Overview

overview

10

Static

static

9e559c854f...d0.exe

windows7_x64

10

9e559c854f...d0.exe

windows10_x64

10

Analysis

  • max time kernel
    72s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    09-09-2021 07:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9e559c854f7b4c66ffbe7702e8f49cd0.exe

  • Size

    154KB

  • MD5

    9e559c854f7b4c66ffbe7702e8f49cd0

  • SHA1

    cd28198ef48a50b3d14dc8eb5d37f505b2c85c33

  • SHA256

    7004285faaa3caabec19f6382f86f380da6fbe1eb5d624a7bc2a9e999a5ba79d

  • SHA512

    c2c751b71a3b7a2bcade9d59b7071ee4af5f239be4fd2075fb2a4d6bfa23ca1edde4083f0a0aafb578bc1161e5ec5b34587f2596b20309d9541c35df67585e89

Score
10/10
vkeyloggerkeyloggerpersistencestealer

Malware Config

Signatures

  • VKeylogger

    A keylogger first seen in Nov 2020.

    stealerkeyloggervkeylogger
  • VKeylogger Payload 3 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9e559c854f7b4c66ffbe7702e8f49cd0.exe
    "C:\Users\Admin\AppData\Local\Temp\9e559c854f7b4c66ffbe7702e8f49cd0.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1608
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1848
      • C:\Users\Admin\AppData\Local\Temp\133.exe
        "C:\Users\Admin\AppData\Local\Temp\133.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1788
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /tn \6E0302BCB0101291311131 /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\6E0302BCB0101291311131\6E0302BCB0101291311131.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:976
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn \6E0302BCB0101291311131 /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\6E0302BCB0101291311131\6E0302BCB0101291311131.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
            5⤵
            • Creates scheduled task(s)
            PID:1432
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {2D328B8F-FB7D-404D-AFC3-2248255F6BA2} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\6E0302BCB0101291311131\6E0302BCB0101291311131.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\Windows\6E0302BCB0101291311131\6E0302BCB0101291311131.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      PID:1864

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1608-61-0x0000000000400000-0x0000000002144000-memory.dmp

    Filesize

    29.3MB

    Download

  • memory/1608-62-0x0000000075801000-0x0000000075803000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1608-60-0x0000000000020000-0x000000000002E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1788-77-0x0000000000980000-0x0000000000982000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1788-78-0x0000000000B50000-0x0000000000B63000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1848-66-0x0000000000080000-0x000000000008F000-memory.dmp

    Filesize

    60KB

    Download

  • memory/1848-65-0x0000000074581000-0x0000000074583000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1864-82-0x00000000008C0000-0x00000000008C2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1864-83-0x0000000000E80000-0x0000000000E93000-memory.dmp

    Filesize

    76KB

    Download