Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05-12-2024 17:02

General

  • Target

    e4ee3b0145b6c859815fd11a158334d23fdb015f4d225ed6e0dae2a4a7c82777.exe

  • Size

    646KB

  • MD5

    34e3967c8143fb8822936f1a463b72df

  • SHA1

    ddd217ba236011c11af70a60e5942f345cc5039a

  • SHA256

    e4ee3b0145b6c859815fd11a158334d23fdb015f4d225ed6e0dae2a4a7c82777

  • SHA512

    4e1633b036e3dfe3405f6580903a938a7f6b43848e4408e2573478b4172e2236ccff8683f982c22cf2a70bf56c9967395ef7c7a5dd58a29cdf244aaa796dcc68

  • SSDEEP

    12288:wOv5jKhsfoPA+yeVKUCUxP4C902bdRtJJPiOHGu+4EIppaL+YQRUXi1h5QryNnts:wq5TfcdHj4fmboOci0kPNnmN

Malware Config

Extracted

Family

vipkeylogger

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and information stealer written in C#. It resembles Snake Keylogger, which was first observed in 2020.

  • Vipkeylogger family
  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 5 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX, or with a modified build of the open-source UPX packer.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs
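The two static signatures above (UPX packed file, AutoIT Executable) can be reproduced on the sample itself without running it. The following is an added example, not part of the sandbox report and not the sandbox's own detection code: it walks the PE section table looking for the default UPX section names and scans the whole file for the `AU3!EA06` marker that AutoIt v3's compiler places in front of the embedded script. The `build_fake_pe` fixture is constructed here purely so the block runs offline; the real check is `triage(open(path, "rb").read())` on the file whose hashes are listed under General.

```python
import struct
import sys

# Magic that precedes the embedded script in executables built by AutoIt v3's compiler.
AUTOIT_MARKER = b"AU3!EA06"
# Default section names emitted by stock UPX; a modified build may rename them.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def pe_section_names(data: bytes):
    """Return the section names from the PE section table, or None if data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER follows the signature
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size                           # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + 40 * i                               # IMAGE_SECTION_HEADER is 40 bytes, name first
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def triage(data: bytes) -> dict:
    """Static checks matching the report's 'UPX packed file' and 'AutoIT Executable' signatures."""
    names = pe_section_names(data)
    return {
        "is_pe": names is not None,
        "sections": names or [],
        "upx_sections": [n for n in (names or []) if n in UPX_SECTION_NAMES],
        "autoit_marker": AUTOIT_MARKER in data,
    }


def build_fake_pe(section_names, overlay: bytes = b"") -> bytes:
    """Constructed fixture: a minimal, non-runnable PE with the given section table and trailing bytes."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # IMAGE_FILE_HEADER: Machine=i386, NumberOfSections, timestamp, symtab ptr, nsyms,
    # SizeOfOptionalHeader=0 (no optional header in the fixture), Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + sections + overlay


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(triage(fh.read()))
    else:
        sample = build_fake_pe([b"UPX0", b"UPX1", b".rsrc"], b"\0" * 16 + AUTOIT_MARKER)
        print(triage(sample))
```

Two caveats a practitioner should keep in mind: a modified UPX (which the signature explicitly covers) can rename the sections, so an empty `upx_sections` list is not evidence that the file is unpacked, and the AutoIt marker usually sits in a resource or the overlay rather than in a section, which is why the scan covers the whole file rather than the section table.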

Processes

  • C:\Users\Admin\AppData\Local\Temp\e4ee3b0145b6c859815fd11a158334d23fdb015f4d225ed6e0dae2a4a7c82777.exe
    "C:\Users\Admin\AppData\Local\Temp\e4ee3b0145b6c859815fd11a158334d23fdb015f4d225ed6e0dae2a4a7c82777.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4636
    • C:\Users\Admin\AppData\Local\stickers\juvenile.exe
      "C:\Users\Admin\AppData\Local\Temp\e4ee3b0145b6c859815fd11a158334d23fdb015f4d225ed6e0dae2a4a7c82777.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2804
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\e4ee3b0145b6c859815fd11a158334d23fdb015f4d225ed6e0dae2a4a7c82777.exe"
        3⤵
          PID:4384
        • C:\Users\Admin\AppData\Local\stickers\juvenile.exe
          "C:\Users\Admin\AppData\Local\stickers\juvenile.exe"
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:900
          • C:\Windows\SysWOW64\svchost.exe
            "C:\Users\Admin\AppData\Local\stickers\juvenile.exe"
            4⤵
            • Accesses Microsoft Outlook profiles
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • outlook_office_path
            • outlook_win_path
            PID:2960
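The tree above shows the classic process-hollowing shape: PID 900 (juvenile.exe) is flagged for SetThreadContext and WriteProcessMemory, and the two 32-bit svchost.exe instances it and its parent create (PIDs 4384 and 2960) run with the command line of a different executable, because the hollowed process inherits the creator's chosen command line while its image is replaced in memory. The block below is an added example, not part of the sandbox report and not its detection logic: it encodes those two tells as rules over process-creation events. The `EVENTS` list is constructed from the tree in the report; the report does not show the parent of PID 4636, so `ppid` 0 stands in for the unknown parent.

```python
import ntpath

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\e4ee3b0145b6c859815fd11a158334d23fdb015f4d225ed6e0dae2a4a7c82777.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\stickers\juvenile.exe"
SVCHOST32 = r"C:\Windows\SysWOW64\svchost.exe"

# Process-creation events reconstructed from the report's process tree (constructed input, not raw sandbox logs).
EVENTS = [
    {"pid": 4636, "ppid": 0,    "image": SAMPLE,    "cmdline": f'"{SAMPLE}"'},
    {"pid": 2804, "ppid": 4636, "image": DROPPED,   "cmdline": f'"{SAMPLE}"'},
    {"pid": 4384, "ppid": 2804, "image": SVCHOST32, "cmdline": f'"{SAMPLE}"'},
    {"pid": 900,  "ppid": 2804, "image": DROPPED,   "cmdline": f'"{DROPPED}"'},
    {"pid": 2960, "ppid": 900,  "image": SVCHOST32, "cmdline": f'"{DROPPED}"'},
]


def first_token(cmdline: str) -> str:
    """Return the executable token of a Windows command line, honouring a quoted first argument."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(" ", 1)[0]


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def hollowing_candidates(events):
    """Flag processes whose image does not match their command line, and svchost.exe
    instances not started by services.exe. Returns a list of (pid, reason)."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        img = basename(e["image"])
        cmd_img = basename(first_token(e["cmdline"]))
        parent = by_pid.get(e["ppid"])
        parent_img = basename(parent["image"]) if parent else None
        if img != cmd_img:
            # Hollowed children keep the command line the creator passed to CreateProcess,
            # which here names the dropper rather than svchost.exe.
            findings.append((e["pid"], f"image {img} started with the command line of {cmd_img}"))
        if img == "svchost.exe" and parent_img != "services.exe":
            # Legitimate service hosts are always children of services.exe.
            findings.append((e["pid"], f"svchost.exe spawned by {parent_img or 'unknown'} instead of services.exe"))
    return findings


if __name__ == "__main__":
    for pid, reason in hollowing_candidates(EVENTS):
        print(f"PID {pid}: {reason}")
```

Run against the constructed events, the rules flag PIDs 2804, 4384 and 2960 and leave 4636 and 900 alone; 2804 is caught because the dropped copy is executed with the original sample's command line, exactly as the tree records. On real telemetry (Sysmon Event ID 1, for example) the command-line rule should be paired with the parent check, since installers and updaters legitimately launch helpers with odd command lines but never produce an svchost.exe outside services.exe.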

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\autBB41.tmp

      Filesize

      202KB

      MD5

      de5fce3585b77aa715056dc91d0529c5

      SHA1

      d6ad461bc4af90ee8e567cffeb0e8de04f38f149

      SHA256

      4430dc7364a325da5a9f30acd015e19179d8650d61f5eb26a92e26518d4a7001

      SHA512

      de7f6eb4836295a1ae479a02037c409e1fd383cc23424f33e0cc24aa9a495308659f97396b4880f48b50678e5af8b70a2814b9e1df506b6d3318d237a82b85aa

    • C:\Users\Admin\AppData\Local\Temp\recomplete

      Filesize

      203KB

      MD5

      004342bff4643c4e466635fb48796bf2

      SHA1

      0264461a4a53fba318714fc2c14732c435abc0dd

      SHA256

      24daf9c73dc4beb4f9215dc571b05a39a19b45719fb60e0fb82af9071a91ff00

      SHA512

      ef0c340ec0d6c818127041319746e8f0368e91e58a44a362985e9f45deaf447a1f52924607dffb82b964897877fd46295207d24c20c2adb35b9f4fe23971c9b0

    • C:\Users\Admin\AppData\Local\stickers\juvenile.exe

      Filesize

      646KB

      MD5

      34e3967c8143fb8822936f1a463b72df

      SHA1

      ddd217ba236011c11af70a60e5942f345cc5039a

      SHA256

      e4ee3b0145b6c859815fd11a158334d23fdb015f4d225ed6e0dae2a4a7c82777

      SHA512

      4e1633b036e3dfe3405f6580903a938a7f6b43848e4408e2573478b4172e2236ccff8683f982c22cf2a70bf56c9967395ef7c7a5dd58a29cdf244aaa796dcc68

    • memory/900-38-0x00000000007C0000-0x0000000000935000-memory.dmp

      Filesize

      1.5MB

    • memory/900-35-0x0000000001180000-0x0000000001580000-memory.dmp

      Filesize

      4.0MB

    • memory/900-25-0x00000000007C0000-0x0000000000935000-memory.dmp

      Filesize

      1.5MB

    • memory/2804-14-0x00000000007C0000-0x0000000000935000-memory.dmp

      Filesize

      1.5MB

    • memory/2804-22-0x0000000000F10000-0x0000000001310000-memory.dmp

      Filesize

      4.0MB

    • memory/2804-27-0x00000000007C0000-0x0000000000935000-memory.dmp

      Filesize

      1.5MB

    • memory/2960-39-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

    • memory/2960-43-0x0000000005700000-0x000000000574E000-memory.dmp

      Filesize

      312KB

    • memory/2960-36-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

    • memory/2960-50-0x0000000006B90000-0x0000000006B9A000-memory.dmp

      Filesize

      40KB

    • memory/2960-49-0x0000000006DC0000-0x0000000006E52000-memory.dmp

      Filesize

      584KB

    • memory/2960-37-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

    • memory/2960-40-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

    • memory/2960-41-0x0000000005640000-0x0000000005690000-memory.dmp

      Filesize

      320KB

    • memory/2960-42-0x0000000005FB0000-0x0000000006554000-memory.dmp

      Filesize

      5.6MB

    • memory/2960-48-0x0000000000400000-0x0000000000437000-memory.dmp

      Filesize

      220KB

    • memory/2960-44-0x0000000005A00000-0x0000000005A9C000-memory.dmp

      Filesize

      624KB

    • memory/2960-47-0x0000000006A90000-0x0000000006AE0000-memory.dmp

      Filesize

      320KB

    • memory/2960-46-0x0000000006BF0000-0x0000000006DB2000-memory.dmp

      Filesize

      1.8MB

    • memory/4636-45-0x0000000001A10000-0x0000000001E10000-memory.dmp

      Filesize

      4.0MB

    • memory/4636-13-0x0000000000EC0000-0x0000000001035000-memory.dmp

      Filesize

      1.5MB

    • memory/4636-7-0x0000000001A10000-0x0000000001E10000-memory.dmp

      Filesize

      4.0MB

    • memory/4636-0-0x0000000000EC0000-0x0000000001035000-memory.dmp

      Filesize

      1.5MB