vkeylogger | 7ba62b0e57cade7dcf5251b53759e93525c6f37d107ef506dcf9c4eec3fd2ffe

Analysis

max time kernel
124s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
26-03-2022 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ba62b0e57cade7dcf5251b53759e93525c6f37d107ef506dcf9c4eec3fd2ffe.exe
Size

5.5MB
MD5

029234355ca1ab689186c8795602854a
SHA1

d568d0eefc1367d30429c3d26f82c4dd61821d02
SHA256

7ba62b0e57cade7dcf5251b53759e93525c6f37d107ef506dcf9c4eec3fd2ffe
SHA512

4bf5ea4251c2090d33ef97aeb8abfb0ea84ead9dcf16b4b4151ce865204fda4bd130e849bf20a2f58cf49d09842053cd1d865bcdb945764736515e8a6e252bbc

Score

10^/10

vkeylogger keylogger persistence stealer

Malware Config

Signatures

VKeylogger
A keylogger first seen in Nov 2020.
stealer keylogger vkeylogger

VKeylogger Payload 2 IoCs

resource	yara_rule
behavioral2/memory/1484-151-0x0000000001420000-0x000000000142F000-memory.dmp	family_vkeylogger
behavioral2/memory/1484-154-0x0000000001420000-0x000000000142F000-memory.dmp	family_vkeylogger

Executes dropped EXE 3 IoCs

pid	Process
4404	dllhost.com
3568	dllhost.com
1484	dllhost.com

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7ba62b0e57cade7dcf5251b53759e93525c6f37d107ef506dcf9c4eec3fd2ffe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsStartmemt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\dllhost.com"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Santa = "C:\\Windows\\system32\\mshta.exe javascript:x=new%20ActiveXObject(\"wscript.shell\");v=x.RegRead(\"HKCU\\\\Software\\\\Microsoft\\\\SMSvcHost\\\\ComponentID\");eval(v);"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	7ba62b0e57cade7dcf5251b53759e93525c6f37d107ef506dcf9c4eec3fd2ffe.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3568 set thread context of 1484	3568	dllhost.com	103
PID 1484 set thread context of 1000	1484	dllhost.com	104

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
1672	tasklist.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
2796	PING.EXE
4412	PING.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3568	dllhost.com
3568	dllhost.com
3568	dllhost.com
3568	dllhost.com
3568	dllhost.com
3568	dllhost.com
3568	dllhost.com
3568	dllhost.com
3568	dllhost.com
3568	dllhost.com
3568	dllhost.com
3568	dllhost.com
3568	dllhost.com
3568	dllhost.com
3568	dllhost.com
3568	dllhost.com
3568	dllhost.com
3568	dllhost.com

