Analysis
max time kernel: 134s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21/08/2024, 10:53

Static task: static1
Behavioral task: behavioral1
  Sample: ac79fa50576f1fc0ccd6305179fa9eb82cc5fec8710731dbae0f94424e34e396.vbs
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: ac79fa50576f1fc0ccd6305179fa9eb82cc5fec8710731dbae0f94424e34e396.vbs
  Resource: win10v2004-20240802-en
General
Target: ac79fa50576f1fc0ccd6305179fa9eb82cc5fec8710731dbae0f94424e34e396.vbs
Size: 9KB
MD5: 3f7809903fc3c0a98fcc472cab51af8b
SHA1: 5028ee708574247249a8f9c77e6056e5e8265626
SHA256: ac79fa50576f1fc0ccd6305179fa9eb82cc5fec8710731dbae0f94424e34e396
SHA512: b45cfa3e08872f6856b98665018b0e53504894570a9f8168d2cf391bbc1d9ccb04f6052954a6364d7543e5b80e096e42ffa5ff331c9b8bb06a1a327c82a5bb3a
SSDEEP: 24:35sNhG5sFKhG5sJ9hWOsNh3sf/syoWo+pJjx/LT1DuOsFKh3sf/syoWo+SxLeDuA:fLTY4twXbb5+eBAB6bubs
Malware Config
Extracted
vipkeylogger
Protocol: smtp
Host: smtp.gmail.com
Port: 587
Username: [email protected]
Password: lyao lcfc jjdk kszy
Email To: [email protected]
Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
Malicious access or copy of web browser credential store.

Blocklisted process makes network request (1 IoCs)
flow | pid | Process
3 | 3616 | WScript.exe
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | WScript.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation | WScript.exe

Executes dropped EXE (2 IoCs)
pid | Process
4340 | etBlpvr.exe
2244 | etBlpvr.exe
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | etBlpvr.exe
Key opened | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | etBlpvr.exe
Key opened | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | etBlpvr.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etBlpvr.exe" | etBlpvr.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\Service.exe" | etBlpvr.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
29 | checkip.dyndns.org

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 4340 set thread context of 2244 | 4340 | etBlpvr.exe | 97
Command and Scripting Interpreter: JavaScript (1 TTPs)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | etBlpvr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | etBlpvr.exe

Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings | WScript.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2244 | etBlpvr.exe
2244 | etBlpvr.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2244 | etBlpvr.exe

Suspicious use of WriteProcessMemory (13 IoCs)
description | pid | Process | procid_target
PID 3616 wrote to memory of 3136 | 3616 | WScript.exe | 95
PID 3616 wrote to memory of 3136 | 3616 | WScript.exe | 95
PID 3136 wrote to memory of 4340 | 3136 | WScript.exe | 96
PID 3136 wrote to memory of 4340 | 3136 | WScript.exe | 96
PID 3136 wrote to memory of 4340 | 3136 | WScript.exe | 96
PID 4340 wrote to memory of 2244 | 4340 | etBlpvr.exe | 97
PID 4340 wrote to memory of 2244 | 4340 | etBlpvr.exe | 97
PID 4340 wrote to memory of 2244 | 4340 | etBlpvr.exe | 97
PID 4340 wrote to memory of 2244 | 4340 | etBlpvr.exe | 97
PID 4340 wrote to memory of 2244 | 4340 | etBlpvr.exe | 97
PID 4340 wrote to memory of 2244 | 4340 | etBlpvr.exe | 97
PID 4340 wrote to memory of 2244 | 4340 | etBlpvr.exe | 97
PID 4340 wrote to memory of 2244 | 4340 | etBlpvr.exe | 97

outlook_office_path (1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | etBlpvr.exe

outlook_win_path (1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | etBlpvr.exe
Processes

C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ac79fa50576f1fc0ccd6305179fa9eb82cc5fec8710731dbae0f94424e34e396.vbs"
  PID: 3616
  - Blocklisted process makes network request
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\TMYEEL.js"
    PID: 3136
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\etBlpvr.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\etBlpvr.exe"
      PID: 4340
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\etBlpvr.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\etBlpvr.exe"
        PID: 2244
        - Executes dropped EXE
        - Accesses Microsoft Outlook profiles
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - outlook_office_path
        - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (2)
    Credentials In Files (2)
Downloads

Filesize: 520B
MD5: 03febbff58da1d3318c31657d89c8542
SHA1: c9e017bd9d0a4fe533795b227c855935d86c2092
SHA256: 5164770a37b199a79ccd23b399bb3309228973d9f74c589bc2623dc613b37ac4
SHA512: 3750c372bbca1892e9c1b34681d592c693e725a8b149c3d6938079cd467628cec42c4293b0d886b57a786abf45f5e7229247b3445001774e3e793ff5a3accfa3

Filesize: 7.4MB
MD5: 525c63b84040438a926c03de51181f31
SHA1: fdf795b7188832cb229ca444aa77c518b989715e
SHA256: 5b194105df980d66491cfd936a281a50960e329bbced39a007a3cf004387027d
SHA512: b9dd0eb9429ba7df2ce89283a914a03a0d55ec8bac5a5dc42a85572f86e9a28cd6487a8ab781a7abd7eb3086ae9481b6f884055d04fadc5cdd697317a7735002

Filesize: 287KB
MD5: 3a8eb21f2c8267b9c95008be2699d74e
SHA1: c6ed2e44b0ee1ac2cfcdd399e19ef5702a79e1d6
SHA256: 10355924cb01387c2e5a9f33190f6b614433295d263c4917ec8c6a2b46c380ef
SHA512: 9673af2ad11ce600af090bbf4ccb35bd4e5bc4ff3846a50b3bec14703466ffaf020e80404e39ea7124ddcebcd15bee261376d014e3e4ec48eb9891d01e87c713