Analysis
- max time kernel: 119s
- max time network: 273s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-09-2024 05:31
Static task: static1
Behavioral task: behavioral1
- Sample: ALJ160924.scr
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: ALJ160924.scr
- Resource: win10v2004-20240802-en
General
- Target: ALJ160924.scr
- Size: 63KB
- MD5: f4bcadef3484f1465ddfde29bcb8d23d
- SHA1: c074ce7f76cf58af3f361ca9fdeb85c15cfe6b74
- SHA256: 0c5d7d5a66c96a8aa51d19fb03243818d82e35c23396c5f471f0cd2635d8fe94
- SHA512: 3afcb21c54d9870a759022b2cfb7b3c9db274e544cc62c9f1b6a01fa25c0246f381cb1123d8e5b8805b9eec81509504d7e6c92773f1faa0a3e5a4a69ac842368
- SSDEEP: 1536:0vjK5iyA22P8AuEAEEkwQdsYihPjBoHD72qE68:MK5i2297PViRjBAE68
Malware Config
- Extracted family: vipkeylogger
- Exfiltration endpoint: https://api.telegram.org/bot7371892501:AAE6c_q-yLsVj82ZZEmMuRlQtTm95MBjCz0/sendMessage?chat_id=6750192797
Signatures
- Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoCs)
  Processes:
    description | pid | Process | procid_target
    PID 3124 created 3472 | 3124 | ALJ160924.scr | 56
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes:
    description | ioc | Process
    Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | InstallUtil.exe
    Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | InstallUtil.exe
    Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | InstallUtil.exe
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow | ioc
    31 | checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description | pid | Process | procid_target
    PID 3124 set thread context of 4992 | 3124 | ALJ160924.scr | 97
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    description | ioc | Process
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ALJ160924.scr
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | InstallUtil.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
    pid | Process
    3124 | ALJ160924.scr
    3124 | ALJ160924.scr
    4992 | InstallUtil.exe
    4992 | InstallUtil.exe
    4992 | InstallUtil.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description | pid | Process
    Token: SeDebugPrivilege | 3124 | ALJ160924.scr
    Token: SeDebugPrivilege | 3124 | ALJ160924.scr
    Token: SeDebugPrivilege | 4992 | InstallUtil.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description | pid | Process | procid_target
    PID 3124 wrote to memory of 4992 | 3124 | ALJ160924.scr | 97 (this entry is repeated 8 times)
- outlook_office_path (1 IoCs)
  Processes:
    description | ioc | Process
    Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | InstallUtil.exe
- outlook_win_path (1 IoCs)
  Processes:
    description | ioc | Process
    Key opened | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | InstallUtil.exe
Processes
- C:\Windows\Explorer.EXE (depth 1, PID: 3472)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\ALJ160924.scr (depth 2, PID: 3124)
    Command line: "C:\Users\Admin\AppData\Local\Temp\ALJ160924.scr" /S
    Signatures:
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe (depth 2, PID: 4992)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    Signatures:
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1, PID: 556)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1316,i,1330210614411927383,9239043499051775691,262144 --variations-seed-version --mojo-platform-channel-handle=4460 /prefetch:8