Analysis
- Max time kernel: 117s
- Max time network: 121s
- Platform: windows7_x64
- Resource: win7-20240903-en
- Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- Submitted: 01-10-2024 06:12
Static task: static1
Behavioral task: behavioral1
- Sample: 3140, EUR.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 3140, EUR.exe
- Resource: win10v2004-20240802-en
General
- Target: 3140, EUR.exe
- Size: 796KB
- MD5: 332593ae1e0ba5a06370963c37bbbceb
- SHA1: 994f8e733ba1961882dcdef0c78fc305db4c1c91
- SHA256: 9ca5a71321522f47140b36e5f1983cff7455dd124caa231d97df29cd654c6893
- SHA512: 111b6d04597e4f00d8d30cb3e1c8514b92fc1ad936db7553a6f9f00146e0511bedb4d0fcd2cb011959063ffa6eac88a8287724ade1e67a1aa77122390c7e48c0
- SSDEEP: 12288:UUxLU3TBHWn/JDfaWEtYWWcw/1/4sln7aIK5nRYji9avo0Dx/v7UcM:UUxCHwDiWEepcw/ia7aV6jMG/HYcM
Malware Config
Extracted
- Protocol: ftp
- Host: quicklyserv.com
- Port: 21
- Username: [email protected]
- Password: omobolajijonze12345
Extracted
- vipkeylogger
Signatures
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.
- Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  Processes (PID, process):
  - 2760 powershell.exe
  - 2228 powershell.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description, IoC, process):
  - Key opened: \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (3140, EUR.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (3140, EUR.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (3140, EUR.exe)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow, IoC):
  - flow 2: checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, PID, process, target process):
  - PID 2932 (3140, EUR.exe) set thread context of PID 2324 (3140, EUR.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description, IoC, process):
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 3140, EUR.exe (2 times), powershell.exe (2 times) and schtasks.exe (1 time)
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes (PID, process, count):
  - 2932 3140, EUR.exe (4 times)
  - 2324 3140, EUR.exe (2 times)
  - 2228 powershell.exe (1 time)
  - 2760 powershell.exe (1 time)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description, PID, process):
  - Token: SeDebugPrivilege, 2932, 3140, EUR.exe
  - Token: SeDebugPrivilege, 2324, 3140, EUR.exe
  - Token: SeDebugPrivilege, 2228, powershell.exe
  - Token: SeDebugPrivilege, 2760, powershell.exe
- Suspicious use of WriteProcessMemory (29 IoCs)
  Processes (description, PID, process, target process, count):
  - PID 2932 (3140, EUR.exe) wrote to memory of PID 2760 (powershell.exe), 4 times
  - PID 2932 (3140, EUR.exe) wrote to memory of PID 2228 (powershell.exe), 4 times
  - PID 2932 (3140, EUR.exe) wrote to memory of PID 2928 (schtasks.exe), 4 times
  - PID 2932 (3140, EUR.exe) wrote to memory of PID 2676 (3140, EUR.exe), 4 times
  - PID 2932 (3140, EUR.exe) wrote to memory of PID 1996 (3140, EUR.exe), 4 times
  - PID 2932 (3140, EUR.exe) wrote to memory of PID 2324 (3140, EUR.exe), 9 times
- outlook_office_path (1 IoC)
  Processes (description, IoC, process):
  - Key opened: \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (3140, EUR.exe)
- outlook_win_path (1 IoC)
  Processes (description, IoC, process):
  - Key opened: \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (3140, EUR.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\3140, EUR.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3140, EUR.exe"
  PID: 2932
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes (depth 2):
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\3140, EUR.exe"
    PID: 2760
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\lkuPOyvaWlIu.exe"
    PID: 2228
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lkuPOyvaWlIu" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBAC7.tmp"
    PID: 2928
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
  - C:\Users\Admin\AppData\Local\Temp\3140, EUR.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3140, EUR.exe"
    PID: 2676
  - C:\Users\Admin\AppData\Local\Temp\3140, EUR.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3140, EUR.exe"
    PID: 1996
  - C:\Users\Admin\AppData\Local\Temp\3140, EUR.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3140, EUR.exe"
    PID: 2324
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (2)
  - Credentials In Files (2)
Downloads
- Filesize: 1KB
  MD5: ce0d7c7782956fbe526e4437565c8dc8
  SHA1: 89dbe1e94a84da7a585c232d62de03dc1b67f8ed
  SHA256: a56a347f75675ed75f8e102f8414eccf9dff92fe86b64a0f378e7b345aa335df
  SHA512: 38906b52d687593d01edb2f0d369009c86e4c0a2c2ac3bf63c544e916076b94f2b5e826e24ec0e2cf6d1ec48391f97dcd9dc0e0de1937871742f0128c35eb6ae
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 2fb49e1878b89e8c642e447152af8859
  SHA1: 24eb52a67337e4971de047660cd1b2829587e146
  SHA256: 577a6215d219841ad8908c21df88e48056fbd3288ab15fc4f976cd726f2ad88b
  SHA512: a083be051ae3252d0c3c81cf13ec6661c92857ad5e78e76fe07b225ce8ba79254edc3db5eb1c79c2ecb0ccce7ca4acc757127f23990d21fa95ecc58f3661726a