vkeylogger | 734045009f0b155db1692141832332bb4fdc4511399a67a5e22835a2b72fc7bd

General

Target

734045009f0b155db1692141832332bb4fdc4511399a67a5e22835a2b72fc7bd.exe
Size

245KB
MD5

b0e4ad8a749f5a154420e5f6d3eadbe0
SHA1

d9597f8e4d1b35acf9fed9622548946b83947bda
SHA256

734045009f0b155db1692141832332bb4fdc4511399a67a5e22835a2b72fc7bd
SHA512

dde672033bf3d426a6cedcb774bdca7815f3afab8fcdf8dc93016d3362c85a2e0134505747b96bab2e729533e91add660165aa3de106a5e701f2dbda2b0c8071

Score

10^/10

vkeylogger keylogger persistence stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

1008.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Explorer.exe\","	1008.exe

VKeylogger
A keylogger first seen in Nov 2020.
stealer keylogger vkeylogger

VKeylogger Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3156-115-0x0000000000400000-0x000000000040F000-memory.dmp	family_vkeylogger
behavioral1/memory/3156-121-0x0000000000403500-mapping.dmp	family_vkeylogger
behavioral1/memory/1988-123-0x0000000000C30000-0x0000000000C3F000-memory.dmp	family_vkeylogger

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

1008.exeRegAsm.exe

pid process

2864 1008.exe
1208 RegAsm.exe

pid	process
2864	1008.exe
1208	RegAsm.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\ChromeDriver = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\Software\Microsoft\Windows\CurrentVersion\Run\Firefox_update = "C:\\Windows\\system32\\mshta.exe javascript:x=new%20ActiveXObject(\"wscript.shell\");v=x.RegRead(\"HKCU\\\\Software\\\\Microsoft\\\\SMSvcHost\\\\ComponentID\");eval(v);"	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 3 IoCs

Processes:

734045009f0b155db1692141832332bb4fdc4511399a67a5e22835a2b72fc7bd.exeRegSvcs.exe1008.exe

description	pid	process	target process
PID 2636 set thread context of 3156	2636	734045009f0b155db1692141832332bb4fdc4511399a67a5e22835a2b72fc7bd.exe	RegSvcs.exe
PID 3156 set thread context of 1988	3156	RegSvcs.exe	explorer.exe
PID 2864 set thread context of 1208	2864	1008.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exe1008.exeRegAsm.exe

pid	process
1100	powershell.exe
1100	powershell.exe
2864	1008.exe
2864	1008.exe
1100	powershell.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe
1208	RegAsm.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

RegSvcs.exeexplorer.exe

pid process

3156 RegSvcs.exe
1988 explorer.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

1008.exepowershell.exeRegAsm.exe

description pid process

Token: SeDebugPrivilege 2864 1008.exe
Token: SeDebugPrivilege 1100 powershell.exe
Token: SeDebugPrivilege 1208 RegAsm.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

explorer.exe

pid process

1988 explorer.exe

pid	process
3156	RegSvcs.exe
1988	explorer.exe

description	pid	process
Token: SeDebugPrivilege	2864	1008.exe
Token: SeDebugPrivilege	1100	powershell.exe
Token: SeDebugPrivilege	1208	RegAsm.exe

pid	process
1988	explorer.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

734045009f0b155db1692141832332bb4fdc4511399a67a5e22835a2b72fc7bd.exeRegSvcs.exeexplorer.exe1008.exe