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1484	dllhost.com
1000	explorer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1672	tasklist.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1000	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1000	explorer.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 4004 wrote to memory of 4100	4004	7ba62b0e57cade7dcf5251b53759e93525c6f37d107ef506dcf9c4eec3fd2ffe.exe	79
PID 4004 wrote to memory of 4100	4004	7ba62b0e57cade7dcf5251b53759e93525c6f37d107ef506dcf9c4eec3fd2ffe.exe	79
PID 4004 wrote to memory of 4100	4004	7ba62b0e57cade7dcf5251b53759e93525c6f37d107ef506dcf9c4eec3fd2ffe.exe	79
PID 4004 wrote to memory of 396	4004	7ba62b0e57cade7dcf5251b53759e93525c6f37d107ef506dcf9c4eec3fd2ffe.exe	81
PID 4004 wrote to memory of 396	4004	7ba62b0e57cade7dcf5251b53759e93525c6f37d107ef506dcf9c4eec3fd2ffe.exe	81
PID 4004 wrote to memory of 396	4004	7ba62b0e57cade7dcf5251b53759e93525c6f37d107ef506dcf9c4eec3fd2ffe.exe	81
PID 396 wrote to memory of 1268	396	cmd.exe	83
PID 396 wrote to memory of 1268	396	cmd.exe	83
PID 396 wrote to memory of 1268	396	cmd.exe	83
PID 396 wrote to memory of 1576	396	cmd.exe	84
PID 396 wrote to memory of 1576	396	cmd.exe	84
PID 396 wrote to memory of 1576	396	cmd.exe	84
PID 1576 wrote to memory of 1672	1576	cmd.exe	85
PID 1576 wrote to memory of 1672	1576	cmd.exe	85
PID 1576 wrote to memory of 1672	1576	cmd.exe	85
PID 1576 wrote to memory of 1832	1576	cmd.exe	86
PID 1576 wrote to memory of 1832	1576	cmd.exe	86
PID 1576 wrote to memory of 1832	1576	cmd.exe	86
PID 1576 wrote to memory of 2796	1576	cmd.exe	88
PID 1576 wrote to memory of 2796	1576	cmd.exe	88
PID 1576 wrote to memory of 2796	1576	cmd.exe	88
PID 1576 wrote to memory of 2996	1576	cmd.exe	89
PID 1576 wrote to memory of 2996	1576	cmd.exe	89
PID 1576 wrote to memory of 2996	1576	cmd.exe	89
PID 1576 wrote to memory of 4404	1576	cmd.exe	90
PID 1576 wrote to memory of 4404	1576	cmd.exe	90
PID 1576 wrote to memory of 4404	1576	cmd.exe	90
PID 1576 wrote to memory of 4412	1576	cmd.exe	91
PID 1576 wrote to memory of 4412	1576	cmd.exe	91
PID 1576 wrote to memory of 4412	1576	cmd.exe	91
PID 4404 wrote to memory of 3568	4404	dllhost.com	92
PID 4404 wrote to memory of 3568	4404	dllhost.com	92
PID 4404 wrote to memory of 3568	4404	dllhost.com	92
PID 3568 wrote to memory of 1484	3568	dllhost.com	103
PID 3568 wrote to memory of 1484	3568	dllhost.com	103
PID 3568 wrote to memory of 1484	3568	dllhost.com	103
PID 3568 wrote to memory of 1484	3568	dllhost.com	103
PID 3568 wrote to memory of 1484	3568	dllhost.com	103
PID 1484 wrote to memory of 1000	1484	dllhost.com	104
PID 1484 wrote to memory of 1000	1484	dllhost.com	104
PID 1484 wrote to memory of 1000	1484	dllhost.com	104

C:\Users\Admin\AppData\Local\Temp\7ba62b0e57cade7dcf5251b53759e93525c6f37d107ef506dcf9c4eec3fd2ffe.exe
"C:\Users\Admin\AppData\Local\Temp\7ba62b0e57cade7dcf5251b53759e93525c6f37d107ef506dcf9c4eec3fd2ffe.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4004
- C:\Windows\SysWOW64\cmd.exe
  cmd /c QxfDpS
  2⤵
  PID:4100
- C:\Windows\SysWOW64\cmd.exe
  cmd /c certutil -decode 85-32 50-91 & cmd < 50-91
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:396
- - C:\Windows\SysWOW64\certutil.exe
    certutil -decode 85-32 50-91
    3⤵
    PID:1268
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1576
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "IMAGENAME eq srvpost.exe"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1672
  - - C:\Windows\SysWOW64\find.exe
      find /I /N "srvpost.exe"
      4⤵
      PID:1832
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 zpbTWPYwB.zpbTWPYwB
      4⤵
      Runs ping.exe
      PID:2796
  - - C:\Windows\SysWOW64\certutil.exe
      certutil -decode 3-31 T
      4⤵
      PID:2996
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dllhost.com
      dllhost.com T
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4404
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dllhost.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dllhost.com T
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3568
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dllhost.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dllhost.com
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:1484
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        7⤵
        Adds Run key to start application
        Suspicious behavior: MapViewOfSection
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        
        PID:1000
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 3
      4⤵
      Runs ping.exe
      PID:4412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3-31

Filesize
931KB

MD5
86bc1d0fbee53b193deb1f2e471ebc9f

SHA1
77cf011c0a89a8b663d9862ba29fbd41cbe97f16

SHA256
653fbda407adeb1016be457df92742510473c42dc7a586b8064b6187d7baac9c

SHA512
d2fa7f74388157bc2901418af9bfa884eda31bd48da99133f1c50817df3733ec89e02a05e3f1c16db45f8bd99cbb286fe17d698adebbb74225904377d62f3eee

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\50-91

Filesize
4KB

MD5
2ff1c52353b2985dcac4364cdc3914ad

SHA1
92f4349bb063da88b05d56a204af88e48f8242a9

SHA256
f5e645a7166a5feb796475fdd85459dc8ef6f683868e258b848a670cd7093eab

SHA512
f03e21f251277740c1ca963831d4c97d652d6c768a8c83c45229deb477e74f04778c26af04737ae19c73bbbde2279f4e805b46c6bad128849d779daa6a59267c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\59-97

