vkeylogger | b9318666f15be8c73f3014e7abaa6337e5ca53fe5263e2f5b64cd2ad435d21eb

Analysis

max time kernel
148s
max time network
151s
platform
windows10_x64
resource
win10-en-20210920
submitted
05-10-2021 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

svchost.exe_.exe
Size

2.8MB
MD5

9f3b563a15c52fc14740c08c02072953
SHA1

0e0fcb44567c9ef2ce82a1e00e734e1cad402372
SHA256

b9318666f15be8c73f3014e7abaa6337e5ca53fe5263e2f5b64cd2ad435d21eb
SHA512

2224565155f127cb7353e1be06dbb47db74ed0c4bde989f2746470c9385558439299acfaa1375ee19adbec2ae0686c79ff7b30c580823bae3c2057fb7580038d

Score

10^/10

vkeylogger keylogger persistence stealer

Malware Config

Signatures

VKeylogger
A keylogger first seen in Nov 2020.
stealer keylogger vkeylogger

VKeylogger Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4564-136-0x0000000000EC0000-0x0000000000ECF000-memory.dmp	family_vkeylogger
behavioral2/memory/4444-139-0x0000000000AE0000-0x0000000000AEF000-memory.dmp	family_vkeylogger

Executes dropped EXE 3 IoCs

Processes:

dllhost.comdllhost.comdllhost.com

pid process

4448 dllhost.com
4508 dllhost.com
4564 dllhost.com
Deletes itself 1 IoCs

Processes:

dllhost.com

pid process

4508 dllhost.com

pid	process
4448	dllhost.com
4508	dllhost.com
4564	dllhost.com

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

svchost.exe_.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe_.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	svchost.exe_.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsStartmemt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\dllhost.com"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Santa = "C:\\Windows\\system32\\mshta.exe javascript:x=new%20ActiveXObject(\"wscript.shell\");v=x.RegRead(\"HKCU\\\\Software\\\\Microsoft\\\\SMSvcHost\\\\ComponentID\");eval(v);"	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

dllhost.comdllhost.com

description	pid	process	target process
PID 4508 set thread context of 4564	4508	dllhost.com	dllhost.com
PID 4564 set thread context of 4444	4564	dllhost.com	explorer.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

4004 tasklist.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

4332 PING.EXE
692 PING.EXE

pid	process
4004	tasklist.exe

pid	process
4332	PING.EXE
692	PING.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

dllhost.com

pid	process
4508	dllhost.com
4508	dllhost.com
4508	dllhost.com
4508	dllhost.com
4508	dllhost.com
4508	dllhost.com
4508	dllhost.com
4508	dllhost.com
4508	dllhost.com
4508	dllhost.com
4508	dllhost.com
4508	dllhost.com
4508	dllhost.com
4508	dllhost.com
4508	dllhost.com
4508	dllhost.com
4508	dllhost.com
4508	dllhost.com

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

dllhost.comexplorer.exe

pid process

4564 dllhost.com
4444 explorer.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

tasklist.exe

description pid process

Token: SeDebugPrivilege 4004 tasklist.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

explorer.exe

pid process

4444 explorer.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

explorer.exe

pid process

4444 explorer.exe

pid	process
4564	dllhost.com
4444	explorer.exe

description	pid	process
Token: SeDebugPrivilege	4004	tasklist.exe

pid	process
4444	explorer.exe

pid	process
4444	explorer.exe

Suspicious use of WriteProcessMemory 41 IoCs

Processes:

