Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
09/11/2024, 19:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ViperX.exe
Resource
win7-20240903-en
5 signatures
150 seconds
Behavioral task
behavioral2
Sample
ViperX.exe
Resource
win10v2004-20241007-en
4 signatures
150 seconds
General
-
Target
ViperX.exe
-
Size
2.4MB
-
MD5
192911b0fb520129c8cdf0eed111fb72
-
SHA1
4cd807c8e0cd0e196958dd0c9c7b374e5220b859
-
SHA256
3c223398b417e25d9299367ef9204894794a5600e6bb6ad6a52837ce9c27c2c8
-
SHA512
008fb625896319cf48651e82ae96d01df9aaad09a63b08245e6631c4a4a6c67d5a1f949ec141ccf9f6546358ca91dfab698df8c32063e3df3f1c1d2021c6e935
-
SSDEEP
49152:YXcgX/D+npvQOZITYbNbNWo4kSH3OqtwIjkqXfd+/9A3NHR+tkAaJC/:YXcYCJQOZIT4bNJFY3OqtXkqXf0FSJuC
Score
3/10
Malware Config
Signatures
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ViperX.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language timeout.exe -
Delays execution with timeout.exe 1 IoCs
pid Process 2752 timeout.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 ViperX.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 ViperX.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1696 ViperX.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1696 wrote to memory of 2536 1696 ViperX.exe 30 PID 1696 wrote to memory of 2536 1696 ViperX.exe 30 PID 1696 wrote to memory of 2536 1696 ViperX.exe 30 PID 1696 wrote to memory of 2536 1696 ViperX.exe 30 PID 2536 wrote to memory of 2276 2536 cmd.exe 32 PID 2536 wrote to memory of 2276 2536 cmd.exe 32 PID 2536 wrote to memory of 2276 2536 cmd.exe 32 PID 2536 wrote to memory of 2276 2536 cmd.exe 32 PID 2276 wrote to memory of 2752 2276 cmd.exe 34 PID 2276 wrote to memory of 2752 2276 cmd.exe 34 PID 2276 wrote to memory of 2752 2276 cmd.exe 34 PID 2276 wrote to memory of 2752 2276 cmd.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\ViperX.exe"C:\Users\Admin\AppData\Local\Temp\ViperX.exe"1⤵
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c start cmd /C "color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Response: {"success":true,"code":68,"message":"Initialized","sessionid":"bffbba5d","appinfo":{"numUsers":"N/A - Use fetchStats() function in latest example","numOnlineUsers":"N/A - Use fetchStats() function in latest example","numKeys":"N/A - Use fetchStats() function in latest example","version":"1.0","customerPanelLink":"https://keyauth.cc/panel/Rayen22/ViperX Project/"},"newSession":true,"nonce":"8fb390e1-95c2-4568-9d6a-43a2683a82de","ownerid":"1UYjXQHjss"} && timeout /t 5"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\cmd.execmd /C "color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Response: {"success":true,"code":68,"message":"Initialized","sessionid":"bffbba5d","appinfo":{"numUsers":"N/A - Use fetchStats() function in latest example","numOnlineUsers":"N/A - Use fetchStats() function in latest example","numKeys":"N/A - Use fetchStats() function in latest example","version":"1.0","customerPanelLink":"https://keyauth.cc/panel/Rayen22/ViperX Project/"},"newSession":true,"nonce":"8fb390e1-95c2-4568-9d6a-43a2683a82de","ownerid":"1UYjXQHjss"} && timeout /t 5"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\timeout.exetimeout /t 54⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
PID:2752
-
-
-