Analysis
- max time kernel: 120s
- max time network: 132s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 25-09-2024 06:34
Static task: static1
Behavioral task: behavioral1
- Sample: Inquiry List.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: Inquiry List.exe
- Resource: win10v2004-20240802-en
General
- Target: Inquiry List.exe
- Size: 1.2MB
- MD5: bdfe2ec12bd1484da6771e1862f7a7cc
- SHA1: ffe2ca6d0e9ff913c160b76261f5d55bedf0b278
- SHA256: 1fdaed5b8ab899d562cc02742f56ae5ee1099dbdabda16bc399d07f4de7cf81d
- SHA512: cca00ddc1c6feb851123582af080217d006d41a03dc96efb86c7f94a1b0714c283835f04c59a612e91128a42d30e9838ee07e73d713de7a8297220d2c3b6dde8
- SSDEEP: 24576:uRmJkcoQricOIQxiZY1iaCTnQUPskpg4c6OOXSp6rDX7a+sG7nx3:7JZoQrbTFZY1iaCTLEENGd6rDX7RsGx
Malware Config
Extracted
- vipkeylogger
  - https://api.telegram.org/bot7204444211:AAHhCv47hRiqEWkkF-hzrMRRq69HpYbFD5Y/sendMessage?chat_id=2065242915
Signatures
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first found in 2020.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes: RegSvcs.exe
  - Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
  - Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
  - Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  - flow 4: checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: Inquiry List.exe
  - PID 2136 set thread context of 2280 (Inquiry List.exe, PID 2136, procid_target 28)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: Inquiry List.exe, RegSvcs.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Inquiry List.exe)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (RegSvcs.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: RegSvcs.exe
  - PID 2280 RegSvcs.exe
  - PID 2280 RegSvcs.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes: Inquiry List.exe
  - PID 2136 Inquiry List.exe
  - PID 2136 Inquiry List.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: RegSvcs.exe
  - Token: SeDebugPrivilege (RegSvcs.exe, PID 2280)
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: Inquiry List.exe
  - PID 2136 Inquiry List.exe
  - PID 2136 Inquiry List.exe
- Suspicious use of SendNotifyMessage (2 IoCs)
  Processes: Inquiry List.exe
  - PID 2136 Inquiry List.exe
  - PID 2136 Inquiry List.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: Inquiry List.exe
  - PID 2136 wrote to memory of 2280 (Inquiry List.exe, PID 2136, procid_target 28), recorded 8 times
- outlook_office_path (1 IoCs)
  Processes: RegSvcs.exe
  - Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
- outlook_win_path (1 IoCs)
  Processes: RegSvcs.exe
  - Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\Inquiry List.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Inquiry List.exe"
  PID: 2136
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (child of PID 2136)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Inquiry List.exe"
    PID: 2280
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path