Filesize
909KB

MD5
7b573c98b3fd01b8dc83da2710f9ef53

SHA1
9dc46d49571ffa5fb70c87ac2aef11b4030146e3

SHA256
dce1ce863077bd13852703df55c9185fa27bdd7defa9dce9a810ddf3c7751c64

SHA512
140dfabdbe289ee6df5319a73e94c44e96f5a4aff07cb173a45bfe3466c1f26503c3aa5f23e8999a123673c893563177d1e8247d69b4b2fad3c672052cabb17b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\7-7

Filesize
52KB

MD5
dc62bb2dac17453dd9356923780c0115

SHA1
dc1ba5eab540eed3d1020b81fc19aebc31a3b040

SHA256
d6330ace7072197e4c71e574bf9dcae932f9b65e452d5814a02b8ed55d9206e5

SHA512
87042702b8d4e22c8a362bc637aea944b7a45b947656ba295ff381517be58f9e04348b77ff797ae0f9bbda8bfd958879f65535d75a276dd0a20495af12a351e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\85-32

Filesize
6KB

MD5
36ffffbb2dcbacac1ce1f666b6dc46be

SHA1
ca7f1d4d489dfab21fb9b926601b66a5f5b05dcc

SHA256
1dd59f2a8795aab941c2195be74ed9c91b9a2e182db92cdf95479e504d2be7d5

SHA512
2072f94e5ee8234fb4e75a5c4742a8bcf74de34de93c30dacb74fd6b44baaecad45b90c6394171cae3158db86f479bf1ce92e4de35e8c35e62441e27fbf11901

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\T

Filesize
676KB

MD5
13bf07e459a6f2e594da96834a5bccd4

SHA1
d52c69844327c3a11fe51c2c682f428a4e526c9b

SHA256
673b801bad16732e02e91ced7867f6fc4c26b113539800c69fcd2af846710214

SHA512
edf3eaa1c4bf00a61a5f745036321d45a4440b2057129f6a452b11de761c43d9ca9505e779a91dff5cab4f86b98886f4b7c1a809512891c9039da02805eeef43

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dllhost.com

Filesize
910KB

MD5
6044ba604bb80aa7d9ad6dbfd9cadaca

SHA1
8cc61cc5c9e5c1d038cee584bb61078fec757ada

SHA256
9e3036d12cda6931dfb6c658587bec8bdb87249e1bf390f28acd4de2bf1f86f0

SHA512
ef128d4364fbf85d4ca69975cb0b3a753988610308e0da46589a01f64df4b139e71ff38264d6b77866ca68d7e9193d1a249b68fc5a68b5ac8e7aba18b87b691d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dllhost.com

Filesize
910KB

MD5
6044ba604bb80aa7d9ad6dbfd9cadaca

SHA1
8cc61cc5c9e5c1d038cee584bb61078fec757ada

SHA256
9e3036d12cda6931dfb6c658587bec8bdb87249e1bf390f28acd4de2bf1f86f0

SHA512
ef128d4364fbf85d4ca69975cb0b3a753988610308e0da46589a01f64df4b139e71ff38264d6b77866ca68d7e9193d1a249b68fc5a68b5ac8e7aba18b87b691d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dllhost.com

Filesize
910KB

MD5
6044ba604bb80aa7d9ad6dbfd9cadaca

SHA1
8cc61cc5c9e5c1d038cee584bb61078fec757ada

SHA256
9e3036d12cda6931dfb6c658587bec8bdb87249e1bf390f28acd4de2bf1f86f0

SHA512
ef128d4364fbf85d4ca69975cb0b3a753988610308e0da46589a01f64df4b139e71ff38264d6b77866ca68d7e9193d1a249b68fc5a68b5ac8e7aba18b87b691d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dllhost.com

Filesize
910KB

MD5
6044ba604bb80aa7d9ad6dbfd9cadaca

SHA1
8cc61cc5c9e5c1d038cee584bb61078fec757ada

SHA256
9e3036d12cda6931dfb6c658587bec8bdb87249e1bf390f28acd4de2bf1f86f0

SHA512
ef128d4364fbf85d4ca69975cb0b3a753988610308e0da46589a01f64df4b139e71ff38264d6b77866ca68d7e9193d1a249b68fc5a68b5ac8e7aba18b87b691d

Download Submit
memory/1484-151-0x0000000001420000-0x000000000142F000-memory.dmp

Filesize
60KB

Download
memory/1484-154-0x0000000001420000-0x000000000142F000-memory.dmp

Filesize
60KB

Download