Analysis
- max time kernel: 117s
- max time network: 117s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 01-10-2024 08:07
- Static task: static1
- Behavioral task: behavioral1 (Sample: malw.exe, Resource: win7-20240903-en)
- Behavioral task: behavioral2 (Sample: malw.exe, Resource: win10v2004-20240910-en)
General
- Target: malw.exe
- Size: 800KB
- MD5: 0831483725b8a67ce53d16389968f617
- SHA1: e4b4e521700ae26026f0df1906e54aadcb430bb1
- SHA256: 5fac27b8152ef82450dc013d3cb4cad4601df760ede1e3189e50e4e980f7bc7d
- SHA512: 4ae77689fe65b3967c544c3535971f91e7254989abd126c631dee074bd37eb95240fd560a5f330f750512316bc65d0b90ce4a3bc3ada17453b252c8fe93730ca
- SSDEEP: 12288:41ZF8KpTlJU74qoqmW1OS4UvvnZ61DjyiU/7g8JDwOJGVp7CH3TNAc:4yc7Erv1oQvZKDWT7g85wPvkAc
Malware Config
Extracted
vipkeylogger
- Protocol: smtp
- Host: mail.cybertechllc.top
- Port: 587
- Username: [email protected]
- Password: 7213575aceACE@
- Email To: [email protected]
Signatures
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#. It resembles SnakeKeylogger, which was found in 2020.
Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  2     checkip.dyndns.org
Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description                          pid   process   target process
  PID 2228 set thread context of 2568  2228  malw.exe  malw.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoCs)
Processes:
  pid   pid_target  process       target process
  2912  2568        WerFault.exe  malw.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description  ioc                                                          process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  malw.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  malw.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid   process
  2228  malw.exe
  2228  malw.exe
  2568  malw.exe
  2652  powershell.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  2228  malw.exe
  Token: SeDebugPrivilege  2568  malw.exe
  Token: SeDebugPrivilege  2652  powershell.exe
Suspicious use of WriteProcessMemory (17 IoCs)
Processes:
  description                       pid   process   target process
  PID 2228 wrote to memory of 2652  2228  malw.exe  powershell.exe
  PID 2228 wrote to memory of 2652  2228  malw.exe  powershell.exe
  PID 2228 wrote to memory of 2652  2228  malw.exe  powershell.exe
  PID 2228 wrote to memory of 2652  2228  malw.exe  powershell.exe
  PID 2228 wrote to memory of 2568  2228  malw.exe  malw.exe
  PID 2228 wrote to memory of 2568  2228  malw.exe  malw.exe
  PID 2228 wrote to memory of 2568  2228  malw.exe  malw.exe
  PID 2228 wrote to memory of 2568  2228  malw.exe  malw.exe
  PID 2228 wrote to memory of 2568  2228  malw.exe  malw.exe
  PID 2228 wrote to memory of 2568  2228  malw.exe  malw.exe
  PID 2228 wrote to memory of 2568  2228  malw.exe  malw.exe
  PID 2228 wrote to memory of 2568  2228  malw.exe  malw.exe
  PID 2228 wrote to memory of 2568  2228  malw.exe  malw.exe
  PID 2568 wrote to memory of 2912  2568  malw.exe  WerFault.exe
  PID 2568 wrote to memory of 2912  2568  malw.exe  WerFault.exe
  PID 2568 wrote to memory of 2912  2568  malw.exe  WerFault.exe
  PID 2568 wrote to memory of 2912  2568  malw.exe  WerFault.exe
Processes
C:\Users\Admin\AppData\Local\Temp\malw.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\malw.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2228

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\malw.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2652

  C:\Users\Admin\AppData\Local\Temp\malw.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\malw.exe"
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2568

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 996
      - Program crash
      PID: 2912