Analysis
max time kernel: 119s
max time network: 124s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 03-12-2024 13:06
Static task: static1
Behavioral task: behavioral1 (Sample: NEW90FL0OtSHAz.bat.exe, Resource: win7-20241010-en)
Behavioral task: behavioral2 (Sample: NEW90FL0OtSHAz.bat.exe, Resource: win10v2004-20241007-en)
General
Target: NEW90FL0OtSHAz.bat.exe
Size: 714KB
MD5: 884a8f2e4c08dc7ae2365112da323629
SHA1: 715ca2cd2b469a7db50c1405dbb311cdb2a04b33
SHA256: 42f45b8d26258e4b40387bda1c948fc89e3754d735ed0b69a5baaf02678ab496
SHA512: 8b624003c7f320e5be6a7d672d9919258ac2014a03b3e467a10265a2d661f833ff96f94ac296dd9b248e836b7a105012f3eb453e87e27a0f2828d23973673c24
SSDEEP: 12288:cUyIR4R52J+XtmucV6XShTHbkRV5G6tEIYqAaFbXsq2x9HNQQOLAWfbFQCBIR:cUyIeeRP7hT7kRVsKEIYkFbXsq+FNQQ/
Malware Config
Extracted: vipkeylogger
Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first found in 2020.

Vipkeylogger family
Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid   Process
2676  powershell.exe
2748  powershell.exe
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | NEW90FL0OtSHAz.bat.exe
Key opened | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | NEW90FL0OtSHAz.bat.exe
Key opened | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | NEW90FL0OtSHAz.bat.exe
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
4 | checkip.dyndns.org
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 2828 set thread context of 1844 | 2828 | NEW90FL0OtSHAz.bat.exe | 36
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NEW90FL0OtSHAz.bat.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NEW90FL0OtSHAz.bat.exe
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid   Process
1660  schtasks.exe
Suspicious behavior: EnumeratesProcesses (11 IoCs)
pid   Process
2828  NEW90FL0OtSHAz.bat.exe
2828  NEW90FL0OtSHAz.bat.exe
2828  NEW90FL0OtSHAz.bat.exe
2828  NEW90FL0OtSHAz.bat.exe
2828  NEW90FL0OtSHAz.bat.exe
2828  NEW90FL0OtSHAz.bat.exe
2828  NEW90FL0OtSHAz.bat.exe
1844  NEW90FL0OtSHAz.bat.exe
2748  powershell.exe
2676  powershell.exe
1844  NEW90FL0OtSHAz.bat.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2828 | NEW90FL0OtSHAz.bat.exe
Token: SeDebugPrivilege | 1844 | NEW90FL0OtSHAz.bat.exe
Token: SeDebugPrivilege | 2748 | powershell.exe
Token: SeDebugPrivilege | 2676 | powershell.exe
Suspicious use of WriteProcessMemory (22 IoCs)
description | pid | Process | procid_target
PID 2828 wrote to memory of 2676 | 2828 | NEW90FL0OtSHAz.bat.exe | 30
PID 2828 wrote to memory of 2676 | 2828 | NEW90FL0OtSHAz.bat.exe | 30
PID 2828 wrote to memory of 2676 | 2828 | NEW90FL0OtSHAz.bat.exe | 30
PID 2828 wrote to memory of 2676 | 2828 | NEW90FL0OtSHAz.bat.exe | 30
PID 2828 wrote to memory of 2748 | 2828 | NEW90FL0OtSHAz.bat.exe | 32
PID 2828 wrote to memory of 2748 | 2828 | NEW90FL0OtSHAz.bat.exe | 32
PID 2828 wrote to memory of 2748 | 2828 | NEW90FL0OtSHAz.bat.exe | 32
PID 2828 wrote to memory of 2748 | 2828 | NEW90FL0OtSHAz.bat.exe | 32
PID 2828 wrote to memory of 1660 | 2828 | NEW90FL0OtSHAz.bat.exe | 34
PID 2828 wrote to memory of 1660 | 2828 | NEW90FL0OtSHAz.bat.exe | 34
PID 2828 wrote to memory of 1660 | 2828 | NEW90FL0OtSHAz.bat.exe | 34
PID 2828 wrote to memory of 1660 | 2828 | NEW90FL0OtSHAz.bat.exe | 34
PID 2828 wrote to memory of 1844 | 2828 | NEW90FL0OtSHAz.bat.exe | 36
PID 2828 wrote to memory of 1844 | 2828 | NEW90FL0OtSHAz.bat.exe | 36
PID 2828 wrote to memory of 1844 | 2828 | NEW90FL0OtSHAz.bat.exe | 36
PID 2828 wrote to memory of 1844 | 2828 | NEW90FL0OtSHAz.bat.exe | 36
PID 2828 wrote to memory of 1844 | 2828 | NEW90FL0OtSHAz.bat.exe | 36
PID 2828 wrote to memory of 1844 | 2828 | NEW90FL0OtSHAz.bat.exe | 36
PID 2828 wrote to memory of 1844 | 2828 | NEW90FL0OtSHAz.bat.exe | 36
PID 2828 wrote to memory of 1844 | 2828 | NEW90FL0OtSHAz.bat.exe | 36
PID 2828 wrote to memory of 1844 | 2828 | NEW90FL0OtSHAz.bat.exe | 36
PID 2828 wrote to memory of 1844 | 2828 | NEW90FL0OtSHAz.bat.exe | 36
outlook_office_path (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | NEW90FL0OtSHAz.bat.exe

outlook_win_path (1 IoC)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | NEW90FL0OtSHAz.bat.exe
Processes

C:\Users\Admin\AppData\Local\Temp\NEW90FL0OtSHAz.bat.exe (PID 2828, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEW90FL0OtSHAz.bat.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2676, level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\NEW90FL0OtSHAz.bat.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2748, level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ypLZKtXxGIG.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\schtasks.exe (PID 1660, level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ypLZKtXxGIG" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC699.tmp"
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task

  C:\Users\Admin\AppData\Local\Temp\NEW90FL0OtSHAz.bat.exe (PID 1844, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\NEW90FL0OtSHAz.bat.exe"
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (2)
    Credentials In Files (2)
Downloads

(file path not recorded)
Filesize: 1KB
MD5: 3d700a874ccc697a952b9d1aa3b8e862
SHA1: 74a3497f6d5cf097ea300dba7b86841c6cad0e9d
SHA256: 98f24cc6ac9dbfccbd188fe3939297285f15a87713e1e890303c1a37cfa71e59
SHA512: 4bb7f59577f532b31fdd0b35ebdc10ad34acb4d261782c3859355744424857877c7c46ea75c0ff1596a0e1077ccadbf6161d2ac548ef9612dde6229fcc6772cc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: 2e5284816c8941ca210b9a6d57713069
SHA1: a3a2a40d9452604b4edeba28d2d560b4c46990f6
SHA256: 6c3b92794a78e3deed29d1f64ce5c61fb72182647c6c95721ec0a84e090bbfc6
SHA512: d7ae8b04795be2744a020d2e3f04dd222fa27a269d8d845f589242a20844d3f481b8e5e1b309c24828f56e9435e1fe4180eb6668932eae8828d84441546e7d70