vkeylogger | f3133b021fd1eb20aa1b624a6295496e0d4cfdad4d6d25ac00ab02ee5cbea8b1

General

Target

f3133b021fd1eb20aa1b624a6295496e0d4cfdad4d6d25ac00ab02ee5cbea8b1.exe
Size

245KB
MD5

0ed76cd7cb14cc30d04802a750bcad22
SHA1

ed719729d7025b6d16399c88a7334fdd58b0d603
SHA256

f3133b021fd1eb20aa1b624a6295496e0d4cfdad4d6d25ac00ab02ee5cbea8b1
SHA512

89452af762b13227bd835a50d8e5d55a0760889699fae5bb7da67fba1b4fa16207c9e395230cb2f3b135266c3dfac98f45bb8df3b8f9391d55696f8f13e64ea6

Score

10^/10

vkeylogger keylogger persistence stealer

Malware Config

Signatures

VKeylogger
A keylogger first seen in Nov 2020.
stealer keylogger vkeylogger

VKeylogger Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/864-115-0x00000000005C0000-0x00000000005CF000-memory.dmp	family_vkeylogger
behavioral1/memory/864-121-0x00000000005C3500-mapping.dmp	family_vkeylogger
behavioral1/memory/1424-123-0x0000000000750000-0x000000000075F000-memory.dmp	family_vkeylogger

Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

440.exeMicrosoftAsistence.exesvchost.exesvchost.exe

pid process

2368 440.exe
3168 MicrosoftAsistence.exe
3720 svchost.exe
1956 svchost.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

440.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International\Geo\Nation 440.exe

pid	process
2368	440.exe
3168	MicrosoftAsistence.exe
3720	svchost.exe
1956	svchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International\Geo\Nation	440.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\gr5wd = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\gtrhy = "C:\\Windows\\system32\\mshta.exe javascript:x=new%20ActiveXObject(\"wscript.shell\");v=x.RegRead(\"HKCU\\\\Software\\\\Microsoft\\\\SMSvcHost\\\\ComponentID\");eval(v);"	explorer.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

f3133b021fd1eb20aa1b624a6295496e0d4cfdad4d6d25ac00ab02ee5cbea8b1.exeRegSvcs.exe

description	pid	process	target process
PID 3220 set thread context of 864	3220	f3133b021fd1eb20aa1b624a6295496e0d4cfdad4d6d25ac00ab02ee5cbea8b1.exe	RegSvcs.exe
PID 864 set thread context of 1424	864	RegSvcs.exe	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3800 3168 WerFault.exe MicrosoftAsistence.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1344 schtasks.exe
Modifies registry class 1 IoCs

Processes:

440.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance 440.exe

pid	pid_target	process	target process
3800	3168	WerFault.exe	MicrosoftAsistence.exe

pid	process
1344	schtasks.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance	440.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

WerFault.exe

pid	process
3800	WerFault.exe
3800	WerFault.exe
3800	WerFault.exe
3800	WerFault.exe
3800	WerFault.exe
3800	WerFault.exe
3800	WerFault.exe
3800	WerFault.exe
3800	WerFault.exe
3800	WerFault.exe
3800	WerFault.exe
3800	WerFault.exe
3800	WerFault.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

RegSvcs.exeexplorer.exe

pid process

864 RegSvcs.exe
1424 explorer.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 3800 WerFault.exe
Token: SeBackupPrivilege 3800 WerFault.exe
Token: SeDebugPrivilege 3800 WerFault.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

explorer.exe

pid process

1424 explorer.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

explorer.exe

pid process

1424 explorer.exe

pid	process
864	RegSvcs.exe
1424	explorer.exe

description	pid	process
Token: SeRestorePrivilege	3800	WerFault.exe
Token: SeBackupPrivilege	3800	WerFault.exe
Token: SeDebugPrivilege	3800	WerFault.exe

