Analysis
-
max time kernel
158s -
max time network
179s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
25-06-2022 05:37
General
-
Target
a06033fed83a8bfc744a5102fc88003720cb55d5c488ec3eae51f28883814e9f.exe
-
Size
3.6MB
-
MD5
2f34dfbb3d231ffefcf9d15ba70a14e0
-
SHA1
01350475336c95a26b7c0b5d4710b2acd2e57b74
-
SHA256
a06033fed83a8bfc744a5102fc88003720cb55d5c488ec3eae51f28883814e9f
-
SHA512
6534c922964da91b44c320f1af41f63617adbdc9f450d36a844b63c623dc067061ec88132f071296a9bc5c56ef24ec3d495d92d7be2190ad286576e70242a39e
Malware Config
Extracted
vidar
10.8
231
http://idgent.top/
-
profile_id
231
Signatures
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar Stealer 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Program Files directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a06033fed83a8bfc744a5102fc88003720cb55d5c488ec3eae51f28883814e9f.exe"C:\Users\Admin\AppData\Local\Temp\a06033fed83a8bfc744a5102fc88003720cb55d5c488ec3eae51f28883814e9f.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\LetsSee!\busshost.exe"C:\Program Files (x86)\LetsSee!\busshost.exe"2⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\LetsSee!\YTLoader.exe"C:\Program Files (x86)\LetsSee!\YTLoader.exe"2⤵
- Executes dropped EXE
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 15923⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4248 -ip 42481⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\LetsSee!\YTLoader.exeFilesize
3.0MB
MD5adc9db2753fa3daa6a8156254ba2a5f1
SHA150ff27e2e1c4acc35768b93b73c03f7630027f04
SHA256f8cc40321301d39f03eaa48d42cbbb2e953b694dc13ccf9d986032c621223fde
SHA5125f7fca8da622035f3a83e562d727ccdd842d623ec376f93c75c3218bddd970c34a9efc66a33cfd6e52a398fa2ed090b890d05aecef53f65a22917d50d31a1195
-
C:\Program Files (x86)\LetsSee!\YTLoader.exeFilesize
3.0MB
MD5adc9db2753fa3daa6a8156254ba2a5f1
SHA150ff27e2e1c4acc35768b93b73c03f7630027f04
SHA256f8cc40321301d39f03eaa48d42cbbb2e953b694dc13ccf9d986032c621223fde
SHA5125f7fca8da622035f3a83e562d727ccdd842d623ec376f93c75c3218bddd970c34a9efc66a33cfd6e52a398fa2ed090b890d05aecef53f65a22917d50d31a1195
-
C:\Program Files (x86)\LetsSee!\busshost.exeFilesize
742KB
MD500ae12f718d3d9a50c72ce2f9eeee139
SHA16d6f69ec337173550b15539182ea39fa1dcf01e2
SHA256506e2570b86297e10c9eca74dbe5d5d7f9ae50131313e947b3960a6eb7a24dde
SHA512aadef8053440724409c3b063ce1a440ac1c961af8beef7332cbbf9d651a3ce3ddce8ac8d1d8fa843e29e6c4fd80c3cf1b08ac2fa84cd4f7fc95beccf726a5ddd
-
C:\Program Files (x86)\LetsSee!\busshost.exeFilesize
742KB
MD500ae12f718d3d9a50c72ce2f9eeee139
SHA16d6f69ec337173550b15539182ea39fa1dcf01e2
SHA256506e2570b86297e10c9eca74dbe5d5d7f9ae50131313e947b3960a6eb7a24dde
SHA512aadef8053440724409c3b063ce1a440ac1c961af8beef7332cbbf9d651a3ce3ddce8ac8d1d8fa843e29e6c4fd80c3cf1b08ac2fa84cd4f7fc95beccf726a5ddd
-
memory/4248-146-0x0000000005C90000-0x0000000005C98000-memory.dmpFilesize
32KB
-
memory/4248-145-0x0000000005580000-0x0000000005588000-memory.dmpFilesize
32KB
-
memory/4248-136-0x0000000000710000-0x0000000000A18000-memory.dmpFilesize
3.0MB
-
memory/4248-149-0x0000000005CD0000-0x0000000005CD8000-memory.dmpFilesize
32KB
-
memory/4248-148-0x0000000005CC0000-0x0000000005CC8000-memory.dmpFilesize
32KB
-
memory/4248-147-0x0000000005CB0000-0x0000000005CB8000-memory.dmpFilesize
32KB
-
memory/4248-133-0x0000000000000000-mapping.dmp
-
memory/4248-142-0x0000000005540000-0x000000000554A000-memory.dmpFilesize
40KB
-
memory/4248-143-0x0000000005550000-0x0000000005558000-memory.dmpFilesize
32KB
-
memory/4248-144-0x0000000005570000-0x0000000005578000-memory.dmpFilesize
32KB
-
memory/5108-141-0x0000000002920000-0x0000000002A20000-memory.dmpFilesize
1024KB
-
memory/5108-130-0x0000000000000000-mapping.dmp
-
memory/5108-140-0x0000000000400000-0x0000000000CC2000-memory.dmpFilesize
8.8MB
-
memory/5108-139-0x0000000002920000-0x0000000002A20000-memory.dmpFilesize
1024KB
-
memory/5108-137-0x0000000000400000-0x0000000000CC2000-memory.dmpFilesize
8.8MB
-
memory/5108-150-0x0000000000400000-0x0000000000CC2000-memory.dmpFilesize
8.8MB