Analysis
-
max time kernel
149s -
max time network
131s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
02-10-2024 14:49
Static task
static1
Behavioral task
behavioral1
Sample
FinalDraftDocument.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
FinalDraftDocument.exe
Resource
win10v2004-20240802-en
General
-
Target
FinalDraftDocument.exe
-
Size
488KB
-
MD5
809e7ea49edaf85cb1d5bd558e5c5193
-
SHA1
0eccd79c5a83552cfdbb869bf800946b07373203
-
SHA256
9b6a9353b8f6dd2125d0b15d32724606744990de68541d8714153935e7f69a2a
-
SHA512
4e18195b6a226bf6e427ecc8bbf9bed6fe4075411b9d26971510222fa8fd39778cac8dd85fc58c22dca1012d2e6bd10f09eec69983e99d43c890bd2a52cde58f
-
SSDEEP
12288:jrvWGrvWvrvWZrvWb2BKMAKtWjg8lNqOi/GUr:jLWGLWvLWZLWqQHjlNqbrr
Malware Config
Extracted
vipkeylogger
https://api.telegram.org/bot8077340278:AAH_Kxl1wfWRxGS3WgpXXx6UyRcTAMq6dmU/sendMessage?chat_id=5325450360
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
regasm.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 regasm.exe Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 regasm.exe Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 regasm.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 6 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
FinalDraftDocument.exedescription pid process target process PID 4672 set thread context of 852 4672 FinalDraftDocument.exe regasm.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
FinalDraftDocument.exeregasm.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FinalDraftDocument.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regasm.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
regasm.exepid process 852 regasm.exe 852 regasm.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
FinalDraftDocument.exepid process 4672 FinalDraftDocument.exe 4672 FinalDraftDocument.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
regasm.exedescription pid process Token: SeDebugPrivilege 852 regasm.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
FinalDraftDocument.exepid process 4672 FinalDraftDocument.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
FinalDraftDocument.exedescription pid process target process PID 4672 wrote to memory of 1804 4672 FinalDraftDocument.exe regasm.exe PID 4672 wrote to memory of 1804 4672 FinalDraftDocument.exe regasm.exe PID 4672 wrote to memory of 1804 4672 FinalDraftDocument.exe regasm.exe PID 4672 wrote to memory of 1804 4672 FinalDraftDocument.exe regasm.exe PID 4672 wrote to memory of 852 4672 FinalDraftDocument.exe regasm.exe PID 4672 wrote to memory of 852 4672 FinalDraftDocument.exe regasm.exe PID 4672 wrote to memory of 852 4672 FinalDraftDocument.exe regasm.exe PID 4672 wrote to memory of 852 4672 FinalDraftDocument.exe regasm.exe -
outlook_office_path 1 IoCs
Processes:
regasm.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 regasm.exe -
outlook_win_path 1 IoCs
Processes:
regasm.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 regasm.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\FinalDraftDocument.exe"C:\Users\Admin\AppData\Local\Temp\FinalDraftDocument.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4672 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"2⤵PID:1804
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:852
-