pid	process
1424	explorer.exe

pid	process
1424	explorer.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

f3133b021fd1eb20aa1b624a6295496e0d4cfdad4d6d25ac00ab02ee5cbea8b1.exeRegSvcs.exeexplorer.exe440.exeMicrosoftAsistence.execmd.exe

description	pid	process	target process
PID 3220 wrote to memory of 864	3220	f3133b021fd1eb20aa1b624a6295496e0d4cfdad4d6d25ac00ab02ee5cbea8b1.exe	RegSvcs.exe
PID 3220 wrote to memory of 864	3220	f3133b021fd1eb20aa1b624a6295496e0d4cfdad4d6d25ac00ab02ee5cbea8b1.exe	RegSvcs.exe
PID 3220 wrote to memory of 864	3220	f3133b021fd1eb20aa1b624a6295496e0d4cfdad4d6d25ac00ab02ee5cbea8b1.exe	RegSvcs.exe
PID 3220 wrote to memory of 864	3220	f3133b021fd1eb20aa1b624a6295496e0d4cfdad4d6d25ac00ab02ee5cbea8b1.exe	RegSvcs.exe
PID 3220 wrote to memory of 864	3220	f3133b021fd1eb20aa1b624a6295496e0d4cfdad4d6d25ac00ab02ee5cbea8b1.exe	RegSvcs.exe
PID 864 wrote to memory of 1424	864	RegSvcs.exe	explorer.exe
PID 864 wrote to memory of 1424	864	RegSvcs.exe	explorer.exe
PID 864 wrote to memory of 1424	864	RegSvcs.exe	explorer.exe
PID 1424 wrote to memory of 2368	1424	explorer.exe	440.exe
PID 1424 wrote to memory of 2368	1424	explorer.exe	440.exe
PID 1424 wrote to memory of 2368	1424	explorer.exe	440.exe
PID 2368 wrote to memory of 3168	2368	440.exe	MicrosoftAsistence.exe
PID 2368 wrote to memory of 3168	2368	440.exe	MicrosoftAsistence.exe
PID 2368 wrote to memory of 3168	2368	440.exe	MicrosoftAsistence.exe
PID 3168 wrote to memory of 896	3168	MicrosoftAsistence.exe	cmd.exe
PID 3168 wrote to memory of 896	3168	MicrosoftAsistence.exe	cmd.exe
PID 3168 wrote to memory of 896	3168	MicrosoftAsistence.exe	cmd.exe
PID 896 wrote to memory of 1344	896	cmd.exe	schtasks.exe
PID 896 wrote to memory of 1344	896	cmd.exe	schtasks.exe
PID 896 wrote to memory of 1344	896	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\f3133b021fd1eb20aa1b624a6295496e0d4cfdad4d6d25ac00ab02ee5cbea8b1.exe
"C:\Users\Admin\AppData\Local\Temp\f3133b021fd1eb20aa1b624a6295496e0d4cfdad4d6d25ac00ab02ee5cbea8b1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
3⤵
- Adds Run key to start application
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1424

C:\Users\Admin\AppData\Local\Temp\440.exe
"C:\Users\Admin\AppData\Local\Temp\440.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2368

C:\Users\Admin\AppData\Local\Temp\MicrosoftAsistence.exe
"C:\Users\Admin\AppData\Local\Temp\MicrosoftAsistence.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3168

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /tn \svchost /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost\svchost.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
6⤵
- Suspicious use of WriteProcessMemory
PID:896

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn \svchost /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost\svchost.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f
7⤵
- Creates scheduled task(s)
PID:1344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3168 -s 672
6⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3800

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost\svchost.exe
1⤵
- Executes dropped EXE
PID:3720

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost\svchost.exe
1⤵
- Executes dropped EXE
PID:1956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\440.exe
MD5
557f326debaaf3a7e8523a2efcd68032

