Overview

overview

10

Static

static

3

DHL Delive...om.exe

windows7-x64

10

DHL Delive...om.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-11-2024 07:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DHL Delivery Invoice.com.exe

  • Size

    784KB

  • MD5

    f45d95d9be611f61ba9f193ea4676eae

  • SHA1

    8cf82904cb76d2476b5ff36b9072c65b5c414ede

  • SHA256

    e3d34efa98ab95227b84ed48a65ce73b3875f3c0ceaab5ac821fdecb37392eb9

  • SHA512

    4f0597df3e489d6ef23432a7321542ff08965a5fa93198c039e005a86dcdaa9abb60eae484c9cac949fa9d2db6d7548f797af73a6fd8f5bd20ee1a836258aedf

  • SSDEEP

    24576:A5CJVwLNNNizk+m0v5C8IomqxL8q0A9O6y:AY6vNmm0v5Tv/8m9y

Score
10/10
vipkeyloggercollectiondiscoveryexecutionkeyloggerspywarestealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    stealerkeyloggervipkeylogger
  • Vipkeylogger family
    vipkeylogger
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DHL Delivery Invoice.com.exe
    "C:\Users\Admin\AppData\Local\Temp\DHL Delivery Invoice.com.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4380
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\DHL Delivery Invoice.com.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4352
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KZgaxkBH.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2636
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KZgaxkBH" /XML "C:\Users\Admin\AppData\Local\Temp\tmp356.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:1820
    • C:\Users\Admin\AppData\Local\Temp\DHL Delivery Invoice.com.exe
      "C:\Users\Admin\AppData\Local\Temp\DHL Delivery Invoice.com.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:1772

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    968cb9309758126772781b83adb8a28f

    SHA1

    8da30e71accf186b2ba11da1797cf67f8f78b47c

    SHA256

    92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

    SHA512

    4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    39606aa58f7b066d3ac30532f33e1af0

    SHA1

    14587969820cd731f561c31195569e2a364a49ee

    SHA256

    2b42aab0c37188644bed598d31b618274e4ab8208235df645afff0ccf769b631

    SHA512

    d7251c01eea79a6a06526b4c6758cae128530d3d21e149ce0389b66ca317d92ec201298b9403cffcaef37f4e1f27cc3d813ae6f1d87b05bb50cc792b118a9f39

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ly4r4azf.0hj.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp356.tmp
    Filesize

    1KB

    MD5

    d3970cd4bae82f18b32078e3b9b3e571

    SHA1

    6a718ae6ac7ddcbcc38ed0ffcf20ace519437767

    SHA256

    c636ec0ecdc5574ae9e74e0ac71a85a584118774cd060f757c877524632b970e

    SHA512

    8b9586ca07aa066416119f596022a817929682fa44fdb7dc791b64cf2dc365f216e79017018345f0492b79d32c26e1b383ddfad0762c738ee3945d9fb161c885

    Download Submit

  • memory/1772-90-0x0000000006F30000-0x00000000070F2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1772-91-0x0000000006DB0000-0x0000000006E00000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1772-46-0x0000000000400000-0x0000000000448000-memory.dmp

    Filesize

    288KB

    Download

  • memory/1772-92-0x0000000007A00000-0x0000000007F2C000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/2636-89-0x0000000074680000-0x0000000074E30000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2636-82-0x0000000007C20000-0x0000000007C28000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2636-64-0x000000006FBE0000-0x000000006FC2C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2636-45-0x0000000074680000-0x0000000074E30000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2636-31-0x0000000074680000-0x0000000074E30000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2636-25-0x0000000005FC0000-0x0000000006314000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2636-19-0x0000000074680000-0x0000000074E30000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4352-17-0x00000000057E0000-0x0000000005E08000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/4352-80-0x0000000007BA0000-0x0000000007BB4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/4352-21-0x0000000005570000-0x0000000005592000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4352-23-0x0000000005FF0000-0x0000000006056000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4352-22-0x0000000005E10000-0x0000000005E76000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4352-24-0x0000000074680000-0x0000000074E30000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4352-16-0x0000000074680000-0x0000000074E30000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4352-88-0x0000000074680000-0x0000000074E30000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4352-15-0x0000000005070000-0x00000000050A6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/4352-81-0x0000000007CA0000-0x0000000007CBA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4352-18-0x0000000074680000-0x0000000074E30000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4352-47-0x0000000006610000-0x000000000662E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4352-79-0x0000000007B90000-0x0000000007B9E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4352-49-0x0000000006BC0000-0x0000000006C0C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4352-52-0x000000006FBE0000-0x000000006FC2C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4352-51-0x0000000007600000-0x0000000007632000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4352-62-0x00000000075C0000-0x00000000075DE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4352-63-0x0000000007640000-0x00000000076E3000-memory.dmp

    Filesize

    652KB

    Download

  • memory/4352-78-0x0000000007B60000-0x0000000007B71000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4352-75-0x0000000007960000-0x000000000797A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4352-74-0x0000000007FA0000-0x000000000861A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4352-76-0x00000000079D0000-0x00000000079DA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4352-77-0x0000000007BE0000-0x0000000007C76000-memory.dmp

    Filesize

    600KB

    Download

  • memory/4380-8-0x000000007468E000-0x000000007468F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4380-50-0x0000000074680000-0x0000000074E30000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4380-9-0x0000000074680000-0x0000000074E30000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4380-10-0x0000000008DE0000-0x0000000008E6E000-memory.dmp

    Filesize

    568KB

    Download

  • memory/4380-7-0x0000000005C40000-0x0000000005C52000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4380-6-0x0000000074680000-0x0000000074E30000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4380-5-0x0000000005980000-0x000000000598A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4380-4-0x0000000005A90000-0x0000000005B2C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4380-0-0x000000007468E000-0x000000007468F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4380-3-0x00000000059F0000-0x0000000005A82000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4380-2-0x0000000005F00000-0x00000000064A4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4380-1-0x0000000000EC0000-0x0000000000F8A000-memory.dmp

    Filesize

    808KB

    Download