Analysis
max time kernel: 119s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 03/09/2024, 13:21
Behavioral task: behavioral1
Sample: ORY987650090.exe
Resource: win7-20240903-en
General
Target: ORY987650090.exe
Size: 786KB
MD5: 0775df6f175b9e95b8a56fdfd22df1c2
SHA1: c417f98d67f4ee9753e03ecf90c987fa9f0a10e2
SHA256: 29205d95468e39eb69b47f1bbec3c93411003098765e5b2af4adeab341dc24a0
SHA512: 33fe1ea924edad38b46792d58f086109b78da48f79bfa1de186ab6dc810f6713aefd86d8132b3a2d2394064f5712b9c23140d6213f6d722e52d8d7eaea8b98f9
SSDEEP: 12288:ksHzOUNUSB/o5LsI1uwajJ5yvv1l2121VEJbB5dbyPiMWpfzi+Ttvw:HiUmSB/o5d1ubcvs2bMbgVWtrZw
Malware Config
Extracted
vipkeylogger
https://api.telegram.org/bot7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI/sendMessage?chat_id=6443825857
Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access to, or copying of, the web browser credential store.

Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Maianthemum.vbs | Maianthemum.exe

Executes dropped EXE 1 IoCs
pid | Process
2776 | Maianthemum.exe

Loads dropped DLL 1 IoCs
pid | Process
2648 | ORY987650090.exe

resource | yara_rule
behavioral1/memory/2648-0-0x00000000013E0000-0x0000000001595000-memory.dmp | upx
behavioral1/files/0x0008000000017472-13.dat | upx
behavioral1/memory/2776-20-0x0000000000DB0000-0x0000000000F65000-memory.dmp | upx
behavioral1/memory/2648-19-0x00000000013E0000-0x0000000001595000-memory.dmp | upx
behavioral1/memory/2648-16-0x0000000002C70000-0x0000000002E25000-memory.dmp | upx
behavioral1/memory/2776-39-0x0000000000DB0000-0x0000000000F65000-memory.dmp | upx
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | svchost.exe
Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | svchost.exe
Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | svchost.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
2 | checkip.dyndns.org

AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/2776-20-0x0000000000DB0000-0x0000000000F65000-memory.dmp | autoit_exe
behavioral1/memory/2648-19-0x00000000013E0000-0x0000000001595000-memory.dmp | autoit_exe
behavioral1/memory/2776-39-0x0000000000DB0000-0x0000000000F65000-memory.dmp | autoit_exe

Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 2776 set thread context of 2576 | 2776 | Maianthemum.exe | 31
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ORY987650090.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Maianthemum.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
2576 | svchost.exe
2576 | svchost.exe

Suspicious behavior: MapViewOfSection 1 IoCs
pid | Process
2776 | Maianthemum.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2576 | svchost.exe

Suspicious use of FindShellTrayWindow 4 IoCs
pid | Process
2648 | ORY987650090.exe
2648 | ORY987650090.exe
2776 | Maianthemum.exe
2776 | Maianthemum.exe

Suspicious use of SendNotifyMessage 4 IoCs
pid | Process
2648 | ORY987650090.exe
2648 | ORY987650090.exe
2776 | Maianthemum.exe
2776 | Maianthemum.exe

Suspicious use of WriteProcessMemory 9 IoCs
description | pid | Process | procid_target
PID 2648 wrote to memory of 2776 | 2648 | ORY987650090.exe | 30
PID 2648 wrote to memory of 2776 | 2648 | ORY987650090.exe | 30
PID 2648 wrote to memory of 2776 | 2648 | ORY987650090.exe | 30
PID 2648 wrote to memory of 2776 | 2648 | ORY987650090.exe | 30
PID 2776 wrote to memory of 2576 | 2776 | Maianthemum.exe | 31
PID 2776 wrote to memory of 2576 | 2776 | Maianthemum.exe | 31
PID 2776 wrote to memory of 2576 | 2776 | Maianthemum.exe | 31
PID 2776 wrote to memory of 2576 | 2776 | Maianthemum.exe | 31
PID 2776 wrote to memory of 2576 | 2776 | Maianthemum.exe | 31

outlook_office_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | svchost.exe

outlook_win_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | svchost.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\ORY987650090.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ORY987650090.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   PID: 2648

   2. C:\Users\Admin\AppData\Local\Bohmerwald\Maianthemum.exe (spawned by 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\ORY987650090.exe"
      - Drops startup file
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      PID: 2776

      3. C:\Windows\SysWOW64\svchost.exe (spawned by 2)
         Command line: "C:\Users\Admin\AppData\Local\Temp\ORY987650090.exe"
         - Accesses Microsoft Outlook profiles
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - outlook_office_path
         - outlook_win_path
         PID: 2576
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 144KB
MD5: 8563c2c430e0d615b0d99618d6098001
SHA1: d3978e5153ca2b2c7cebbea02b4e1757a83ff8fe
SHA256: ef4a06f6fe92c9724b4f1c8e66200d951f049a4835c80c8311d7b268749651f4
SHA512: ae8e4b57b35ef065b197c69a9dde2ec9ada0beb720fa721189dd228fe897613daabca6797e501c21980878c27894d909ead34492d814087ad6a473f24ecba26c

Filesize: 786KB
MD5: 0775df6f175b9e95b8a56fdfd22df1c2
SHA1: c417f98d67f4ee9753e03ecf90c987fa9f0a10e2
SHA256: 29205d95468e39eb69b47f1bbec3c93411003098765e5b2af4adeab341dc24a0
SHA512: 33fe1ea924edad38b46792d58f086109b78da48f79bfa1de186ab6dc810f6713aefd86d8132b3a2d2394064f5712b9c23140d6213f6d722e52d8d7eaea8b98f9