Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
05-12-2024 17:02
Behavioral task
behavioral1
Sample
e4ee3b0145b6c859815fd11a158334d23fdb015f4d225ed6e0dae2a4a7c82777.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e4ee3b0145b6c859815fd11a158334d23fdb015f4d225ed6e0dae2a4a7c82777.exe
Resource
win10v2004-20241007-en
General
-
Target
e4ee3b0145b6c859815fd11a158334d23fdb015f4d225ed6e0dae2a4a7c82777.exe
-
Size
646KB
-
MD5
34e3967c8143fb8822936f1a463b72df
-
SHA1
ddd217ba236011c11af70a60e5942f345cc5039a
-
SHA256
e4ee3b0145b6c859815fd11a158334d23fdb015f4d225ed6e0dae2a4a7c82777
-
SHA512
4e1633b036e3dfe3405f6580903a938a7f6b43848e4408e2573478b4172e2236ccff8683f982c22cf2a70bf56c9967395ef7c7a5dd58a29cdf244aaa796dcc68
-
SSDEEP
12288:wOv5jKhsfoPA+yeVKUCUxP4C902bdRtJJPiOHGu+4EIppaL+YQRUXi1h5QryNnts:wq5TfcdHj4fmboOci0kPNnmN
Malware Config
Extracted
vipkeylogger
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Vipkeylogger family
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\juvenile.vbs juvenile.exe -
Executes dropped EXE 2 IoCs
pid Process 2804 juvenile.exe 900 juvenile.exe -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 svchost.exe Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 svchost.exe Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 svchost.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 14 checkip.dyndns.org -
AutoIT Executable 5 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/4636-13-0x0000000000EC0000-0x0000000001035000-memory.dmp autoit_exe behavioral2/memory/2804-22-0x0000000000F10000-0x0000000001310000-memory.dmp autoit_exe behavioral2/memory/2804-27-0x00000000007C0000-0x0000000000935000-memory.dmp autoit_exe behavioral2/memory/900-35-0x0000000001180000-0x0000000001580000-memory.dmp autoit_exe behavioral2/memory/900-38-0x00000000007C0000-0x0000000000935000-memory.dmp autoit_exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 900 set thread context of 2960 900 juvenile.exe 86 -
resource yara_rule behavioral2/memory/4636-0-0x0000000000EC0000-0x0000000001035000-memory.dmp upx behavioral2/files/0x0007000000023ca3-10.dat upx behavioral2/memory/2804-14-0x00000000007C0000-0x0000000000935000-memory.dmp upx behavioral2/memory/4636-13-0x0000000000EC0000-0x0000000001035000-memory.dmp upx behavioral2/memory/900-25-0x00000000007C0000-0x0000000000935000-memory.dmp upx behavioral2/memory/2804-27-0x00000000007C0000-0x0000000000935000-memory.dmp upx behavioral2/memory/900-38-0x00000000007C0000-0x0000000000935000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e4ee3b0145b6c859815fd11a158334d23fdb015f4d225ed6e0dae2a4a7c82777.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language juvenile.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language juvenile.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2960 svchost.exe 2960 svchost.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 2804 juvenile.exe 900 juvenile.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2960 svchost.exe -
Suspicious use of FindShellTrayWindow 6 IoCs
pid Process 4636 e4ee3b0145b6c859815fd11a158334d23fdb015f4d225ed6e0dae2a4a7c82777.exe 4636 e4ee3b0145b6c859815fd11a158334d23fdb015f4d225ed6e0dae2a4a7c82777.exe 2804 juvenile.exe 2804 juvenile.exe 900 juvenile.exe 900 juvenile.exe -