svchost.exe_.execmd.execmd.exedllhost.comdllhost.comdllhost.com

description	pid	process	target process
PID 3572 wrote to memory of 3684	3572	svchost.exe_.exe	cmd.exe
PID 3572 wrote to memory of 3684	3572	svchost.exe_.exe	cmd.exe
PID 3572 wrote to memory of 3684	3572	svchost.exe_.exe	cmd.exe
PID 3572 wrote to memory of 1952	3572	svchost.exe_.exe	cmd.exe
PID 3572 wrote to memory of 1952	3572	svchost.exe_.exe	cmd.exe
PID 3572 wrote to memory of 1952	3572	svchost.exe_.exe	cmd.exe
PID 1952 wrote to memory of 2352	1952	cmd.exe	certutil.exe
PID 1952 wrote to memory of 2352	1952	cmd.exe	certutil.exe
PID 1952 wrote to memory of 2352	1952	cmd.exe	certutil.exe
PID 1952 wrote to memory of 4040	1952	cmd.exe	cmd.exe
PID 1952 wrote to memory of 4040	1952	cmd.exe	cmd.exe
PID 1952 wrote to memory of 4040	1952	cmd.exe	cmd.exe
PID 4040 wrote to memory of 4004	4040	cmd.exe	tasklist.exe
PID 4040 wrote to memory of 4004	4040	cmd.exe	tasklist.exe
PID 4040 wrote to memory of 4004	4040	cmd.exe	tasklist.exe
PID 4040 wrote to memory of 4012	4040	cmd.exe	find.exe
PID 4040 wrote to memory of 4012	4040	cmd.exe	find.exe
PID 4040 wrote to memory of 4012	4040	cmd.exe	find.exe
PID 4040 wrote to memory of 4332	4040	cmd.exe	PING.EXE
PID 4040 wrote to memory of 4332	4040	cmd.exe	PING.EXE
PID 4040 wrote to memory of 4332	4040	cmd.exe	PING.EXE
PID 4040 wrote to memory of 4312	4040	cmd.exe	certutil.exe
PID 4040 wrote to memory of 4312	4040	cmd.exe	certutil.exe
PID 4040 wrote to memory of 4312	4040	cmd.exe	certutil.exe
PID 4040 wrote to memory of 4448	4040	cmd.exe	dllhost.com
PID 4040 wrote to memory of 4448	4040	cmd.exe	dllhost.com
PID 4040 wrote to memory of 4448	4040	cmd.exe	dllhost.com
PID 4040 wrote to memory of 692	4040	cmd.exe	PING.EXE
PID 4040 wrote to memory of 692	4040	cmd.exe	PING.EXE
PID 4040 wrote to memory of 692	4040	cmd.exe	PING.EXE
PID 4448 wrote to memory of 4508	4448	dllhost.com	dllhost.com
PID 4448 wrote to memory of 4508	4448	dllhost.com	dllhost.com
PID 4448 wrote to memory of 4508	4448	dllhost.com	dllhost.com
PID 4508 wrote to memory of 4564	4508	dllhost.com	dllhost.com
PID 4508 wrote to memory of 4564	4508	dllhost.com	dllhost.com
PID 4508 wrote to memory of 4564	4508	dllhost.com	dllhost.com
PID 4508 wrote to memory of 4564	4508	dllhost.com	dllhost.com
PID 4508 wrote to memory of 4564	4508	dllhost.com	dllhost.com
PID 4564 wrote to memory of 4444	4564	dllhost.com	explorer.exe
PID 4564 wrote to memory of 4444	4564	dllhost.com	explorer.exe
PID 4564 wrote to memory of 4444	4564	dllhost.com	explorer.exe

C:\Users\Admin\AppData\Local\Temp\svchost.exe_.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe_.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3572

C:\Windows\SysWOW64\cmd.exe
cmd /c QxfDpS
2⤵
PID:3684

C:\Windows\SysWOW64\cmd.exe
cmd /c certutil -decode 85-32 50-91 & cmd < 50-91
2⤵
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\SysWOW64\certutil.exe
certutil -decode 85-32 50-91
3⤵
PID:2352

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "IMAGENAME eq srvpost.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4004

C:\Windows\SysWOW64\find.exe
find /I /N "srvpost.exe"
4⤵
PID:4012

C:\Windows\SysWOW64\PING.EXE
ping -n 1 zpbTWPYwB.zpbTWPYwB
4⤵
- Runs ping.exe
PID:4332

C:\Windows\SysWOW64\certutil.exe
certutil -decode 3-31 T
4⤵
PID:4312

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dllhost.com
dllhost.com T
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dllhost.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dllhost.com T
5⤵
- Executes dropped EXE
- Deletes itself
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4508

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dllhost.com
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dllhost.com
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4564

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
7⤵
- Adds Run key to start application
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4444

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 3
4⤵
- Runs ping.exe
PID:692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3-31
MD5
86bc1d0fbee53b193deb1f2e471ebc9f

SHA1
77cf011c0a89a8b663d9862ba29fbd41cbe97f16

SHA256
653fbda407adeb1016be457df92742510473c42dc7a586b8064b6187d7baac9c

SHA512
d2fa7f74388157bc2901418af9bfa884eda31bd48da99133f1c50817df3733ec89e02a05e3f1c16db45f8bd99cbb286fe17d698adebbb74225904377d62f3eee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\50-91
MD5
2ff1c52353b2985dcac4364cdc3914ad

SHA1
92f4349bb063da88b05d56a204af88e48f8242a9

SHA256
f5e645a7166a5feb796475fdd85459dc8ef6f683868e258b848a670cd7093eab

SHA512
f03e21f251277740c1ca963831d4c97d652d6c768a8c83c45229deb477e74f04778c26af04737ae19c73bbbde2279f4e805b46c6bad128849d779daa6a59267c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\59-97
MD5
7b573c98b3fd01b8dc83da2710f9ef53

SHA1
9dc46d49571ffa5fb70c87ac2aef11b4030146e3

SHA256
dce1ce863077bd13852703df55c9185fa27bdd7defa9dce9a810ddf3c7751c64

SHA512
140dfabdbe289ee6df5319a73e94c44e96f5a4aff07cb173a45bfe3466c1f26503c3aa5f23e8999a123673c893563177d1e8247d69b4b2fad3c672052cabb17b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7-7
MD5
dc62bb2dac17453dd9356923780c0115

