Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03/09/2024, 13:21

General

  • Target

    ORY987650090.exe

  • Size

    786KB

  • MD5

    0775df6f175b9e95b8a56fdfd22df1c2

  • SHA1

    c417f98d67f4ee9753e03ecf90c987fa9f0a10e2

  • SHA256

    29205d95468e39eb69b47f1bbec3c93411003098765e5b2af4adeab341dc24a0

  • SHA512

    33fe1ea924edad38b46792d58f086109b78da48f79bfa1de186ab6dc810f6713aefd86d8132b3a2d2394064f5712b9c23140d6213f6d722e52d8d7eaea8b98f9

  • SSDEEP

    12288:ksHzOUNUSB/o5LsI1uwajJ5yvv1l2121VEJbB5dbyPiMWpfzi+Ttvw:HiUmSB/o5d1ubcvs2bMbgVWtrZw

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI/sendMessage?chat_id=6443825857

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 3 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ORY987650090.exe
    "C:\Users\Admin\AppData\Local\Temp\ORY987650090.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2648
    • C:\Users\Admin\AppData\Local\Bohmerwald\Maianthemum.exe
      "C:\Users\Admin\AppData\Local\Temp\ORY987650090.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2776
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\ORY987650090.exe"
        3⤵
        • Accesses Microsoft Outlook profiles
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:2576

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\savager

    Filesize

    144KB

    MD5

    8563c2c430e0d615b0d99618d6098001

    SHA1

    d3978e5153ca2b2c7cebbea02b4e1757a83ff8fe

    SHA256

    ef4a06f6fe92c9724b4f1c8e66200d951f049a4835c80c8311d7b268749651f4

    SHA512

    ae8e4b57b35ef065b197c69a9dde2ec9ada0beb720fa721189dd228fe897613daabca6797e501c21980878c27894d909ead34492d814087ad6a473f24ecba26c

  • \Users\Admin\AppData\Local\Bohmerwald\Maianthemum.exe

    Filesize

    786KB

    MD5

    0775df6f175b9e95b8a56fdfd22df1c2

    SHA1

    c417f98d67f4ee9753e03ecf90c987fa9f0a10e2

    SHA256

    29205d95468e39eb69b47f1bbec3c93411003098765e5b2af4adeab341dc24a0

    SHA512

    33fe1ea924edad38b46792d58f086109b78da48f79bfa1de186ab6dc810f6713aefd86d8132b3a2d2394064f5712b9c23140d6213f6d722e52d8d7eaea8b98f9

  • memory/2576-48-0x00000000740C0000-0x00000000747AE000-memory.dmp

    Filesize

    6.9MB

  • memory/2576-47-0x00000000740CE000-0x00000000740CF000-memory.dmp

    Filesize

    4KB

  • memory/2576-46-0x00000000740C0000-0x00000000747AE000-memory.dmp

    Filesize

    6.9MB

  • memory/2576-44-0x00000000740C0000-0x00000000747AE000-memory.dmp

    Filesize

    6.9MB

  • memory/2576-49-0x00000000740C0000-0x00000000747AE000-memory.dmp

    Filesize

    6.9MB

  • memory/2576-37-0x0000000000400000-0x0000000000437000-memory.dmp

    Filesize

    220KB

  • memory/2576-35-0x0000000000400000-0x0000000000437000-memory.dmp

    Filesize

    220KB

  • memory/2576-45-0x0000000000BE0000-0x0000000000C2E000-memory.dmp

    Filesize

    312KB

  • memory/2576-40-0x0000000000400000-0x0000000000437000-memory.dmp

    Filesize

    220KB

  • memory/2576-41-0x00000000740CE000-0x00000000740CF000-memory.dmp

    Filesize

    4KB

  • memory/2576-42-0x0000000000680000-0x00000000006D0000-memory.dmp

    Filesize

    320KB

  • memory/2576-43-0x00000000740C0000-0x00000000747AE000-memory.dmp

    Filesize

    6.9MB

  • memory/2648-16-0x0000000002C70000-0x0000000002E25000-memory.dmp

    Filesize

    1.7MB

  • memory/2648-0-0x00000000013E0000-0x0000000001595000-memory.dmp

    Filesize

    1.7MB

  • memory/2648-19-0x00000000013E0000-0x0000000001595000-memory.dmp

    Filesize

    1.7MB

  • memory/2648-11-0x00000000000F0000-0x00000000000F4000-memory.dmp

    Filesize

    16KB

  • memory/2776-39-0x0000000000DB0000-0x0000000000F65000-memory.dmp

    Filesize

    1.7MB

  • memory/2776-20-0x0000000000DB0000-0x0000000000F65000-memory.dmp

    Filesize

    1.7MB