Analysis
- max time kernel: 118s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 03-10-2024 11:11
Static task: static1

Behavioral task: behavioral1
- Sample: 8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: 8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe
- Resource: win10v2004-20240802-en
General
- Target: 8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe
- Size: 1.5MB
- MD5: 4e78f6aefc51d6c727cb3c1e4bf0fb81
- SHA1: 7fa38adc2c202186ff20386b4e2e5243b202b81b
- SHA256: 8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9
- SHA512: 2a94650ec86f1b96ff39b6c6664c845264795a9277d88c03704d0352af6b0713a92b03ca2dbd02c00891e5993ee8f65e8217259a41e0a181e75e8093840534d8
- SSDEEP: 24576:b062cSEk8zNlLvC3nrOvC/RTXn036CcS2X9+R3qYpsSMZoCM+GjhHBATdI:A6PayQrlRjc6phQ8SM/GvAe
Malware Config
- Extracted family: vipkeylogger
Signatures

- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    2716  encrypted.exe

- Loads dropped DLL (1 IoC)
  Processes:
    pid   process
    1664  WScript.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.

- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
    description  ioc                                                                                                                                                                             process
    Key opened   \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                          encrypted.exe
    Key opened   \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  encrypted.exe
    Key opened   \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                          encrypted.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    4     checkip.dyndns.org

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    description  ioc                                                        process
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe
    Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    2716  encrypted.exe
    2716  encrypted.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  2716  encrypted.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                       pid   process                                                                   target process
    PID 1792 wrote to memory of 1664  1792  8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe     WScript.exe
    PID 1792 wrote to memory of 1664  1792  8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe     WScript.exe
    PID 1792 wrote to memory of 1664  1792  8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe     WScript.exe
    PID 1792 wrote to memory of 1664  1792  8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe     WScript.exe
    PID 1664 wrote to memory of 2716  1664  WScript.exe                                                               encrypted.exe
    PID 1664 wrote to memory of 2716  1664  WScript.exe                                                               encrypted.exe
    PID 1664 wrote to memory of 2716  1664  WScript.exe                                                               encrypted.exe
    PID 1664 wrote to memory of 2716  1664  WScript.exe                                                               encrypted.exe
- outlook_office_path (1 IoC)
  Processes:
    description  ioc                                                                                                                                    process
    Key opened   \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  encrypted.exe

- outlook_win_path (1 IoC)
  Processes:
    description  ioc                                                                                                                                                                             process
    Key opened   \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  encrypted.exe
Processes

- [1] C:\Users\Admin\AppData\Local\Temp\8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe"
  PID: 1792
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  - [2] C:\Windows\SysWOW64\WScript.exe (child of PID 1792)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs"
    PID: 1664
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    - [3] C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe (child of PID 1664)
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe"
      PID: 2716
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network

MITRE ATT&CK Enterprise v15
- Credential Access
  - Credentials from Password Stores (1)
    - Credentials from Web Browsers (1)
  - Unsecured Credentials (2)
    - Credentials In Files (2)
Downloads

- Filesize: 2.8MB
  MD5: f01725be4af17d500bf5121780b3d304
  SHA1: 4ba42ced4db6a5173ece265424b26b32ececbbd6
  SHA256: a6d95538d1d2f4031e10ff3a1258400a3f471fe64e14ff2dc9808c28334d0cea
  SHA512: 68d39578c162f03c64617b82d8c242afb8278fa31476e116a29c83138fc804d75aefffe7e956ba8ffe6d5b2253f83d704212a166df1dc57e58b502fcdfdbed26

- Filesize: 190B
  MD5: 99b17143c77785dec72b12bf9fde7389
  SHA1: fe803b2b32e187644433795fd26798122dc284fe
  SHA256: e5c84ef4a1599f6f8130f70109bba6e6ba04439d10601c06834e36d31012f8e1
  SHA512: 49282594bde69abe29c01f866371dbb0b3eb2b46c6108a1e86e25a612afed4d74aa92ed930cde0c19c1696602730ac2df38b8dd3f4798eb763ade9c1c2ab2e4d