Analysis
- max time kernel: 112s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 19-06-2022 23:43
- Static task: static1
- Behavioral task: behavioral1
- Sample: 33e6c8983da37dc43f47b7ee8a11c1c8c3d1b4c2fcec0bd875ffac67c03b4efc.exe
- Resource: win7-20220414-en
General
- Target: 33e6c8983da37dc43f47b7ee8a11c1c8c3d1b4c2fcec0bd875ffac67c03b4efc.exe
- Size: 3.6MB
- MD5: 42be74255a4e9415bb0ebef9bc244821
- SHA1: 3b3707ab4d417de3bc8bb0ffe6ed409a8cf00128
- SHA256: 33e6c8983da37dc43f47b7ee8a11c1c8c3d1b4c2fcec0bd875ffac67c03b4efc
- SHA512: baaccc50223bf6377e12237373e9ca531b5ffee5b5c00a3bbae8801fd67ee65e16f346c2ec8fccd1dfafbaee37ccea9ea60df2f10bf9a42c3c729a4e8af77d51
Malware Config
Extracted
- Family: vidar
- Version: 9.6
- Botnet: 231
- C2: http://iloveshaus.com/
- profile_id: 231
Signatures
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
- suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
- Vidar Stealer (2 IoCs)
  resource | yara_rule
  behavioral2/memory/3464-140-0x0000000000400000-0x00000000004EC000-memory.dmp | family_vidar
  behavioral2/memory/3464-150-0x0000000000400000-0x00000000004EC000-memory.dmp | family_vidar
- Executes dropped EXE (2 IoCs)
  pid  | process
  3464 | busshost.exe
  4300 | YTLoader.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | 33e6c8983da37dc43f47b7ee8a11c1c8c3d1b4c2fcec0bd875ffac67c03b4efc.exe
- Reads local data of messenger clients (2 TTPs)
  Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  12   | ip-api.com
- Drops file in Program Files directory (4 IoCs)
  description | ioc | process
  File opened for modification | C:\Program Files (x86)\LetsSee!\Uninstall.exe | 33e6c8983da37dc43f47b7ee8a11c1c8c3d1b4c2fcec0bd875ffac67c03b4efc.exe
  File created | C:\Program Files (x86)\LetsSee!\Uninstall.ini | 33e6c8983da37dc43f47b7ee8a11c1c8c3d1b4c2fcec0bd875ffac67c03b4efc.exe
  File opened for modification | C:\Program Files (x86)\LetsSee!\YTLoader.exe | 33e6c8983da37dc43f47b7ee8a11c1c8c3d1b4c2fcec0bd875ffac67c03b4efc.exe
  File opened for modification | C:\Program Files (x86)\LetsSee!\busshost.exe | 33e6c8983da37dc43f47b7ee8a11c1c8c3d1b4c2fcec0bd875ffac67c03b4efc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  pid  | pid_target | process      | target process
  3944 | 4300       | WerFault.exe | YTLoader.exe
- Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | YTLoader.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | YTLoader.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | busshost.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | busshost.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | YTLoader.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | YTLoader.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | YTLoader.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid  | process
  3464 | busshost.exe (8 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeDebugPrivilege | 4300 | YTLoader.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | process | target process
  PID 4652 wrote to memory of 3464 | 4652 | 33e6c8983da37dc43f47b7ee8a11c1c8c3d1b4c2fcec0bd875ffac67c03b4efc.exe | busshost.exe (3 entries)
  PID 4652 wrote to memory of 4300 | 4652 | 33e6c8983da37dc43f47b7ee8a11c1c8c3d1b4c2fcec0bd875ffac67c03b4efc.exe | YTLoader.exe (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\33e6c8983da37dc43f47b7ee8a11c1c8c3d1b4c2fcec0bd875ffac67c03b4efc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\33e6c8983da37dc43f47b7ee8a11c1c8c3d1b4c2fcec0bd875ffac67c03b4efc.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\LetsSee!\busshost.exe
    Command line: "C:\Program Files (x86)\LetsSee!\busshost.exe"
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\LetsSee!\YTLoader.exe
    Command line: "C:\Program Files (x86)\LetsSee!\YTLoader.exe"
    - Executes dropped EXE
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 1608
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4300 -ip 4300
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files (x86)\LetsSee!\YTLoader.exe
  Filesize: 3.0MB
  MD5: c53d2de8becdaf58caba89a297455c65
  SHA1: c60da079393025e63475683375e0a045cefa3473
  SHA256: 7d6eb1a70a0fc72adbcf03c05283b40e1ff656d655dbacf4e20fd6d635d46272
  SHA512: a189cba278167f104ae0b27432b5c9a6153b2d8c3d0b6db82d5b71db7d23b9f0226519cc816ba0f5c360f9b029b0bef1636ab41f4ad742808824334e30f65878
- C:\Program Files (x86)\LetsSee!\busshost.exe
  Filesize: 637KB
  MD5: 63ff325ef7a224129c7af43553fd4bb8
  SHA1: 35bb8e666ce5e08b498e8fbceed9d2bc2f427bd8
  SHA256: c1f5a98d8b1c93720c0242f1b0776f77725afd3faf508456f6d863cfd5fc05ec
  SHA512: 799d3f74dbcd38ce713c194515cedd5b261e62fb0b285773a0d89a297d1a286c3a56f0ab1ddc2489bcf3fa023f6037bcacbaf41f681b0b18a248648414ee6f6b
- memory/3464-139-0x0000000002110000-0x0000000002210000-memory.dmp (Filesize: 1024KB)
- memory/3464-149-0x0000000002110000-0x0000000002210000-memory.dmp (Filesize: 1024KB)
- memory/3464-150-0x0000000000400000-0x00000000004EC000-memory.dmp (Filesize: 944KB)
- memory/3464-140-0x0000000000400000-0x00000000004EC000-memory.dmp (Filesize: 944KB)
- memory/3464-131-0x0000000000000000-mapping.dmp
- memory/4300-144-0x0000000006140000-0x0000000006148000-memory.dmp (Filesize: 32KB)
- memory/4300-141-0x0000000006000000-0x000000000600A000-memory.dmp (Filesize: 40KB)
- memory/4300-134-0x0000000000000000-mapping.dmp
- memory/4300-147-0x0000000006180000-0x0000000006188000-memory.dmp (Filesize: 32KB)
- memory/4300-148-0x0000000006190000-0x0000000006198000-memory.dmp (Filesize: 32KB)
- memory/4300-146-0x0000000006170000-0x0000000006178000-memory.dmp (Filesize: 32KB)
- memory/4300-145-0x0000000006150000-0x0000000006158000-memory.dmp (Filesize: 32KB)
- memory/4300-143-0x0000000006130000-0x0000000006138000-memory.dmp (Filesize: 32KB)
- memory/4300-142-0x0000000006010000-0x0000000006018000-memory.dmp (Filesize: 32KB)
- memory/4300-137-0x0000000000BD0000-0x0000000000ED8000-memory.dmp (Filesize: 3.0MB)