Analysis
max time kernel: 119s
max time network: 146s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 01-10-2024 08:54
Static task: static1
Behavioral task: behavioral1
  Sample: WIpGif4IRrFfamQ.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: WIpGif4IRrFfamQ.exe
  Resource: win10v2004-20240802-en
General
Target: WIpGif4IRrFfamQ.exe
Size: 751KB
MD5: 102c9ce1c659517c4ea924c2044305b7
SHA1: 942b0a7e2077eca38b9b6ff16d89722cbbbf7002
SHA256: b31cbc6ec2eb2b790c422f0f960bb1436106d92958703cb005ccdef38887e310
SHA512: eca6ed6a871e9fbee67feb73534bff544f052d6b3e1058a68b4602f159f089193f0f576384e6cd49373d50200d71bb4aeadd151c0fb81a77a6246849af2f39f6
SSDEEP: 12288:L3TmP4kyFSnIZgc1D7COp2JwlmsxS4kZHtfi390V+KA7rC7LOmDZ:2gBOI9D7CO0JqTSRNfiQsG7LOmD
Malware Config
Extracted: vipkeylogger
Protocol: smtp
Host: mail.pymetal.net
Port: 587
Username: [email protected]
Password: 21hnosgomezrecambios2021
Email To: [email protected]
Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.

Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid   process
2788  powershell.exe
2832  powershell.exe
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes:
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  WIpGif4IRrFfamQ.exe
Key opened  \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  WIpGif4IRrFfamQ.exe
Key opened  \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  WIpGif4IRrFfamQ.exe
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
4     checkip.dyndns.org

Suspicious use of SetThreadContext (1 IoCs)
Processes:
description                            pid   process              target process
PID 2028 set thread context of 3044    2028  WIpGif4IRrFfamQ.exe  WIpGif4IRrFfamQ.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description  ioc                                                          process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WIpGif4IRrFfamQ.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WIpGif4IRrFfamQ.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
pid   process
2028  WIpGif4IRrFfamQ.exe
2028  WIpGif4IRrFfamQ.exe
3044  WIpGif4IRrFfamQ.exe
2788  powershell.exe
2832  powershell.exe
3044  WIpGif4IRrFfamQ.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes:
description               pid   process
Token: SeDebugPrivilege   2028  WIpGif4IRrFfamQ.exe
Token: SeDebugPrivilege   3044  WIpGif4IRrFfamQ.exe
Token: SeDebugPrivilege   2788  powershell.exe
Token: SeDebugPrivilege   2832  powershell.exe

Suspicious use of WriteProcessMemory (21 IoCs)
Processes:
description                        pid   process              target process
PID 2028 wrote to memory of 2788   2028  WIpGif4IRrFfamQ.exe  powershell.exe
PID 2028 wrote to memory of 2788   2028  WIpGif4IRrFfamQ.exe  powershell.exe
PID 2028 wrote to memory of 2788   2028  WIpGif4IRrFfamQ.exe  powershell.exe
PID 2028 wrote to memory of 2788   2028  WIpGif4IRrFfamQ.exe  powershell.exe
PID 2028 wrote to memory of 2832   2028  WIpGif4IRrFfamQ.exe  powershell.exe
PID 2028 wrote to memory of 2832   2028  WIpGif4IRrFfamQ.exe  powershell.exe
PID 2028 wrote to memory of 2832   2028  WIpGif4IRrFfamQ.exe  powershell.exe
PID 2028 wrote to memory of 2832   2028  WIpGif4IRrFfamQ.exe  powershell.exe
PID 2028 wrote to memory of 2724   2028  WIpGif4IRrFfamQ.exe  schtasks.exe
PID 2028 wrote to memory of 2724   2028  WIpGif4IRrFfamQ.exe  schtasks.exe
PID 2028 wrote to memory of 2724   2028  WIpGif4IRrFfamQ.exe  schtasks.exe
PID 2028 wrote to memory of 2724   2028  WIpGif4IRrFfamQ.exe  schtasks.exe
PID 2028 wrote to memory of 3044   2028  WIpGif4IRrFfamQ.exe  WIpGif4IRrFfamQ.exe
PID 2028 wrote to memory of 3044   2028  WIpGif4IRrFfamQ.exe  WIpGif4IRrFfamQ.exe
PID 2028 wrote to memory of 3044   2028  WIpGif4IRrFfamQ.exe  WIpGif4IRrFfamQ.exe
PID 2028 wrote to memory of 3044   2028  WIpGif4IRrFfamQ.exe  WIpGif4IRrFfamQ.exe
PID 2028 wrote to memory of 3044   2028  WIpGif4IRrFfamQ.exe  WIpGif4IRrFfamQ.exe
PID 2028 wrote to memory of 3044   2028  WIpGif4IRrFfamQ.exe  WIpGif4IRrFfamQ.exe
PID 2028 wrote to memory of 3044   2028  WIpGif4IRrFfamQ.exe  WIpGif4IRrFfamQ.exe
PID 2028 wrote to memory of 3044   2028  WIpGif4IRrFfamQ.exe  WIpGif4IRrFfamQ.exe
PID 2028 wrote to memory of 3044   2028  WIpGif4IRrFfamQ.exe  WIpGif4IRrFfamQ.exe
outlook_office_path (1 IoCs)
Processes:
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  WIpGif4IRrFfamQ.exe

outlook_win_path (1 IoCs)
Processes:
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  WIpGif4IRrFfamQ.exe
Processes

C:\Users\Admin\AppData\Local\Temp\WIpGif4IRrFfamQ.exe (PID 2028)
  Command line: "C:\Users\Admin\AppData\Local\Temp\WIpGif4IRrFfamQ.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2788)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\WIpGif4IRrFfamQ.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2832)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AcEnrS.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe (PID 2724)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AcEnrS" /XML "C:\Users\Admin\AppData\Local\Temp\tmp66ED.tmp"
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task

  C:\Users\Admin\AppData\Local\Temp\WIpGif4IRrFfamQ.exe (PID 3044)
    Command line: "C:\Users\Admin\AppData\Local\Temp\WIpGif4IRrFfamQ.exe"
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (2)
    Credentials In Files (2)
Downloads

Filesize: 1KB
MD5: 57f2ee8c2486154c08544330ea9356c7
SHA1: 55ec1eae5e76d37adb765ba98eaf8507cc3cb4ef
SHA256: 09c854ea0eb675ca3865116b3a3869cc2674b02d2b355fa673e38b2f5ae94639
SHA512: 8b1bed125bdd527611f1b14e5f7f0463500f769e7cf00837cb86843f5d08e6e444a9b98dbad22a8e7bd8c1a01ebb4ffd3b95adea76f31b33a0f21ba70d2c6010

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: 2da5ad1a52c67097042eddfaf399d91d
SHA1: c9832c18cb9699047cb9cc386423bc67bcf8fccd
SHA256: 77774fd56595fac2f38899d266ed7024fbe0f8f398fc44949e43b9e0f6cb04fa
SHA512: 892b403295a1b137d0f19bc26d1e71abb2487b2b2058ab8ed2a210b6c51a26cfec65eda22d16598ea8942d43f6242813014b110afae526c40d5090d6eb5b75d5