SHA1
dc1ba5eab540eed3d1020b81fc19aebc31a3b040

SHA256
d6330ace7072197e4c71e574bf9dcae932f9b65e452d5814a02b8ed55d9206e5

SHA512
87042702b8d4e22c8a362bc637aea944b7a45b947656ba295ff381517be58f9e04348b77ff797ae0f9bbda8bfd958879f65535d75a276dd0a20495af12a351e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\85-32
MD5
36ffffbb2dcbacac1ce1f666b6dc46be

SHA1
ca7f1d4d489dfab21fb9b926601b66a5f5b05dcc

SHA256
1dd59f2a8795aab941c2195be74ed9c91b9a2e182db92cdf95479e504d2be7d5

SHA512
2072f94e5ee8234fb4e75a5c4742a8bcf74de34de93c30dacb74fd6b44baaecad45b90c6394171cae3158db86f479bf1ce92e4de35e8c35e62441e27fbf11901

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\T
MD5
13bf07e459a6f2e594da96834a5bccd4

SHA1
d52c69844327c3a11fe51c2c682f428a4e526c9b

SHA256
673b801bad16732e02e91ced7867f6fc4c26b113539800c69fcd2af846710214

SHA512
edf3eaa1c4bf00a61a5f745036321d45a4440b2057129f6a452b11de761c43d9ca9505e779a91dff5cab4f86b98886f4b7c1a809512891c9039da02805eeef43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dllhost.com
MD5
6044ba604bb80aa7d9ad6dbfd9cadaca

SHA1
8cc61cc5c9e5c1d038cee584bb61078fec757ada

SHA256
9e3036d12cda6931dfb6c658587bec8bdb87249e1bf390f28acd4de2bf1f86f0

SHA512
ef128d4364fbf85d4ca69975cb0b3a753988610308e0da46589a01f64df4b139e71ff38264d6b77866ca68d7e9193d1a249b68fc5a68b5ac8e7aba18b87b691d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dllhost.com
MD5
6044ba604bb80aa7d9ad6dbfd9cadaca

SHA1
8cc61cc5c9e5c1d038cee584bb61078fec757ada

SHA256
9e3036d12cda6931dfb6c658587bec8bdb87249e1bf390f28acd4de2bf1f86f0

SHA512
ef128d4364fbf85d4ca69975cb0b3a753988610308e0da46589a01f64df4b139e71ff38264d6b77866ca68d7e9193d1a249b68fc5a68b5ac8e7aba18b87b691d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dllhost.com
MD5
6044ba604bb80aa7d9ad6dbfd9cadaca

SHA1
8cc61cc5c9e5c1d038cee584bb61078fec757ada

SHA256
9e3036d12cda6931dfb6c658587bec8bdb87249e1bf390f28acd4de2bf1f86f0

SHA512
ef128d4364fbf85d4ca69975cb0b3a753988610308e0da46589a01f64df4b139e71ff38264d6b77866ca68d7e9193d1a249b68fc5a68b5ac8e7aba18b87b691d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dllhost.com
MD5
6044ba604bb80aa7d9ad6dbfd9cadaca

SHA1
8cc61cc5c9e5c1d038cee584bb61078fec757ada

SHA256
9e3036d12cda6931dfb6c658587bec8bdb87249e1bf390f28acd4de2bf1f86f0

SHA512
ef128d4364fbf85d4ca69975cb0b3a753988610308e0da46589a01f64df4b139e71ff38264d6b77866ca68d7e9193d1a249b68fc5a68b5ac8e7aba18b87b691d

Download Submit
memory/692-129-0x0000000000000000-mapping.dmp

Download
memory/1952-116-0x0000000000000000-mapping.dmp

Download
memory/2352-117-0x0000000000000000-mapping.dmp

Download
memory/3684-115-0x0000000000000000-mapping.dmp

Download
memory/4004-121-0x0000000000000000-mapping.dmp

Download
memory/4012-122-0x0000000000000000-mapping.dmp

Download
memory/4040-120-0x0000000000000000-mapping.dmp

Download
memory/4312-125-0x0000000000000000-mapping.dmp

Download
memory/4332-123-0x0000000000000000-mapping.dmp

Download
memory/4444-138-0x0000000000AE2E90-mapping.dmp

Download
memory/4444-139-0x0000000000AE0000-0x0000000000AEF000-memory.dmp

Filesize
60KB

Download
memory/4448-127-0x0000000000000000-mapping.dmp

Download
memory/4508-131-0x0000000000000000-mapping.dmp

Download
memory/4508-135-0x0000000000E10000-0x0000000000E33000-memory.dmp

Filesize
140KB

Download
memory/4564-136-0x0000000000EC0000-0x0000000000ECF000-memory.dmp

Filesize
60KB

Download