Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-10-2024 19:30

General

  • Target

    295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe

  • Size

    547KB

  • MD5

    7c9c30680dd2f61cd7f5a93527cd2200

  • SHA1

    2f1121e93475e3dba2d25ed10fc8fd1ae3d2e982

  • SHA256

    295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83

  • SHA512

    dd233d82e64c9be1e89d6d6670e0d10e411a82d27205010e98a1a070e01a2a392c1d903749474319bb3a59bc57f0bcf4e829128de5226f51182ef4b962eb819e

  • SSDEEP

    6144:UvEN2U+T6i5LirrllHy4HUcMQY6Fn5wnb+gWxb3:GENN+T5xYrllrU7QY6Nb3

Malware Config

Extracted

Family

vipkeylogger

Credentials

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 16 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk, where infostealers often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 6 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe
    "C:\Users\Admin\AppData\Local\Temp\295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2776
    • \??\c:\users\admin\appdata\local\temp\295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe 
      c:\users\admin\appdata\local\temp\295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe 
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:2732
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2732 -s 1684
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:1844
    • C:\Users\Admin\AppData\Local\icsys.icn.exe
      C:\Users\Admin\AppData\Local\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3020
      • \??\c:\windows\system\explorer.exe
        c:\windows\system\explorer.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of hidden/system files in Explorer
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2592
        • \??\c:\windows\system\spoolsv.exe
          c:\windows\system\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2376
          • \??\c:\windows\system\svchost.exe
            c:\windows\system\svchost.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of hidden/system files in Explorer
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2016
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2844
            • C:\Windows\SysWOW64\at.exe
              at 19:32 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2684
            • C:\Windows\SysWOW64\at.exe
              at 19:33 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1252
            • C:\Windows\SysWOW64\at.exe
              at 19:34 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1976
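
The process tree above shows two patterns worth turning into detection logic: copies of well-known Windows binary names (explorer.exe, spoolsv.exe, svchost.exe) executing from c:\windows\system rather than their real locations, and at.exe being used three times to schedule the dropped svchost.exe as a recurring interactive job (the \??\PIPE\atsvc entry under Downloads is the scheduler RPC pipe at.exe talks to, and jobs created this way run as SYSTEM). The following Python is an added example and not part of this report or of the sandbox's own signatures; the event list is constructed from the command lines shown above plus two benign control rows, and the table of expected directories is an assumption for a default Windows 7 image.

```python
import ntpath
from typing import List, NamedTuple, Tuple


class ProcEvent(NamedTuple):
    ppid: int
    pid: int
    image: str
    cmdline: str


# Constructed sample input: rows copied from the process tree in this report, plus two
# benign control rows (PIDs 700 and 1300) that the checks below must not flag.
SAMPLE_EVENTS = [
    ProcEvent(2776, 3020, r"C:\Users\Admin\AppData\Local\icsys.icn.exe",
              r"C:\Users\Admin\AppData\Local\icsys.icn.exe"),
    ProcEvent(3020, 2592, r"c:\windows\system\explorer.exe", r"c:\windows\system\explorer.exe"),
    ProcEvent(2592, 2376, r"c:\windows\system\spoolsv.exe", r"c:\windows\system\spoolsv.exe SE"),
    ProcEvent(2376, 2016, r"c:\windows\system\svchost.exe", r"c:\windows\system\svchost.exe"),
    ProcEvent(2016, 2844, r"c:\windows\system\spoolsv.exe", r"c:\windows\system\spoolsv.exe PR"),
    ProcEvent(2016, 2684, r"C:\Windows\SysWOW64\at.exe",
              r"at 19:32 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe"),
    ProcEvent(2016, 1252, r"C:\Windows\SysWOW64\at.exe",
              r"at 19:33 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe"),
    ProcEvent(4, 700, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\svchost.exe -k netsvcs"),
    ProcEvent(1200, 1300, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
]

# Assumption: where these binary names legitimately live on a default Windows 7 install.
# Compared case-insensitively; extend per image if your baseline differs.
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
}


def masquerading(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Well-known system binary names executing outside their expected directory."""
    hits = []
    for ev in events:
        name = ntpath.basename(ev.image).lower()       # ntpath handles Windows paths on any OS
        directory = ntpath.dirname(ev.image).lower()
        if name in EXPECTED_DIRS and directory not in EXPECTED_DIRS[name]:
            hits.append((ev.pid, ev.image))
    return hits


def at_persistence(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """at.exe jobs that both recur (/every:) and run interactively; returns (pid, target)."""
    hits = []
    for ev in events:
        tokens = ev.cmdline.split()
        if not tokens or tokens[0].lower() not in ("at", "at.exe"):
            continue
        # Normalise switches: "/every:M,T,W" -> "/every", "19:32" -> "19" (harmless)
        switches = {t.lower().split(":")[0] for t in tokens[1:]}
        if "/interactive" in switches and "/every" in switches:
            hits.append((ev.pid, tokens[-1]))           # last token is the scheduled command
    return hits


def scheduled_masquerades(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """at.exe jobs whose target is itself a masquerading binary: the exact chain in this report."""
    bad_images = {image.lower() for _, image in masquerading(events)}
    return [(pid, target) for pid, target in at_persistence(events)
            if target.lower() in bad_images]


if __name__ == "__main__":
    for pid, image in masquerading(SAMPLE_EVENTS):
        print(f"[masquerade]  pid={pid} image={image}")
    for pid, target in at_persistence(SAMPLE_EVENTS):
        print(f"[at-persist]  pid={pid} target={target}")
    for pid, target in scheduled_masquerades(SAMPLE_EVENTS):
        print(f"[chain]       pid={pid} at-job schedules masquerading {target}")
```

On the sample the masquerade check flags PIDs 2592, 2376, 2016 and 2844 and leaves the real System32 svchost.exe and C:\Windows\explorer.exe alone; the at.exe check flags PIDs 2684 and 1252, both targeting c:\windows\system\svchost.exe. The third at.exe invocation (PID 1976) is the same pattern and would be flagged if added to the list. In production the expected-directory table should be built from a known-good image rather than typed in, and the at.exe rule should also fire on plain recurring jobs without /interactive.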

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\mrsys.exe

    Filesize

    274KB

    MD5

    cd1ccd1fd40416961967d7694b240b0d

    SHA1

    5c998271bfa37a56c262c8fe6d9a38d46ee3be81

    SHA256

    293204c7823cb9531a4ace3d150c8db6c16b55b7877c175be9e7f864924851f0

    SHA512

    4482dcd07985cb323c907fc2f64dfb41b3604e3f7834ccba77c7b3843e5a03c872ffa2786bac1cd545b284173f973167340e7406028dc7c38378f24a889d61ae

  • \??\PIPE\atsvc

    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • \Users\Admin\AppData\Local\Temp\295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe 

    Filesize

    272KB

    MD5

    b046211fe3f420a9ceb7663a560ece96

    SHA1

    785a1cff39f2a75cbfffed3d718e9e026b3c80a1

    SHA256

    96134c810750cc56e372551f8070f06aee80ae0cc8eeac983502d6b8f66c77df

    SHA512

    5a0fc701606682de24dfc1b8408b6d7c13205952128b211b9b7ef11a97871f2590d7c705b4032eab6a5661a1295fe4bc8bb58418b68e999e8fdd315009ca7eb3

  • \Users\Admin\AppData\Local\icsys.icn.exe

    Filesize

    274KB

    MD5

    1cf16e75b8173523ed0d5ef4211b9f64

    SHA1

    11dbca355fc318803987ab9756bd27f3009734ed

    SHA256

    70924977c57603c3f4f891951795650c96343308fff9ca30bff0140409c7d30c

    SHA512

    147a33e14145a0f21edcc53cf21b5300385df2deb484fc6eaafceb7e5704c2ac544e2d7f90f59fc4c4888cdbb1136feadd87b02f8ecb42b5fe4063e551bec83d

  • \Windows\system\explorer.exe

    Filesize

    274KB

    MD5

    c905dab8c0e9f21368cbcdd9d073bcbb

    SHA1

    69285a00e627958b99b15b29c93f10183d357375

    SHA256

    054c0d5c739fb572d622655cc0d066a66001f34ea06eb00a9546e1409486229f

    SHA512

    d9bea6814ada2e10a8fae33f77ffee2ece7295abaac0d19e9738d594f455985db7a61291bb843ff4197d1612fca693cd3a24fd921f82ba1262cef31a4bf23a9f

  • \Windows\system\spoolsv.exe

    Filesize

    274KB

    MD5

    76b9b717cf3092418179a3f07969b450

    SHA1

    31fbd67d757b24b6de85489df4f0e39c0c65dd15

    SHA256

    e7255bfc8128201ab78d6227ccaded56a94e23c42bd7266eafc06521caef860a

    SHA512

    74376ad73dd5065165151112d331a2e9dc2a0ec4ae2c899ebe4a2ce806142b58768ec823e572709aec33a5e4a56047762d35de07ecf2da0f65c4012ff5e39c98

  • \Windows\system\svchost.exe

    Filesize

    274KB

    MD5

    901cb3a39ab350fe5973b7f8a21607f0

    SHA1

    4e28495617ee15f2bddb0f11a29d578289d66534

    SHA256

    0ade4c6916258b0cca4bb71d517d80b141c85290e0cc3f7ad517a0b807bd317c

    SHA512

    c0c6a15d60749f1e98c9662eab277eec6edd39765ca3346f99b81c9f9e986f117403bebb346e4152e4eb4c9a418ff3d20d489db0cf3130477d9ec4e9db9a4c44

  • memory/2016-77-0x00000000003A0000-0x00000000003DE000-memory.dmp

    Filesize

    248KB

  • memory/2016-97-0x00000000003A0000-0x00000000003DE000-memory.dmp

    Filesize

    248KB

  • memory/2016-95-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/2016-96-0x00000000003A0000-0x00000000003DE000-memory.dmp

    Filesize

    248KB

  • memory/2016-78-0x00000000003A0000-0x00000000003DE000-memory.dmp

    Filesize

    248KB

  • memory/2016-76-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/2376-74-0x00000000025A0000-0x00000000025DE000-memory.dmp

    Filesize

    248KB

  • memory/2376-80-0x00000000025A0000-0x00000000025DE000-memory.dmp

    Filesize

    248KB

  • memory/2592-94-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/2732-12-0x0000000000810000-0x000000000085A000-memory.dmp

    Filesize

    296KB

  • memory/2732-59-0x000000007400E000-0x000000007400F000-memory.dmp

    Filesize

    4KB

  • memory/2732-13-0x0000000074000000-0x00000000746EE000-memory.dmp

    Filesize

    6.9MB

  • memory/2732-72-0x0000000074000000-0x00000000746EE000-memory.dmp

    Filesize

    6.9MB

  • memory/2732-11-0x000000007400E000-0x000000007400F000-memory.dmp

    Filesize

    4KB

  • memory/2732-93-0x0000000074000000-0x00000000746EE000-memory.dmp

    Filesize

    6.9MB

  • memory/2776-21-0x00000000024A0000-0x00000000024DE000-memory.dmp

    Filesize

    248KB

  • memory/2776-0-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/2776-23-0x00000000024A0000-0x00000000024DE000-memory.dmp

    Filesize

    248KB

  • memory/2776-86-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/2844-82-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/2844-79-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/3020-85-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

  • memory/3020-36-0x0000000002720000-0x000000000275E000-memory.dmp

    Filesize

    248KB

  • memory/3020-22-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB