Analysis
-
max time kernel
134s -
max time network
111s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
21/08/2024, 06:59
Static task
static1
Behavioral task
behavioral1
Sample
New PO pdf.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
New PO pdf.exe
Resource
win10v2004-20240802-en
General
-
Target
New PO pdf.exe
-
Size
2.4MB
-
MD5
39d11d745478344b55a144218834f6b5
-
SHA1
851e888d46735859f49872013354d27b5129b9b2
-
SHA256
824f7a0f807faa6c6f1eec5f58291e9671a0f408595778bd699845b2656207ee
-
SHA512
7ff11910b1fa3537fc8ec0e98ad7d081323a974dece55413431d1ec37aa5b1c959ddea39b02a8c7192df2856fa2d8353d919baefcefc76a5dc9bb31ee0654482
-
SSDEEP
49152:5I/0Xh92X3FAOkoQgcK1/eVBOHpwIf0bOtW1sLjSfgcuBYp:aO2X33DLp98bObL2yup
Malware Config
Extracted
Protocol: smtp- Host:
smtp.ingermint.com - Port:
587 - Username:
[email protected] - Password:
yhMgQqK2
Extracted
vipkeylogger
Protocol: smtp- Host:
smtp.ingermint.com - Port:
587 - Username:
[email protected] - Password:
yhMgQqK2 - Email To:
[email protected]
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 936 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation New PO pdf.exe -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 installutil.exe Key opened \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 installutil.exe Key opened \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 installutil.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 7 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4800 set thread context of 4700 4800 New PO pdf.exe 87 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 936 powershell.exe 936 powershell.exe 4700 installutil.exe 4700 installutil.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 4800 New PO pdf.exe Token: SeDebugPrivilege 936 powershell.exe Token: SeDebugPrivilege 4700 installutil.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 4800 wrote to memory of 936 4800 New PO pdf.exe 85 PID 4800 wrote to memory of 936 4800 New PO pdf.exe 85 PID 4800 wrote to memory of 4700 4800 New PO pdf.exe 87 PID 4800 wrote to memory of 4700 4800 New PO pdf.exe 87 PID 4800 wrote to memory of 4700 4800 New PO pdf.exe 87 PID 4800 wrote to memory of 4700 4800 New PO pdf.exe 87 PID 4800 wrote to memory of 4700 4800 New PO pdf.exe 87 PID 4800 wrote to memory of 4700 4800 New PO pdf.exe 87 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 installutil.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 installutil.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\New PO pdf.exe"C:\Users\Admin\AppData\Local\Temp\New PO pdf.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4800 -
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath $env:UserProfile2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:936
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4700
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82