Analysis
max time kernel: 5s
max time network: 9s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 04-10-2024 08:19
Static task: static1
Behavioral task: behavioral1
  Sample: 8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe
  Resource: win10v2004-20240802-en
General
Target: 8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe
Size: 1.5MB
MD5: 4e78f6aefc51d6c727cb3c1e4bf0fb81
SHA1: 7fa38adc2c202186ff20386b4e2e5243b202b81b
SHA256: 8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9
SHA512: 2a94650ec86f1b96ff39b6c6664c845264795a9277d88c03704d0352af6b0713a92b03ca2dbd02c00891e5993ee8f65e8217259a41e0a181e75e8093840534d8
SSDEEP: 24576:b062cSEk8zNlLvC3nrOvC/RTXn036CcS2X9+R3qYpsSMZoCM+GjhHBATdI:A6PayQrlRjc6phQ8SM/GvAe
Malware Config
Extracted: vipkeylogger
Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.

Executes dropped EXE (1 IoC)
Processes:
  pid   process
  2776  encrypted.exe

Loads dropped DLL (1 IoC)
Processes:
  pid   process
  2732  WScript.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  4     checkip.dyndns.org

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description  ioc                                                          process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WScript.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
  pid   process
  2776  encrypted.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  2776  encrypted.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description                       pid   process                                                                target process
  PID 2264 wrote to memory of 2732  2264  8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe  WScript.exe
  PID 2264 wrote to memory of 2732  2264  8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe  WScript.exe
  PID 2264 wrote to memory of 2732  2264  8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe  WScript.exe
  PID 2264 wrote to memory of 2732  2264  8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe  WScript.exe
  PID 2732 wrote to memory of 2776  2732  WScript.exe                                                            encrypted.exe
  PID 2732 wrote to memory of 2776  2732  WScript.exe                                                            encrypted.exe
  PID 2732 wrote to memory of 2776  2732  WScript.exe                                                            encrypted.exe
  PID 2732 wrote to memory of 2776  2732  WScript.exe                                                            encrypted.exe
Processes
C:\Users\Admin\AppData\Local\Temp\8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8db24332a5fab95f955dafe3fcac34cf932d9d0afa6b6d3a2406cc09304171b9.exe"
  PID: 2264
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  └─ C:\Windows\SysWOW64\WScript.exe
       Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\run.vbs"
       PID: 2732
       - Loads dropped DLL
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory
       └─ C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\encrypted.exe"
            PID: 2776
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 2.8MB
  MD5: f01725be4af17d500bf5121780b3d304
  SHA1: 4ba42ced4db6a5173ece265424b26b32ececbbd6
  SHA256: a6d95538d1d2f4031e10ff3a1258400a3f471fe64e14ff2dc9808c28334d0cea
  SHA512: 68d39578c162f03c64617b82d8c242afb8278fa31476e116a29c83138fc804d75aefffe7e956ba8ffe6d5b2253f83d704212a166df1dc57e58b502fcdfdbed26

File 2
  Filesize: 190B
  MD5: 99b17143c77785dec72b12bf9fde7389
  SHA1: fe803b2b32e187644433795fd26798122dc284fe
  SHA256: e5c84ef4a1599f6f8130f70109bba6e6ba04439d10601c06834e36d31012f8e1
  SHA512: 49282594bde69abe29c01f866371dbb0b3eb2b46c6108a1e86e25a612afed4d74aa92ed930cde0c19c1696602730ac2df38b8dd3f4798eb763ade9c1c2ab2e4d