Analysis

  • max time kernel
    120s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20240802-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    03-10-2024 19:26

General

  • Target

    295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe

  • Size

    547KB

  • MD5

    7c9c30680dd2f61cd7f5a93527cd2200

  • SHA1

    2f1121e93475e3dba2d25ed10fc8fd1ae3d2e982

  • SHA256

    295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83

  • SHA512

    dd233d82e64c9be1e89d6d6670e0d10e411a82d27205010e98a1a070e01a2a392c1d903749474319bb3a59bc57f0bcf4e829128de5226f51182ef4b962eb819e

  • SSDEEP

    6144:UvEN2U+T6i5LirrllHy4HUcMQY6Fn5wnb+gWxb3:GENN+T5xYrllrU7QY6Nb3

Malware Config

Extracted

Family

vipkeylogger

Credentials

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C#. It resembles SnakeKeylogger, which was first seen in 2020.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk, where infostealers often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies and other secrets.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 6 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs
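
The signature list above says the sample modifies Winlogon, writes an Active Setup component, adds a Run key and changes Explorer's hidden/system file visibility, but the report does not show the values written. The block below is an added host-side audit for exactly those four locations (example code written for this page, not sandbox output or the sample's own code). It evaluates a registry snapshot as a plain dictionary so it can be run offline against exported keys, and `collect_live()` reads the same keys with `winreg` on a Windows host. The snapshot in the block is constructed to mirror the signatures (the Winlogon, StubPath, Run and Explorer values are illustrative, not recovered from the sample), the GUIDs are placeholders, and the trusted-directory list is an assumption to tune per estate.

```python
"""Audit registry persistence the report flags: Winlogon Shell/Userinit, Active Setup
StubPath, Run keys, Explorer hidden-file settings.  Example code for this report."""
import sys

WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
ACTIVE_SETUP = r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components"
RUN_KEYS = (r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")
EXPLORER_ADV = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
# Directories an autostart target may legitimately live in (assumption; tune per estate).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64",
                r"c:\program files", r"c:\program files (x86)")


def exe_from_value(data):
    """Executable path from a value like  C:\\x\\a.exe args  or  "C:\\x y\\a.exe" args."""
    s = str(data).strip()
    if s.startswith('"') and s.find('"', 1) > 0:
        return s[1:s.find('"', 1)]
    return s.split(" ", 1)[0]


def outside_trusted(exe):
    e = exe.strip().lower()
    return not any(e.startswith(d + "\\") for d in TRUSTED_DIRS)


def audit(snapshot):
    """snapshot: {key_path: {value_name: data}}.  Returns (key, value, data, reason) tuples."""
    snap = {k.lower(): v for k, v in snapshot.items()}
    out = []
    wl = snap.get(WINLOGON.lower(), {})
    # Shell must be explorer.exe alone; every Userinit entry must live in a trusted dir.
    shell = [s.strip() for s in str(wl.get("Shell", "explorer.exe")).split(",") if s.strip()]
    if [s.lower() for s in shell] != ["explorer.exe"]:
        out.append((WINLOGON, "Shell", wl["Shell"], "Winlogon Shell is not explorer.exe alone"))
    for entry in str(wl.get("Userinit", "")).split(","):
        if entry.strip() and outside_trusted(exe_from_value(entry)):
            out.append((WINLOGON, "Userinit", wl["Userinit"], "Userinit entry outside trusted dirs"))
    for key, values in snap.items():
        if key.startswith(ACTIVE_SETUP.lower() + "\\") and "StubPath" in values:
            if outside_trusted(exe_from_value(values["StubPath"])):
                out.append((key, "StubPath", values["StubPath"], "Active Setup stub outside trusted dirs"))
    for run in RUN_KEYS:
        for name, data in snap.get(run.lower(), {}).items():
            if outside_trusted(exe_from_value(data)):
                out.append((run, name, data, "Run entry outside trusted dirs"))
    adv = snap.get(EXPLORER_ADV.lower(), {})
    # Hidden=2 / ShowSuperHidden=0 hide hidden and protected-OS files.  They are also the
    # Windows defaults, so this reports state; attribution needs the writing process.
    if adv.get("Hidden") == 2 or adv.get("ShowSuperHidden") == 0:
        out.append((EXPLORER_ADV, "Hidden/ShowSuperHidden",
                    (adv.get("Hidden"), adv.get("ShowSuperHidden")),
                    "Explorer hides hidden/system files"))
    return out


def collect_live():
    """Read the audited keys on the running host (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("live collection needs Windows; pass audit() a snapshot instead")
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}

    def enumerate_key(path, fn):
        hive, _, sub = path.partition("\\")
        items, i = [], 0
        try:
            with winreg.OpenKey(hives[hive], sub) as k:
                while True:            # EnumValue/EnumKey raise OSError at the end
                    items.append(fn(k, i))
                    i += 1
        except OSError:                # missing key or end of enumeration
            pass
        return items

    def values(path):
        return {n: d for n, d, _ in enumerate_key(path, winreg.EnumValue)}

    snap = {WINLOGON: values(WINLOGON), EXPLORER_ADV: values(EXPLORER_ADV)}
    for run in RUN_KEYS:
        snap[run] = values(run)
    for guid in enumerate_key(ACTIVE_SETUP, winreg.EnumKey):
        snap[ACTIVE_SETUP + "\\" + guid] = values(ACTIVE_SETUP + "\\" + guid)
    return snap


# Constructed snapshot modelled on the report's signatures; values are illustrative.
SAMPLE_SNAPSHOT = {
    WINLOGON: {"Shell": r"explorer.exe,c:\windows\system\explorer.exe",
               "Userinit": r"C:\Windows\system32\userinit.exe,"},
    ACTIVE_SETUP + r"\{00000000-0000-0000-0000-000000000001}":
        {"StubPath": r"c:\windows\system\svchost.exe"},
    ACTIVE_SETUP + r"\{00000000-0000-0000-0000-000000000002}":
        {"StubPath": r"C:\Windows\System32\ie4uinit.exe -ClearIconCache"},
    RUN_KEYS[0]: {"mrsys": r"C:\Users\Admin\AppData\Roaming\mrsys.exe",
                  "Vendor": r'"C:\Program Files\Vendor\app.exe" /tray'},
    EXPLORER_ADV: {"Hidden": 2, "ShowSuperHidden": 0},
}

if __name__ == "__main__":
    for key, name, data, reason in audit(SAMPLE_SNAPSHOT):
        print(f"{reason}: {key}\\{name} = {data!r}")
```

Two caveats when running `collect_live()` on a real host: the sample is a 32-bit process (it runs under SysWOW64), so its writes to `HKLM\SOFTWARE\...\Run` and Active Setup land in the `WOW6432Node` view, and a 64-bit Python must open those keys with `winreg.KEY_WOW64_32KEY` as well to see them (Winlogon is shared between views). And because `Hidden`/`ShowSuperHidden` match Windows defaults, that finding is only meaningful when correlated with a non-Explorer process writing the value.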

Processes

  • C:\Users\Admin\AppData\Local\Temp\295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe
    "C:\Users\Admin\AppData\Local\Temp\295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1648
    • \??\c:\users\admin\appdata\local\temp\295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe 
      c:\users\admin\appdata\local\temp\295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe 
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:3460
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 1128
        3⤵
        • Program crash
        PID:2460
    • C:\Users\Admin\AppData\Local\icsys.icn.exe
      C:\Users\Admin\AppData\Local\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:996
      • \??\c:\windows\system\explorer.exe
        c:\windows\system\explorer.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of hidden/system files in Explorer
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4392
        • \??\c:\windows\system\spoolsv.exe
          c:\windows\system\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2996
          • \??\c:\windows\system\svchost.exe
            c:\windows\system\svchost.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of hidden/system files in Explorer
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2504
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2728
            • C:\Windows\SysWOW64\at.exe
              at 19:28 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4816
            • C:\Windows\SysWOW64\at.exe
              at 19:29 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3204
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3460 -ip 3460
    1⤵
    PID:3812
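
Two things in the tree above are worth turning into detections: binaries named explorer.exe, spoolsv.exe and svchost.exe executing from c:\windows\system\ (a directory none of the genuine copies live in), and at.exe being invoked with /interactive and /every to re-launch the svchost.exe copy every day. The block below is an added example (not sandbox output or the sample's code) that encodes both as checks over process-creation telemetry. The event records are constructed from the PIDs and command lines in the tree, and the table of expected directories is an assumption about a default Windows install.

```python
"""Flag system-binary masquerading and at.exe persistence in process telemetry.
Example code written for this report; the events below are constructed from the
process tree in the report, not captured by the sandbox."""
import re
from dataclasses import dataclass

# Where the genuine binaries live (lower-case, no trailing backslash).  Assumption:
# a default Windows install; extend for custom layouts.
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
}

# at.exe syntax: [path\]at[.exe] <hh:mm> [/interactive] [/every:...|/next:...] command
AT_RE = re.compile(r'^\s*"?(?:[^"\s]*\\)?at(?:\.exe)?"?\s+(?P<time>\d{1,2}:\d{2})\s+'
                   r'(?P<flags>(?:/\S+\s+)*)(?P<target>\S.*?)\s*$', re.I)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def normalize(path):
    """Fold NT-style (\\??\\c:\\...) and mixed-case paths to a lower-case Win32 path."""
    p = path.strip().strip('"').lower()
    return p[4:] if p.startswith("\\??\\") else p


def masquerading(image):
    """Reason string if `image` is a system binary name outside its legitimate directory."""
    directory, _, name = normalize(image).rpartition("\\")
    if name in EXPECTED_DIRS and directory not in EXPECTED_DIRS[name]:
        return f"{name} launched from {directory} (expected {sorted(EXPECTED_DIRS[name])})"
    return None


def scheduled_persistence(cmdline):
    """Reason string for an at.exe job that is interactive or re-launches a masquerading copy."""
    m = AT_RE.match(cmdline)
    if not m:
        return None
    flags, target = m.group("flags").lower(), m.group("target")
    reasons = []
    if "/interactive" in flags:
        reasons.append("runs on the interactive desktop")
    if "/every:" in flags:
        reasons.append("recurring")
    masq = masquerading(target)
    if masq:
        reasons.append(masq)
    if "/interactive" in flags or masq:
        return f"at.exe job {m.group('time')} -> {normalize(target)}: " + "; ".join(reasons)
    return None


def triage(events):
    """Return {pid: [reasons]} for every event that trips a check; the parent image is
    appended so the dropper -> explorer -> spoolsv -> svchost chain stays visible."""
    by_pid = {e.pid: e for e in events}
    hits = {}
    for e in events:
        reasons = [r for r in (masquerading(e.image), scheduled_persistence(e.cmdline)) if r]
        if reasons:
            parent = by_pid.get(e.ppid)
            reasons.append("parent: " + (normalize(parent.image) if parent else "<unknown>"))
            hits[e.pid] = reasons
    return hits


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe"
# Constructed from the report's process tree (PIDs and command lines as listed there).
EVENTS = [
    ProcEvent(1648, 0, SAMPLE, ""),
    ProcEvent(3460, 1648, "\\??\\" + SAMPLE.lower(), ""),
    ProcEvent(2460, 3460, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 1128"),
    ProcEvent(996, 1648, r"C:\Users\Admin\AppData\Local\icsys.icn.exe", ""),
    ProcEvent(4392, 996, r"\??\c:\windows\system\explorer.exe", ""),
    ProcEvent(2996, 4392, r"\??\c:\windows\system\spoolsv.exe", r"c:\windows\system\spoolsv.exe SE"),
    ProcEvent(2504, 2996, r"\??\c:\windows\system\svchost.exe", ""),
    ProcEvent(2728, 2504, r"\??\c:\windows\system\spoolsv.exe", r"c:\windows\system\spoolsv.exe PR"),
    ProcEvent(4816, 2504, r"C:\Windows\SysWOW64\at.exe", r"at 19:28 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe"),
    ProcEvent(3204, 2504, r"C:\Windows\SysWOW64\at.exe", r"at 19:29 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe"),
    ProcEvent(3812, 0, r"C:\Windows\SysWOW64\WerFault.exe", r"C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3460 -ip 3460"),
]

if __name__ == "__main__":
    for pid, reasons in triage(EVENTS).items():
        print(pid, *reasons, sep="\n    ")
```

Run against the constructed events this flags PIDs 4392, 2996, 2504 and 2728 for masquerading and 4816 and 3204 for the at.exe jobs, while the dropper, icsys.icn.exe and the two WerFault.exe instances pass (they are only notable through their parents). One caveat on the at.exe jobs: at.exe has been deprecated since Windows 8 and on current builds only prints a message pointing at schtasks.exe, so on this Windows 10 run the jobs were most likely never created; the invocation is still a high-fidelity indicator, and `schtasks.exe /create` pointing at the same path is the modern variant to watch for.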

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Temp\295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe 

      Filesize

      272KB

      MD5

      b046211fe3f420a9ceb7663a560ece96

      SHA1

      785a1cff39f2a75cbfffed3d718e9e026b3c80a1

      SHA256

      96134c810750cc56e372551f8070f06aee80ae0cc8eeac983502d6b8f66c77df

      SHA512

      5a0fc701606682de24dfc1b8408b6d7c13205952128b211b9b7ef11a97871f2590d7c705b4032eab6a5661a1295fe4bc8bb58418b68e999e8fdd315009ca7eb3

    • C:\Users\Admin\AppData\Local\icsys.icn.exe

      Filesize

      274KB

      MD5

      1cf16e75b8173523ed0d5ef4211b9f64

      SHA1

      11dbca355fc318803987ab9756bd27f3009734ed

      SHA256

      70924977c57603c3f4f891951795650c96343308fff9ca30bff0140409c7d30c

      SHA512

      147a33e14145a0f21edcc53cf21b5300385df2deb484fc6eaafceb7e5704c2ac544e2d7f90f59fc4c4888cdbb1136feadd87b02f8ecb42b5fe4063e551bec83d

    • C:\Users\Admin\AppData\Roaming\mrsys.exe

      Filesize

      274KB

      MD5

      8ec609eeecb8c7d798fdf50084493a03

      SHA1

      084b7023ab8efb4de9bd44c89aac899253bb520e

      SHA256

      7af4a8dac6def5be83f8a838547cf2c29e94dbfc1d745ff05b3e3d6a97997558

      SHA512

      0cffa70f1842092123253ccf7436c7085674c1c809f3436847b11efeb2d22c8c3cb3b5eb3f99cdbc9f9cac40f77eb1d3226619d53b52d3684bf3ca2deba608c8

    • C:\Windows\System\explorer.exe

      Filesize

      274KB

      MD5

      3d309066f9e70f752412743b56351401

      SHA1

      0c5bcbb6b3bb6c8aafe503ebc0c2358ed22f6423

      SHA256

      a0e80beb15d0e0ffc3872fbb561dd0e440bdce37a19ba19135be8238a9e033e7

      SHA512

      2db9755838f0eba42a7d39f4179e0504120e711a1cf1a2a94abd6f00b381f798c8757cb20baa477d46887714990e209009a32470f6921eee91de5fc030626d53

    • C:\Windows\System\spoolsv.exe

      Filesize

      274KB

      MD5

      2a0748fdf422074ac126c2c8b1ecceb9

      SHA1

      b28fb17f4de8eca6dc1a4d1871ad7131174e73a5

      SHA256

      beca580e5efb098717f01f04eaddbfd74d0fda25f14f26ec37d9d3476f6de587

      SHA512

      254e474a754ba616a9f9371df839b2466a7ed0c98359bb589b4e2b30ebc1c7187ea1df4b1b792bdeabc1f3bfe50188a3b1153b7f5f01e2fed91814d8c88454b8

    • C:\Windows\System\svchost.exe

      Filesize

      274KB

      MD5

      895f34de90e7faf56e5ada7a452e1265

      SHA1

      d5bdc67d892f8c063fbd9764b002e9e2b3915648

      SHA256

      a0e62a205452c93f8bc8c3f638dc1dcc1bf46219974a1c7ff3e8059313f0b061

      SHA512

      59562da3ec1c37359ace5061a10646611e6eab029f66b122ba194352d393e5983d74c6372cc52ca2f03cfdd5a9ded4c725afcccd626e90cf8c863c95a15c67bd

    • memory/996-53-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/1648-54-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/1648-0-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/2504-61-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/2728-48-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/2996-49-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/3460-9-0x0000000073F5E000-0x0000000073F5F000-memory.dmp

      Filesize

      4KB

    • memory/3460-10-0x0000000000800000-0x000000000084A000-memory.dmp

      Filesize

      296KB

    • memory/3460-13-0x0000000073F50000-0x0000000074700000-memory.dmp

      Filesize

      7.7MB

    • memory/3460-11-0x0000000005780000-0x0000000005D24000-memory.dmp

      Filesize

      5.6MB

    • memory/3460-55-0x0000000073F5E000-0x0000000073F5F000-memory.dmp

      Filesize

      4KB

    • memory/3460-56-0x0000000006940000-0x0000000006B02000-memory.dmp

      Filesize

      1.8MB

    • memory/3460-57-0x00000000067D0000-0x0000000006820000-memory.dmp

      Filesize

      320KB

    • memory/3460-58-0x0000000073F50000-0x0000000074700000-memory.dmp

      Filesize

      7.7MB

    • memory/3460-59-0x0000000073F50000-0x0000000074700000-memory.dmp

      Filesize

      7.7MB

    • memory/3460-12-0x0000000005270000-0x000000000530C000-memory.dmp

      Filesize

      624KB

    • memory/4392-60-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB