Malware Analysis Report

2024-12-07 14:10

Sample ID 241112-c6kr1asjhy
Target 93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe
SHA256 93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef
Tags
vipkeylogger discovery keylogger stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef

Threat Level: Known bad

The file 93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe was found to be: Known bad.

Malicious Activity Summary

vipkeylogger discovery keylogger stealer

VIPKeylogger

Vipkeylogger family

Loads dropped DLL

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-12 02:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-12 02:41

Reported

2024-11-12 02:43

Platform

win7-20240903-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Vipkeylogger family

vipkeylogger

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\resources\gnatty\mataeotechny.gui C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2156 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe
PID 2156 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe
PID 2156 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe
PID 2156 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe
PID 2156 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe
PID 2156 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe

Processes

C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe

"C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe"

C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe

"C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 drive.google.com udp
GB 142.250.187.206:443 drive.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.187.227:80 o.pki.goog tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 172.217.16.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 checkip.dyndns.org udp
US 193.122.130.0:80 checkip.dyndns.org tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.19.117.18:80 crl.microsoft.com tcp

Files

\Users\Admin\AppData\Local\Temp\nsoA2E5.tmp\System.dll

MD5 7399323923e3946fe9140132ac388132
SHA1 728257d06c452449b1241769b459f091aabcffc5
SHA256 5a1c20a3e2e2eb182976977669f2c5d9f3104477e98f74d69d2434e79b92fdc3
SHA512 d6f28ba761351f374ae007c780be27758aea7b9f998e2a88a542eede459d18700adffe71abcb52b8a8c00695efb7ccc280175b5eeb57ca9a645542edfabb64f1

memory/2156-18-0x0000000077621000-0x0000000077722000-memory.dmp

memory/2156-19-0x0000000077620000-0x00000000777C9000-memory.dmp

memory/2840-20-0x0000000077620000-0x00000000777C9000-memory.dmp

memory/2840-40-0x0000000000490000-0x00000000014F2000-memory.dmp

memory/2840-41-0x0000000000490000-0x00000000014F2000-memory.dmp

memory/2840-42-0x0000000000490000-0x00000000004D8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-12 02:41

Reported

2024-11-12 02:43

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Vipkeylogger family

vipkeylogger

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\resources\gnatty\mataeotechny.gui C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe

"C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe"

C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe

"C:\Users\Admin\AppData\Local\Temp\93cd630026182d693fec819abe05948efd94f9249ba58ed590055473e9e951ef.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 800 -ip 800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 800 -s 2288

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
GB 142.250.187.206:443 drive.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.187.227:80 o.pki.goog tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 172.217.16.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 206.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 225.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 checkip.dyndns.org udp
US 193.122.130.0:80 checkip.dyndns.org tcp
US 8.8.8.8:53 0.130.122.193.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nse9CED.tmp\System.dll

MD5 7399323923e3946fe9140132ac388132
SHA1 728257d06c452449b1241769b459f091aabcffc5
SHA256 5a1c20a3e2e2eb182976977669f2c5d9f3104477e98f74d69d2434e79b92fdc3
SHA512 d6f28ba761351f374ae007c780be27758aea7b9f998e2a88a542eede459d18700adffe71abcb52b8a8c00695efb7ccc280175b5eeb57ca9a645542edfabb64f1

memory/4296-18-0x0000000077171000-0x0000000077291000-memory.dmp

memory/4296-20-0x0000000010004000-0x0000000010005000-memory.dmp

memory/4296-19-0x0000000077171000-0x0000000077291000-memory.dmp

memory/800-21-0x00000000771F8000-0x00000000771F9000-memory.dmp

memory/800-22-0x0000000077215000-0x0000000077216000-memory.dmp

memory/800-36-0x0000000077171000-0x0000000077291000-memory.dmp

memory/800-35-0x0000000000490000-0x00000000016E4000-memory.dmp

memory/800-37-0x000000007206E000-0x000000007206F000-memory.dmp

memory/800-38-0x0000000000490000-0x00000000004D8000-memory.dmp

memory/800-39-0x0000000037DC0000-0x0000000038364000-memory.dmp

memory/800-40-0x0000000035990000-0x0000000035A2C000-memory.dmp

memory/800-41-0x0000000072060000-0x0000000072810000-memory.dmp

memory/800-44-0x0000000072060000-0x0000000072810000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-11-12 02:41

Reported

2024-11-12 02:43

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 224

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-11-12 02:41

Reported

2024-11-12 02:43

Platform

win10v2004-20241007-en

Max time kernel

95s

Max time network

141s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 888 wrote to memory of 4404 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 888 wrote to memory of 4404 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 888 wrote to memory of 4404 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4404 -ip 4404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4404 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

N/A