Analysis
- max time kernel: 60s
- max time network: 148s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 09-12-2024 11:12
Static task: static1
Behavioral task: behavioral1
- Sample: ff7e78da9c8e580229fe95dfdfe5b098.exe
- Resource: win7-20240729-en
Behavioral task: behavioral2
- Sample: ff7e78da9c8e580229fe95dfdfe5b098.exe
- Resource: win10v2004-20241007-en
General
- Target: ff7e78da9c8e580229fe95dfdfe5b098.exe
- Size: 909KB
- MD5: ff7e78da9c8e580229fe95dfdfe5b098
- SHA1: ab968e47e463f29426116753b0ca086fd5b33cdb
- SHA256: cefa40083339d42320bc1f9ba33c578b8abe47e15eb0dd6b0ba2f734aa8f3d6d
- SHA512: 45517b8bc96613daeabb738a42188b8ef19b0ac2b53e3202f7d86f683dacdbe1c4a78414938ab5ad0b48b7c546bc89a78932e3b8a1dbf6604e59b4887de48409
- SSDEEP: 12288:v9Qw+JBpSqWsX8yViJMjLDXGn6pYn21S20YDOcAvrFa1:lUJBp3WxqiJs2IYn21SwacAv
Malware Config
Extracted
- Family: vipkeylogger
- C2: https://api.telegram.org/bot7339564661:AAFzTB6gEWMndjXYyD5LCn17UEBISRR8wDI/sendMessage?chat_id=6443825857
Signatures
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.
- Vipkeylogger family
- Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid / Process:
  - 3024 powershell.exe
  - 2840 powershell.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  description / ioc / Process:
  - Key opened: \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (ff7e78da9c8e580229fe95dfdfe5b098.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (ff7e78da9c8e580229fe95dfdfe5b098.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (ff7e78da9c8e580229fe95dfdfe5b098.exe)
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow / ioc:
  - 4 checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoCs)
  description / pid / Process / procid_target:
  - PID 1456 set thread context of 2648; 1456 ff7e78da9c8e580229fe95dfdfe5b098.exe; procid_target 35
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (schtasks.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ff7e78da9c8e580229fe95dfdfe5b098.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ff7e78da9c8e580229fe95dfdfe5b098.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid / Process:
  - 2932 schtasks.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid / Process:
  - 1456 ff7e78da9c8e580229fe95dfdfe5b098.exe
  - 1456 ff7e78da9c8e580229fe95dfdfe5b098.exe
  - 2648 ff7e78da9c8e580229fe95dfdfe5b098.exe
  - 2840 powershell.exe
  - 3024 powershell.exe
  - 2648 ff7e78da9c8e580229fe95dfdfe5b098.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description / pid / Process:
  - Token: SeDebugPrivilege; 1456 ff7e78da9c8e580229fe95dfdfe5b098.exe
  - Token: SeDebugPrivilege; 2648 ff7e78da9c8e580229fe95dfdfe5b098.exe
  - Token: SeDebugPrivilege; 2840 powershell.exe
  - Token: SeDebugPrivilege; 3024 powershell.exe
- Suspicious use of WriteProcessMemory (22 IoCs)
  description / pid / Process / procid_target:
  - PID 1456 wrote to memory of 3024; 1456 ff7e78da9c8e580229fe95dfdfe5b098.exe; procid_target 29 (4 identical entries)
  - PID 1456 wrote to memory of 2840; 1456 ff7e78da9c8e580229fe95dfdfe5b098.exe; procid_target 31 (4 identical entries)
  - PID 1456 wrote to memory of 2932; 1456 ff7e78da9c8e580229fe95dfdfe5b098.exe; procid_target 33 (4 identical entries)
  - PID 1456 wrote to memory of 2648; 1456 ff7e78da9c8e580229fe95dfdfe5b098.exe; procid_target 35 (10 identical entries)
- outlook_office_path (1 IoCs)
  description / ioc / Process:
  - Key opened: \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (ff7e78da9c8e580229fe95dfdfe5b098.exe)
- outlook_win_path (1 IoCs)
  description / ioc / Process:
  - Key opened: \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (ff7e78da9c8e580229fe95dfdfe5b098.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\ff7e78da9c8e580229fe95dfdfe5b098.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ff7e78da9c8e580229fe95dfdfe5b098.exe"
  PID: 1456
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ff7e78da9c8e580229fe95dfdfe5b098.exe"
    PID: 3024
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GJgncWe.exe"
    PID: 2840
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GJgncWe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7272.tmp"
    PID: 2932
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
  - C:\Users\Admin\AppData\Local\Temp\ff7e78da9c8e580229fe95dfdfe5b098.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ff7e78da9c8e580229fe95dfdfe5b098.exe"
    PID: 2648
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (2): Credentials In Files (2)
Downloads
- Filesize: 1KB
  MD5: 00851c43892a962d102a14084e154c52
  SHA1: 9ef3c5a8d10c8fe4975281fdadaa4d831299a06a
  SHA256: 2d0354aa14c433188ba1bc7db6c158b7e53dcd100e9a933dabb2432f36664b23
  SHA512: 381b558e2ad647bc81a107198cc512e3fff958e4cb0c01ced3628fe8d7f29fbab5cdc288fef99b969f5a78ed18f7b4e6e3da66f460b97d33356bbb9291f6363f
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: dd364ad9c5b9879d2cbf5baf32a90452
  SHA1: 49c1625804c8209528011ad44e68b5fe799da8b4
  SHA256: 4001890e8f7f3a97eea619a1c9531d9560a6a5608ac361de4361df1ad0f4974c
  SHA512: 468f570736067cb63434aa4da94246f49c055c5c1770c9f3651c3464e458c18ec0d07277ca586cca4739be0fc1509e8192bbe9eea09136456eb17a91592dfbc8