description	pid	process	target process
PID 2636 wrote to memory of 3156	2636	734045009f0b155db1692141832332bb4fdc4511399a67a5e22835a2b72fc7bd.exe	RegSvcs.exe
PID 2636 wrote to memory of 3156	2636	734045009f0b155db1692141832332bb4fdc4511399a67a5e22835a2b72fc7bd.exe	RegSvcs.exe
PID 2636 wrote to memory of 3156	2636	734045009f0b155db1692141832332bb4fdc4511399a67a5e22835a2b72fc7bd.exe	RegSvcs.exe
PID 2636 wrote to memory of 3156	2636	734045009f0b155db1692141832332bb4fdc4511399a67a5e22835a2b72fc7bd.exe	RegSvcs.exe
PID 2636 wrote to memory of 3156	2636	734045009f0b155db1692141832332bb4fdc4511399a67a5e22835a2b72fc7bd.exe	RegSvcs.exe
PID 3156 wrote to memory of 1988	3156	RegSvcs.exe	explorer.exe
PID 3156 wrote to memory of 1988	3156	RegSvcs.exe	explorer.exe
PID 3156 wrote to memory of 1988	3156	RegSvcs.exe	explorer.exe
PID 1988 wrote to memory of 2864	1988	explorer.exe	1008.exe
PID 1988 wrote to memory of 2864	1988	explorer.exe	1008.exe
PID 2864 wrote to memory of 1100	2864	1008.exe	powershell.exe
PID 2864 wrote to memory of 1100	2864	1008.exe	powershell.exe
PID 2864 wrote to memory of 1208	2864	1008.exe	RegAsm.exe
PID 2864 wrote to memory of 1208	2864	1008.exe	RegAsm.exe
PID 2864 wrote to memory of 1208	2864	1008.exe	RegAsm.exe
PID 2864 wrote to memory of 1208	2864	1008.exe	RegAsm.exe
PID 2864 wrote to memory of 1208	2864	1008.exe	RegAsm.exe
PID 2864 wrote to memory of 1208	2864	1008.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\734045009f0b155db1692141832332bb4fdc4511399a67a5e22835a2b72fc7bd.exe
"C:\Users\Admin\AppData\Local\Temp\734045009f0b155db1692141832332bb4fdc4511399a67a5e22835a2b72fc7bd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3156

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
3⤵
- Adds Run key to start application
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1988

C:\Users\Admin\AppData\Local\Temp\1008.exe
"C:\Users\Admin\AppData\Local\Temp\1008.exe"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5; Remove-Item -Path "C:\Users\Admin\AppData\Local\Temp\1008.exe" -Force
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1208

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1008.exe
MD5
d38aa9953b31b7b01d996a430c08c01e

SHA1
bf874088d840f003e4ab41051a9aa029c01468b2

SHA256
d5b7fb21126e1a424b04bb5ef0e4f3c842a0695df4967e69068de34c1b81878c

SHA512
3519d917dc871ba04d820fc7de4f6621afe756dfc76c47676d53c6948a25d9ef8fb6d6a955ffd6742100f3d9633fd80303918009e7c315d15e9c0b59e57b067f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1008.exe
MD5
d38aa9953b31b7b01d996a430c08c01e

SHA1
bf874088d840f003e4ab41051a9aa029c01468b2

SHA256
d5b7fb21126e1a424b04bb5ef0e4f3c842a0695df4967e69068de34c1b81878c

SHA512
3519d917dc871ba04d820fc7de4f6621afe756dfc76c47676d53c6948a25d9ef8fb6d6a955ffd6742100f3d9633fd80303918009e7c315d15e9c0b59e57b067f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
MD5
a2284af079c78111b9b72e231b88508f

SHA1
aaa8804fd8577c468c912dd81047582d1ab6e3e0

SHA256
825de4ab6e824963a85f79ed1cd576a93a76d3ac78f2ac975895fe981b7d479a

SHA512
69f791e2f56bf3cb66f31848bb5ede20cab704b9822dca081d818a41d3cdd4a89d3f397c86b5bc2cb2219493b9e2a6e12f62321d66afd42d87ded4079c0ca8ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
MD5
a2284af079c78111b9b72e231b88508f

SHA1
aaa8804fd8577c468c912dd81047582d1ab6e3e0

SHA256
825de4ab6e824963a85f79ed1cd576a93a76d3ac78f2ac975895fe981b7d479a

SHA512
69f791e2f56bf3cb66f31848bb5ede20cab704b9822dca081d818a41d3cdd4a89d3f397c86b5bc2cb2219493b9e2a6e12f62321d66afd42d87ded4079c0ca8ca

