Analysis
-
max time kernel
121s -
max time network
165s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
29/08/2024, 02:08
Static task
static1
Behavioral task
behavioral1
Sample
RCRFQ-FEMS(HKL)2024024.PDF.scr
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
RCRFQ-FEMS(HKL)2024024.PDF.scr
Resource
win10v2004-20240802-en
General
-
Target
RCRFQ-FEMS(HKL)2024024.PDF.scr
-
Size
695KB
-
MD5
f3094a481b9ccfb22a1cfed698b898c1
-
SHA1
045e024f21dd5ce4b2816ab387b1581da0e3b100
-
SHA256
6cb3801298e866cd728d92c70e20130f3149b7b7e9ab892c77f50503647380d1
-
SHA512
1b5910c06d1089d422c7de6d32c751e898007946a51028d914cce876724221bb0e451c7acc0071196ca802659678e19809a8595fb183d56922e0ec0d4a83b3a8
-
SSDEEP
12288:aVVxz9wxQPVSlYoNzf5sDqlGdbEHyCl9Qzq4ldie+Yu:sxz9czlYoNrTglE/Htyx+Y
Malware Config
Extracted
vipkeylogger
https://api.telegram.org/bot7371892501:AAE6c_q-yLsVj82ZZEmMuRlQtTm95MBjCz0/sendMessage?chat_id=6750192797
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe Key opened \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2732 set thread context of 2700 2732 RCRFQ-FEMS(HKL)2024024.PDF.scr 30 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RCRFQ-FEMS(HKL)2024024.PDF.scr Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2732 RCRFQ-FEMS(HKL)2024024.PDF.scr 2732 RCRFQ-FEMS(HKL)2024024.PDF.scr 2700 RegSvcs.exe 2700 RegSvcs.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2732 RCRFQ-FEMS(HKL)2024024.PDF.scr Token: SeDebugPrivilege 2700 RegSvcs.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2732 wrote to memory of 2700 2732 RCRFQ-FEMS(HKL)2024024.PDF.scr 30 PID 2732 wrote to memory of 2700 2732 RCRFQ-FEMS(HKL)2024024.PDF.scr 30 PID 2732 wrote to memory of 2700 2732 RCRFQ-FEMS(HKL)2024024.PDF.scr 30 PID 2732 wrote to memory of 2700 2732 RCRFQ-FEMS(HKL)2024024.PDF.scr 30 PID 2732 wrote to memory of 2700 2732 RCRFQ-FEMS(HKL)2024024.PDF.scr 30 PID 2732 wrote to memory of 2700 2732 RCRFQ-FEMS(HKL)2024024.PDF.scr 30 PID 2732 wrote to memory of 2700 2732 RCRFQ-FEMS(HKL)2024024.PDF.scr 30 PID 2732 wrote to memory of 2700 2732 RCRFQ-FEMS(HKL)2024024.PDF.scr 30 PID 2732 wrote to memory of 2700 2732 RCRFQ-FEMS(HKL)2024024.PDF.scr 30 PID 2732 wrote to memory of 2700 2732 RCRFQ-FEMS(HKL)2024024.PDF.scr 30 PID 2732 wrote to memory of 2700 2732 RCRFQ-FEMS(HKL)2024024.PDF.scr 30 PID 2732 wrote to memory of 2700 2732 RCRFQ-FEMS(HKL)2024024.PDF.scr 30 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RegSvcs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\RCRFQ-FEMS(HKL)2024024.PDF.scr"C:\Users\Admin\AppData\Local\Temp\RCRFQ-FEMS(HKL)2024024.PDF.scr" /S1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2700
-