Overview

overview

10

Static

static

3

DHL Delive...om.exe

windows7-x64

10

DHL Delive...om.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    14-11-2024 07:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DHL Delivery Invoice.com.exe

  • Size

    784KB

  • MD5

    f45d95d9be611f61ba9f193ea4676eae

  • SHA1

    8cf82904cb76d2476b5ff36b9072c65b5c414ede

  • SHA256

    e3d34efa98ab95227b84ed48a65ce73b3875f3c0ceaab5ac821fdecb37392eb9

  • SHA512

    4f0597df3e489d6ef23432a7321542ff08965a5fa93198c039e005a86dcdaa9abb60eae484c9cac949fa9d2db6d7548f797af73a6fd8f5bd20ee1a836258aedf

  • SSDEEP

    24576:A5CJVwLNNNizk+m0v5C8IomqxL8q0A9O6y:AY6vNmm0v5Tv/8m9y

Score
10/10
vipkeyloggercollectiondiscoveryexecutionkeyloggerspywarestealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    stealerkeyloggervipkeylogger
  • Vipkeylogger family
    vipkeylogger
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DHL Delivery Invoice.com.exe
    "C:\Users\Admin\AppData\Local\Temp\DHL Delivery Invoice.com.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2824
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\DHL Delivery Invoice.com.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2392
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KZgaxkBH.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2172
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KZgaxkBH" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEE93.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:480
    • C:\Users\Admin\AppData\Local\Temp\DHL Delivery Invoice.com.exe
      "C:\Users\Admin\AppData\Local\Temp\DHL Delivery Invoice.com.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:2768

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpEE93.tmp
    Filesize

    1KB

    MD5

    9c8aa8faf0a185d0c258446e37d45b74

    SHA1

    6e82dc448a0812d48ea52f4f1db8489a85bad4b8

    SHA256

    d5e8f9d8c79a6875df3b499d9079970718d25e5fd9c95440be40312067c1679d

    SHA512

    e66b0e93ae71d9d256d5b6ccc381e4496c6db03bcddeba8fe98699dc66e8c1b8e489e4f5205718bd663e9b045b3bf883f8ed9773ce4829ccbde75a0f8b6614fb

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    796efcb8db746c80facfac689ab05a56

    SHA1

    35cf48d807a5cb7c386bcbeefb60bec3e0db185f

    SHA256

    25012bf4d8fc981aafdd01665a808f8aecfc316e4d8363b295dc2d06a17dd868

    SHA512

    645b85c293ba2b9cf5161cf8ab4f63fdbd3f35b645d2bba0f68e33a4563abfc654406232d6d98852488b99cfc51fa76c1a32c2f20343e0b1aecf9966410dfde7

    Download Submit

  • memory/2768-30-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

    Download

  • memory/2768-19-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

    Download

  • memory/2768-23-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

    Download

  • memory/2768-25-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

    Download

  • memory/2768-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2768-29-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

    Download

  • memory/2768-28-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

    Download

  • memory/2768-21-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

    Download

  • memory/2824-6-0x0000000005DA0000-0x0000000005E2E000-memory.dmp

    Filesize

    568KB

    Download

  • memory/2824-1-0x0000000000940000-0x0000000000A0A000-memory.dmp

    Filesize

    808KB

    Download

  • memory/2824-0-0x0000000073C3E000-0x0000000073C3F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2824-2-0x0000000073C30000-0x000000007431E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2824-3-0x00000000003A0000-0x00000000003B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2824-5-0x0000000073C30000-0x000000007431E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2824-4-0x0000000073C3E000-0x0000000073C3F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2824-31-0x0000000073C30000-0x000000007431E000-memory.dmp

    Filesize

    6.9MB

    Download