Download Submit
memory/1100-142-0x000001C0D3CF0000-0x000001C0D3CF2000-memory.dmp

Filesize
8KB

Download
memory/1100-138-0x000001C0EC350000-0x000001C0EC351000-memory.dmp

Filesize
4KB

Download
memory/1100-144-0x000001C0EC410000-0x000001C0EC412000-memory.dmp

Filesize
8KB

Download
memory/1100-150-0x000001C0EE4F0000-0x000001C0EE4F1000-memory.dmp

Filesize
4KB

Download
memory/1100-171-0x000001C0D3CF0000-0x000001C0D3CF2000-memory.dmp

Filesize
8KB

Download
memory/1100-172-0x000001C0EC416000-0x000001C0EC418000-memory.dmp

Filesize
8KB

Download
memory/1100-131-0x0000000000000000-mapping.dmp

Download
memory/1100-132-0x000001C0D3CF0000-0x000001C0D3CF2000-memory.dmp

Filesize
8KB

Download
memory/1100-133-0x000001C0D3CF0000-0x000001C0D3CF2000-memory.dmp

Filesize
8KB

Download
memory/1100-146-0x000001C0EC413000-0x000001C0EC415000-memory.dmp

Filesize
8KB

Download
memory/1100-135-0x000001C0D3CF0000-0x000001C0D3CF2000-memory.dmp

Filesize
8KB

Download
memory/1100-136-0x000001C0D3CF0000-0x000001C0D3CF2000-memory.dmp

Filesize
8KB

Download
memory/1100-137-0x000001C0D3CF0000-0x000001C0D3CF2000-memory.dmp

Filesize
8KB

Download
memory/1100-154-0x000001C0D3CF0000-0x000001C0D3CF2000-memory.dmp

Filesize
8KB

Download
memory/1100-139-0x000001C0D3CF0000-0x000001C0D3CF2000-memory.dmp

Filesize
8KB

Download
memory/1100-140-0x000001C0D3CF0000-0x000001C0D3CF2000-memory.dmp

Filesize
8KB

Download
memory/1208-173-0x00000294D8652000-0x00000294D8654000-memory.dmp

Filesize
8KB

Download
memory/1208-164-0x00000294D85D0000-0x00000294D8616000-memory.dmp

Filesize
280KB

Download
memory/1208-143-0x0000000140000000-mapping.dmp

Download
memory/1208-163-0x00000294D8580000-0x00000294D85CF000-memory.dmp

Filesize
316KB

Download
memory/1208-162-0x00000294BE5C0000-0x00000294BE5C5000-memory.dmp

Filesize
20KB

Download
memory/1208-161-0x00000294BFC00000-0x00000294BFC4E000-memory.dmp

Filesize
312KB

Download
memory/1208-153-0x00000294D84F0000-0x00000294D8574000-memory.dmp

Filesize
528KB

Download
memory/1208-141-0x0000000140000000-0x0000000140070000-memory.dmp

Filesize
448KB

Download
memory/1208-160-0x00000294D8650000-0x00000294D8652000-memory.dmp

Filesize
8KB

Download
memory/1988-123-0x0000000000C30000-0x0000000000C3F000-memory.dmp

Filesize
60KB

Download
memory/1988-122-0x0000000000C32E90-mapping.dmp

Download
memory/2864-134-0x000000001E030000-0x000000001E0A9000-memory.dmp

Filesize
484KB

Download
memory/2864-148-0x000000001C552000-0x000000001C554000-memory.dmp

Filesize
8KB

Download
memory/2864-149-0x000000001C554000-0x000000001C555000-memory.dmp

Filesize
4KB

Download
memory/2864-124-0x0000000000000000-mapping.dmp

Download
memory/2864-127-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/2864-130-0x000000001DF60000-0x000000001E028000-memory.dmp

Filesize
800KB

Download
memory/2864-129-0x000000001C550000-0x000000001C552000-memory.dmp

Filesize
8KB

Download
memory/3156-115-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3156-121-0x0000000000403500-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads