Analysis
-
max time kernel
121s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
10-12-2024 13:06
Static task
static1
Behavioral task
behavioral1
Sample
Hesap_Hareketleri_10122024_html.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
Hesap_Hareketleri_10122024_html.exe
Resource
win10v2004-20241007-en
General
-
Target
Hesap_Hareketleri_10122024_html.exe
-
Size
846KB
-
MD5
18709f2606d2834d725a5677bdd4d737
-
SHA1
bbc16514aea1e283ba1863a5db34c71b0f574fc8
-
SHA256
50087b010b52ec07a7f52a85b56dc43041aae17b428e6b0af3d52d797d427682
-
SHA512
758d818dd3d252010e612ded4bf4846f053b1ad9c06d5139c7d65c35a9956ee7655c567c9efcfdb24122fe1dd55a324bf30277152da85e56be2f2e656e853b9e
-
SSDEEP
12288:nFMFoFvNLrJG2FYswEHLwSdNY8O7jbXdhb0mqqbNtYKy0QZURoSGb5hfBMG+wy9n:vFnJNY8KDzqCXW0g2edhf5+wFO
Malware Config
Extracted
vipkeylogger
Protocol: smtp- Host:
mail.htcp.homes - Port:
587 - Username:
[email protected] - Password:
7213575aceACE@@ - Email To:
[email protected]
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Vipkeylogger family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 780 powershell.exe 2836 powershell.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Hesap_Hareketleri_10122024_html.exe Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Hesap_Hareketleri_10122024_html.exe Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Hesap_Hareketleri_10122024_html.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2224 set thread context of 2716 2224 Hesap_Hareketleri_10122024_html.exe 38 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hesap_Hareketleri_10122024_html.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hesap_Hareketleri_10122024_html.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2944 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 2224 Hesap_Hareketleri_10122024_html.exe 2224 Hesap_Hareketleri_10122024_html.exe 2224 Hesap_Hareketleri_10122024_html.exe 2224 Hesap_Hareketleri_10122024_html.exe 2836 powershell.exe 780 powershell.exe 2716 Hesap_Hareketleri_10122024_html.exe 2716 Hesap_Hareketleri_10122024_html.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 2224 Hesap_Hareketleri_10122024_html.exe Token: SeDebugPrivilege 2836 powershell.exe Token: SeDebugPrivilege 780 powershell.exe Token: SeDebugPrivilege 2716 Hesap_Hareketleri_10122024_html.exe -
Suspicious use of WriteProcessMemory 25 IoCs
description pid Process procid_target PID 2224 wrote to memory of 780 2224 Hesap_Hareketleri_10122024_html.exe 31 PID 2224 wrote to memory of 780 2224 Hesap_Hareketleri_10122024_html.exe 31 PID 2224 wrote to memory of 780 2224 Hesap_Hareketleri_10122024_html.exe 31 PID 2224 wrote to memory of 780 2224 Hesap_Hareketleri_10122024_html.exe 31 PID 2224 wrote to memory of 2836 2224 Hesap_Hareketleri_10122024_html.exe 33 PID 2224 wrote to memory of 2836 2224 Hesap_Hareketleri_10122024_html.exe 33 PID 2224 wrote to memory of 2836 2224 Hesap_Hareketleri_10122024_html.exe 33 PID 2224 wrote to memory of 2836 2224 Hesap_Hareketleri_10122024_html.exe 33 PID 2224 wrote to memory of 2944 2224 Hesap_Hareketleri_10122024_html.exe 35 PID 2224 wrote to memory of 2944 2224 Hesap_Hareketleri_10122024_html.exe 35 PID 2224 wrote to memory of 2944 2224 Hesap_Hareketleri_10122024_html.exe 35 PID 2224 wrote to memory of 2944 2224 Hesap_Hareketleri_10122024_html.exe 35 PID 2224 wrote to memory of 3020 2224 Hesap_Hareketleri_10122024_html.exe 37 PID 2224 wrote to memory of 3020 2224 Hesap_Hareketleri_10122024_html.exe 37 PID 2224 wrote to memory of 3020 2224 Hesap_Hareketleri_10122024_html.exe 37 PID 2224 wrote to memory of 3020 2224 Hesap_Hareketleri_10122024_html.exe 37 PID 2224 wrote to memory of 2716 2224 Hesap_Hareketleri_10122024_html.exe 38 PID 2224 wrote to memory of 2716 2224 Hesap_Hareketleri_10122024_html.exe 38 PID 2224 wrote to memory of 2716 2224 Hesap_Hareketleri_10122024_html.exe 38 PID 2224 wrote to memory of 2716 2224 Hesap_Hareketleri_10122024_html.exe 38 PID 2224 wrote to memory of 2716 2224 Hesap_Hareketleri_10122024_html.exe 38 PID 2224 wrote to memory of 2716 2224 Hesap_Hareketleri_10122024_html.exe 38 PID 2224 wrote to memory of 2716 2224 Hesap_Hareketleri_10122024_html.exe 38 PID 2224 wrote to memory of 2716 2224 Hesap_Hareketleri_10122024_html.exe 38 PID 2224 wrote to memory of 2716 2224 Hesap_Hareketleri_10122024_html.exe 38 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Hesap_Hareketleri_10122024_html.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Hesap_Hareketleri_10122024_html.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Hesap_Hareketleri_10122024_html.exe"C:\Users\Admin\AppData\Local\Temp\Hesap_Hareketleri_10122024_html.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Hesap_Hareketleri_10122024_html.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:780
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UDYiGmDlq.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2836
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UDYiGmDlq" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF798.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2944
-
-
C:\Users\Admin\AppData\Local\Temp\Hesap_Hareketleri_10122024_html.exe"C:\Users\Admin\AppData\Local\Temp\Hesap_Hareketleri_10122024_html.exe"2⤵PID:3020
-
-
C:\Users\Admin\AppData\Local\Temp\Hesap_Hareketleri_10122024_html.exe"C:\Users\Admin\AppData\Local\Temp\Hesap_Hareketleri_10122024_html.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2716
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5b9df42d1f4728614f4cae854def824ba
SHA1e226e834af27bee050bd1dffa78e0fbf386594da
SHA256e1b9e014bf11a4601e0c2eec4d1f143adcbc4c4d4113894068e971e4b6e7d69c
SHA5128fa70291e0193fcde7fcc826ac76ae215504141318fab4971ac6e3e922d2fe5b54f824599ffc089db8dd8a758fa631fcdcdef4920957947eede0df567d3022a7
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DS0SGQWSGO1C4DRXH44S.temp
Filesize7KB
MD5b9bac7c66311d9b571f2cb64dbb3fdf7
SHA19ca4474daf2f5e6fc87b022921a28ee0db10615f
SHA256843548b2d350f79bef0ef1d2fc80beda8d67a2f4eb051a5d0070590a38012599
SHA5124b87672cf4def377fa390e3c760c311bccd41ee227de0c69e6170e79f2af6926799cde0b5bc13a9cf976297b1fcf06f9f32a558bb504d1b27630b6d936797f08