target pid 2508  target process: conf.exe
  pid 1268  WerFault.exe  target pid 1300  target process: YTLoader.exe
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  process: YTLoader.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  process: YTLoader.exe
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  process: busshost.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  process: busshost.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Enumerates system info in registry 2 TTPs 3 IoCs
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  process: YTLoader.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  process: YTLoader.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  process: YTLoader.exe
Runs ping.exe 1 TTPs 1 IoCs
Suspicious behavior: EnumeratesProcesses 8 IoCs
  pid 4344  busshost.exe  (8 occurrences)
Suspicious use of AdjustPrivilegeToken 1 IoCs
  Token: SeDebugPrivilege  pid 1300  YTLoader.exe
Suspicious use of WriteProcessMemory 18 IoCs
  PID 1344 wrote to memory of 4344  2716e1c86f3a9c1a4f84eadba40a8b6e80c7ee1fd1a39729c7351b7f85232b7f.exe -> busshost.exe  (3 occurrences)
  PID 1344 wrote to memory of 1300  2716e1c86f3a9c1a4f84eadba40a8b6e80c7ee1fd1a39729c7351b7f85232b7f.exe -> YTLoader.exe  (3 occurrences)
  PID 1344 wrote to memory of 2508  2716e1c86f3a9c1a4f84eadba40a8b6e80c7ee1fd1a39729c7351b7f85232b7f.exe -> conf.exe  (3 occurrences)
  PID 2508 wrote to memory of 3924  conf.exe -> attachmentphoto.exe  (3 occurrences)
  PID 2508 wrote to memory of 4008  conf.exe -> cmd.exe  (3 occurrences)
  PID 4008 wrote to memory of 4596  cmd.exe -> PING.EXE  (3 occurrences)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\2716e1c86f3a9c1a4f84eadba40a8b6e80c7ee1fd1a39729c7351b7f85232b7f.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\2716e1c86f3a9c1a4f84eadba40a8b6e80c7ee1fd1a39729c7351b7f85232b7f.exe"
    - Checks computer location settings
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
  [2] C:\Program Files (x86)\LetsSee!\busshost.exe
      command line: "C:\Program Files (x86)\LetsSee!\busshost.exe"
      - Executes dropped EXE
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Program Files (x86)\LetsSee!\YTLoader.exe
      command line: "C:\Program Files (x86)\LetsSee!\YTLoader.exe"
      - Executes dropped EXE
      - Checks processor information in registry
      - Enumerates system info in registry
      - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1300 -s 1588
        - Program crash
  [2] C:\Program Files (x86)\LetsSee!\conf.exe
      command line: "C:\Program Files (x86)\LetsSee!\conf.exe"
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\7ZipArchiver\attachmentphoto.exe
        command line: C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\7ZipArchiver\attachmentphoto.exe
        - Executes dropped EXE
      [4] C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c SchTasks /create /SC HOURLY /TN FlashServis /TR C:\ProgramData\FlashSys\CurlMSI.exe
        [5] C:\Windows\SysWOW64\schtasks.exe
            command line: SchTasks /create /SC HOURLY /TN FlashServis /TR C:\ProgramData\FlashSys\CurlMSI.exe
            - Creates scheduled task(s)
      [4] C:\Windows\SysWOW64\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c SchTasks /create /SC MINUTE /TN 7ZipUnis /TR C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\7ZipArchiver\volumfix.exe
        [5] C:\Windows\SysWOW64\schtasks.exe
            command line: SchTasks /create /SC MINUTE /TN 7ZipUnis /TR C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\7ZipArchiver\volumfix.exe
            - Creates scheduled task(s)
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /k ping -n 2 localhost < nul & del /F /Q "C:\Program Files (x86)\LetsSee!\conf.exe"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\PING.EXE
          command line: ping -n 2 localhost
