Analysis Overview
SHA256
93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef
Threat Level: Known bad
The file 93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe was found to be: Known bad.
Malicious Activity Summary
VIPKeylogger
Vipkeylogger family
Loads dropped DLL
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-12 02:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-12 02:41
Reported
2024-11-12 02:43
Platform
win7-20240903-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
VIPKeylogger
Vipkeylogger family
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2156 set thread context of 2840 | N/A | C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe | C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\resources\gnatty\mataeotechny.gui | C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe
"C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe"
C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe
"C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 142.250.187.206:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 142.250.187.227:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 172.217.16.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| US | 193.122.130.0:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.117.18:80 | crl.microsoft.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\nsoA2E5.tmp\System.dll
| MD5 | 7399323923e3946fe9140132ac388132 |
| SHA1 | 728257d06c452449b1241769b459f091aabcffc5 |
| SHA256 | 5a1c20a3e2e2eb182976977669f2c5d9f3104477e98f74d69d2434e79b92fdc3 |
| SHA512 | d6f28ba761351f374ae007c780be27758aea7b9f998e2a88a542eede459d18700adffe71abcb52b8a8c00695efb7ccc280175b5eeb57ca9a645542edfabb64f1 |
memory/2156-18-0x0000000077621000-0x0000000077722000-memory.dmp
memory/2156-19-0x0000000077620000-0x00000000777C9000-memory.dmp
memory/2840-20-0x0000000077620000-0x00000000777C9000-memory.dmp
memory/2840-40-0x0000000000490000-0x00000000014F2000-memory.dmp
memory/2840-41-0x0000000000490000-0x00000000014F2000-memory.dmp
memory/2840-42-0x0000000000490000-0x00000000004D8000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-12 02:41
Reported
2024-11-12 02:43
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
139s
Command Line
Signatures
VIPKeylogger
Vipkeylogger family
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4296 set thread context of 800 | N/A | C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe | C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\resources\gnatty\mataeotechny.gui | C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe
"C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe"
C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe
"C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 800 -ip 800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 800 -s 2288
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 142.250.187.206:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 142.250.187.227:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 172.217.16.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 206.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| US | 193.122.130.0:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | 0.130.122.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nse9CED.tmp\System.dll
| MD5 | 7399323923e3946fe9140132ac388132 |
| SHA1 | 728257d06c452449b1241769b459f091aabcffc5 |
| SHA256 | 5a1c20a3e2e2eb182976977669f2c5d9f3104477e98f74d69d2434e79b92fdc3 |
| SHA512 | d6f28ba761351f374ae007c780be27758aea7b9f998e2a88a542eede459d18700adffe71abcb52b8a8c00695efb7ccc280175b5eeb57ca9a645542edfabb64f1 |
memory/4296-18-0x0000000077171000-0x0000000077291000-memory.dmp
memory/4296-20-0x0000000010004000-0x0000000010005000-memory.dmp
memory/4296-19-0x0000000077171000-0x0000000077291000-memory.dmp
memory/800-21-0x00000000771F8000-0x00000000771F9000-memory.dmp
memory/800-22-0x0000000077215000-0x0000000077216000-memory.dmp
memory/800-36-0x0000000077171000-0x0000000077291000-memory.dmp
memory/800-35-0x0000000000490000-0x00000000016E4000-memory.dmp
memory/800-37-0x000000007206E000-0x000000007206F000-memory.dmp
memory/800-38-0x0000000000490000-0x00000000004D8000-memory.dmp
memory/800-39-0x0000000037DC0000-0x0000000038364000-memory.dmp
memory/800-40-0x0000000035990000-0x0000000035A2C000-memory.dmp
memory/800-41-0x0000000072060000-0x0000000072810000-memory.dmp
memory/800-44-0x0000000072060000-0x0000000072810000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-11-12 02:41
Reported
2024-11-12 02:43
Platform
win7-20240903-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 224
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-11-12 02:41
Reported
2024-11-12 02:43
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
141s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 888 wrote to memory of 4404 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 888 wrote to memory of 4404 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 888 wrote to memory of 4404 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4404 -ip 4404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |