Overview

overview

10

Static

static

f876084f0a...10.exe

windows7_x64

10

f876084f0a...10.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    141s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220310-en
  • submitted
    21-03-2022 08:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f876084f0a4c4921043f0c5d9a300a10.exe

  • Size

    295KB

  • MD5

    f876084f0a4c4921043f0c5d9a300a10

  • SHA1

    26750325c38616947a66fcf4132afd30bdccbbe6

  • SHA256

    04b8f38bffca4122470e8af1b123630809bc7a6fb4e66a3e0a99f82133c9bdf1

  • SHA512

    577f59015f58f6a7f6353b183293d834bea07aed8bf970a14888551239c3cca1eb4915ea3768efa697c82a53d33be50eb3a4d279c0ce4a77eb700f8045117587

Score
10/10
vkeyloggerkeyloggerpersistencestealersuricata

Malware Config

Signatures

  • VKeylogger

    A keylogger first seen in Nov 2020.

    stealerkeyloggervkeylogger
  • VKeylogger Payload 4 IoCs
  • suricata: ET MALWARE Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)

    suricata: ET MALWARE Generic -POST To gate.php w/Extended ASCII Characters (Likely Zeus Derivative)

    suricata
  • suricata: ET MALWARE Generic Request to gate.php Dotted-Quad

    suricata: ET MALWARE Generic Request to gate.php Dotted-Quad

    suricata
  • suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

    suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

    suricata
  • suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers

    suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers

    suricata
  • suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

    suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer

    suricata
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 6 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f876084f0a4c4921043f0c5d9a300a10.exe
    "C:\Users\Admin\AppData\Local\Temp\f876084f0a4c4921043f0c5d9a300a10.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2644
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:3296
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2644 -s 472
      2⤵
      • Program crash
      PID:456
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 2644 -ip 2644
    1⤵
      PID:2268
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
      1⤵
      • Drops file in Windows directory
      PID:1872
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
      1⤵
        PID:4880

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1872-144-0x00000271D4DA0000-0x00000271D4DA4000-memory.dmp

        Filesize

        16KB

        Download

      • memory/1872-139-0x00000271D1B70000-0x00000271D1B80000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1872-140-0x00000271D2460000-0x00000271D2470000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1872-141-0x00000271D27F0000-0x00000271D27F4000-memory.dmp

        Filesize

        16KB

        Download

      • memory/1872-142-0x00000271D4CA0000-0x00000271D4CA4000-memory.dmp

        Filesize

        16KB

        Download

      • memory/1872-143-0x00000271D4A10000-0x00000271D4A11000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1872-145-0x00000271D4CF0000-0x00000271D4CF4000-memory.dmp

        Filesize

        16KB

        Download

      • memory/1872-146-0x00000271D4E40000-0x00000271D4E44000-memory.dmp

        Filesize

        16KB

        Download

      • memory/1872-147-0x00000271D4E40000-0x00000271D4E44000-memory.dmp

        Filesize

        16KB

        Download

      • memory/2644-136-0x00000000021B0000-0x00000000021C2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2644-137-0x0000000000400000-0x0000000000474000-memory.dmp

        Filesize

        464KB

        Download

      • memory/2644-135-0x0000000000480000-0x0000000000580000-memory.dmp

        Filesize

        1024KB

        Download

      • memory/3296-138-0x0000000000ED0000-0x0000000000EE3000-memory.dmp

        Filesize

        76KB

        Download