Analysis
- max time kernel: 78s
- max time network: 137s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 08-07-2022 06:28
Static task: static1
Behavioral task: behavioral1
Sample: 4135938f1fdf73960b444fb49177b35a46fe71893456ea9572de215b40ee41ba.exe
Resource: win7-20220414-en
General
- Target: 4135938f1fdf73960b444fb49177b35a46fe71893456ea9572de215b40ee41ba.exe
- Size: 3.6MB
- MD5: 6937f5f3b8539c13bada23dc2a48c588
- SHA1: d074581d877f81abc2061fdb648049fe422a5458
- SHA256: 4135938f1fdf73960b444fb49177b35a46fe71893456ea9572de215b40ee41ba
- SHA512: 7c1873a603efe3e46a618ff01c8d1a5182655bfcb2399f0bf97ac2f07890a790695a9fe3356479058e835c178629e9abc74b5c58c3be480a853af64af4374531
Malware Config
Extracted
- family: vidar
- 10.7
- 231
- http://mooreny.top/
- profile_id: 231
Signatures
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
-
Vidar Stealer 2 IoCs
Processes:
  resource: behavioral1/memory/1880-66-0x0000000000400000-0x0000000005310000-memory.dmp  yara_rule: family_vidar
  resource: behavioral1/memory/1880-70-0x0000000000400000-0x0000000005310000-memory.dmp  yara_rule: family_vidar
-
Executes dropped EXE 2 IoCs
Processes: busshost.exe, YTLoader.exe
  pid 1880  busshost.exe
  pid 628   YTLoader.exe
-
Loads dropped DLL 8 IoCs
Processes: 4135938f1fdf73960b444fb49177b35a46fe71893456ea9572de215b40ee41ba.exe, WerFault.exe
  pid 1768  4135938f1fdf73960b444fb49177b35a46fe71893456ea9572de215b40ee41ba.exe
  pid 1768  4135938f1fdf73960b444fb49177b35a46fe71893456ea9572de215b40ee41ba.exe
  pid 1768  4135938f1fdf73960b444fb49177b35a46fe71893456ea9572de215b40ee41ba.exe
  pid 1252  WerFault.exe
  pid 1252  WerFault.exe
  pid 1252  WerFault.exe
  pid 1252  WerFault.exe
  pid 1252  WerFault.exe
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 8  ioc ip-api.com
-
Drops file in Program Files directory 4 IoCs
Processes: 4135938f1fdf73960b444fb49177b35a46fe71893456ea9572de215b40ee41ba.exe
  description: File created                  ioc: C:\Program Files (x86)\LetsSee!\Uninstall.ini  process: 4135938f1fdf73960b444fb49177b35a46fe71893456ea9572de215b40ee41ba.exe
  description: File opened for modification  ioc: C:\Program Files (x86)\LetsSee!\YTLoader.exe   process: 4135938f1fdf73960b444fb49177b35a46fe71893456ea9572de215b40ee41ba.exe
  description: File opened for modification  ioc: C:\Program Files (x86)\LetsSee!\busshost.exe   process: 4135938f1fdf73960b444fb49177b35a46fe71893456ea9572de215b40ee41ba.exe
  description: File opened for modification  ioc: C:\Program Files (x86)\LetsSee!\Uninstall.exe  process: 4135938f1fdf73960b444fb49177b35a46fe71893456ea9572de215b40ee41ba.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes: WerFault.exe
  pid 1252  pid_target 628  process WerFault.exe  target process YTLoader.exe
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: busshost.exe, YTLoader.exe
  description: Key opened         ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      process: busshost.exe
  description: Key value queried  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  process: busshost.exe
  description: Key opened         ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      process: YTLoader.exe
  description: Key value queried  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  process: YTLoader.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: YTLoader.exe
  description: Key opened         ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    process: YTLoader.exe
  description: Key value queried  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  process: YTLoader.exe
  description: Key value queried  ioc: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   process: YTLoader.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: busshost.exe
  pid 1880  busshost.exe
  pid 1880  busshost.exe
  pid 1880  busshost.exe
  pid 1880  busshost.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: YTLoader.exe
  description: Token: SeDebugPrivilege  pid 628  process YTLoader.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes: 4135938f1fdf73960b444fb49177b35a46fe71893456ea9572de215b40ee41ba.exe, YTLoader.exe
  PID 1768 wrote to memory of 1880  pid 1768  process 4135938f1fdf73960b444fb49177b35a46fe71893456ea9572de215b40ee41ba.exe  target process busshost.exe
  PID 1768 wrote to memory of 1880  pid 1768  process 4135938f1fdf73960b444fb49177b35a46fe71893456ea9572de215b40ee41ba.exe  target process busshost.exe
  PID 1768 wrote to memory of 1880  pid 1768  process 4135938f1fdf73960b444fb49177b35a46fe71893456ea9572de215b40ee41ba.exe  target process busshost.exe
  PID 1768 wrote to memory of 1880  pid 1768  process 4135938f1fdf73960b444fb49177b35a46fe71893456ea9572de215b40ee41ba.exe  target process busshost.exe
  PID 1768 wrote to memory of 628   pid 1768  process 4135938f1fdf73960b444fb49177b35a46fe71893456ea9572de215b40ee41ba.exe  target process YTLoader.exe
  PID 1768 wrote to memory of 628   pid 1768  process 4135938f1fdf73960b444fb49177b35a46fe71893456ea9572de215b40ee41ba.exe  target process YTLoader.exe
  PID 1768 wrote to memory of 628   pid 1768  process 4135938f1fdf73960b444fb49177b35a46fe71893456ea9572de215b40ee41ba.exe  target process YTLoader.exe
  PID 1768 wrote to memory of 628   pid 1768  process 4135938f1fdf73960b444fb49177b35a46fe71893456ea9572de215b40ee41ba.exe  target process YTLoader.exe
  PID 628 wrote to memory of 1252   pid 628   process YTLoader.exe  target process WerFault.exe
  PID 628 wrote to memory of 1252   pid 628   process YTLoader.exe  target process WerFault.exe
  PID 628 wrote to memory of 1252   pid 628   process YTLoader.exe  target process WerFault.exe
  PID 628 wrote to memory of 1252   pid 628   process YTLoader.exe  target process WerFault.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\4135938f1fdf73960b444fb49177b35a46fe71893456ea9572de215b40ee41ba.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4135938f1fdf73960b444fb49177b35a46fe71893456ea9572de215b40ee41ba.exe"
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\LetsSee!\busshost.exe (level 2)
  Command line: "C:\Program Files (x86)\LetsSee!\busshost.exe"
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\LetsSee!\YTLoader.exe (level 2)
  Command line: "C:\Program Files (x86)\LetsSee!\YTLoader.exe"
- Executes dropped EXE
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exe (level 3)
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 1060
- Loads dropped DLL
- Program crash
