Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-12-2024 15:36
Static task: static1
Behavioral task: behavioral1
  Sample: ST07933.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: ST07933.exe
  Resource: win10v2004-20241007-en
General
- Target: ST07933.exe
- Size: 820KB
- MD5: d9c24eb3137fb3e1f939625d3076bb0f
- SHA1: 9d06b465b4e137dccc09aa583fd928bbcf2275aa
- SHA256: 02184b32f1b3e76b78acf7e889f3f581ef65696df1f64efb9bfe3b2d2ccabfd6
- SHA512: f1d6e69a72deb762416c0954faa05196debc9b6b53ab9a38621dbeb0175dd907ce4758b0aea6f78501b5b9a6c8307c50a10fe7c6e4af72415c9a573d08baf057
- SSDEEP: 24576:wTkQIwLXEADfmo/SbKdsyjlR4MsfZV+ER/r:qvTDf6bKdsalRpsfZV+q/r
Malware Config
Extracted: vipkeylogger
- Protocol: smtp
- Host: smtp.ionos.es
- Port: 587
- Username: [email protected]
- Password: JA-*2020antonio
- Email To: [email protected]
Signatures
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.
- Vipkeylogger family
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | msiexec.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | msiexec.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | msiexec.exe
- Blocklisted process makes network request (8 IoCs)
  flow | pid | Process
  35 | 5104 | msiexec.exe
  37 | 5104 | msiexec.exe
  39 | 5104 | msiexec.exe
  41 | 5104 | msiexec.exe
  43 | 5104 | msiexec.exe
  48 | 5104 | msiexec.exe
  50 | 5104 | msiexec.exe
  54 | 5104 | msiexec.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow | ioc
  35 | drive.google.com
  34 | drive.google.com
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  47 | checkip.dyndns.org
- Drops file in System32 directory (1 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\telectrograph\assimilationer.Qua | ST07933.exe
- Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
  pid | Process
  5104 | msiexec.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid | Process
  536 | powershell.exe
  5104 | msiexec.exe
- Drops file in Program Files directory (1 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files (x86)\Common Files\intercepter.mos | ST07933.exe
- Command and Scripting Interpreter: PowerShell (signature heading missing from the extracted list; inferred from the process tree below, which attributes it to PID 536)
  pid | Process
  536 | powershell.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ST07933.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec.exe
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid | Process
  536 | powershell.exe
  536 | powershell.exe
  536 | powershell.exe
  536 | powershell.exe
  536 | powershell.exe
  536 | powershell.exe
  536 | powershell.exe
  5104 | msiexec.exe
  5104 | msiexec.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  pid | Process
  536 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 536 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 536 | powershell.exe
  Token: SeSecurityPrivilege | 536 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 536 | powershell.exe
  Token: SeLoadDriverPrivilege | 536 | powershell.exe
  Token: SeSystemProfilePrivilege | 536 | powershell.exe
  Token: SeSystemtimePrivilege | 536 | powershell.exe
  Token: SeProfSingleProcessPrivilege | 536 | powershell.exe
  Token: SeIncBasePriorityPrivilege | 536 | powershell.exe
  Token: SeCreatePagefilePrivilege | 536 | powershell.exe
  Token: SeBackupPrivilege | 536 | powershell.exe
  Token: SeRestorePrivilege | 536 | powershell.exe
  Token: SeShutdownPrivilege | 536 | powershell.exe
  Token: SeDebugPrivilege | 536 | powershell.exe
  Token: SeSystemEnvironmentPrivilege | 536 | powershell.exe
  Token: SeRemoteShutdownPrivilege | 536 | powershell.exe
  Token: SeUndockPrivilege | 536 | powershell.exe
  Token: SeManageVolumePrivilege | 536 | powershell.exe
  Token: 33 | 536 | powershell.exe
  Token: 34 | 536 | powershell.exe
  Token: 35 | 536 | powershell.exe
  Token: 36 | 536 | powershell.exe
  Token: SeDebugPrivilege | 5104 | msiexec.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 3220 wrote to memory of 536 | 3220 | ST07933.exe | 86
  PID 3220 wrote to memory of 536 | 3220 | ST07933.exe | 86
  PID 3220 wrote to memory of 536 | 3220 | ST07933.exe | 86
  PID 536 wrote to memory of 5104 | 536 | powershell.exe | 93
  PID 536 wrote to memory of 5104 | 536 | powershell.exe | 93
  PID 536 wrote to memory of 5104 | 536 | powershell.exe | 93
  PID 536 wrote to memory of 5104 | 536 | powershell.exe | 93
- outlook_office_path (1 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | msiexec.exe
- outlook_win_path (1 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | msiexec.exe
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\ST07933.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ST07933.exe"
  PID: 3220
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - Level 2: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" -windowstyle minimized "$Dudleyite119=Get-Content -Raw 'C:\Users\Admin\AppData\Local\Temp\depersonaliseredes\Faldgruberne\Proterandrous.Dis';$Interlaminating=$Dudleyite119.SubString(7465,3);.$Interlaminating($Dudleyite119)"
    PID: 536
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Level 3: C:\Windows\SysWOW64\msiexec.exe
      Command line: "C:\Windows\SysWOW64\msiexec.exe"
      PID: 5104
      - Accesses Microsoft Outlook profiles
      - Blocklisted process makes network request
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 71KB
  MD5: 92abdd2b532425d14efa291e5d5780b3
  SHA1: 489bac8d9c5f423a1f92f7ad618b5c2b288fdd69
  SHA256: 86aecbcc718243267fef6fa993e76cc33e49b708e68353b982cc4af30ce7876b
  SHA512: b8b6b3a16eb40cb6a778e7e77c289aebdb685c170d173ddf59034a6546b7dbc6e4216ff92ee36f2eeb84ab6f3becd838732689f9ce54db94858fb754a4276e61
- Filesize: 293KB
  MD5: 97558276c365fbe801720b97d8f39edb
  SHA1: bc27ec1aaf395a74aa8d7fb85a8e52f86b23c7fd
  SHA256: 7af8da81126c1341ca58e7010715cc4bc8b18ff206a3b3d4a4a5f8a72fa9e899
  SHA512: 7ac1d867e0fe4b25781ea8c70c162a042684c27e6a50e3a3dabfa02513109109211bc3f78854d9604ccd661c32549519e6950f1982b4951ef51dc363f8e49e43