Analysis Overview
SHA256
ae08ea78ffecba73bdcc7f7f7273e7dc7b2c0ed119567941ace1e9c88e502224
Threat Level: Known bad
The file ae08ea78ffecba73bdcc7f7f7273e7dc7b2c0ed119567941ace1e9c88e502224 was found to be: Known bad.
Malicious Activity Summary
VIPKeylogger
Executes dropped EXE
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Loads dropped DLL
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Browser Information Discovery
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
outlook_win_path
Suspicious use of WriteProcessMemory
outlook_office_path
Suspicious use of AdjustPrivilegeToken
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-03 11:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-03 11:11
Reported
2024-10-03 11:13
Platform
win7-20240708-en
Max time kernel
117s
Max time network
139s
Command Line
Signatures
VIPKeylogger
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | checkip.dyndns.org | N/A | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\03_10_2024_Dönemi_MEVDUAT Ekstre Bilgiler.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\03_10_2024_Dönemi_MEVDUAT Ekstre Bilgiler.exe
"C:\Users\Admin\AppData\Local\Temp\03_10_2024_Dönemi_MEVDUAT Ekstre Bilgiler.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| US | 193.122.130.0:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 104.21.67.152:443 | reallyfreegeoip.org | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs
| Hash | Value |
| --- | --- |
| MD5 | 99b17143c77785dec72b12bf9fde7389 |
| SHA1 | fe803b2b32e187644433795fd26798122dc284fe |
| SHA256 | e5c84ef4a1599f6f8130f70109bba6e6ba04439d10601c06834e36d31012f8e1 |
| SHA512 | 49282594bde69abe29c01f866371dbb0b3eb2b46c6108a1e86e25a612afed4d74aa92ed930cde0c19c1696602730ac2df38b8dd3f4798eb763ade9c1c2ab2e4d |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe
| Hash | Value |
| --- | --- |
| MD5 | f01725be4af17d500bf5121780b3d304 |
| SHA1 | 4ba42ced4db6a5173ece265424b26b32ececbbd6 |
| SHA256 | a6d95538d1d2f4031e10ff3a1258400a3f471fe64e14ff2dc9808c28334d0cea |
| SHA512 | 68d39578c162f03c64617b82d8c242afb8278fa31476e116a29c83138fc804d75aefffe7e956ba8ffe6d5b2253f83d704212a166df1dc57e58b502fcdfdbed26 |
memory/2060-10-0x0000000000200000-0x000000000024C000-memory.dmp
memory/2060-11-0x00000000021D0000-0x000000000221A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-03 11:11
Reported
2024-10-03 11:13
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
VIPKeylogger
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\03_10_2024_Dönemi_MEVDUAT Ekstre Bilgiler.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | checkip.dyndns.org | N/A | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\03_10_2024_Dönemi_MEVDUAT Ekstre Bilgiler.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\03_10_2024_Dönemi_MEVDUAT Ekstre Bilgiler.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1464 wrote to memory of 4836 | N/A | C:\Users\Admin\AppData\Local\Temp\03_10_2024_Dönemi_MEVDUAT Ekstre Bilgiler.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 1464 wrote to memory of 4836 | N/A | C:\Users\Admin\AppData\Local\Temp\03_10_2024_Dönemi_MEVDUAT Ekstre Bilgiler.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 1464 wrote to memory of 4836 | N/A | C:\Users\Admin\AppData\Local\Temp\03_10_2024_Dönemi_MEVDUAT Ekstre Bilgiler.exe | C:\Windows\SysWOW64\WScript.exe |
| PID 4836 wrote to memory of 3052 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe |
| PID 4836 wrote to memory of 3052 | N/A | C:\Windows\SysWOW64\WScript.exe | C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe |
outlook_office_path
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\03_10_2024_Dönemi_MEVDUAT Ekstre Bilgiler.exe
"C:\Users\Admin\AppData\Local\Temp\03_10_2024_Dönemi_MEVDUAT Ekstre Bilgiler.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| US | 158.101.44.242:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | 242.44.101.158.in-addr.arpa | udp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 172.67.177.134:443 | reallyfreegeoip.org | tcp |
| US | 8.8.8.8:53 | 134.177.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs
| Hash | Value |
| --- | --- |
| MD5 | 99b17143c77785dec72b12bf9fde7389 |
| SHA1 | fe803b2b32e187644433795fd26798122dc284fe |
| SHA256 | e5c84ef4a1599f6f8130f70109bba6e6ba04439d10601c06834e36d31012f8e1 |
| SHA512 | 49282594bde69abe29c01f866371dbb0b3eb2b46c6108a1e86e25a612afed4d74aa92ed930cde0c19c1696602730ac2df38b8dd3f4798eb763ade9c1c2ab2e4d |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe
| Hash | Value |
| --- | --- |
| MD5 | f01725be4af17d500bf5121780b3d304 |
| SHA1 | 4ba42ced4db6a5173ece265424b26b32ececbbd6 |
| SHA256 | a6d95538d1d2f4031e10ff3a1258400a3f471fe64e14ff2dc9808c28334d0cea |
| SHA512 | 68d39578c162f03c64617b82d8c242afb8278fa31476e116a29c83138fc804d75aefffe7e956ba8ffe6d5b2253f83d704212a166df1dc57e58b502fcdfdbed26 |
memory/3052-9-0x000001FF455D0000-0x000001FF4561C000-memory.dmp
memory/3052-10-0x0000023FDB9F0000-0x0000023FDBA3A000-memory.dmp
memory/3052-11-0x0000023FF4860000-0x0000023FF4A22000-memory.dmp
memory/3052-12-0x0000023FF4690000-0x0000023FF46E0000-memory.dmp