Overview

overview

10

Static

static

7ba62b0e57...fe.exe

windows7_x64

10

7ba62b0e57...fe.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    4294143s
  • max time network
    107s
  • platform
    windows7_x64
  • resource
    win7-20220311-en
  • submitted
    26-03-2022 17:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7ba62b0e57cade7dcf5251b53759e93525c6f37d107ef506dcf9c4eec3fd2ffe.exe

  • Size

    5.5MB

  • MD5

    029234355ca1ab689186c8795602854a

  • SHA1

    d568d0eefc1367d30429c3d26f82c4dd61821d02

  • SHA256

    7ba62b0e57cade7dcf5251b53759e93525c6f37d107ef506dcf9c4eec3fd2ffe

  • SHA512

    4bf5ea4251c2090d33ef97aeb8abfb0ea84ead9dcf16b4b4151ce865204fda4bd130e849bf20a2f58cf49d09842053cd1d865bcdb945764736515e8a6e252bbc

Score
10/10
vkeyloggerkeyloggerpersistencestealer

Malware Config

Signatures

  • VKeylogger

    A keylogger first seen in Nov 2020.

    stealerkeyloggervkeylogger
  • VKeylogger Payload 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Deletes itself 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 54 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7ba62b0e57cade7dcf5251b53759e93525c6f37d107ef506dcf9c4eec3fd2ffe.exe
    "C:\Users\Admin\AppData\Local\Temp\7ba62b0e57cade7dcf5251b53759e93525c6f37d107ef506dcf9c4eec3fd2ffe.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c QxfDpS
      2⤵
        PID:1216
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c certutil -decode 85-32 50-91 & cmd < 50-91
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1068
        • C:\Windows\SysWOW64\certutil.exe
          certutil -decode 85-32 50-91
          3⤵
            PID:872
          • C:\Windows\SysWOW64\cmd.exe
            cmd
            3⤵
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:552
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist /FI "IMAGENAME eq srvpost.exe"
              4⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:1400
            • C:\Windows\SysWOW64\find.exe
              find /I /N "srvpost.exe"
              4⤵
                PID:1764
              • C:\Windows\SysWOW64\PING.EXE
                ping -n 1 zpbTWPYwB.zpbTWPYwB
                4⤵
                • Runs ping.exe
                PID:1928
              • C:\Windows\SysWOW64\certutil.exe
                certutil -decode 3-31 T
                4⤵
                  PID:1436
                • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dllhost.com
                  dllhost.com T
                  4⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Suspicious use of WriteProcessMemory
                  PID:1304
                  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dllhost.com
                    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dllhost.com T
                    5⤵
                    • Executes dropped EXE
                    • Deletes itself
                    • Loads dropped DLL
                    • Suspicious use of SetThreadContext
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of WriteProcessMemory
                    PID:764
                    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dllhost.com
                      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dllhost.com
                      6⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • Suspicious behavior: MapViewOfSection
                      • Suspicious use of WriteProcessMemory
                      PID:1484
                      • C:\Windows\SysWOW64\explorer.exe
                        "C:\Windows\SysWOW64\explorer.exe"
                        7⤵
                        • Adds Run key to start application
                        • Suspicious behavior: MapViewOfSection
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SetWindowsHookEx
                        PID:1632
                • C:\Windows\SysWOW64\PING.EXE
                  ping 127.0.0.1 -n 3
                  4⤵
                  • Runs ping.exe
                  PID:1448

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Registry Run Keys / Startup Folder

          1
          T1060

          Privilege Escalation

          Defense Evasion

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          Process Discovery

          1
          T1057

          Remote System Discovery

          1
          T1018

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3-31
            Filesize

            931KB

            MD5

            86bc1d0fbee53b193deb1f2e471ebc9f

            SHA1

            77cf011c0a89a8b663d9862ba29fbd41cbe97f16

            SHA256

            653fbda407adeb1016be457df92742510473c42dc7a586b8064b6187d7baac9c

            SHA512

            d2fa7f74388157bc2901418af9bfa884eda31bd48da99133f1c50817df3733ec89e02a05e3f1c16db45f8bd99cbb286fe17d698adebbb74225904377d62f3eee

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\50-91
            Filesize

            4KB

            MD5

            2ff1c52353b2985dcac4364cdc3914ad

            SHA1

            92f4349bb063da88b05d56a204af88e48f8242a9

            SHA256

            f5e645a7166a5feb796475fdd85459dc8ef6f683868e258b848a670cd7093eab

            SHA512

            f03e21f251277740c1ca963831d4c97d652d6c768a8c83c45229deb477e74f04778c26af04737ae19c73bbbde2279f4e805b46c6bad128849d779daa6a59267c

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\59-97
            Filesize

            909KB

            MD5

            7b573c98b3fd01b8dc83da2710f9ef53

            SHA1

            9dc46d49571ffa5fb70c87ac2aef11b4030146e3

            SHA256

            dce1ce863077bd13852703df55c9185fa27bdd7defa9dce9a810ddf3c7751c64

            SHA512

            140dfabdbe289ee6df5319a73e94c44e96f5a4aff07cb173a45bfe3466c1f26503c3aa5f23e8999a123673c893563177d1e8247d69b4b2fad3c672052cabb17b

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7-7
            Filesize

            52KB

            MD5

            dc62bb2dac17453dd9356923780c0115

            SHA1

            dc1ba5eab540eed3d1020b81fc19aebc31a3b040

            SHA256

            d6330ace7072197e4c71e574bf9dcae932f9b65e452d5814a02b8ed55d9206e5

            SHA512

            87042702b8d4e22c8a362bc637aea944b7a45b947656ba295ff381517be58f9e04348b77ff797ae0f9bbda8bfd958879f65535d75a276dd0a20495af12a351e5

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\85-32
            Filesize

            6KB

            MD5

            36ffffbb2dcbacac1ce1f666b6dc46be

            SHA1

            ca7f1d4d489dfab21fb9b926601b66a5f5b05dcc

            SHA256

            1dd59f2a8795aab941c2195be74ed9c91b9a2e182db92cdf95479e504d2be7d5

            SHA512

            2072f94e5ee8234fb4e75a5c4742a8bcf74de34de93c30dacb74fd6b44baaecad45b90c6394171cae3158db86f479bf1ce92e4de35e8c35e62441e27fbf11901

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\T
            Filesize

            676KB

            MD5

            13bf07e459a6f2e594da96834a5bccd4

            SHA1

            d52c69844327c3a11fe51c2c682f428a4e526c9b

            SHA256

            673b801bad16732e02e91ced7867f6fc4c26b113539800c69fcd2af846710214

            SHA512

            edf3eaa1c4bf00a61a5f745036321d45a4440b2057129f6a452b11de761c43d9ca9505e779a91dff5cab4f86b98886f4b7c1a809512891c9039da02805eeef43

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dllhost.com
            Filesize

            910KB

            MD5

            6044ba604bb80aa7d9ad6dbfd9cadaca

            SHA1

            8cc61cc5c9e5c1d038cee584bb61078fec757ada

            SHA256

            9e3036d12cda6931dfb6c658587bec8bdb87249e1bf390f28acd4de2bf1f86f0

            SHA512

            ef128d4364fbf85d4ca69975cb0b3a753988610308e0da46589a01f64df4b139e71ff38264d6b77866ca68d7e9193d1a249b68fc5a68b5ac8e7aba18b87b691d

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dllhost.com
            Filesize

            910KB

            MD5

            6044ba604bb80aa7d9ad6dbfd9cadaca

            SHA1

            8cc61cc5c9e5c1d038cee584bb61078fec757ada

            SHA256

            9e3036d12cda6931dfb6c658587bec8bdb87249e1bf390f28acd4de2bf1f86f0

            SHA512

            ef128d4364fbf85d4ca69975cb0b3a753988610308e0da46589a01f64df4b139e71ff38264d6b77866ca68d7e9193d1a249b68fc5a68b5ac8e7aba18b87b691d

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dllhost.com
            Filesize

            910KB

            MD5

            6044ba604bb80aa7d9ad6dbfd9cadaca

            SHA1

            8cc61cc5c9e5c1d038cee584bb61078fec757ada

            SHA256

            9e3036d12cda6931dfb6c658587bec8bdb87249e1bf390f28acd4de2bf1f86f0

            SHA512

            ef128d4364fbf85d4ca69975cb0b3a753988610308e0da46589a01f64df4b139e71ff38264d6b77866ca68d7e9193d1a249b68fc5a68b5ac8e7aba18b87b691d

