Analysis
max time kernel: 148s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-12-2024 09:10
Static task: static1
Behavioral task: behavioral1
  Sample: Payment.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: Payment.exe
  Resource: win10v2004-20241007-en
General
Target: Payment.exe
Size: 940KB
MD5: ad45a46cc2809a1244ba4a05b2411096
SHA1: 873324976c33ea8870e5fd68a5913a924b2932ae
SHA256: 1ca25ad8f6c161c67a4b78ab8aca6f8795210dfe17555d5448302d5054af3f0b
SHA512: e5eb407686c3fae6d2c26c20b789aa6427ef86d64acc19a611fb8a4b0d23112ed194bebbb1837610579498e9ec0bdfdc4871cd986d011b4e2279e6c819900e26
SSDEEP: 24576:fu6J33O0c+JY5UZ+XC0kGso6FaCSS4R1WY:pu0c++OCvkGs9FaCSSTY
Malware Config
Extracted
Family: asyncrat
Version: 0.5.8
Botnet: Default
C2: 69.174.100.131:6606
Mutex: abkZfsCYRZhk
Attributes:
  delay: 10
  install: false
  install_file: order.exe
  install_folder: %AppData%
Extracted
Family: vipkeylogger
C2: https://api.telegram.org/bot7721085569:AAH1tkciy-nKykIEUNjOAUsItTcvNCVmFLo/sendMessage?chat_id=6236275763
Signatures
- Asyncrat family
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.
- Vipkeylogger family
- Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\phytographic.vbs | phytographic.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hepatoduodenostomy.vbs | hepatoduodenostomy.exe
- Executes dropped EXE (4 IoCs)
  pid | Process
  640 | phytographic.exe
  916 | kyixnz.exe
  2248 | hepatoduodenostomy.exe
  5016 | zfrzbg.exe
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
  Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  40 | checkip.dyndns.org
- AutoIT Executable (2 IoCs)
  AutoIT scripts compiled to PE executables.
  resource | yara_rule
  behavioral2/files/0x0008000000023bfa-10.dat | autoit_exe
  behavioral2/files/0x0009000000023c54-56.dat | autoit_exe
- Command and Scripting Interpreter: PowerShell (2 IoCs)
  pid | Process
  4284 | powershell.exe
  3332 | powershell.exe
- Suspicious use of SetThreadContext (3 IoCs)
  description | pid | Process | procid_target
  PID 640 set thread context of 1520 | 640 | phytographic.exe | 83
  PID 2248 set thread context of 3364 | 2248 | hepatoduodenostomy.exe | 98
  PID 5016 set thread context of 2168 | 5016 | zfrzbg.exe | 106
- System Location Discovery: System Language Discovery (1 TTP, 14 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegSvcs.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegSvcs.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hepatoduodenostomy.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Payment.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | timeout.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zfrzbg.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kyixnz.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | phytographic.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegSvcs.exe
- Delays execution with timeout.exe (1 IoC)
  pid | Process
  4380 | timeout.exe
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid | Process
  4284 | powershell.exe
  4284 | powershell.exe
  1520 | RegSvcs.exe
  3364 | RegSvcs.exe
  3364 | RegSvcs.exe
  3332 | powershell.exe
  3332 | powershell.exe
- Suspicious behavior: MapViewOfSection (4 IoCs)
  pid | Process
  640 | phytographic.exe
  640 | phytographic.exe
  2248 | hepatoduodenostomy.exe
  5016 | zfrzbg.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1520 | RegSvcs.exe
  Token: SeDebugPrivilege | 4284 | powershell.exe
  Token: SeDebugPrivilege | 3364 | RegSvcs.exe
  Token: SeDebugPrivilege | 3332 | powershell.exe
  Token: SeDebugPrivilege | 2168 | RegSvcs.exe
- Suspicious use of FindShellTrayWindow (14 IoCs)
  pid | Process
  4616 | Payment.exe
  4616 | Payment.exe
  640 | phytographic.exe
  640 | phytographic.exe
  640 | phytographic.exe
  916 | kyixnz.exe
  916 | kyixnz.exe
  916 | kyixnz.exe
  2248 | hepatoduodenostomy.exe
  2248 | hepatoduodenostomy.exe
  2248 | hepatoduodenostomy.exe
  5016 | zfrzbg.exe
  5016 | zfrzbg.exe
  5016 | zfrzbg.exe
- Suspicious use of SendNotifyMessage (14 IoCs)
  pid | Process
  4616 | Payment.exe
  4616 | Payment.exe
  640 | phytographic.exe
  640 | phytographic.exe
  640 | phytographic.exe
  916 | kyixnz.exe
  916 | kyixnz.exe
  916 | kyixnz.exe
  2248 | hepatoduodenostomy.exe
  2248 | hepatoduodenostomy.exe
  2248 | hepatoduodenostomy.exe
  5016 | zfrzbg.exe
  5016 | zfrzbg.exe
  5016 | zfrzbg.exe
- Suspicious use of WriteProcessMemory (42 IoCs)
  description | pid | Process | procid_target
  PID 4616 wrote to memory of 640 | 4616 | Payment.exe | 82
  PID 4616 wrote to memory of 640 | 4616 | Payment.exe | 82
  PID 4616 wrote to memory of 640 | 4616 | Payment.exe | 82
  PID 640 wrote to memory of 1520 | 640 | phytographic.exe | 83
  PID 640 wrote to memory of 1520 | 640 | phytographic.exe | 83
  PID 640 wrote to memory of 1520 | 640 | phytographic.exe | 83
  PID 640 wrote to memory of 1520 | 640 | phytographic.exe | 83
  PID 1520 wrote to memory of 932 | 1520 | RegSvcs.exe | 93
  PID 1520 wrote to memory of 932 | 1520 | RegSvcs.exe | 93
  PID 1520 wrote to memory of 932 | 1520 | RegSvcs.exe | 93
