Analysis
max time kernel: 138s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/08/2024, 13:09
Static task: static1
Behavioral task: behavioral1
  Sample: QUOTATIONAUGQTRA071244PDF.scr.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: QUOTATIONAUGQTRA071244PDF.scr.exe
  Resource: win10v2004-20240802-en
General
Target: QUOTATIONAUGQTRA071244PDF.scr.exe
Size: 372KB
MD5: 6badc2be7c289a2e7d0b017e3355b119
SHA1: a89325b9422957a9a9e539a9caad520ce4b1fc7d
SHA256: 44cd4f6ebd5c40c71b72c4c9ae46838d778637eb70db082592bb7ccbeca4f47f
SHA512: 8449f332c331da6aea103d97ed67a9c5b84ffaeaad1a104298fce39ec74bef89830e19945ddac8a7c421cd82de1651ba8594d752ceb389c9251c622a5f9217fe
SSDEEP: 768:pYbN2A1nG9nyAWkaHRQTwdYF4H4447iiL1a:E2A1n4yAWNHRUmYF4H444la
Malware Config
Extracted family: vipkeylogger
  Protocol: smtp
  Host: investms.vadavo.cloud
  Port: 587
  Username: [email protected]
  Password: J@GnVg+k%NDodkS#6mY
  Email To: [email protected]
Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description | pid | Process | procid_target
  PID 2096 created 3444 | 2096 | QUOTATIONAUGQTRA071244PDF.scr.exe | 56

VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
  Malicious access to, or copying of, the web browser credential store (MITRE ATT&CK T1555.003).

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
  Key opened | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
  Key opened | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP address.
  flow | ioc
  46 | checkip.dyndns.org

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid | Process
  2096 | QUOTATIONAUGQTRA071244PDF.scr.exe
  2096 | QUOTATIONAUGQTRA071244PDF.scr.exe
  2096 | QUOTATIONAUGQTRA071244PDF.scr.exe
  2096 | QUOTATIONAUGQTRA071244PDF.scr.exe
  4848 | aspnet_compiler.exe
  4848 | aspnet_compiler.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2096 | QUOTATIONAUGQTRA071244PDF.scr.exe
  Token: SeDebugPrivilege | 2096 | QUOTATIONAUGQTRA071244PDF.scr.exe
  Token: SeDebugPrivilege | 4848 | aspnet_compiler.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 2096 wrote to memory of 4848 | 2096 | QUOTATIONAUGQTRA071244PDF.scr.exe | 97
  PID 2096 wrote to memory of 4848 | 2096 | QUOTATIONAUGQTRA071244PDF.scr.exe | 97
  PID 2096 wrote to memory of 4848 | 2096 | QUOTATIONAUGQTRA071244PDF.scr.exe | 97

outlook_office_path (1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe

outlook_win_path (1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | aspnet_compiler.exe
Processes

C:\Windows\Explorer.EXE (PID 3444)
  C:\Users\Admin\AppData\Local\Temp\QUOTATIONAUGQTRA071244PDF.scr.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\QUOTATIONAUGQTRA071244PDF.scr.exe" (PID 2096)
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
  command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe" (PID 4848)
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path

Both the sample and aspnet_compiler.exe are listed directly under Explorer.EXE (PID 3444) even though PID 2096 wrote into the memory of PID 4848 and aspnet_compiler.exe was started with no command-line arguments. That layout is consistent with the NtCreateUserProcessOtherParentProcess signature above, which fires when a process is created with an explicitly specified parent other than the creating process, so the real dropper-to-payload relationship is not visible from parent PIDs alone.
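As an added example (not part of the sandbox report and not the sandbox's own detection code), the Python below turns the signatures above into detection logic and runs it over constructed Sysmon-style events modelled on the PIDs, paths and registry keys in this report. The event schema, the threshold of two behaviours per process, and the inclusion of regsvcs.exe, regasm.exe and installutil.exe alongside aspnet_compiler.exe as hollowing targets are all assumptions made for the example; only aspnet_compiler.exe appears on the page.

```python
"""Detection logic for the behaviours in the report, applied to constructed events.

Assumed event shapes (hypothetical, loosely modelled on Sysmon event IDs 1, 10, 12, 22, 3):
  process_create   {pid, ppid, image, cmdline}
  process_write    {source_pid, target_pid}         # WriteProcessMemory / ProcessAccess with write rights
  registry_open    {pid, image, key}
  dns_query        {pid, query}
  network_connect  {pid, image, dst_port}
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Registry locations the report shows aspnet_compiler.exe opening (Outlook profile stores).
OUTLOOK_PROFILE_KEYS = (
    re.compile(r"\\Software\\Microsoft\\Office\\\d+\.\d+\\Outlook\\Profiles\\", re.I),
    re.compile(r"\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\", re.I),
)
# aspnet_compiler.exe is from the report; the other three are an assumption (same .NET hollowing pattern).
HOLLOW_TARGETS = {"aspnet_compiler.exe", "regsvcs.exe", "regasm.exe", "installutil.exe"}
IP_LOOKUP_HOSTS = {"checkip.dyndns.org"}   # from the "Looks up external IP address" signature
MAIL_CLIENTS = {"outlook.exe"}             # processes allowed to touch mail profiles / SMTP


def _basename(image):
    return PureWindowsPath(image).name.lower()


def _has_arguments(cmdline):
    """True when anything follows the (possibly quoted) image path on the command line."""
    m = re.match(r'\s*(?:"[^"]+"|\S+)\s*(.*)$', cmdline)
    return bool(m and m.group(1).strip())


def classify(events):
    """Return {pid: set(tags)}; each tag corresponds to one behaviour from the report."""
    tags = defaultdict(set)
    for e in events:
        kind = e["event"]
        if kind == "process_create":
            if _basename(e["image"]) in HOLLOW_TARGETS and not _has_arguments(e["cmdline"]):
                tags[e["pid"]].add("dotnet_utility_no_args")
        elif kind == "process_write":
            if e["source_pid"] != e["target_pid"]:
                tags[e["target_pid"]].add("remote_memory_write_target")
                tags[e["source_pid"]].add("remote_memory_write_source")
        elif kind == "registry_open":
            if _basename(e["image"]) not in MAIL_CLIENTS and any(p.search(e["key"]) for p in OUTLOOK_PROFILE_KEYS):
                tags[e["pid"]].add("outlook_profile_access")
        elif kind == "dns_query":
            if e["query"].lower() in IP_LOOKUP_HOSTS:
                tags[e["pid"]].add("external_ip_lookup")
        elif kind == "network_connect":
            if e["dst_port"] == 587 and _basename(e["image"]) not in MAIL_CLIENTS:
                tags[e["pid"]].add("smtp_from_non_mail_client")
    return dict(tags)


def alerts(events, threshold=2):
    """PIDs with at least `threshold` distinct behaviours, plus whichever process wrote into them."""
    tags = classify(events)
    hits = {pid for pid, t in tags.items() if len(t) >= threshold}
    for e in events:  # name the injecting dropper as well, not just the hollowed host
        if e["event"] == "process_write" and e["target_pid"] in hits:
            hits.add(e["source_pid"])
    return {pid: sorted(tags.get(pid, ())) for pid in sorted(hits)}


SID = r"S-1-5-21-4182098368-2521458979-3782681353-1000"
ASPNET = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\QUOTATIONAUGQTRA071244PDF.scr.exe"

# Constructed events modelled on the report; not sandbox output. The last two are benign noise.
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 2096, "ppid": 3444, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"event": "process_create", "pid": 4848, "ppid": 3444, "image": ASPNET, "cmdline": f'"{ASPNET}"'},
    {"event": "process_write", "source_pid": 2096, "target_pid": 4848},
    {"event": "registry_open", "pid": 4848, "image": ASPNET,
     "key": rf"\REGISTRY\USER\{SID}\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"event": "dns_query", "pid": 4848, "query": "checkip.dyndns.org"},
    {"event": "network_connect", "pid": 4848, "image": ASPNET, "dst_port": 587},
    {"event": "registry_open", "pid": 5000, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "key": rf"\REGISTRY\USER\{SID}\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"event": "process_create", "pid": 6000, "ppid": 1234, "image": ASPNET,
     "cmdline": f'"{ASPNET}" -v / -p C:\\site C:\\out'},
]

if __name__ == "__main__":
    for pid, found in alerts(SAMPLE_EVENTS).items():
        print(pid, found)
```

Run stand-alone it reports PID 4848 with all five behaviours and pulls in PID 2096 as the process that wrote into it, while Outlook reading its own profile (PID 5000) and a genuine precompile with arguments (PID 6000) produce nothing. Requiring two behaviours per process is the point: a .NET utility started without arguments or a lone DNS query to an IP-lookup service is noisy on its own, but the combination with Outlook profile access and SMTP from a non-mail client is specific to this family's behaviour as recorded above.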