          - Runs ping.exe
    [3] C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 1004
        - Program crash
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2508 -ip 2508
[1] C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1300 -ip 1300
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Program Files (x86)\LetsSee!\YTLoader.exe
  Filesize: 3.0MB
  MD5: adc9db2753fa3daa6a8156254ba2a5f1
  SHA1: 50ff27e2e1c4acc35768b93b73c03f7630027f04
  SHA256: f8cc40321301d39f03eaa48d42cbbb2e953b694dc13ccf9d986032c621223fde
  SHA512: 5f7fca8da622035f3a83e562d727ccdd842d623ec376f93c75c3218bddd970c34a9efc66a33cfd6e52a398fa2ed090b890d05aecef53f65a22917d50d31a1195
C:\Program Files (x86)\LetsSee!\busshost.exe
  Filesize: 691KB
  MD5: 2701035edc9e95fd6cb11c577d3539aa
  SHA1: 5425c5fa5b27eb1b13f6cd70fa2c65c10cdea797
  SHA256: 7620d8b06fecc8874b8dbe32ffc36631b07a93a8ada85d67efef08c371e8f763
  SHA512: dd31653cc8b965f1da80163ca3b4a41b9777220f4f4f9b08d015e6d7f1e9947fb64816c4f5f448b9db268bf814b7da54dba6140c5cac7a1d418f0ff28b9619cf
C:\Program Files (x86)\LetsSee!\conf.exe
  Filesize: 1013KB
  MD5: cb8bb9ea2ac2203f4161bc5e866ea915
  SHA1: 6a03b7d688e120f69df13a63e69a0bf032324adb
  SHA256: a490427e251c8aeea6219a2ffa8e3266a3d0e39d0df18e13b5b1502a26ca6027
  SHA512: b13c9162872096895d6dc775311abcb9eca1494e29bd1da34bbdfc490947b60a3c1b54a129999764314ad5448af57e707cbcf6df4857a0199d5a6de5255b0268
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\7ZipArchiver\attachmentphoto.exe
  Filesize: 1013KB
  MD5: cb8bb9ea2ac2203f4161bc5e866ea915
  SHA1: 6a03b7d688e120f69df13a63e69a0bf032324adb
  SHA256: a490427e251c8aeea6219a2ffa8e3266a3d0e39d0df18e13b5b1502a26ca6027
  SHA512: b13c9162872096895d6dc775311abcb9eca1494e29bd1da34bbdfc490947b60a3c1b54a129999764314ad5448af57e707cbcf6df4857a0199d5a6de5255b0268
memory/380-162-0x0000000000000000-mapping.dmp
memory/1300-149-0x0000000005150000-0x0000000005158000-memory.dmp  Filesize: 32KB
memory/1300-151-0x0000000005170000-0x0000000005178000-memory.dmp  Filesize: 32KB
memory/1300-133-0x0000000000000000-mapping.dmp
memory/1300-140-0x00000000052E0000-0x00000000052E8000-memory.dmp  Filesize: 32KB
memory/1300-138-0x00000000004A0000-0x00000000007A8000-memory.dmp  Filesize: 3.0MB
memory/1300-145-0x0000000005110000-0x0000000005118000-memory.dmp  Filesize: 32KB
memory/1300-146-0x0000000005120000-0x0000000005128000-memory.dmp  Filesize: 32KB
memory/1300-139-0x00000000052D0000-0x00000000052DA000-memory.dmp  Filesize: 40KB
memory/1300-148-0x0000000005130000-0x0000000005138000-memory.dmp  Filesize: 32KB
memory/1300-150-0x0000000005160000-0x0000000005168000-memory.dmp  Filesize: 32KB
memory/2508-143-0x0000000005950000-0x00000000059E5000-memory.dmp  Filesize: 596KB
memory/2508-156-0x0000000000400000-0x000000000535D000-memory.dmp  Filesize: 79.4MB
memory/2508-158-0x0000000005950000-0x00000000059E5000-memory.dmp  Filesize: 596KB
memory/2508-135-0x0000000000000000-mapping.dmp
memory/3672-161-0x0000000000000000-mapping.dmp
memory/3824-160-0x0000000000000000-mapping.dmp
memory/3924-152-0x0000000000000000-mapping.dmp
memory/3924-167-0x0000000000400000-0x000000000535D000-memory.dmp  Filesize: 79.4MB
memory/3924-166-0x0000000000400000-0x000000000535D000-memory.dmp  Filesize: 79.4MB
memory/3924-165-0x00000000059EB000-0x0000000005A80000-memory.dmp  Filesize: 596KB
memory/4004-163-0x0000000000000000-mapping.dmp
memory/4008-155-0x0000000000000000-mapping.dmp
memory/4344-154-0x0000000000400000-0x000000000530D000-memory.dmp  Filesize: 79.1MB
memory/4344-142-0x0000000005890000-0x0000000005990000-memory.dmp  Filesize: 1024KB
memory/4344-164-0x0000000000400000-0x000000000530D000-memory.dmp  Filesize: 79.1MB
memory/4344-130-0x0000000000000000-mapping.dmp
memory/4344-144-0x0000000005890000-0x0000000005990000-memory.dmp  Filesize: 1024KB
memory/4596-157-0x0000000000000000-mapping.dmp