Analysis
-
max time kernel
141s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
12-11-2024 06:35
Static task
static1
Behavioral task
behavioral1
Sample
Snurrevoddenes.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Snurrevoddenes.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
General
-
Target
Snurrevoddenes.exe
-
Size
814KB
-
MD5
4d05eac9c30331683fe59038aba0d873
-
SHA1
683812ee2e76037ac4cf1ad0858778fcea44bad6
-
SHA256
be0b05580938cea205cb3e035bf9f814327b30a59ea80bae55255530519d1fcd
-
SHA512
eb9f3cd33ee8fd311da446041450a62be3cdcae02c34fd01c2610355fa87795c77e2d0b8fc3208cbf699838f30a1160c6b1f81b20dd68c4fe2a2809ee5bae0a8
-
SSDEEP
24576:jvYV0HT73uFB1vuQoj5RvdulhTzGB/bNlVC7t:cOzaYQmZ5FNlVg
Malware Config
Extracted
vipkeylogger
https://api.telegram.org/bot8177184706:AAEJ0_bPTtjIc-PnjNdYNmARZ2fvBD17ZJI/sendMessage?chat_id=6198188190
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Vipkeylogger family
-
Loads dropped DLL 1 IoCs
Processes:
Snurrevoddenes.exepid Process 1848 Snurrevoddenes.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
Snurrevoddenes.exedescription ioc Process Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Snurrevoddenes.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Snurrevoddenes.exe Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Snurrevoddenes.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Snurrevoddenes.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Stavemaaden = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Milkhouse180\\Lgehjlp.exe" Snurrevoddenes.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 23 checkip.dyndns.org -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes:
Snurrevoddenes.exepid Process 1996 Snurrevoddenes.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
Snurrevoddenes.exeSnurrevoddenes.exepid Process 1848 Snurrevoddenes.exe 1996 Snurrevoddenes.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Snurrevoddenes.exedescription pid Process procid_target PID 1848 set thread context of 1996 1848 Snurrevoddenes.exe 93 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Snurrevoddenes.exeSnurrevoddenes.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Snurrevoddenes.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Snurrevoddenes.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
Snurrevoddenes.exepid Process 1996 Snurrevoddenes.exe 1996 Snurrevoddenes.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
Snurrevoddenes.exepid Process 1848 Snurrevoddenes.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Snurrevoddenes.exedescription pid Process Token: SeDebugPrivilege 1996 Snurrevoddenes.exe -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
Snurrevoddenes.exedescription pid Process procid_target PID 1848 wrote to memory of 1996 1848 Snurrevoddenes.exe 93 PID 1848 wrote to memory of 1996 1848 Snurrevoddenes.exe 93 PID 1848 wrote to memory of 1996 1848 Snurrevoddenes.exe 93 PID 1848 wrote to memory of 1996 1848 Snurrevoddenes.exe 93 PID 1848 wrote to memory of 1996 1848 Snurrevoddenes.exe 93 -
outlook_office_path 1 IoCs
Processes:
Snurrevoddenes.exedescription ioc Process Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Snurrevoddenes.exe -
outlook_win_path 1 IoCs
Processes:
Snurrevoddenes.exedescription ioc Process Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Snurrevoddenes.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Snurrevoddenes.exe"C:\Users\Admin\AppData\Local\Temp\Snurrevoddenes.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Users\Admin\AppData\Local\Temp\Snurrevoddenes.exe"C:\Users\Admin\AppData\Local\Temp\Snurrevoddenes.exe"2⤵
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1996
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD5fc90dfb694d0e17b013d6f818bce41b0
SHA13243969886d640af3bfa442728b9f0dff9d5f5b0
SHA2567fe77ca13121a113c59630a3dba0c8aaa6372e8082393274da8f8608c4ce4528
SHA512324f13aa7a33c6408e2a57c3484d1691ecee7c3c1366de2bb8978c8dc66b18425d8cab5a32d1702c13c43703e36148a022263de7166afdce141da2b01169f1c6