Analysis

  • max time kernel
    60s
  • max time network
    60s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03-10-2024 11:23

General

  • Target

    8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe

  • Size

    1.5MB

  • MD5

    4e78f6aefc51d6c727cb3c1e4bf0fb81

  • SHA1

    7fa38adc2c202186ff20386b4e2e5243b202b81b

  • SHA256

    8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9

  • SHA512

    2a94650ec86f1b96ff39b6c6664c845264795a9277d88c03704d0352af6b0713a92b03ca2dbd02c00891e5993ee8f65e8217259a41e0a181e75e8093840534d8

  • SSDEEP

    24576:b062cSEk8zNlLvC3nrOvC/RTXn036CcS2X9+R3qYpsSMZoCM+GjhHBATdI:A6PayQrlRjc6phQ8SM/GvAe

Malware Config

Extracted

Family

vipkeylogger

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe
    "C:\Users\Admin\AppData\Local\Temp\8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2084
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2700
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:2740
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:2604
    • C:\Users\Admin\AppData\Local\Temp\8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe
      "C:\Users\Admin\AppData\Local\Temp\8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe"
      1⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1200
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX1\run.vbs"
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1396
        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\encrypted.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX1\encrypted.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1856
    • C:\Program Files\7-Zip\7zG.exe
      "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\2166614737\payload\" -spe -an -ai#7zMap21685:116:7zEvent21879
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:2748
    • C:\Users\Admin\AppData\Local\Temp\2166614737\payload\8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe
      "C:\Users\Admin\AppData\Local\Temp\2166614737\payload\8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe"
      1⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3060
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX2\run.vbs"
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2196
        • C:\Users\Admin\AppData\Local\Temp\RarSFX2\encrypted.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX2\encrypted.exe"
          3⤵
          • Executes dropped EXE
          PID:2376

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\2166614737\payload\8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe

      Filesize

      1.5MB

      MD5

      4e78f6aefc51d6c727cb3c1e4bf0fb81

      SHA1

      7fa38adc2c202186ff20386b4e2e5243b202b81b

      SHA256

      8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9

      SHA512

      2a94650ec86f1b96ff39b6c6664c845264795a9277d88c03704d0352af6b0713a92b03ca2dbd02c00891e5993ee8f65e8217259a41e0a181e75e8093840534d8

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe

      Filesize

      2.8MB

      MD5

      f01725be4af17d500bf5121780b3d304

      SHA1

      4ba42ced4db6a5173ece265424b26b32ececbbd6

      SHA256

      a6d95538d1d2f4031e10ff3a1258400a3f471fe64e14ff2dc9808c28334d0cea

      SHA512

      68d39578c162f03c64617b82d8c242afb8278fa31476e116a29c83138fc804d75aefffe7e956ba8ffe6d5b2253f83d704212a166df1dc57e58b502fcdfdbed26

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs

      Filesize

      190B

      MD5

      99b17143c77785dec72b12bf9fde7389

      SHA1

      fe803b2b32e187644433795fd26798122dc284fe

      SHA256

      e5c84ef4a1599f6f8130f70109bba6e6ba04439d10601c06834e36d31012f8e1

      SHA512

      49282594bde69abe29c01f866371dbb0b3eb2b46c6108a1e86e25a612afed4d74aa92ed930cde0c19c1696602730ac2df38b8dd3f4798eb763ade9c1c2ab2e4d

    • memory/2740-10-0x0000000001C40000-0x0000000001C8C000-memory.dmp

      Filesize

      304KB

    • memory/2740-11-0x0000000001F80000-0x0000000001FCA000-memory.dmp

      Filesize

      296KB