vkeylogger | 1d4bf0958c9382e0ab0ee9dc4240fd01aa6c17b045f60a5fbe0a92663ccb875c

Analysis

max time kernel
159s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
21-03-2022 09:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c40967960f1817c1458a587cdab9e3a2.exe
Size

189KB
MD5

c40967960f1817c1458a587cdab9e3a2
SHA1

0f7fd80ae64aa53afae14571c7ee47a159a33bbc
SHA256

1d4bf0958c9382e0ab0ee9dc4240fd01aa6c17b045f60a5fbe0a92663ccb875c
SHA512

8ec11c41deccaa9ba05eee5ed3b3fc017035310347b47fae9ec44534ce83cca5df74d00c520d30b4357066284982753b11ecb527a5ce163896e4c78b6d706562

Score

10^/10

vkeylogger keylogger persistence stealer

Malware Config

Signatures

VKeylogger
A keylogger first seen in Nov 2020.
stealer keylogger vkeylogger

VKeylogger Payload 7 IoCs

resource	yara_rule
behavioral2/memory/556-135-0x0000000000B70000-0x0000000000B9F000-memory.dmp	family_vkeylogger
behavioral2/memory/1264-137-0x0000000000400000-0x000000000040F000-memory.dmp	family_vkeylogger
behavioral2/memory/1264-138-0x0000000000400000-0x000000000040F000-memory.dmp	family_vkeylogger
behavioral2/memory/2340-141-0x0000000000B70000-0x0000000000B9F000-memory.dmp	family_vkeylogger
behavioral2/memory/3016-143-0x0000000000400000-0x000000000040F000-memory.dmp	family_vkeylogger
behavioral2/memory/2392-144-0x0000000000800000-0x000000000080F000-memory.dmp	family_vkeylogger
behavioral2/memory/2892-145-0x0000000001090000-0x000000000109F000-memory.dmp	family_vkeylogger

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdates = "C:\\Users\\Admin\\AppData\\Local\\Temp\\c40967960f1817c1458a587cdab9e3a2.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ChromeApplication = "C:\\Windows\\system32\\mshta.exe javascript:x=new%20ActiveXObject(\"wscript.shell\");v=x.RegRead(\"HKCU\\\\Software\\\\Microsoft\\\\SMSvcHost\\\\ComponentID\");eval(v);"	explorer.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 556 set thread context of 1264	556	c40967960f1817c1458a587cdab9e3a2.exe	83
PID 2340 set thread context of 3016	2340	c40967960f1817c1458a587cdab9e3a2.exe	87
PID 1264 set thread context of 2392	1264	c40967960f1817c1458a587cdab9e3a2.exe	88
PID 3016 set thread context of 2892	3016	c40967960f1817c1458a587cdab9e3a2.exe	89

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
556	c40967960f1817c1458a587cdab9e3a2.exe
556	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe
2340	c40967960f1817c1458a587cdab9e3a2.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1264	c40967960f1817c1458a587cdab9e3a2.exe
3016	c40967960f1817c1458a587cdab9e3a2.exe
2392	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2392	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2392	explorer.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 556 wrote to memory of 1264	556	c40967960f1817c1458a587cdab9e3a2.exe	83
PID 556 wrote to memory of 1264	556	c40967960f1817c1458a587cdab9e3a2.exe	83
PID 556 wrote to memory of 1264	556	c40967960f1817c1458a587cdab9e3a2.exe	83
PID 556 wrote to memory of 1264	556	c40967960f1817c1458a587cdab9e3a2.exe	83
PID 556 wrote to memory of 1264	556	c40967960f1817c1458a587cdab9e3a2.exe	83
PID 556 wrote to memory of 1264	556	c40967960f1817c1458a587cdab9e3a2.exe	83
PID 556 wrote to memory of 1264	556	c40967960f1817c1458a587cdab9e3a2.exe	83
PID 556 wrote to memory of 1264	556	c40967960f1817c1458a587cdab9e3a2.exe	83
PID 556 wrote to memory of 1264	556	c40967960f1817c1458a587cdab9e3a2.exe	83
PID 556 wrote to memory of 1264	556	c40967960f1817c1458a587cdab9e3a2.exe	83
PID 556 wrote to memory of 2340	556	c40967960f1817c1458a587cdab9e3a2.exe	86
PID 556 wrote to memory of 2340	556	c40967960f1817c1458a587cdab9e3a2.exe	86
PID 556 wrote to memory of 2340	556	c40967960f1817c1458a587cdab9e3a2.exe	86
PID 2340 wrote to memory of 3016	2340	c40967960f1817c1458a587cdab9e3a2.exe	87
PID 2340 wrote to memory of 3016	2340	c40967960f1817c1458a587cdab9e3a2.exe	87
PID 2340 wrote to memory of 3016	2340	c40967960f1817c1458a587cdab9e3a2.exe	87
PID 2340 wrote to memory of 3016	2340	c40967960f1817c1458a587cdab9e3a2.exe	87
PID 2340 wrote to memory of 3016	2340	c40967960f1817c1458a587cdab9e3a2.exe	87
PID 2340 wrote to memory of 3016	2340	c40967960f1817c1458a587cdab9e3a2.exe	87
PID 2340 wrote to memory of 3016	2340	c40967960f1817c1458a587cdab9e3a2.exe	87
PID 2340 wrote to memory of 3016	2340	c40967960f1817c1458a587cdab9e3a2.exe	87
PID 2340 wrote to memory of 3016	2340	c40967960f1817c1458a587cdab9e3a2.exe	87
PID 2340 wrote to memory of 3016	2340	c40967960f1817c1458a587cdab9e3a2.exe	87
PID 1264 wrote to memory of 2392	1264	c40967960f1817c1458a587cdab9e3a2.exe	88
PID 1264 wrote to memory of 2392	1264	c40967960f1817c1458a587cdab9e3a2.exe	88
PID 1264 wrote to memory of 2392	1264	c40967960f1817c1458a587cdab9e3a2.exe	88
PID 3016 wrote to memory of 2892	3016	c40967960f1817c1458a587cdab9e3a2.exe	89
PID 3016 wrote to memory of 2892	3016	c40967960f1817c1458a587cdab9e3a2.exe	89
PID 3016 wrote to memory of 2892	3016	c40967960f1817c1458a587cdab9e3a2.exe	89

C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe
"C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:556
- C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe
  "C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\SysWOW64\explorer.exe"
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:2392
- C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe
  "C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe
    "C:\Users\Admin\AppData\Local\Temp\c40967960f1817c1458a587cdab9e3a2.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      4⤵
      PID:2892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/556-134-0x00000000779A0000-0x0000000077B43000-memory.dmp

Filesize
1.6MB

Download
memory/556-135-0x0000000000B70000-0x0000000000B9F000-memory.dmp

Filesize
188KB

Download
memory/556-136-0x00000000779A0000-0x0000000077B43000-memory.dmp

Filesize
1.6MB

Download
memory/1264-137-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1264-138-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2340-139-0x00000000779A0000-0x0000000077B43000-memory.dmp

Filesize
1.6MB

Download
memory/2340-141-0x0000000000B70000-0x0000000000B9F000-memory.dmp

Filesize
188KB

Download
memory/2340-142-0x00000000779A0000-0x0000000077B43000-memory.dmp

Filesize
1.6MB

Download
memory/2392-144-0x0000000000800000-0x000000000080F000-memory.dmp

Filesize
60KB

Download
memory/2892-145-0x0000000001090000-0x000000000109F000-memory.dmp

Filesize
60KB

Download
memory/3016-143-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download