Analysis

  • max time kernel
    121s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    21/08/2024, 07:16

General

  • Target

    DHL Shipping Document_308-4716.exe

  • Size

    731KB

  • MD5

    6f0e87c46e12499672ae0402ff8a991e

  • SHA1

    63c8801cf96ee9999241b28f101d15da7c4d4b16

  • SHA256

    238b48a0994b2bd9e86d0670a02b6c6f7adde932512641b91165c3a489784d00

  • SHA512

    8d10d8d525886090e5578989d975bbf8f01269adde1a52fb97e5464388bff0fcc041e4b6b52f36e10304d41e6d4575352d5b4085795315d936088eff51396f31

  • SSDEEP

    12288:MWelGoL3rlW4/iTgHhwlL7tlD5+eEv6S6EsUISMJDNw++wA6SS9/rH0os+/EskMj:oTvTiTgHq5+eEB6ELdMBSD6SSZH0n3j

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7514635603:AAFnm0liZNrDoyZysE6fl63uCfuqFuaKPug/sendMessage?chat_id=5116181161

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DHL Shipping Document_308-4716.exe
    "C:\Users\Admin\AppData\Local\Temp\DHL Shipping Document_308-4716.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2672
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\DHL Shipping Document_308-4716.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2836
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\saDJdmcz.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2616
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\saDJdmcz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp57C1.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:324
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
        PID:2088
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        2⤵
        • Accesses Microsoft Outlook profiles
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:2212

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\tmp57C1.tmp

            Filesize

            1KB

            MD5

            fefa16fdeffbd42b2d0f216102c9fc86

            SHA1

            48a793b1720705e313d2a2810341306f12308ca8

            SHA256

            46694d9c715661f0d2f04c9b62e1d3fb0fefb0830d115d3c07cce56e9e96f393

            SHA512

            4d4adc98b394ea7b587917acf7d9d6fc5a7b82c7759fb51698dd49552acd6de65bbf60697dc7c27e49b2bd56696b976c3a3fb988908cd524bda3d2c48f134d51

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

            Filesize

            7KB

            MD5

            1a5c1876a05cd01b7bb0a09b20ee42b1

            SHA1

            3c02b08fbe824a468499250d43d5798494af07f3

            SHA256

            4ad6626ff193564e3b47919f85dfc212edc56a9304fdb5e7280a4a33b2dbe46f

            SHA512

            0a66f418ace91c2bfccd4e702fe4c6c1c500606c9e455c48f354477d357dd4d910162e6404dc704721b21ac07a339ff3ea0050dae8c0c21edbf7741040da5f1e

          • memory/2212-21-0x0000000000400000-0x0000000000448000-memory.dmp

            Filesize

            288KB

          • memory/2212-33-0x0000000000400000-0x0000000000448000-memory.dmp

            Filesize

            288KB

          • memory/2212-29-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

            Filesize

            4KB

          • memory/2212-30-0x0000000000400000-0x0000000000448000-memory.dmp

            Filesize

            288KB

          • memory/2212-31-0x0000000000400000-0x0000000000448000-memory.dmp

            Filesize

            288KB

          • memory/2212-23-0x0000000000400000-0x0000000000448000-memory.dmp

            Filesize

            288KB

          • memory/2212-25-0x0000000000400000-0x0000000000448000-memory.dmp

            Filesize

            288KB

          • memory/2212-27-0x0000000000400000-0x0000000000448000-memory.dmp

            Filesize

            288KB

          • memory/2672-7-0x00000000004A0000-0x00000000004B0000-memory.dmp

            Filesize

            64KB

          • memory/2672-1-0x00000000009F0000-0x0000000000AAE000-memory.dmp

            Filesize

            760KB

          • memory/2672-2-0x00000000743C0000-0x0000000074AAE000-memory.dmp

            Filesize

            6.9MB

          • memory/2672-8-0x0000000005B30000-0x0000000005BBC000-memory.dmp

            Filesize

            560KB

          • memory/2672-3-0x0000000000580000-0x000000000059A000-memory.dmp

            Filesize

            104KB

          • memory/2672-0-0x00000000743CE000-0x00000000743CF000-memory.dmp

            Filesize

            4KB

          • memory/2672-6-0x0000000000450000-0x000000000045C000-memory.dmp

            Filesize

            48KB

          • memory/2672-5-0x00000000743C0000-0x0000000074AAE000-memory.dmp

            Filesize

            6.9MB

          • memory/2672-4-0x00000000743CE000-0x00000000743CF000-memory.dmp

            Filesize

            4KB

          • memory/2672-34-0x00000000743C0000-0x0000000074AAE000-memory.dmp

            Filesize

            6.9MB