  PID 932 wrote to memory of 4284 | 932 | cmd.exe | 95
  PID 932 wrote to memory of 4284 | 932 | cmd.exe | 95
  PID 932 wrote to memory of 4284 | 932 | cmd.exe | 95
  PID 4284 wrote to memory of 916 | 4284 | powershell.exe | 96
  PID 4284 wrote to memory of 916 | 4284 | powershell.exe | 96
  PID 4284 wrote to memory of 916 | 4284 | powershell.exe | 96
  PID 916 wrote to memory of 2248 | 916 | kyixnz.exe | 97
  PID 916 wrote to memory of 2248 | 916 | kyixnz.exe | 97
  PID 916 wrote to memory of 2248 | 916 | kyixnz.exe | 97
  PID 2248 wrote to memory of 3364 | 2248 | hepatoduodenostomy.exe | 98
  PID 2248 wrote to memory of 3364 | 2248 | hepatoduodenostomy.exe | 98
  PID 2248 wrote to memory of 3364 | 2248 | hepatoduodenostomy.exe | 98
  PID 2248 wrote to memory of 3364 | 2248 | hepatoduodenostomy.exe | 98
  PID 1520 wrote to memory of 2216 | 1520 | RegSvcs.exe | 99
  PID 1520 wrote to memory of 2216 | 1520 | RegSvcs.exe | 99
  PID 1520 wrote to memory of 2216 | 1520 | RegSvcs.exe | 99
  PID 1520 wrote to memory of 2864 | 1520 | RegSvcs.exe | 101
  PID 1520 wrote to memory of 2864 | 1520 | RegSvcs.exe | 101
  PID 1520 wrote to memory of 2864 | 1520 | RegSvcs.exe | 101
  PID 2216 wrote to memory of 3332 | 2216 | cmd.exe | 103
  PID 2216 wrote to memory of 3332 | 2216 | cmd.exe | 103
  PID 2216 wrote to memory of 3332 | 2216 | cmd.exe | 103
  PID 2864 wrote to memory of 4380 | 2864 | cmd.exe | 104
  PID 2864 wrote to memory of 4380 | 2864 | cmd.exe | 104
  PID 2864 wrote to memory of 4380 | 2864 | cmd.exe | 104
  PID 3332 wrote to memory of 5016 | 3332 | powershell.exe | 105
  PID 3332 wrote to memory of 5016 | 3332 | powershell.exe | 105
  PID 3332 wrote to memory of 5016 | 3332 | powershell.exe | 105
  PID 5016 wrote to memory of 2168 | 5016 | zfrzbg.exe | 106
  PID 5016 wrote to memory of 2168 | 5016 | zfrzbg.exe | 106
  PID 5016 wrote to memory of 2168 | 5016 | zfrzbg.exe | 106
  PID 5016 wrote to memory of 2168 | 5016 | zfrzbg.exe | 106
- outlook_office_path (1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
- outlook_win_path (1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RegSvcs.exe
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\Payment.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Payment.exe"
  PID: 4616
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\ophiolatrous\phytographic.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Payment.exe"
    PID: 640
    - Drops startup file
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Payment.exe"
      PID: 1520
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\kyixnz.exe"' & exit
        PID: 932
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        Level 5: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\kyixnz.exe"'
          PID: 4284
          - Command and Scripting Interpreter: PowerShell
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          Level 6: C:\Users\Admin\AppData\Local\Temp\kyixnz.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\kyixnz.exe"
            PID: 916
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory
            Level 7: C:\Users\Admin\AppData\Local\roundup\hepatoduodenostomy.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\kyixnz.exe"
              PID: 2248
              - Drops startup file
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: MapViewOfSection
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SendNotifyMessage
              - Suspicious use of WriteProcessMemory
              Level 8: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\kyixnz.exe"
                PID: 3364
                - Accesses Microsoft Outlook profiles
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - outlook_office_path
                - outlook_win_path
      Level 4: C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\zfrzbg.exe"' & exit
        PID: 2216
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        Level 5: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          Command line: powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\zfrzbg.exe"'
          PID: 3332
          - Command and Scripting Interpreter: PowerShell
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
          Level 6: C:\Users\Admin\AppData\Local\Temp\zfrzbg.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\zfrzbg.exe"
            PID: 5016
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory
            Level 7: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\zfrzbg.exe"
              PID: 2168
              - System Location Discovery: System Language Discovery
              - Suspicious use of AdjustPrivilegeToken
      Level 4: C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3DA0.tmp.bat""
        PID: 2864
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        Level 5: C:\Windows\SysWOW64\timeout.exe
          Command line: timeout 2
          PID: 4380
          - System Location Discovery: System Language Discovery
          - Delays execution with timeout.exe
Network
MITRE ATT&CK Enterprise v15
Downloads