Analysis
- max time kernel: 121s
- max time network: 133s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 21/08/2024, 07:16
Static task: static1
Behavioral task: behavioral1
- Sample: DHL Shipping Document_308-4716.exe
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: DHL Shipping Document_308-4716.exe
- Resource: win10v2004-20240802-en
General
- Target: DHL Shipping Document_308-4716.exe
- Size: 731KB
- MD5: 6f0e87c46e12499672ae0402ff8a991e
- SHA1: 63c8801cf96ee9999241b28f101d15da7c4d4b16
- SHA256: 238b48a0994b2bd9e86d0670a02b6c6f7adde932512641b91165c3a489784d00
- SHA512: 8d10d8d525886090e5578989d975bbf8f01269adde1a52fb97e5464388bff0fcc041e4b6b52f36e10304d41e6d4575352d5b4085795315d936088eff51396f31
- SSDEEP: 12288:MWelGoL3rlW4/iTgHhwlL7tlD5+eEv6S6EsUISMJDNw++wA6SS9/rH0os+/EskMj:oTvTiTgHq5+eEB6ELdMBSD6SSZH0n3j
Malware Config
- Extracted family: vipkeylogger
- Extracted URL: https://api.telegram.org/bot7514635603:AAFnm0liZNrDoyZysE6fl63uCfuqFuaKPug/sendMessage?chat_id=5116181161
Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.

Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious access to, or copy of, a web browser credential store.

Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- PID 2836: powershell.exe
- PID 2616: powershell.exe

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
- Key opened: \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (MSBuild.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (MSBuild.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (MSBuild.exe)

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- Flow 4: checkip.dyndns.org

Suspicious use of SetThreadContext (1 IoCs)
- PID 2672 (DHL Shipping Document_308-4716.exe) set thread context of PID 2212 (procid_target 37)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (DHL Shipping Document_308-4716.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (schtasks.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (MSBuild.exe)

System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 1 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
- PID 2672: DHL Shipping Document_308-4716.exe

Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
- PID 324: schtasks.exe

Suspicious behavior: EnumeratesProcesses (8 IoCs)
- PID 2672: DHL Shipping Document_308-4716.exe
- PID 2672: DHL Shipping Document_308-4716.exe
- PID 2672: DHL Shipping Document_308-4716.exe
- PID 2836: powershell.exe
- PID 2616: powershell.exe
- PID 2672: DHL Shipping Document_308-4716.exe
- PID 2212: MSBuild.exe
- PID 2212: MSBuild.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
- Token: SeDebugPrivilege, PID 2672, DHL Shipping Document_308-4716.exe
- Token: SeDebugPrivilege, PID 2836, powershell.exe
- Token: SeDebugPrivilege, PID 2616, powershell.exe
- Token: SeDebugPrivilege, PID 2212, MSBuild.exe

Suspicious use of WriteProcessMemory (25 IoCs)
All entries originate from PID 2672 (DHL Shipping Document_308-4716.exe); each line is one recorded write, with its procid_target.
- PID 2672 wrote to memory of 2836 (procid_target 30)
- PID 2672 wrote to memory of 2836 (procid_target 30)
- PID 2672 wrote to memory of 2836 (procid_target 30)
- PID 2672 wrote to memory of 2836 (procid_target 30)
- PID 2672 wrote to memory of 2616 (procid_target 32)
- PID 2672 wrote to memory of 2616 (procid_target 32)
- PID 2672 wrote to memory of 2616 (procid_target 32)
- PID 2672 wrote to memory of 2616 (procid_target 32)
- PID 2672 wrote to memory of 324 (procid_target 34)
- PID 2672 wrote to memory of 324 (procid_target 34)
- PID 2672 wrote to memory of 324 (procid_target 34)
- PID 2672 wrote to memory of 324 (procid_target 34)
- PID 2672 wrote to memory of 2088 (procid_target 36)
- PID 2672 wrote to memory of 2088 (procid_target 36)
- PID 2672 wrote to memory of 2088 (procid_target 36)
- PID 2672 wrote to memory of 2088 (procid_target 36)
- PID 2672 wrote to memory of 2212 (procid_target 37)
- PID 2672 wrote to memory of 2212 (procid_target 37)
- PID 2672 wrote to memory of 2212 (procid_target 37)
- PID 2672 wrote to memory of 2212 (procid_target 37)
- PID 2672 wrote to memory of 2212 (procid_target 37)
- PID 2672 wrote to memory of 2212 (procid_target 37)
- PID 2672 wrote to memory of 2212 (procid_target 37)
- PID 2672 wrote to memory of 2212 (procid_target 37)
- PID 2672 wrote to memory of 2212 (procid_target 37)

outlook_office_path (1 IoCs)
- Key opened: \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (MSBuild.exe)

outlook_win_path (1 IoCs)
- Key opened: \REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (MSBuild.exe)
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\DHL Shipping Document_308-4716.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\DHL Shipping Document_308-4716.exe"
PID: 2672
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

  Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\DHL Shipping Document_308-4716.exe"
  PID: 2836
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

  Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\saDJdmcz.exe"
  PID: 2616
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

  Level 2: C:\Windows\SysWOW64\schtasks.exe
  Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\saDJdmcz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp57C1.tmp"
  PID: 324
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task

  Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  PID: 2088

  Level 2: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  PID: 2212
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter: 1
  - PowerShell: 1
- Scheduled Task/Job: 1
  - Scheduled Task: 1
Downloads

Dropped file (path not recorded in this report)
- Filesize: 1KB
- MD5: fefa16fdeffbd42b2d0f216102c9fc86
- SHA1: 48a793b1720705e313d2a2810341306f12308ca8
- SHA256: 46694d9c715661f0d2f04c9b62e1d3fb0fefb0830d115d3c07cce56e9e96f393
- SHA512: 4d4adc98b394ea7b587917acf7d9d6fc5a7b82c7759fb51698dd49552acd6de65bbf60697dc7c27e49b2bd56696b976c3a3fb988908cd524bda3d2c48f134d51

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
- Filesize: 7KB
- MD5: 1a5c1876a05cd01b7bb0a09b20ee42b1
- SHA1: 3c02b08fbe824a468499250d43d5798494af07f3
- SHA256: 4ad6626ff193564e3b47919f85dfc212edc56a9304fdb5e7280a4a33b2dbe46f
- SHA512: 0a66f418ace91c2bfccd4e702fe4c6c1c500606c9e455c48f354477d357dd4d910162e6404dc704721b21ac07a339ff3ea0050dae8c0c21edbf7741040da5f1e