Suspicious use of SendNotifyMessage 6 IoCs
pid Process 4636 e4ee3b0145b6c859815fd11a158334d23fdb015f4d225ed6e0dae2a4a7c82777.exe 4636 e4ee3b0145b6c859815fd11a158334d23fdb015f4d225ed6e0dae2a4a7c82777.exe 2804 juvenile.exe 2804 juvenile.exe 900 juvenile.exe 900 juvenile.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 4636 wrote to memory of 2804 4636 e4ee3b0145b6c859815fd11a158334d23fdb015f4d225ed6e0dae2a4a7c82777.exe 83 PID 4636 wrote to memory of 2804 4636 e4ee3b0145b6c859815fd11a158334d23fdb015f4d225ed6e0dae2a4a7c82777.exe 83 PID 4636 wrote to memory of 2804 4636 e4ee3b0145b6c859815fd11a158334d23fdb015f4d225ed6e0dae2a4a7c82777.exe 83 PID 2804 wrote to memory of 4384 2804 juvenile.exe 84 PID 2804 wrote to memory of 4384 2804 juvenile.exe 84 PID 2804 wrote to memory of 4384 2804 juvenile.exe 84 PID 2804 wrote to memory of 900 2804 juvenile.exe 85 PID 2804 wrote to memory of 900 2804 juvenile.exe 85 PID 2804 wrote to memory of 900 2804 juvenile.exe 85 PID 900 wrote to memory of 2960 900 juvenile.exe 86 PID 900 wrote to memory of 2960 900 juvenile.exe 86 PID 900 wrote to memory of 2960 900 juvenile.exe 86 PID 900 wrote to memory of 2960 900 juvenile.exe 86 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 svchost.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e4ee3b0145b6c859815fd11a158334d23fdb015f4d225ed6e0dae2a4a7c82777.exe"C:\Users\Admin\AppData\Local\Temp\e4ee3b0145b6c859815fd11a158334d23fdb015f4d225ed6e0dae2a4a7c82777.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4636 -
C:\Users\Admin\AppData\Local\stickers\juvenile.exe"C:\Users\Admin\AppData\Local\Temp\e4ee3b0145b6c859815fd11a158334d23fdb015f4d225ed6e0dae2a4a7c82777.exe"2⤵
- Drops startup file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\svchost.exe"C:\Users\Admin\AppData\Local\Temp\e4ee3b0145b6c859815fd11a158334d23fdb015f4d225ed6e0dae2a4a7c82777.exe"3⤵PID:4384
-
-
C:\Users\Admin\AppData\Local\stickers\juvenile.exe"C:\Users\Admin\AppData\Local\stickers\juvenile.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:900 -
C:\Windows\SysWOW64\svchost.exe"C:\Users\Admin\AppData\Local\stickers\juvenile.exe"4⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2960
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
202KB
MD5de5fce3585b77aa715056dc91d0529c5
SHA1d6ad461bc4af90ee8e567cffeb0e8de04f38f149
SHA2564430dc7364a325da5a9f30acd015e19179d8650d61f5eb26a92e26518d4a7001
SHA512de7f6eb4836295a1ae479a02037c409e1fd383cc23424f33e0cc24aa9a495308659f97396b4880f48b50678e5af8b70a2814b9e1df506b6d3318d237a82b85aa
-
Filesize
203KB
MD5004342bff4643c4e466635fb48796bf2
SHA10264461a4a53fba318714fc2c14732c435abc0dd
SHA25624daf9c73dc4beb4f9215dc571b05a39a19b45719fb60e0fb82af9071a91ff00
SHA512ef0c340ec0d6c818127041319746e8f0368e91e58a44a362985e9f45deaf447a1f52924607dffb82b964897877fd46295207d24c20c2adb35b9f4fe23971c9b0
-
Filesize
646KB
MD534e3967c8143fb8822936f1a463b72df
SHA1ddd217ba236011c11af70a60e5942f345cc5039a
SHA256e4ee3b0145b6c859815fd11a158334d23fdb015f4d225ed6e0dae2a4a7c82777
SHA5124e1633b036e3dfe3405f6580903a938a7f6b43848e4408e2573478b4172e2236ccff8683f982c22cf2a70bf56c9967395ef7c7a5dd58a29cdf244aaa796dcc68