Analysis

  • max time kernel
    16s
  • max time network
    82s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    21/08/2024, 07:18

General

  • Target

    DHL Shipping Document_308-4716.exe

  • Size

    731KB

  • MD5

    6f0e87c46e12499672ae0402ff8a991e

  • SHA1

    63c8801cf96ee9999241b28f101d15da7c4d4b16

  • SHA256

    238b48a0994b2bd9e86d0670a02b6c6f7adde932512641b91165c3a489784d00

  • SHA512

    8d10d8d525886090e5578989d975bbf8f01269adde1a52fb97e5464388bff0fcc041e4b6b52f36e10304d41e6d4575352d5b4085795315d936088eff51396f31

  • SSDEEP

    12288:MWelGoL3rlW4/iTgHhwlL7tlD5+eEv6S6EsUISMJDNw++wA6SS9/rH0os+/EskMj:oTvTiTgHq5+eEB6ELdMBSD6SSZH0n3j

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7514635603:AAFnm0liZNrDoyZysE6fl63uCfuqFuaKPug/sendMessage?chat_id=5116181161

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DHL Shipping Document_308-4716.exe
    "C:\Users\Admin\AppData\Local\Temp\DHL Shipping Document_308-4716.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\DHL Shipping Document_308-4716.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2772
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\saDJdmcz.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2724
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\saDJdmcz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1075.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:3012
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2628
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 968
        3⤵
        • Program crash
        PID:2052

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmp1075.tmp

          Filesize

          1KB

          MD5

          ebec6fe2af77910c4d1a2383614980a1

          SHA1

          5e037897cadbb3013126ccac14e14a0698a48251

          SHA256

          5b9a1c4482f97fefbc44a9aefec98717f22ba055862a03321dbd32fa202d3dea

          SHA512

          9bdced5c86d6e7917583a08a3e76d1a7432c9911904c8cd2056d86cc87eacfef967c42d8ed080d30fb0f6afd5a061f662218f4b098ad5cf9438cf6c98e08773e

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\G3148K6GM8UOZ94HISXY.temp

          Filesize

          7KB

          MD5

          dc60536b66cb861f8444486d4b7353a8

          SHA1

          3b6a83e34a09f03400d4b4cc6f96b24e5572a42f

          SHA256

          3d761e448b33e993e012b89dadac0cfbcc6f749e1c8ee0f8cd5a9c3e2e381ed2

          SHA512

          03d99948f13afeb69999fa3cd42a3e3bda9cd7ae5abb934e8908d6a864b80db610ba3f7992fdb0012daebccc206e88ca2e87c36dc7d460060302af80abfed924

        • memory/1976-4-0x0000000074B00000-0x00000000751EE000-memory.dmp

          Filesize

          6.9MB

        • memory/1976-3-0x00000000003B0000-0x00000000003CA000-memory.dmp

          Filesize

          104KB

        • memory/1976-0-0x0000000074B0E000-0x0000000074B0F000-memory.dmp

          Filesize

          4KB

        • memory/1976-5-0x0000000000570000-0x000000000057C000-memory.dmp

          Filesize

          48KB

        • memory/1976-6-0x0000000000580000-0x0000000000590000-memory.dmp

          Filesize

          64KB

        • memory/1976-7-0x0000000004CF0000-0x0000000004D7C000-memory.dmp

          Filesize

          560KB

        • memory/1976-2-0x0000000074B00000-0x00000000751EE000-memory.dmp

          Filesize

          6.9MB

        • memory/1976-1-0x00000000008D0000-0x000000000098E000-memory.dmp

          Filesize

          760KB

        • memory/1976-32-0x0000000074B00000-0x00000000751EE000-memory.dmp

          Filesize

          6.9MB

        • memory/2628-31-0x0000000000400000-0x0000000000448000-memory.dmp

          Filesize

          288KB

        • memory/2628-30-0x0000000000400000-0x0000000000448000-memory.dmp

          Filesize

          288KB

        • memory/2628-29-0x0000000000400000-0x0000000000448000-memory.dmp

          Filesize

          288KB

        • memory/2628-28-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

          Filesize

          4KB

        • memory/2628-26-0x0000000000400000-0x0000000000448000-memory.dmp

          Filesize

          288KB

        • memory/2628-22-0x0000000000400000-0x0000000000448000-memory.dmp

          Filesize

          288KB

        • memory/2628-24-0x0000000000400000-0x0000000000448000-memory.dmp

          Filesize

          288KB

        • memory/2628-20-0x0000000000400000-0x0000000000448000-memory.dmp

          Filesize

          288KB