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\LetsSee!\YTLoader.exe
  Filesize: 3.0MB
  MD5: adc9db2753fa3daa6a8156254ba2a5f1
  SHA1: 50ff27e2e1c4acc35768b93b73c03f7630027f04
  SHA256: f8cc40321301d39f03eaa48d42cbbb2e953b694dc13ccf9d986032c621223fde
  SHA512: 5f7fca8da622035f3a83e562d727ccdd842d623ec376f93c75c3218bddd970c34a9efc66a33cfd6e52a398fa2ed090b890d05aecef53f65a22917d50d31a1195
-
C:\Program Files (x86)\LetsSee!\busshost.exe
  Filesize: 697KB
  MD5: 288bfe0c07b28bcbbc0674a2f439c1e8
  SHA1: b76e30c73cc16061d639aaaf478744e84f2ea307
  SHA256: cfd9e6c78b68cc240d305a36fd67e9e81ed7acb1f3ea0b110c01f9fad9204569
  SHA512: 61d6cea300d0c082907779def07763a98fbdd24374b2d8a9045dc2bfb8f67daee2e769c4efcb695357d8e1d439a75eaacfdce51fb8637fe9f5e8053ddad2827c
-
\Program Files (x86)\LetsSee!\YTLoader.exe
  Filesize: 3.0MB
  MD5: adc9db2753fa3daa6a8156254ba2a5f1
  SHA1: 50ff27e2e1c4acc35768b93b73c03f7630027f04
  SHA256: f8cc40321301d39f03eaa48d42cbbb2e953b694dc13ccf9d986032c621223fde
  SHA512: 5f7fca8da622035f3a83e562d727ccdd842d623ec376f93c75c3218bddd970c34a9efc66a33cfd6e52a398fa2ed090b890d05aecef53f65a22917d50d31a1195
-
\Program Files (x86)\LetsSee!\busshost.exe
  Filesize: 697KB
  MD5: 288bfe0c07b28bcbbc0674a2f439c1e8
  SHA1: b76e30c73cc16061d639aaaf478744e84f2ea307
  SHA256: cfd9e6c78b68cc240d305a36fd67e9e81ed7acb1f3ea0b110c01f9fad9204569
  SHA512: 61d6cea300d0c082907779def07763a98fbdd24374b2d8a9045dc2bfb8f67daee2e769c4efcb695357d8e1d439a75eaacfdce51fb8637fe9f5e8053ddad2827c
-
memory/628-73-0x0000000000640000-0x0000000000650000-memory.dmp  Filesize: 64KB
-
memory/628-79-0x0000000000AE0000-0x0000000000AE8000-memory.dmp  Filesize: 32KB
-
memory/628-69-0x00000000004A0000-0x00000000004AA000-memory.dmp  Filesize: 40KB
-
memory/628-60-0x0000000000000000-mapping.dmp
-
memory/628-72-0x0000000005200000-0x000000000565A000-memory.dmp  Filesize: 4.4MB
-
memory/628-67-0x0000000000E60000-0x0000000001168000-memory.dmp  Filesize: 3.0MB
-
memory/628-74-0x0000000000690000-0x000000000069A000-memory.dmp  Filesize: 40KB
-
memory/628-75-0x00000000009D0000-0x00000000009DA000-memory.dmp  Filesize: 40KB
-
memory/628-76-0x00000000009F0000-0x00000000009FA000-memory.dmp  Filesize: 40KB
-
memory/628-77-0x0000000000A40000-0x0000000000A48000-memory.dmp  Filesize: 32KB
-
memory/628-78-0x0000000000A90000-0x0000000000A9E000-memory.dmp  Filesize: 56KB
-
memory/628-84-0x0000000004570000-0x0000000004578000-memory.dmp  Filesize: 32KB
-
memory/628-80-0x0000000000AF0000-0x0000000000AF8000-memory.dmp  Filesize: 32KB
-
memory/628-81-0x0000000000B00000-0x0000000000B08000-memory.dmp  Filesize: 32KB
-
memory/628-82-0x0000000000C50000-0x0000000000C58000-memory.dmp  Filesize: 32KB
-
memory/628-83-0x0000000000E50000-0x0000000000E58000-memory.dmp  Filesize: 32KB
-
memory/1252-85-0x0000000000000000-mapping.dmp
-
memory/1768-54-0x0000000075C01000-0x0000000075C03000-memory.dmp  Filesize: 8KB
-
memory/1880-68-0x0000000005570000-0x0000000005670000-memory.dmp  Filesize: 1024KB
-
memory/1880-66-0x0000000000400000-0x0000000005310000-memory.dmp  Filesize: 79.1MB
-
memory/1880-65-0x0000000005570000-0x0000000005670000-memory.dmp  Filesize: 1024KB
-
memory/1880-70-0x0000000000400000-0x0000000005310000-memory.dmp  Filesize: 79.1MB
-
memory/1880-57-0x0000000000000000-mapping.dmp