SHA1
3bff709e3a76d9ba5e10550a417cb6dce9e760cd

SHA256
253475cc935af014ede78d7c0b899d560015c6fa820bc5cae78203afc2eebe98

SHA512
5f1f7ff5e984157b68d6feb8adff5a9846392df5e7c41af90d5bf5aed7dcb9832d3b03d91f53fcadea48c6c125d3b6663f9f133634208e58a14afe5a64f074a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\440.exe
MD5
557f326debaaf3a7e8523a2efcd68032

SHA1
3bff709e3a76d9ba5e10550a417cb6dce9e760cd

SHA256
253475cc935af014ede78d7c0b899d560015c6fa820bc5cae78203afc2eebe98

SHA512
5f1f7ff5e984157b68d6feb8adff5a9846392df5e7c41af90d5bf5aed7dcb9832d3b03d91f53fcadea48c6c125d3b6663f9f133634208e58a14afe5a64f074a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicrosoftAsistence.exe
MD5
84ffcd2e4a61db6acba49632fd32985b

SHA1
2cb20cd9c48b9af6a6a064ca467c866d933ad56f

SHA256
5e0450a533e221adf0344db11561fbe2349220369e79a325e33e06d914cfb8d2

SHA512
1a9ec55bb3c5d3a9eddfdb6444f1266a02d5f8eed09025b39bfe48790c6492b1fd9d8be52af4814c22d1ac08a15ac93af0e280af9cb1bc12f1e3a6e3dadce875

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicrosoftAsistence.exe
MD5
84ffcd2e4a61db6acba49632fd32985b

SHA1
2cb20cd9c48b9af6a6a064ca467c866d933ad56f

SHA256
5e0450a533e221adf0344db11561fbe2349220369e79a325e33e06d914cfb8d2

SHA512
1a9ec55bb3c5d3a9eddfdb6444f1266a02d5f8eed09025b39bfe48790c6492b1fd9d8be52af4814c22d1ac08a15ac93af0e280af9cb1bc12f1e3a6e3dadce875

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost\svchost.exe
MD5
84ffcd2e4a61db6acba49632fd32985b

SHA1
2cb20cd9c48b9af6a6a064ca467c866d933ad56f

SHA256
5e0450a533e221adf0344db11561fbe2349220369e79a325e33e06d914cfb8d2

SHA512
1a9ec55bb3c5d3a9eddfdb6444f1266a02d5f8eed09025b39bfe48790c6492b1fd9d8be52af4814c22d1ac08a15ac93af0e280af9cb1bc12f1e3a6e3dadce875

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\svchost\svchost.exe
MD5
84ffcd2e4a61db6acba49632fd32985b

SHA1
2cb20cd9c48b9af6a6a064ca467c866d933ad56f

SHA256
5e0450a533e221adf0344db11561fbe2349220369e79a325e33e06d914cfb8d2

SHA512
1a9ec55bb3c5d3a9eddfdb6444f1266a02d5f8eed09025b39bfe48790c6492b1fd9d8be52af4814c22d1ac08a15ac93af0e280af9cb1bc12f1e3a6e3dadce875

Download Submit
memory/864-121-0x00000000005C3500-mapping.dmp

Download
memory/864-115-0x00000000005C0000-0x00000000005CF000-memory.dmp

Filesize
60KB

Download
memory/896-132-0x0000000000000000-mapping.dmp

Download
memory/1344-133-0x0000000000000000-mapping.dmp

Download
memory/1424-122-0x0000000000752E90-mapping.dmp

Download
memory/1424-123-0x0000000000750000-0x000000000075F000-memory.dmp

Filesize
60KB

Download
memory/2368-124-0x0000000000000000-mapping.dmp

Download
memory/2368-127-0x0000000000F80000-0x0000000000F95000-memory.dmp

Filesize
84KB

Download
memory/2368-128-0x0000000001080000-0x00000000010A6000-memory.dmp

Filesize
152KB

Download
memory/3168-129-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads