Analysis
-
max time kernel
16s
-
max time network
82s
-
platform
windows7_x64
-
resource
win7-20240729-en
-
resource tags
arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
-
submitted
21/08/2024, 07:18
Static task
static1
Behavioral task
behavioral1
Sample
DHL Shipping Document_308-4716.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
DHL Shipping Document_308-4716.exe
Resource
win10v2004-20240802-en
General
-
Target
DHL Shipping Document_308-4716.exe
-
Size
731KB
-
MD5
6f0e87c46e12499672ae0402ff8a991e
-
SHA1
63c8801cf96ee9999241b28f101d15da7c4d4b16
-
SHA256
238b48a0994b2bd9e86d0670a02b6c6f7adde932512641b91165c3a489784d00
-
SHA512
8d10d8d525886090e5578989d975bbf8f01269adde1a52fb97e5464388bff0fcc041e4b6b52f36e10304d41e6d4575352d5b4085795315d936088eff51396f31
-
SSDEEP
12288:MWelGoL3rlW4/iTgHhwlL7tlD5+eEv6S6EsUISMJDNw++wA6SS9/rH0os+/EskMj:oTvTiTgHq5+eEB6ELdMBSD6SSZH0n3j
Malware Config
Extracted
vipkeylogger
https://api.telegram.org/bot7514635603:AAFnm0liZNrDoyZysE6fl63uCfuqFuaKPug/sendMessage?chat_id=5116181161
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Runs PowerShell to modify Windows Defender settings by adding exclusions for file extensions, paths, or processes.
pid   Process
2772  powershell.exe
2724  powershell.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
2     checkip.dyndns.org
-
Suspicious use of SetThreadContext 1 IoCs
description                          pid   Process                             procid_target
PID 1976 set thread context of 2628  1976  DHL Shipping Document_308-4716.exe  36
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid   pid_target  Process       procid_target
2052  2628        WerFault.exe  36
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                      Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DHL Shipping Document_308-4716.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MSBuild.exe
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid   Process
1976  DHL Shipping Document_308-4716.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
3012  schtasks.exe
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
pid   Process
1976  DHL Shipping Document_308-4716.exe
1976  DHL Shipping Document_308-4716.exe
2628  MSBuild.exe
2724  powershell.exe
2772  powershell.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
description              pid   Process
Token: SeDebugPrivilege  1976  DHL Shipping Document_308-4716.exe
Token: SeDebugPrivilege  2628  MSBuild.exe
Token: SeDebugPrivilege  2724  powershell.exe
Token: SeDebugPrivilege  2772  powershell.exe
-
Suspicious use of WriteProcessMemory 25 IoCs
description                       pid   Process                             procid_target  events
PID 1976 wrote to memory of 2772  1976  DHL Shipping Document_308-4716.exe  30             4
PID 1976 wrote to memory of 2724  1976  DHL Shipping Document_308-4716.exe  32             4
PID 1976 wrote to memory of 3012  1976  DHL Shipping Document_308-4716.exe  33             4
PID 1976 wrote to memory of 2628  1976  DHL Shipping Document_308-4716.exe  36             9
PID 2628 wrote to memory of 2052  2628  MSBuild.exe                         37             4
Processes
-
C:\Users\Admin\AppData\Local\Temp\DHL Shipping Document_308-4716.exe  (depth 1)
  "C:\Users\Admin\AppData\Local\Temp\DHL Shipping Document_308-4716.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1976
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (depth 2)
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\DHL Shipping Document_308-4716.exe"
  (The 32-bit sample asks for the System32 binary; WoW64 file system redirection resolves it to SysWOW64, which is why the image path and the command line differ here and in the other child processes.)
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2772
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (depth 2)
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\saDJdmcz.exe"
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2724
-
C:\Windows\SysWOW64\schtasks.exe  (depth 2)
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\saDJdmcz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1075.tmp"
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID: 3012
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  (depth 2)
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2628
-
C:\Windows\SysWOW64\WerFault.exe  (depth 3)
  C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 968
  - Program crash
  PID: 2052
-
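The signatures and the process tree above describe one chain: the dropper spawns PowerShell to add Defender exclusions, registers a scheduled task from an XML file in Temp, and starts an argument-less MSBuild.exe that it then writes into and retargets with SetThreadContext. The following Python is an added example (not part of this sandbox report) that turns that chain into detection rules and runs them over constructed process-creation events modelled on the tree. The event schema (pid, ppid, image, parent_image, cmd), the explorer.exe and devenv.exe parents, and the benign control launch are assumptions; the command lines are copied from the report. The SetThreadContext step itself needs API-level telemetry and is not modelled here.

```python
"""Detection rules for the chain in this report, run over constructed
process-creation events (Sysmon Event ID 1 / Security 4688 style).
Added example, not part of the sandbox report; schema and parents are assumed."""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\DHL Shipping Document_308-4716.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

# Constructed events mirroring the process tree above, plus one benign MSBuild
# launch (from Visual Studio, with a project file) as a control.
EVENTS = [
    {"pid": 1976, "ppid": 1480, "parent_image": r"C:\Windows\explorer.exe",
     "image": SAMPLE, "cmd": f'"{SAMPLE}"'},
    {"pid": 2772, "ppid": 1976, "parent_image": SAMPLE, "image": PS,
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
            r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\DHL Shipping Document_308-4716.exe"'},
    {"pid": 2724, "ppid": 1976, "parent_image": SAMPLE, "image": PS,
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
            r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\saDJdmcz.exe"'},
    {"pid": 3012, "ppid": 1976, "parent_image": SAMPLE,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\saDJdmcz" '
            r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp1075.tmp"'},
    {"pid": 2628, "ppid": 1976, "parent_image": SAMPLE, "image": MSBUILD,
     "cmd": f'"{MSBUILD}"'},
    {"pid": 2052, "ppid": 2628, "parent_image": MSBUILD,
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmd": r"C:\Windows\SysWOW64\WerFault.exe -u -p 2628 -s 968"},
    {"pid": 4100, "ppid": 4000, "image": MSBUILD,  # benign control, assumed
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "cmd": f'"{MSBUILD}" app.csproj /t:Build'},
]

MSBUILD_PARENTS_OK = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}
IP_LOOKUP_HOSTS = {"checkip.dyndns.org"}  # extend with the lookup services you see


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def _args(cmd):
    """Arguments after the (possibly quoted) image path in a command line."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)$', cmd, re.S)
    return m.group(1).strip() if m else ""


def rule_defender_exclusion(e):
    """PowerShell adding a Defender exclusion (Add-MpPreference -Exclusion*)."""
    return _base(e["image"]) == "powershell.exe" and bool(
        re.search(r"add-mppreference\s+-exclusion(path|extension|process)\b", e["cmd"], re.I))


def rule_schtasks_xml_from_temp(e):
    """schtasks /Create importing a task definition from the user's Temp folder."""
    c = e["cmd"].lower()
    return (_base(e["image"]) == "schtasks.exe" and "/create" in c
            and bool(re.search(r'/xml\s+"?[^"]*\\appdata\\local\\temp\\', c)))


def rule_msbuild_no_project(e):
    """MSBuild started with no arguments by something other than a build tool:
    an injection host rather than a build (cf. SetThreadContext on PID 2628)."""
    return (_base(e["image"]) == "msbuild.exe" and _args(e["cmd"]) == ""
            and _base(e["parent_image"]) not in MSBUILD_PARENTS_OK)


RULES = {
    "defender_exclusion": rule_defender_exclusion,
    "schtasks_xml_from_temp": rule_schtasks_xml_from_temp,
    "msbuild_no_project": rule_msbuild_no_project,
}


def evaluate(events):
    """(rule_name, pid) for every event that fires a rule."""
    return [(name, e["pid"]) for e in events for name, fn in RULES.items() if fn(e)]


def chain_suspects(events, required=frozenset(RULES)):
    """Parent PIDs whose children together fire every rule in `required`: the
    exclusion + scheduled-task + empty-MSBuild pattern under PID 1976 above.
    A single hit stays a low-severity lead; the full set is the alert."""
    ppid_of = {e["pid"]: e["ppid"] for e in events}
    fired = {}
    for name, pid in evaluate(events):
        fired.setdefault(ppid_of[pid], set()).add(name)
    return sorted(p for p, names in fired.items() if required <= names)


def external_ip_lookups(connections):
    """PIDs contacting a known external-IP lookup service (records are constructed)."""
    return sorted({c["pid"] for c in connections if c["host"].lower() in IP_LOOKUP_HOSTS})


if __name__ == "__main__":
    for hit in evaluate(EVENTS):
        print("rule fired:", hit)
    print("chain suspects:", chain_suspects(EVENTS))
    print("ip lookup by:", external_ip_lookups([{"pid": 1976, "host": "checkip.dyndns.org"}]))
```

The per-event rules are deliberately narrow (an exclusion cmdlet, a task XML under Temp, an MSBuild with no project and a non-build parent), and the parent-level correlation is what raises severity: on this tree all three fire under PID 1976, while the Visual Studio control launch fires nothing.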
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1): PowerShell (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Downloads
-
Filesize  1KB
MD5       ebec6fe2af77910c4d1a2383614980a1
SHA1      5e037897cadbb3013126ccac14e14a0698a48251
SHA256    5b9a1c4482f97fefbc44a9aefec98717f22ba055862a03321dbd32fa202d3dea
SHA512    9bdced5c86d6e7917583a08a3e76d1a7432c9911904c8cd2056d86cc87eacfef967c42d8ed080d30fb0f6afd5a061f662218f4b098ad5cf9438cf6c98e08773e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\G3148K6GM8UOZ94HISXY.temp
Filesize  7KB
MD5       dc60536b66cb861f8444486d4b7353a8
SHA1      3b6a83e34a09f03400d4b4cc6f96b24e5572a42f
SHA256    3d761e448b33e993e012b89dadac0cfbcc6f749e1c8ee0f8cd5a9c3e2e381ed2
SHA512    03d99948f13afeb69999fa3cd42a3e3bda9cd7ae5abb934e8908d6a864b80db610ba3f7992fdb0012daebccc206e88ca2e87c36dc7d460060302af80abfed924