Analysis
- max time kernel: 158s
- max time network: 179s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 25-06-2022 05:37
- Static task: static1
- Behavioral task: behavioral1
- Sample: a06033fed83a8bfc744a5102fc88003720cb55d5c488ec3eae51f28883814e9f.exe
- Resource: win7-20220414-en
General
- Target: a06033fed83a8bfc744a5102fc88003720cb55d5c488ec3eae51f28883814e9f.exe
- Size: 3.6MB
- MD5: 2f34dfbb3d231ffefcf9d15ba70a14e0
- SHA1: 01350475336c95a26b7c0b5d4710b2acd2e57b74
- SHA256: a06033fed83a8bfc744a5102fc88003720cb55d5c488ec3eae51f28883814e9f
- SHA512: 6534c922964da91b44c320f1af41f63617adbdc9f450d36a844b63c623dc067061ec88132f071296a9bc5c56ef24ec3d495d92d7be2190ad286576e70242a39e
Malware Config
Extracted
- Family: vidar
- Version: 10.8
- Botnet: 231
- C2: http://idgent.top/
- profile_id: 231
Signatures

Vidar Stealer (2 IoCs)
Processes:
- resource: behavioral2/memory/5108-140-0x0000000000400000-0x0000000000CC2000-memory.dmp; yara_rule: family_vidar
- resource: behavioral2/memory/5108-150-0x0000000000400000-0x0000000000CC2000-memory.dmp; yara_rule: family_vidar
Executes dropped EXE (2 IoCs)
Processes:
- pid 5108: busshost.exe
- pid 4248: YTLoader.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried: \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation (process: a06033fed83a8bfc744a5102fc88003720cb55d5c488ec3eae51f28883814e9f.exe)
Reads local data of messenger clients (2 TTPs)
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 12: ip-api.com
Drops file in Program Files directory (4 IoCs)
Processes:
- File created: C:\Program Files (x86)\LetsSee!\Uninstall.ini (process: a06033fed83a8bfc744a5102fc88003720cb55d5c488ec3eae51f28883814e9f.exe)
- File opened for modification: C:\Program Files (x86)\LetsSee!\YTLoader.exe (process: a06033fed83a8bfc744a5102fc88003720cb55d5c488ec3eae51f28883814e9f.exe)
- File opened for modification: C:\Program Files (x86)\LetsSee!\busshost.exe (process: a06033fed83a8bfc744a5102fc88003720cb55d5c488ec3eae51f28883814e9f.exe)
- File opened for modification: C:\Program Files (x86)\LetsSee!\Uninstall.exe (process: a06033fed83a8bfc744a5102fc88003720cb55d5c488ec3eae51f28883814e9f.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (1 IoCs)
Processes:
- pid 2620 (WerFault.exe), target pid 4248 (YTLoader.exe)
Checks processor information in registry (2 TTPs, 4 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: YTLoader.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: YTLoader.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: busshost.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: busshost.exe)
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (process: YTLoader.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (process: YTLoader.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (process: YTLoader.exe)
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes:
- pid 5108: busshost.exe (8 occurrences)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
- Token: SeDebugPrivilege; pid 4248 (YTLoader.exe)
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
- PID 3332 wrote to memory of 5108: a06033fed83a8bfc744a5102fc88003720cb55d5c488ec3eae51f28883814e9f.exe -> busshost.exe (3 occurrences)
- PID 3332 wrote to memory of 4248: a06033fed83a8bfc744a5102fc88003720cb55d5c488ec3eae51f28883814e9f.exe -> YTLoader.exe (3 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\a06033fed83a8bfc744a5102fc88003720cb55d5c488ec3eae51f28883814e9f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a06033fed83a8bfc744a5102fc88003720cb55d5c488ec3eae51f28883814e9f.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\LetsSee!\busshost.exe
    Command line: "C:\Program Files (x86)\LetsSee!\busshost.exe"
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\LetsSee!\YTLoader.exe
    Command line: "C:\Program Files (x86)\LetsSee!\YTLoader.exe"
    - Executes dropped EXE
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 1592
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4248 -ip 4248
Downloads
- C:\Program Files (x86)\LetsSee!\YTLoader.exe
  Filesize: 3.0MB
  MD5: adc9db2753fa3daa6a8156254ba2a5f1
  SHA1: 50ff27e2e1c4acc35768b93b73c03f7630027f04
  SHA256: f8cc40321301d39f03eaa48d42cbbb2e953b694dc13ccf9d986032c621223fde
  SHA512: 5f7fca8da622035f3a83e562d727ccdd842d623ec376f93c75c3218bddd970c34a9efc66a33cfd6e52a398fa2ed090b890d05aecef53f65a22917d50d31a1195
- C:\Program Files (x86)\LetsSee!\busshost.exe
  Filesize: 742KB
  MD5: 00ae12f718d3d9a50c72ce2f9eeee139
  SHA1: 6d6f69ec337173550b15539182ea39fa1dcf01e2
  SHA256: 506e2570b86297e10c9eca74dbe5d5d7f9ae50131313e947b3960a6eb7a24dde
  SHA512: aadef8053440724409c3b063ce1a440ac1c961af8beef7332cbbf9d651a3ce3ddce8ac8d1d8fa843e29e6c4fd80c3cf1b08ac2fa84cd4f7fc95beccf726a5ddd
- memory/4248-146-0x0000000005C90000-0x0000000005C98000-memory.dmp (Filesize: 32KB)
- memory/4248-145-0x0000000005580000-0x0000000005588000-memory.dmp (Filesize: 32KB)
- memory/4248-136-0x0000000000710000-0x0000000000A18000-memory.dmp (Filesize: 3.0MB)
- memory/4248-149-0x0000000005CD0000-0x0000000005CD8000-memory.dmp (Filesize: 32KB)
- memory/4248-148-0x0000000005CC0000-0x0000000005CC8000-memory.dmp (Filesize: 32KB)
- memory/4248-147-0x0000000005CB0000-0x0000000005CB8000-memory.dmp (Filesize: 32KB)
- memory/4248-133-0x0000000000000000-mapping.dmp
- memory/4248-142-0x0000000005540000-0x000000000554A000-memory.dmp (Filesize: 40KB)
- memory/4248-143-0x0000000005550000-0x0000000005558000-memory.dmp (Filesize: 32KB)
- memory/4248-144-0x0000000005570000-0x0000000005578000-memory.dmp (Filesize: 32KB)
- memory/5108-141-0x0000000002920000-0x0000000002A20000-memory.dmp (Filesize: 1024KB)
- memory/5108-130-0x0000000000000000-mapping.dmp
- memory/5108-140-0x0000000000400000-0x0000000000CC2000-memory.dmp (Filesize: 8.8MB)
- memory/5108-139-0x0000000002920000-0x0000000002A20000-memory.dmp (Filesize: 1024KB)
- memory/5108-137-0x0000000000400000-0x0000000000CC2000-memory.dmp (Filesize: 8.8MB)
- memory/5108-150-0x0000000000400000-0x0000000000CC2000-memory.dmp (Filesize: 8.8MB)