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dllhost.com
            Filesize

            910KB

            MD5

            6044ba604bb80aa7d9ad6dbfd9cadaca

            SHA1

            8cc61cc5c9e5c1d038cee584bb61078fec757ada

            SHA256

            9e3036d12cda6931dfb6c658587bec8bdb87249e1bf390f28acd4de2bf1f86f0

            SHA512

            ef128d4364fbf85d4ca69975cb0b3a753988610308e0da46589a01f64df4b139e71ff38264d6b77866ca68d7e9193d1a249b68fc5a68b5ac8e7aba18b87b691d

            Download Submit
          • \Users\Admin\AppData\Local\Temp\IXP000.TMP\dllhost.com
            Filesize

            910KB

            MD5

            6044ba604bb80aa7d9ad6dbfd9cadaca

            SHA1

            8cc61cc5c9e5c1d038cee584bb61078fec757ada

            SHA256

            9e3036d12cda6931dfb6c658587bec8bdb87249e1bf390f28acd4de2bf1f86f0

            SHA512

            ef128d4364fbf85d4ca69975cb0b3a753988610308e0da46589a01f64df4b139e71ff38264d6b77866ca68d7e9193d1a249b68fc5a68b5ac8e7aba18b87b691d

            Download Submit
          • \Users\Admin\AppData\Local\Temp\IXP000.TMP\dllhost.com
            Filesize

            910KB

            MD5

            6044ba604bb80aa7d9ad6dbfd9cadaca

            SHA1

            8cc61cc5c9e5c1d038cee584bb61078fec757ada

            SHA256

            9e3036d12cda6931dfb6c658587bec8bdb87249e1bf390f28acd4de2bf1f86f0

            SHA512

            ef128d4364fbf85d4ca69975cb0b3a753988610308e0da46589a01f64df4b139e71ff38264d6b77866ca68d7e9193d1a249b68fc5a68b5ac8e7aba18b87b691d

            Download Submit
          • \Users\Admin\AppData\Local\Temp\IXP000.TMP\dllhost.com
            Filesize

            910KB

            MD5

            6044ba604bb80aa7d9ad6dbfd9cadaca

            SHA1

            8cc61cc5c9e5c1d038cee584bb61078fec757ada

            SHA256

            9e3036d12cda6931dfb6c658587bec8bdb87249e1bf390f28acd4de2bf1f86f0

            SHA512

            ef128d4364fbf85d4ca69975cb0b3a753988610308e0da46589a01f64df4b139e71ff38264d6b77866ca68d7e9193d1a249b68fc5a68b5ac8e7aba18b87b691d

            Download Submit
          • memory/552-60-0x0000000000000000-mapping.dmp
            Download
          • memory/764-76-0x0000000000000000-mapping.dmp
            Download
          • memory/872-56-0x0000000000000000-mapping.dmp
            Download
          • memory/872-57-0x0000000075DF1000-0x0000000075DF3000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1068-55-0x0000000000000000-mapping.dmp
            Download
          • memory/1216-54-0x0000000000000000-mapping.dmp
            Download
          • memory/1304-69-0x0000000000000000-mapping.dmp
            Download
          • memory/1400-61-0x0000000000000000-mapping.dmp
            Download
          • memory/1436-65-0x0000000000000000-mapping.dmp
            Download
          • memory/1448-72-0x0000000000000000-mapping.dmp
            Download
          • memory/1484-81-0x0000000000080000-0x000000000008F000-memory.dmp
            Filesize

            60KB

            Download
          • memory/1484-83-0x0000000000080000-0x000000000008F000-memory.dmp
            Filesize

            60KB

            Download
          • memory/1484-86-0x0000000000080000-0x000000000008F000-memory.dmp
            Filesize

            60KB

            Download
          • memory/1632-88-0x0000000000082E90-mapping.dmp
            Download
          • memory/1632-90-0x00000000748D1000-0x00000000748D3000-memory.dmp
            Filesize

            8KB

            Download
          • memory/1764-62-0x0000000000000000-mapping.dmp
            Download
          • memory/1928-63-0x0000000000000000-mapping.dmp
            Download