Analysis
- max time kernel: 60s
- max time network: 60s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 03-10-2024 11:23
Static task: static1
Behavioral task: behavioral1
- Sample: 8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: 8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe
- Resource: win10v2004-20240802-en
General
- Target: 8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe
- Size: 1.5MB
- MD5: 4e78f6aefc51d6c727cb3c1e4bf0fb81
- SHA1: 7fa38adc2c202186ff20386b4e2e5243b202b81b
- SHA256: 8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9
- SHA512: 2a94650ec86f1b96ff39b6c6664c845264795a9277d88c03704d0352af6b0713a92b03ca2dbd02c00891e5993ee8f65e8217259a41e0a181e75e8093840534d8
- SSDEEP: 24576:b062cSEk8zNlLvC3nrOvC/RTXn036CcS2X9+R3qYpsSMZoCM+GjhHBATdI:A6PayQrlRjc6phQ8SM/GvAe
Malware Config
Extracted: vipkeylogger
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first observed in 2020.
-
Executes dropped EXE 4 IoCs
Processes (pid | process):
2740 | encrypted.exe
1856 | encrypted.exe
3060 | 8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe
2376 | encrypted.exe
-
Loads dropped DLL 3 IoCs
Processes (pid | process):
2700 | WScript.exe
1396 | WScript.exe
2196 | WScript.exe
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk, where infostealers often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes (description | ioc | process):
Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | encrypted.exe
Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | encrypted.exe
Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | encrypted.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow | ioc):
4 | checkip.dyndns.org
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description | ioc | process):
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes (pid | process):
2740 | encrypted.exe
1856 | encrypted.exe
2740 | encrypted.exe
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes (description | pid | process):
Token: SeDebugPrivilege | 2740 | encrypted.exe
Token: SeDebugPrivilege | 1856 | encrypted.exe
Token: SeRestorePrivilege | 2748 | 7zG.exe
Token: 35 | 2748 | 7zG.exe
Token: SeSecurityPrivilege | 2748 | 7zG.exe
Token: SeSecurityPrivilege | 2748 | 7zG.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes (pid | process):
2748 | 7zG.exe
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes (description | pid | process | target process):
PID 2084 wrote to memory of 2700 | 2084 | 8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe | WScript.exe
PID 2084 wrote to memory of 2700 | 2084 | 8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe | WScript.exe
PID 2084 wrote to memory of 2700 | 2084 | 8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe | WScript.exe
PID 2084 wrote to memory of 2700 | 2084 | 8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe | WScript.exe
PID 2700 wrote to memory of 2740 | 2700 | WScript.exe | encrypted.exe
PID 2700 wrote to memory of 2740 | 2700 | WScript.exe | encrypted.exe
PID 2700 wrote to memory of 2740 | 2700 | WScript.exe | encrypted.exe
PID 2700 wrote to memory of 2740 | 2700 | WScript.exe | encrypted.exe
PID 1200 wrote to memory of 1396 | 1200 | 8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe | WScript.exe
PID 1200 wrote to memory of 1396 | 1200 | 8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe | WScript.exe
PID 1200 wrote to memory of 1396 | 1200 | 8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe | WScript.exe
PID 1200 wrote to memory of 1396 | 1200 | 8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe | WScript.exe
PID 1396 wrote to memory of 1856 | 1396 | WScript.exe | encrypted.exe
PID 1396 wrote to memory of 1856 | 1396 | WScript.exe | encrypted.exe
PID 1396 wrote to memory of 1856 | 1396 | WScript.exe | encrypted.exe
PID 1396 wrote to memory of 1856 | 1396 | WScript.exe | encrypted.exe
PID 3060 wrote to memory of 2196 | 3060 | 8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe | WScript.exe
PID 3060 wrote to memory of 2196 | 3060 | 8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe | WScript.exe
PID 3060 wrote to memory of 2196 | 3060 | 8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe | WScript.exe
PID 3060 wrote to memory of 2196 | 3060 | 8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe | WScript.exe
PID 2196 wrote to memory of 2376 | 2196 | WScript.exe | encrypted.exe
PID 2196 wrote to memory of 2376 | 2196 | WScript.exe | encrypted.exe
PID 2196 wrote to memory of 2376 | 2196 | WScript.exe | encrypted.exe
PID 2196 wrote to memory of 2376 | 2196 | WScript.exe | encrypted.exe
-
outlook_office_path 1 IoCs
Processes (description | ioc | process):
Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | encrypted.exe
-
outlook_win_path 1 IoCs
Processes (description | ioc | process):
Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | encrypted.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe (level 1, PID 2084)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe"
  Signatures:
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\SysWOW64\WScript.exe (level 2, PID 2700)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs"
    Signatures:
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Child process:
    - C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe (level 3, PID 2740)
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe"
      Signatures:
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
- C:\Windows\explorer.exe (level 1, PID 2604)
  Command line: "C:\Windows\explorer.exe"
- C:\Users\Admin\AppData\Local\Temp\8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe (level 1, PID 1200)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe"
  Signatures:
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\SysWOW64\WScript.exe (level 2, PID 1396)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX1\run.vbs"
    Signatures:
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Child process:
    - C:\Users\Admin\AppData\Local\Temp\RarSFX1\encrypted.exe (level 3, PID 1856)
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\encrypted.exe"
      Signatures:
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
- C:\Program Files\7-Zip\7zG.exe (level 1, PID 2748)
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\2166614737\payload\" -spe -an -ai#7zMap21685:116:7zEvent21879
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Users\Admin\AppData\Local\Temp\2166614737\payload\8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe (level 1, PID 3060)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2166614737\payload\8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe"
  Signatures:
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\SysWOW64\WScript.exe (level 2, PID 2196)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX2\run.vbs"
    Signatures:
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Child process:
    - C:\Users\Admin\AppData\Local\Temp\RarSFX2\encrypted.exe (level 3, PID 2376)
      Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX2\encrypted.exe"
      Signatures:
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores 1
- Credentials from Web Browsers 1
- Unsecured Credentials 2
- Credentials In Files 2
Downloads