Analysis

  • max time kernel
    120s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    03-10-2024 19:26

General

  • Target

    295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe

  • Size

    547KB

  • MD5

    7c9c30680dd2f61cd7f5a93527cd2200

  • SHA1

    2f1121e93475e3dba2d25ed10fc8fd1ae3d2e982

  • SHA256

    295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83

  • SHA512

    dd233d82e64c9be1e89d6d6670e0d10e411a82d27205010e98a1a070e01a2a392c1d903749474319bb3a59bc57f0bcf4e829128de5226f51182ef4b962eb819e

  • SSDEEP

    6144:UvEN2U+T6i5LirrllHy4HUcMQY6Fn5wnb+gWxb3:GENN+T5xYrllrU7QY6Nb3

Malware Config

Extracted

Family

vipkeylogger

Credentials

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first found in 2020.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 16 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 6 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe
    "C:\Users\Admin\AppData\Local\Temp\295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2256
    • \??\c:\users\admin\appdata\local\temp\295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe 
      c:\users\admin\appdata\local\temp\295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe 
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:2316
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 1688
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:880
    • C:\Users\Admin\AppData\Local\icsys.icn.exe
      C:\Users\Admin\AppData\Local\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2108
      • \??\c:\windows\system\explorer.exe
        c:\windows\system\explorer.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of hidden/system files in Explorer
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2776
        • \??\c:\windows\system\spoolsv.exe
          c:\windows\system\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1068
          • \??\c:\windows\system\svchost.exe
            c:\windows\system\svchost.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of hidden/system files in Explorer
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2604
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2680
            • C:\Windows\SysWOW64\at.exe
              at 19:28 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2932
            • C:\Windows\SysWOW64\at.exe
              at 19:29 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1064

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\mrsys.exe

    Filesize

    274KB

    MD5

    f920230e6094623d76530db6111f64e8

    SHA1

    cef2ad08c3c6d9ddf27e089072dd8dbee7b4ed54

    SHA256

    d439d554faff7d985cf833480a5a9d7cac42a4b20b16a145d5f83551b879152f

    SHA512

    90d72a7690d511841fad94424c6481f2d7a9b89d09fc9eb1a304eaf1f61dd605d8466f5a7d69b56432cecd595394864a6a39037782cfe9644c267b595737d71f

  • \Users\Admin\AppData\Local\Temp\295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe 

    Filesize

    272KB

    MD5

    b046211fe3f420a9ceb7663a560ece96

    SHA1

    785a1cff39f2a75cbfffed3d718e9e026b3c80a1

    SHA256

    96134c810750cc56e372551f8070f06aee80ae0cc8eeac983502d6b8f66c77df

    SHA512

    5a0fc701606682de24dfc1b8408b6d7c13205952128b211b9b7ef11a97871f2590d7c705b4032eab6a5661a1295fe4bc8bb58418b68e999e8fdd315009ca7eb3

  • \Users\Admin\AppData\Local\icsys.icn.exe

    Filesize

    274KB

    MD5

    1cf16e75b8173523ed0d5ef4211b9f64

    SHA1

    11dbca355fc318803987ab9756bd27f3009734ed

    SHA256

    70924977c57603c3f4f891951795650c96343308fff9ca30bff0140409c7d30c

    SHA512

    147a33e14145a0f21edcc53cf21b5300385df2deb484fc6eaafceb7e5704c2ac544e2d7f90f59fc4c4888cdbb1136feadd87b02f8ecb42b5fe4063e551bec83d

  • \Windows\system\explorer.exe

    Filesize

    274KB

    MD5

    8fe63d1c9c95a1cbf481b65d09651f97

    SHA1

    181aa9704343d57e0d1d5bbe3f1e68bdea0fc326

    SHA256

    1ecf3e026dad74683ef9abf552a666bb2ed19f6fbafd75759f45e5ab27ca80e5

    SHA512

    270180df9b2973c4c863d65ed67490bbf7b3ffa4826b3c32ae3ac16365c3c831a6d8759e7aeba6fea2976778b2e3743a7fdabc45bf8bd483ff6843db27a919bb

  • \Windows\system\spoolsv.exe

    Filesize

    274KB

    MD5

    1ba30b1d1fe50e91e9ee36fc36c8e76f

    SHA1

    c0a9a00571fffd46ed0acd16adef61b7a966cd8a

    SHA256

    8a4d4ac33a3c534bf07d7a817f904516061e49ab8f6fb8c46b69e08e62747dd1

    SHA512

    9e767e624ea45facea8cdf6e340509e4f10f5e6b4f1d27727e0a105c47c6f34d0db672da6af46081c62a376e8746a019c9832e502e18e2e643f59cbe4d189489

  • \Windows\system\svchost.exe

    Filesize

    274KB

    MD5

    6ca353de2b586fdac3d49cdba8888c45

    SHA1

    5348bad152fdec8bc7c7e080d32a4b7b4877c9b8

    SHA256

    019e36dcf0c7106769aba609a442f12fd3f5fa2741078dcfa9069e418e79459c

    SHA512

    054ac53a3d2a7d59dc13c728ef3e221e2053f27392ce165c4228fd2bbc6fc55bae879be44bdab6da988557c41f14b5654415fd1f6a0601a2a2f43266dc2dc536

  • memory/1068-84-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/1068-63-0x0000000003180000-0x00000000031BE000-memory.dmp

    Filesize

    248KB

  • memory/1068-68-0x0000000003180000-0x00000000031BE000-memory.dmp

    Filesize

    248KB

  • memory/1068-60-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/2108-35-0x00000000032E0000-0x000000000331E000-memory.dmp

    Filesize

    248KB

  • memory/2108-85-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/2108-34-0x00000000032E0000-0x000000000331E000-memory.dmp

    Filesize

    248KB

  • memory/2256-20-0x0000000002600000-0x000000000263E000-memory.dmp

    Filesize

    248KB

  • memory/2256-86-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/2256-0-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/2316-12-0x0000000000EA0000-0x0000000000EEA000-memory.dmp

    Filesize

    296KB

  • memory/2316-93-0x0000000073FE0000-0x00000000746CE000-memory.dmp

    Filesize

    6.9MB

  • memory/2316-57-0x0000000073FE0000-0x00000000746CE000-memory.dmp

    Filesize

    6.9MB

  • memory/2316-59-0x0000000073FEE000-0x0000000073FEF000-memory.dmp

    Filesize

    4KB

  • memory/2316-13-0x0000000073FE0000-0x00000000746CE000-memory.dmp

    Filesize

    6.9MB

  • memory/2316-11-0x0000000073FEE000-0x0000000073FEF000-memory.dmp

    Filesize

    4KB

  • memory/2604-96-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/2604-76-0x0000000000510000-0x000000000054E000-memory.dmp

    Filesize

    248KB

  • memory/2604-97-0x0000000000510000-0x000000000054E000-memory.dmp

    Filesize

    248KB

  • memory/2680-81-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/2776-94-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/2776-95-0x0000000001CE0000-0x0000000001D1E000-memory.dmp

    Filesize

    248KB

  • memory/2776-37-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/2776-50-0x0000000001CE0000-0x0000000001D1E000-memory.dmp

    Filesize

    248KB