vkeylogger | fd2a72060baf27b380eeae7fe7e4649425d81709c27fc61072e736201aa74b75

Analysis

max time kernel
4294183s
max time network
129s
platform
windows7_x64
resource
win7-20220311-en
submitted
21-03-2022 09:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d94ac536d0cae874d48866d52c57d49.exe
Size

149KB
MD5

4d94ac536d0cae874d48866d52c57d49
SHA1

198b92d7d1963f43c9cd5c967c6ee5100c4f51b0
SHA256

fd2a72060baf27b380eeae7fe7e4649425d81709c27fc61072e736201aa74b75
SHA512

14d938de86e72a7a61fe1accce4dee418f489ba1c812d8e1aaa3172198d5acc31559da7ea9bbed2673fa75bc07f9e46be041a5ee0e36383e27716fbbe99d7bc4

Score

10^/10

vkeylogger keylogger persistence stealer

Malware Config

Signatures

VKeylogger
A keylogger first seen in Nov 2020.
stealer keylogger vkeylogger

VKeylogger Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2012-57-0x0000000000080000-0x00000000000A6000-memory.dmp	family_vkeylogger

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\rgfriw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4d94ac536d0cae874d48866d52c57d49.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Software\Microsoft\Windows\CurrentVersion\Run\hrtry = "C:\\Windows\\system32\\mshta.exe javascript:x=new%20ActiveXObject(\"wscript.shell\");v=x.RegRead(\"HKCU\\\\Software\\\\Microsoft\\\\SMSvcHost\\\\ComponentID\");eval(v);"	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

4d94ac536d0cae874d48866d52c57d49.exe

description pid process target process

PID 1844 set thread context of 2012 1844 4d94ac536d0cae874d48866d52c57d49.exe explorer.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

4d94ac536d0cae874d48866d52c57d49.exeexplorer.exe

pid process

1844 4d94ac536d0cae874d48866d52c57d49.exe
2012 explorer.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

explorer.exe

pid process

2012 explorer.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

explorer.exe

pid process

2012 explorer.exe

description	pid	process	target process
PID 1844 set thread context of 2012	1844	4d94ac536d0cae874d48866d52c57d49.exe	explorer.exe

pid	process
1844	4d94ac536d0cae874d48866d52c57d49.exe
2012	explorer.exe

pid	process
2012	explorer.exe

pid	process
2012	explorer.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

4d94ac536d0cae874d48866d52c57d49.exe

description	pid	process	target process
PID 1844 wrote to memory of 2012	1844	4d94ac536d0cae874d48866d52c57d49.exe	explorer.exe
PID 1844 wrote to memory of 2012	1844	4d94ac536d0cae874d48866d52c57d49.exe	explorer.exe
PID 1844 wrote to memory of 2012	1844	4d94ac536d0cae874d48866d52c57d49.exe	explorer.exe
PID 1844 wrote to memory of 2012	1844	4d94ac536d0cae874d48866d52c57d49.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\4d94ac536d0cae874d48866d52c57d49.exe
"C:\Users\Admin\AppData\Local\Temp\4d94ac536d0cae874d48866d52c57d49.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
- Adds Run key to start application
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1844-54-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download
memory/2012-56-0x0000000075461000-0x0000000075463000-memory.dmp

Filesize
8KB

Download
memory/2012-57-0x0000000000080000-0x00000000000A6000-memory.dmp

Filesize
152KB

Download