Analysis
-
max time kernel
102s -
max time network
106s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
03-10-2024 11:26
Static task
static1
Behavioral task
behavioral1
Sample
encrypted.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
encrypted.exe
Resource
win10v2004-20240802-en
General
-
Target
encrypted.exe
-
Size
2.8MB
-
MD5
f01725be4af17d500bf5121780b3d304
-
SHA1
4ba42ced4db6a5173ece265424b26b32ececbbd6
-
SHA256
a6d95538d1d2f4031e10ff3a1258400a3f471fe64e14ff2dc9808c28334d0cea
-
SHA512
68d39578c162f03c64617b82d8c242afb8278fa31476e116a29c83138fc804d75aefffe7e956ba8ffe6d5b2253f83d704212a166df1dc57e58b502fcdfdbed26
-
SSDEEP
24576:Hp+4uTV+nMmbk1UU/ERo0trw2rIxNFsT8SYnt23pDoFL5I1MnU0jaShPkmZLirW7:HpCTVtsRo0NwggzLjUaPIWzea
Malware Config
Extracted
vipkeylogger
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
encrypted.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 encrypted.exe Key opened \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 encrypted.exe Key opened \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 encrypted.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 checkip.dyndns.org -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes:
rundll32.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_Classes\Local Settings rundll32.exe -
Opens file in notepad (likely ransom note) 1 IoCs
Processes:
NOTEPAD.EXEpid process 2356 NOTEPAD.EXE -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
encrypted.exepid process 3064 encrypted.exe 3064 encrypted.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
rundll32.exepid process 1512 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
encrypted.exe7zG.exedescription pid process Token: SeDebugPrivilege 3064 encrypted.exe Token: SeRestorePrivilege 2060 7zG.exe Token: 35 2060 7zG.exe Token: SeSecurityPrivilege 2060 7zG.exe Token: SeSecurityPrivilege 2060 7zG.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
7zG.exepid process 2060 7zG.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 1512 wrote to memory of 2356 1512 rundll32.exe NOTEPAD.EXE PID 1512 wrote to memory of 2356 1512 rundll32.exe NOTEPAD.EXE PID 1512 wrote to memory of 2356 1512 rundll32.exe NOTEPAD.EXE -
outlook_office_path 1 IoCs
Processes:
encrypted.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 encrypted.exe -
outlook_win_path 1 IoCs
Processes:
encrypted.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 encrypted.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\encrypted.exe"C:\Users\Admin\AppData\Local\Temp\encrypted.exe"1⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3064
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵PID:2656
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\3711440261\zmstage.exe\" -spe -an -ai#7zMap24679:126:7zEvent250221⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2060
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\3711440261\zmstage.exe.orig1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\3711440261\zmstage.exe.orig2⤵
- Opens file in notepad (likely ransom note)
PID:2356
-
C:\Users\Admin\AppData\Local\Temp\3711440261\zmsta.exe"C:\Users\Admin\AppData\Local\Temp\3711440261\zmsta.exe"1⤵PID:2992
-
C:\Users\Admin\AppData\Local\Temp\3711440261\zmsta.exe"C:\Users\Admin\AppData\Local\Temp\3711440261\zmsta.exe"1⤵PID:932