Analysis
max time kernel: 93s
max time network: 204s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 19:03
Static task
static1: 1 signatures
Behavioral task
behavioral1: Sample ViperX.exe, Resource win7-20240903-en, 5 signatures, 150 seconds
Behavioral task
behavioral2: Sample ViperX.exe, Resource win10v2004-20241007-en, 4 signatures, 150 seconds
General
Target: ViperX.exe
Size: 2.4MB
MD5: 192911b0fb520129c8cdf0eed111fb72
SHA1: 4cd807c8e0cd0e196958dd0c9c7b374e5220b859
SHA256: 3c223398b417e25d9299367ef9204894794a5600e6bb6ad6a52837ce9c27c2c8
SHA512: 008fb625896319cf48651e82ae96d01df9aaad09a63b08245e6631c4a4a6c67d5a1f949ec141ccf9f6546358ca91dfab698df8c32063e3df3f1c1d2021c6e935
SSDEEP: 49152:YXcgX/D+npvQOZITYbNbNWo4kSH3OqtwIjkqXfd+/9A3NHR+tkAaJC/:YXcYCJQOZIT4bNJFY3OqtXkqXf0FSJuC
Score: 3/10
Malware Config
Signatures

System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ViperX.exe

Delays execution with timeout.exe (1 IoCs)
pid | Process
2300 | timeout.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1356 | ViperX.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 1356 wrote to memory of 3112 | 1356 | ViperX.exe | 86
PID 1356 wrote to memory of 3112 | 1356 | ViperX.exe | 86
PID 1356 wrote to memory of 3112 | 1356 | ViperX.exe | 86
PID 3112 wrote to memory of 4424 | 3112 | cmd.exe | 88
PID 3112 wrote to memory of 4424 | 3112 | cmd.exe | 88
PID 3112 wrote to memory of 4424 | 3112 | cmd.exe | 88
PID 4424 wrote to memory of 2300 | 4424 | cmd.exe | 90
PID 4424 wrote to memory of 2300 | 4424 | cmd.exe | 90
PID 4424 wrote to memory of 2300 | 4424 | cmd.exe | 90
Processes (tree; each child is indented under its parent)

C:\Users\Admin\AppData\Local\Temp\ViperX.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ViperX.exe"
  PID: 1356
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe" /c start cmd /C "color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Response: {"success":true,"code":68,"message":"Initialized","sessionid":"05d88ed2","appinfo":{"numUsers":"N/A - Use fetchStats() function in latest example","numOnlineUsers":"N/A - Use fetchStats() function in latest example","numKeys":"N/A - Use fetchStats() function in latest example","version":"1.0","customerPanelLink":"https://keyauth.cc/panel/Rayen22/ViperX Project/"},"newSession":true,"nonce":"b62dd3bc-261c-44af-8ab6-c3a9eb52943f","ownerid":"1UYjXQHjss"} && timeout /t 5"
    PID: 3112
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /C "color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Response: {"success":true,"code":68,"message":"Initialized","sessionid":"05d88ed2","appinfo":{"numUsers":"N/A - Use fetchStats() function in latest example","numOnlineUsers":"N/A - Use fetchStats() function in latest example","numKeys":"N/A - Use fetchStats() function in latest example","version":"1.0","customerPanelLink":"https://keyauth.cc/panel/Rayen22/ViperX Project/"},"newSession":true,"nonce":"b62dd3bc-261c-44af-8ab6-c3a9eb52943f","ownerid":"1UYjXQHjss"} && timeout /t 5"
      PID: 4424
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\timeout.exe
        Command line: timeout /t 5
        PID: 2300
        - System Location Discovery: System Language Discovery
        - Delays execution with timeout.exe