Analysis
- max time kernel: 118s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 12-12-2024 09:10
- Static task: static1
- Behavioral task: behavioral1 (Sample: Payment.exe; Resource: win7-20240903-en)
- Behavioral task: behavioral2 (Sample: Payment.exe; Resource: win10v2004-20241007-en)
General
- Target: Payment.exe
- Size: 940KB
- MD5: ad45a46cc2809a1244ba4a05b2411096
- SHA1: 873324976c33ea8870e5fd68a5913a924b2932ae
- SHA256: 1ca25ad8f6c161c67a4b78ab8aca6f8795210dfe17555d5448302d5054af3f0b
- SHA512: e5eb407686c3fae6d2c26c20b789aa6427ef86d64acc19a611fb8a4b0d23112ed194bebbb1837610579498e9ec0bdfdc4871cd986d011b4e2279e6c819900e26
- SSDEEP: 24576:fu6J33O0c+JY5UZ+XC0kGso6FaCSS4R1WY:pu0c++OCvkGs9FaCSSTY
Malware Config
Extracted: asyncrat
- Version: 0.5.8
- Botnet: Default
- C2: 69.174.100.131:6606
- Mutex: abkZfsCYRZhk
- delay: 10
- install: false
- install_file: order.exe
- install_folder: %AppData%
Extracted: vipkeylogger
- Telegram API URL: https://api.telegram.org/bot7721085569:AAH1tkciy-nKykIEUNjOAUsItTcvNCVmFLo/sendMessage?chat_id=6236275763
Signatures
- Asyncrat family
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.
- Vipkeylogger family
- Drops startup file (2 IoCs)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\phytographic.vbs (process: phytographic.exe)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatoduodenostomy.vbs (process: hepatoduodenostomy.exe)
- Executes dropped EXE (4 IoCs)
  - PID 3032 phytographic.exe
  - PID 1848 vmubku.exe
  - PID 896 hepatoduodenostomy.exe
  - PID 1792 scpvgi.exe
- Loads dropped DLL (4 IoCs)
  - PID 2384 Payment.exe
  - PID 2116 powershell.exe
  - PID 1848 vmubku.exe
  - PID 2188 powershell.exe
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  - Key opened: \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: RegSvcs.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: RegSvcs.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: RegSvcs.exe)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  - Flow 9: checkip.dyndns.org
- AutoIT Executable (2 IoCs)
  AutoIT scripts compiled to PE executables.
  - Resource behavioral1/files/0x0009000000015d70-12.dat matched YARA rule autoit_exe
  - Resource behavioral1/files/0x000a000000004ed7-90.dat matched YARA rule autoit_exe
- Command and Scripting Interpreter: PowerShell (2 IoCs)
  - PID 2116 powershell.exe
  - PID 2188 powershell.exe
- Suspicious use of SetThreadContext (3 IoCs)
  - PID 3032 (phytographic.exe) set thread context of PID 2112 (target 31)
  - PID 896 (hepatoduodenostomy.exe) set thread context of PID 2464 (target 39)
  - PID 1792 (scpvgi.exe) set thread context of PID 2324 (target 47)
- System Location Discovery: System Language Discovery (1 TTP, 14 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by each of: timeout.exe, scpvgi.exe, RegSvcs.exe, phytographic.exe, powershell.exe, cmd.exe, RegSvcs.exe, cmd.exe, hepatoduodenostomy.exe, powershell.exe, cmd.exe, Payment.exe, vmubku.exe, RegSvcs.exe
- Delays execution with timeout.exe (1 IoC)
  - PID 1264 timeout.exe
- Suspicious behavior: EnumeratesProcesses (9 IoCs)
  - PID 2116 powershell.exe (3 IoCs)
  - PID 2112 RegSvcs.exe (1 IoC)
  - PID 2464 RegSvcs.exe (2 IoCs)
  - PID 2188 powershell.exe (3 IoCs)
- Suspicious behavior: MapViewOfSection (3 IoCs)
  - PID 3032 phytographic.exe
  - PID 896 hepatoduodenostomy.exe
  - PID 1792 scpvgi.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  - Token: SeDebugPrivilege, PID 2112 RegSvcs.exe
  - Token: SeDebugPrivilege, PID 2116 powershell.exe
  - Token: SeDebugPrivilege, PID 2464 RegSvcs.exe
  - Token: SeDebugPrivilege, PID 2188 powershell.exe
  - Token: SeDebugPrivilege, PID 2324 RegSvcs.exe
- Suspicious use of FindShellTrayWindow (10 IoCs)
  - PID 2384 Payment.exe (2 IoCs)
  - PID 3032 phytographic.exe (2 IoCs)
  - PID 1848 vmubku.exe (2 IoCs)
  - PID 896 hepatoduodenostomy.exe (2 IoCs)
  - PID 1792 scpvgi.exe (2 IoCs)
- Suspicious use of SendNotifyMessage (10 IoCs)
  - PID 2384 Payment.exe (2 IoCs)
  - PID 3032 phytographic.exe (2 IoCs)
  - PID 1848 vmubku.exe (2 IoCs)
