Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-10-2024 19:30

General

  • Target

    295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe

  • Size

    547KB

  • MD5

    7c9c30680dd2f61cd7f5a93527cd2200

  • SHA1

    2f1121e93475e3dba2d25ed10fc8fd1ae3d2e982

  • SHA256

    295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83

  • SHA512

    dd233d82e64c9be1e89d6d6670e0d10e411a82d27205010e98a1a070e01a2a392c1d903749474319bb3a59bc57f0bcf4e829128de5226f51182ef4b962eb819e

  • SSDEEP

    6144:UvEN2U+T6i5LirrllHy4HUcMQY6Fn5wnb+gWxb3:GENN+T5xYrllrU7QY6Nb3

Malware Config

Extracted

Family

vipkeylogger

Credentials

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk, where infostealers often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 6 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe
    "C:\Users\Admin\AppData\Local\Temp\295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2748
    • \??\c:\users\admin\appdata\local\temp\295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe 
      c:\users\admin\appdata\local\temp\295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe 
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:2000
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 1824
        3⤵
        • Program crash
        PID:4900
    • C:\Users\Admin\AppData\Local\icsys.icn.exe
      C:\Users\Admin\AppData\Local\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1960
      • \??\c:\windows\system\explorer.exe
        c:\windows\system\explorer.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of hidden/system files in Explorer
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1672
        • \??\c:\windows\system\spoolsv.exe
          c:\windows\system\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:724
          • \??\c:\windows\system\svchost.exe
            c:\windows\system\svchost.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of hidden/system files in Explorer
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4580
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:4432
            • C:\Windows\SysWOW64\at.exe
              at 19:32 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1628
            • C:\Windows\SysWOW64\at.exe
              at 19:33 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3948
            • C:\Windows\SysWOW64\at.exe
              at 19:34 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4928
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2000 -ip 2000
    1⤵
      PID:3672

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\295a6bc83e47df3e4ab6349a145c43b464590c91c0a8abb3f9a8cf5df08bab83n.exe 

      Filesize

      272KB

      MD5

      b046211fe3f420a9ceb7663a560ece96

      SHA1

      785a1cff39f2a75cbfffed3d718e9e026b3c80a1

      SHA256

      96134c810750cc56e372551f8070f06aee80ae0cc8eeac983502d6b8f66c77df

      SHA512

      5a0fc701606682de24dfc1b8408b6d7c13205952128b211b9b7ef11a97871f2590d7c705b4032eab6a5661a1295fe4bc8bb58418b68e999e8fdd315009ca7eb3

    • C:\Users\Admin\AppData\Local\icsys.icn.exe

      Filesize

      274KB

      MD5

      1cf16e75b8173523ed0d5ef4211b9f64

      SHA1

      11dbca355fc318803987ab9756bd27f3009734ed

      SHA256

      70924977c57603c3f4f891951795650c96343308fff9ca30bff0140409c7d30c

      SHA512

      147a33e14145a0f21edcc53cf21b5300385df2deb484fc6eaafceb7e5704c2ac544e2d7f90f59fc4c4888cdbb1136feadd87b02f8ecb42b5fe4063e551bec83d

    • C:\Users\Admin\AppData\Roaming\mrsys.exe

      Filesize

      274KB

      MD5

      9f05a691f78e8d17aecf11899359e032

      SHA1

      aaca4b820e635eb3185cbe80bd2e2c57153bdb16

      SHA256

      88ec3881d38e661b5e8b765ae746077e6731e8c0633f7cbe3d2a1e9f13606188

      SHA512

      93b0ffd092b7df2d4a97215999bb0f390a21c429bcb1773ae4b9e1e5835b05ab22a216c75b61929a719ad6a745ea705f9f304c0cd3e9d34064ab83b785a51aec

    • C:\Windows\System\explorer.exe

      Filesize

      274KB

      MD5

      ee3bb80a17e784208ee064a9972804d9

      SHA1

      2ccccf78ed71544d2d7eb3f6061503f1ec43f382

      SHA256

      12f9cf0aa3a9ae624c2bbff658f69c9332075273ccfd1a55944752cf5671d0a8

      SHA512

      3250ca9d1a6376e54b3e947ac0acaceb54ea020167168fea3cdf43794bdfa03d185e1bb242938641711dbb4cff92c09959419194ce1e16b5e4083bf5c62244fb

    • C:\Windows\System\spoolsv.exe

      Filesize

      274KB

      MD5

      c1f12aae0eba0d785523e37b0aa223b1

      SHA1

      05a2848b129a479036815c22dff67d2403bed7aa

      SHA256

      f12b7510c069a227438eb82e9121d3b43d376ecc69f6b999d506ba33e26a71af

      SHA512

      6f94a700ad531de7a597dca50a3c63c81333f1b9996dc1c450c4452c1503b603ccf4884229904d4563eba1b8e94eb70758819a6da88f925d83960a2225a65a6a

    • C:\Windows\System\svchost.exe

      Filesize

      274KB

      MD5

      7fdb2bdc416441ee6e8528cb1fe57c72

      SHA1

      9b18b285b8c225a6b3fd212932f2076ae1a2e338

      SHA256

      b8a023ee2791d0bcc764aa845caf0d677e319bdfa62b5ff0cfab04e733f6c92f

      SHA512

      f3ce84af36e86e9b2cac67b6ac8dce9cc943f824f8fb04daa39267cdac09cb691a1d7f7dda824f8f1bd0152608da76bb5e482c986a19457cf5754dac476bf801

    • memory/724-52-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/1672-61-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/1960-54-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/1960-17-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/2000-57-0x0000000074540000-0x0000000074CF0000-memory.dmp

      Filesize

      7.7MB

    • memory/2000-56-0x000000007454E000-0x000000007454F000-memory.dmp

      Filesize

      4KB

    • memory/2000-9-0x000000007454E000-0x000000007454F000-memory.dmp

      Filesize

      4KB

    • memory/2000-12-0x0000000005260000-0x00000000052FC000-memory.dmp

      Filesize

      624KB

    • memory/2000-11-0x00000000058D0000-0x0000000005E74000-memory.dmp

      Filesize

      5.6MB

    • memory/2000-10-0x0000000000840000-0x000000000088A000-memory.dmp

      Filesize

      296KB

    • memory/2000-60-0x0000000074540000-0x0000000074CF0000-memory.dmp

      Filesize

      7.7MB

    • memory/2000-13-0x0000000074540000-0x0000000074CF0000-memory.dmp

      Filesize

      7.7MB

    • memory/2000-59-0x0000000006820000-0x0000000006870000-memory.dmp

      Filesize

      320KB

    • memory/2000-58-0x0000000006990000-0x0000000006B52000-memory.dmp

      Filesize

      1.8MB

    • memory/2748-0-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/2748-55-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/4432-49-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB

    • memory/4580-62-0x0000000000400000-0x000000000043E000-memory.dmp

      Filesize

      248KB