Analysis
max time kernel: 133s
max time network: 203s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-10-2024 15:18
Static task: static1
Behavioral task: behavioral1
  Sample: PIOE56709876780002.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: PIOE56709876780002.exe
  Resource: win10v2004-20241007-en
General
Target: PIOE56709876780002.exe
Size: 1.2MB
MD5: ea3273984038ab81206e74dcf5c3f04e
SHA1: 4cfedc14c31c4364382bf2865a14f82f3d2188db
SHA256: 68a1fa9a0a9dc5fbd2746b1103dc4ced27824bf12d99c50eedad5b19a3f640de
SHA512: 73d917ec4226de83d4b64e90d1d13243092ab21f43526bba9fbff27674640f2efb92462ba61ada50c9467501cbc12d2e7073a2c59e4b076a378f623430ff0796
SSDEEP: 24576:5fmMv6Ckr7Mny5QtMdiJJCtLxLe6aiCH2aE:53v+7/5QtMDLheMY2/
Malware Config
Extracted
  Protocol: smtp
  Host: mail.vvtrade.vn
  Port: 587
  Username: [email protected]
  Password: qVyP6qyv6MQCmZJBRs4t
Extracted
  vipkeylogger
  https://api.telegram.org/bot7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI/sendMessage?chat_id=6443825857
Signatures

VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C#, and it resembles SnakeKeylogger, which was found in 2020.

Drops startup file (1 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gunfights.vbs | gunfights.exe

Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  4904 | gunfights.exe

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | svchost.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | svchost.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | svchost.exe

Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  21 | checkip.dyndns.org

AutoIT Executable (1 IoCs)
  AutoIT scripts compiled to PE executables.
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\harrowment\gunfights.exe | autoit_exe

Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description | pid | process | target process
  PID 4904 set thread context of 2716 | 4904 | gunfights.exe | svchost.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PIOE56709876780002.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gunfights.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | process
  2716 | svchost.exe
  2716 | svchost.exe

Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes:
  pid | process
  4904 | gunfights.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2716 | svchost.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
  Processes:
  pid | process
  4944 | PIOE56709876780002.exe
  4944 | PIOE56709876780002.exe
  4904 | gunfights.exe
  4904 | gunfights.exe

Suspicious use of SendNotifyMessage (4 IoCs)
  Processes:
  pid | process
  4944 | PIOE56709876780002.exe
  4944 | PIOE56709876780002.exe
  4904 | gunfights.exe
  4904 | gunfights.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
  description | pid | process | target process
  PID 4944 wrote to memory of 4904 | 4944 | PIOE56709876780002.exe | gunfights.exe
  PID 4944 wrote to memory of 4904 | 4944 | PIOE56709876780002.exe | gunfights.exe
  PID 4944 wrote to memory of 4904 | 4944 | PIOE56709876780002.exe | gunfights.exe
  PID 4904 wrote to memory of 2716 | 4904 | gunfights.exe | svchost.exe
  PID 4904 wrote to memory of 2716 | 4904 | gunfights.exe | svchost.exe
  PID 4904 wrote to memory of 2716 | 4904 | gunfights.exe | svchost.exe
  PID 4904 wrote to memory of 2716 | 4904 | gunfights.exe | svchost.exe

outlook_office_path (1 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | svchost.exe

outlook_win_path (1 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | svchost.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\PIOE56709876780002.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\PIOE56709876780002.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   PID: 4944

   2. C:\Users\Admin\AppData\Local\harrowment\gunfights.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\PIOE56709876780002.exe"
      - Drops startup file
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      PID: 4904

      3. C:\Windows\SysWOW64\svchost.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\PIOE56709876780002.exe"
         - Accesses Microsoft Outlook profiles
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - outlook_office_path
         - outlook_win_path
         PID: 2716
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 203KB
MD5: 43b02edca7062d44acd3fd8f42d5078b
SHA1: 75cf74ef3873aba176d9c7ba3deedb27f5cb699e
SHA256: 991de88756301141788f3728735c42d7ab6dd479abd59b3ffb0b3fe81f2e45d5
SHA512: 36a43298faf48d25f20ff22a1e456c928e0353843008bc70cc1412d5ea77d2f9cc3b157540b36d5139d179ea3388be38350a2c10e51af813b48dd8764c4f785f

Filesize: 1.2MB
MD5: ea3273984038ab81206e74dcf5c3f04e
SHA1: 4cfedc14c31c4364382bf2865a14f82f3d2188db
SHA256: 68a1fa9a0a9dc5fbd2746b1103dc4ced27824bf12d99c50eedad5b19a3f640de
SHA512: 73d917ec4226de83d4b64e90d1d13243092ab21f43526bba9fbff27674640f2efb92462ba61ada50c9467501cbc12d2e7073a2c59e4b076a378f623430ff0796