Analysis
max time kernel: 107s
max time network: 118s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/10/2024, 02:15
Static task: static1
Behavioral task: behavioral1
  Sample: c2785c5668377424e7d8382d5f16de0d07eda9c394f23bf6c698b4627925c154.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: c2785c5668377424e7d8382d5f16de0d07eda9c394f23bf6c698b4627925c154.exe
  Resource: win10v2004-20241007-en
(The platform, resource and YARA hits on this page are from behavioral2, the Windows 10 run.)
General
Target: c2785c5668377424e7d8382d5f16de0d07eda9c394f23bf6c698b4627925c154.exe
Size: 1.2MB
MD5: c70b9019ad3bef9b820d658aa8cde813
SHA1: 3863990d0e827fa3487ae4a5aab5c7162b7565f3
SHA256: c2785c5668377424e7d8382d5f16de0d07eda9c394f23bf6c698b4627925c154
SHA512: 1e3d180d7ba5a8f9e0a47b2d3ed81d28b9d773120171ee0b22d49b055c2307dddf279080f474a28ffd889084afc7270be873d1f52c235068f0253f1a0330d62e
SSDEEP: 24576:GAHnh+eWsN3skA4RV1Hom2KXMmHav571Umq1sNso5:hh+ZkldoPK8YahhZq29
Malware Config
Extracted
vipkeylogger
https://api.telegram.org/bot7453999531:AAHcCXOdvbDJaILEpGPNgNPm4mcYsRwgAYI/sendMessage?chat_id=6200738063
Signatures
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, first seen in 2020.
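The extracted configuration above is a Telegram Bot API call. The token in the path (numeric bot id plus secret) is the credential the malware uses for that bot, so hunting on it is far more specific than matching api.telegram.org alone, and the chat_id in the query string identifies the receiving account. The following is an added example in Python, not part of the Triage report or of the VIPKeylogger family's code: it parses the URL from the config into bot id, token, method and chat_id, then uses those fields to match proxy-style log lines. The log lines and their "<timestamp> <source> <method> <url>" layout are constructed for this example.

```python
"""Parse the Telegram Bot API URL from the extracted VIPKeylogger config and
match it against proxy-style log lines.

Added example, not part of the Triage report. EXTRACTED_C2 is the URL shown
under "Malware Config"; SAMPLE_PROXY_LOG and its "<ts> <src> <method> <url>"
layout are constructed for this example.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Bot API paths look like /bot<numeric bot id>:<secret>/<method>. The secret is
# normally 35 characters of [A-Za-z0-9_-]; the "bot" prefix belongs to the path,
# not to the token.
TOKEN_RE = re.compile(
    r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})/(?P<method>[A-Za-z]+)$"
)

EXTRACTED_C2 = (
    "https://api.telegram.org/bot7453999531:AAHcCXOdvbDJaILEpGPNgNPm4mcYsRwgAYI"
    "/sendMessage?chat_id=6200738063"
)

# Constructed log lines: one hit on the same bot token (different API method,
# chat_id carried in the POST body instead of the query string), one hit on the
# same chat_id via a different bot, one unrelated Telegram bot, and one
# non-Telegram request (the checkip.dyndns.org lookup the report also flags).
SAMPLE_PROXY_LOG = [
    "2024-10-10T02:16:01Z 10.0.0.5 POST https://api.telegram.org/bot7453999531:AAHcCXOdvbDJaILEpGPNgNPm4mcYsRwgAYI/sendDocument",
    "2024-10-10T02:16:05Z 10.0.0.5 GET http://checkip.dyndns.org/",
    "2024-10-10T02:17:30Z 10.0.0.9 POST https://api.telegram.org/bot1234567890:BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB/sendMessage?chat_id=6200738063",
    "2024-10-10T02:18:00Z 10.0.0.7 GET https://api.telegram.org/bot1112223334:CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC/getMe",
]


def parse_telegram_c2(url):
    """Split a Bot API URL into bot id, full token, method and chat_id.
    Returns None for anything that is not an https call to api.telegram.org
    with a well-formed /bot<token>/<method> path."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.netloc.lower() != "api.telegram.org":
        return None
    m = TOKEN_RE.match(parts.path)
    if m is None:
        return None
    chat_id = parse_qs(parts.query).get("chat_id", [None])[0]
    return {
        "bot_id": m.group("bot_id"),
        "token": f"{m.group('bot_id')}:{m.group('secret')}",
        "method": m.group("method"),
        "chat_id": chat_id,
    }


def match_proxy_log(lines, c2):
    """Return (line, reason) for every line that reaches the same bot (token
    match, the strong signal: one token is one attacker-controlled bot) or the
    same destination chat (weaker, and only visible when chat_id is in the
    query string rather than the request body)."""
    hits = []
    for line in lines:
        parsed = parse_telegram_c2(line.split()[-1])
        if parsed is None:
            continue
        if parsed["token"] == c2["token"]:
            hits.append((line, "same bot token"))
        elif parsed["chat_id"] is not None and parsed["chat_id"] == c2["chat_id"]:
            hits.append((line, "same chat_id"))
    return hits


if __name__ == "__main__":
    c2 = parse_telegram_c2(EXTRACTED_C2)
    print("bot id:", c2["bot_id"], "chat id:", c2["chat_id"])
    for line, reason in match_proxy_log(SAMPLE_PROXY_LOG, c2):
        print(reason, "->", line)
```

The token is matched regardless of API method, because the same bot can be driven through sendMessage, sendDocument or any other endpoint; a chat_id-only match is reported separately since a chat_id alone is not proof of the same operator.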
Drops startup file  1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs | name.exe

Executes dropped EXE  1 IoCs
pid | Process
4616 | name.exe

Accesses Microsoft Outlook profiles  1 TTPs  3 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe

Looks up external IP address via web service  1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
16 | checkip.dyndns.org

AutoIT Executable  1 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/files/0x000e000000023b74-8.dat | autoit_exe

Suspicious use of SetThreadContext  1 IoCs
description | pid | Process | procid_target
PID 4616 set thread context of 1636 | 4616 | name.exe | 87

System Location Discovery: System Language Discovery  1 TTPs  3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c2785c5668377424e7d8382d5f16de0d07eda9c394f23bf6c698b4627925c154.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | name.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegSvcs.exe

Suspicious behavior: EnumeratesProcesses  2 IoCs
pid | Process
1636 | RegSvcs.exe
1636 | RegSvcs.exe

Suspicious behavior: MapViewOfSection  1 IoCs
pid | Process
4616 | name.exe

Suspicious use of AdjustPrivilegeToken  1 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1636 | RegSvcs.exe

Suspicious use of FindShellTrayWindow  4 IoCs
pid | Process
2032 | c2785c5668377424e7d8382d5f16de0d07eda9c394f23bf6c698b4627925c154.exe
2032 | c2785c5668377424e7d8382d5f16de0d07eda9c394f23bf6c698b4627925c154.exe
4616 | name.exe
4616 | name.exe

Suspicious use of SendNotifyMessage  4 IoCs
pid | Process
2032 | c2785c5668377424e7d8382d5f16de0d07eda9c394f23bf6c698b4627925c154.exe
2032 | c2785c5668377424e7d8382d5f16de0d07eda9c394f23bf6c698b4627925c154.exe
4616 | name.exe
4616 | name.exe

Suspicious use of WriteProcessMemory  7 IoCs
description | pid | Process | procid_target
PID 2032 wrote to memory of 4616 | 2032 | c2785c5668377424e7d8382d5f16de0d07eda9c394f23bf6c698b4627925c154.exe | 86
PID 2032 wrote to memory of 4616 | 2032 | c2785c5668377424e7d8382d5f16de0d07eda9c394f23bf6c698b4627925c154.exe | 86
PID 2032 wrote to memory of 4616 | 2032 | c2785c5668377424e7d8382d5f16de0d07eda9c394f23bf6c698b4627925c154.exe | 86
PID 4616 wrote to memory of 1636 | 4616 | name.exe | 87
PID 4616 wrote to memory of 1636 | 4616 | name.exe | 87
PID 4616 wrote to memory of 1636 | 4616 | name.exe | 87
PID 4616 wrote to memory of 1636 | 4616 | name.exe | 87

outlook_office_path  1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe

outlook_win_path  1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes
C:\Users\Admin\AppData\Local\Temp\c2785c5668377424e7d8382d5f16de0d07eda9c394f23bf6c698b4627925c154.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\c2785c5668377424e7d8382d5f16de0d07eda9c394f23bf6c698b4627925c154.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 2032
  C:\Users\Admin\AppData\Local\directory\name.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\c2785c5668377424e7d8382d5f16de0d07eda9c394f23bf6c698b4627925c154.exe"
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 4616
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\c2785c5668377424e7d8382d5f16de0d07eda9c394f23bf6c698b4627925c154.exe"
      - Accesses Microsoft Outlook profiles
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
      PID: 1636
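The process tree above is the chain the signatures describe: the dropper in AppData\Local\Temp starts a copy of itself as name.exe, which launches RegSvcs.exe (a signed .NET binary under C:\Windows) with the dropper's command line rather than its own, writes into that process, replaces its thread context, and the resulting RegSvcs.exe then reads Outlook profile keys. Create a trusted binary, write into it, reset its thread context, with a command line that names a different executable, is the process-hollowing pattern. The following is an added example in Python and not Triage's own detection logic: a scorer over a constructed event list built from the PIDs, image paths, command lines and registry key on this page. The event schema ("type", "pid", "target", ...), the helper names and the verdict labels are mine.

```python
"""Score the dropper -> name.exe -> RegSvcs.exe chain from this report's
process tree and signatures.

Added example, not Triage's detection logic. EVENTS is constructed from the
PIDs, images, command lines and registry key shown on this page; the event
schema and the verdict labels are mine.
"""
from collections import defaultdict

SAMPLE = "c2785c5668377424e7d8382d5f16de0d07eda9c394f23bf6c698b4627925c154.exe"
DROPPER_CMDLINE = f'"C:\\Users\\Admin\\AppData\\Local\\Temp\\{SAMPLE}"'

WINDOWS_DIR = "c:\\windows\\"
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
OUTLOOK_PROFILE = "\\outlook\\profiles\\outlook\\"

EVENTS = [
    {"type": "process", "pid": 2032, "ppid": 0,
     "image": f"C:\\Users\\Admin\\AppData\\Local\\Temp\\{SAMPLE}", "cmdline": DROPPER_CMDLINE},
    {"type": "process", "pid": 4616, "ppid": 2032,
     "image": "C:\\Users\\Admin\\AppData\\Local\\directory\\name.exe", "cmdline": DROPPER_CMDLINE},
    # RegSvcs.exe is started with the dropper's command line, not its own path.
    {"type": "process", "pid": 1636, "ppid": 4616,
     "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", "cmdline": DROPPER_CMDLINE},
    {"type": "file_create", "pid": 4616,
     "path": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\name.vbs"},
    {"type": "write_memory", "pid": 4616, "target": 1636},
    {"type": "write_memory", "pid": 4616, "target": 1636},
    {"type": "set_thread_context", "pid": 4616, "target": 1636},
    {"type": "reg_open", "pid": 1636,
     "key": "\\REGISTRY\\USER\\S-1-5-21-3350944739-639801879-157714471-1000\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676"},
]


def _exe_from_cmdline(cmdline):
    """First token of a command line, with surrounding quotes removed."""
    c = cmdline.strip()
    if c.startswith('"'):
        return c[1:c.find('"', 1)]
    return c.split(" ", 1)[0]


def find_hollowing(events):
    """Process-hollowing candidates: an injector that both wrote into a target
    and replaced its thread context, where the target is a binary under
    C:\\Windows whose command line names a different executable."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    wrote, ctx = defaultdict(set), defaultdict(set)
    for e in events:
        if e["type"] == "write_memory":
            wrote[e["pid"]].add(e["target"])
        elif e["type"] == "set_thread_context":
            ctx[e["pid"]].add(e["target"])
    findings = []
    for injector, targets in ctx.items():
        for target in sorted(targets & wrote[injector]):
            t = procs.get(target)
            if t is None:
                continue
            image = t["image"].lower()
            cmdline_mismatch = _exe_from_cmdline(t["cmdline"]).lower() != image
            if image.startswith(WINDOWS_DIR) and cmdline_mismatch:
                findings.append({"injector": injector, "target": target,
                                 "target_image": t["image"],
                                 "target_is_child": t["ppid"] == injector})
    return findings


def find_startup_persistence(events):
    """Files written into a user's Startup folder (run at next logon)."""
    return [e["path"] for e in events
            if e["type"] == "file_create" and STARTUP_DIR in e["path"].lower()]


def find_outlook_profile_readers(events):
    """PIDs that opened Outlook profile keys (stored account settings)."""
    return sorted({e["pid"] for e in events
                   if e["type"] == "reg_open" and OUTLOOK_PROFILE in e["key"].lower()})


def triage(events):
    """Combine the three signals; the strong verdict needs the hollowed process
    itself to be the one reading Outlook profiles."""
    hollow = find_hollowing(events)
    startup = find_startup_persistence(events)
    outlook = find_outlook_profile_readers(events)
    if any(f["target"] in outlook for f in hollow):
        verdict = "infostealer via process hollowing"
    elif hollow or startup or outlook:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"hollowing": hollow, "startup_files": startup,
            "outlook_readers": outlook, "verdict": verdict}


if __name__ == "__main__":
    print(triage(EVENTS))
```

The command-line mismatch is the cheap check worth carrying into EDR queries: a legitimately started RegSvcs.exe has its own path as the first token of its command line, while a hollowed one inherits whatever the injector passed to CreateProcess. The same scorer would also fire on the dropper-to-name.exe step if a SetThreadContext event were recorded for it; the report shows only WriteProcessMemory there, so that step is left as a plain parent-child relation.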
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 270KB
MD5: ea843488ca14c5edcdcfb5110f163795
SHA1: d047ec7badd1087c00dbe3786cc07ff8fc488e99
SHA256: 8d2198beec114f226b4a092894ee1d97569694db901ebb8020a32dff44d4c641
SHA512: 70b44d3f2d03592a7bb3c7f8821d58347274062c3efa9e4612db2ffec4746f2720e045f015637b9fc5ecf5fc9c0f783bd4867d8988a8bd826ea0c52f334d6910

Filesize: 1.2MB
MD5: c70b9019ad3bef9b820d658aa8cde813
SHA1: 3863990d0e827fa3487ae4a5aab5c7162b7565f3
SHA256: c2785c5668377424e7d8382d5f16de0d07eda9c394f23bf6c698b4627925c154
SHA512: 1e3d180d7ba5a8f9e0a47b2d3ed81d28b9d773120171ee0b22d49b055c2307dddf279080f474a28ffd889084afc7270be873d1f52c235068f0253f1a0330d62e