  - PID 896 hepatoduodenostomy.exe (2 IoCs)
  - PID 1792 scpvgi.exe (2 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs; repeated identical entries collapsed with their counts)
  - PID 2384 (Payment.exe) wrote to memory of PID 3032 (target 30): 4 entries
  - PID 3032 (phytographic.exe) wrote to memory of PID 2112 (target 31): 8 entries
  - PID 2112 (RegSvcs.exe) wrote to memory of PID 1972 (target 34): 4 entries
  - PID 1972 (cmd.exe) wrote to memory of PID 2116 (target 36): 4 entries
  - PID 2116 (powershell.exe) wrote to memory of PID 1848 (target 37): 4 entries
  - PID 1848 (vmubku.exe) wrote to memory of PID 896 (target 38): 4 entries
  - PID 896 (hepatoduodenostomy.exe) wrote to memory of PID 2464 (target 39): 8 entries
  - PID 2112 (RegSvcs.exe) wrote to memory of PID 1360 (target 40): 4 entries
  - PID 2112 (RegSvcs.exe) wrote to memory of PID 1720 (target 42): 4 entries
  - PID 1360 (cmd.exe) wrote to memory of PID 2188 (target 43): 4 entries
  - PID 1720 (cmd.exe) wrote to memory of PID 1264 (target 45): 4 entries
  - PID 2188 (powershell.exe) wrote to memory of PID 1792 (target 46): 4 entries
  - PID 1792 (scpvgi.exe) wrote to memory of PID 2324 (target 47): 8 entries
- outlook_office_path (1 IoC)
  - Key opened: \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: RegSvcs.exe)
- outlook_win_path (1 IoC)
  - Key opened: \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process: RegSvcs.exe)
Processes (tree; each nested entry is a child of the process above it)
- C:\Users\Admin\AppData\Local\Temp\Payment.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment.exe"
  PID: 2384
  Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\ophiolatrous\phytographic.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Payment.exe"
    PID: 3032
    Signatures: Drops startup file; Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: MapViewOfSection; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Payment.exe"
      PID: 2112
      Signatures: System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\vmubku.exe"' & exit
        PID: 1972
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\vmubku.exe"'
          PID: 2116
          Signatures: Loads dropped DLL; Command and Scripting Interpreter: PowerShell; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\vmubku.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\vmubku.exe"
            PID: 1848
            Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
            - C:\Users\Admin\AppData\Local\roundup\hepatoduodenostomy.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\vmubku.exe"
              PID: 896
              Signatures: Drops startup file; Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: MapViewOfSection; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
              - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\vmubku.exe"
                PID: 2464
                Signatures: Accesses Microsoft Outlook profiles; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; outlook_office_path; outlook_win_path
      - C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\scpvgi.exe"' & exit
        PID: 1360
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\scpvgi.exe"'
          PID: 2188
          Signatures: Loads dropped DLL; Command and Scripting Interpreter: PowerShell; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\scpvgi.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\scpvgi.exe"
            PID: 1792
            Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: MapViewOfSection; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
            - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\scpvgi.exe"
              PID: 2324
              Signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp67A9.tmp.bat""
        PID: 1720
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\timeout.exe
          Command line: timeout 2
          PID: 1264
          Signatures: System Location Discovery: System Language Discovery; Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Downloads