Analysis

max time kernel: 119s
max time network: 123s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system
submitted: 14-12-2024 12:48

Static task: static1

Behavioral task: behavioral1
Sample: Shipment 990847575203.pdf.exe
Resource: win7-20241023-en

Behavioral task: behavioral2
Sample: Shipment 990847575203.pdf.exe
Resource: win10v2004-20241007-en

General

Target: Shipment 990847575203.pdf.exe
Size: 808KB
MD5: 8626a0c350243b5390abf5dee2a40641
SHA1: 8337486fbbece35e03456500b23c5044466419c7
SHA256: d16a272916c70064157e0cef6770ff47ed874369e4db36ae0a569dd85357efca
SHA512: 5b91943db6e0b79fb6f776e4eb1337a54295688c09168ead60eae238b2be51cdb64ce3518643624d569163e4fee8a8e9cd374e0eddd59e13c13f523eafec793d
SSDEEP: 12288:jIC25usx+XtVUW1r4s7yy8FqY4uszmSpx0DzibplrdV26XyGnP/Ge/A:gx82VPFqY4usn0DzIVNXygPea
Malware Config

Extracted
Protocol: ftp
Host: kashmirestore.com
Port: 21
Username: [email protected]
Password: c%P+6,(]YFvP

Extracted
vipkeylogger
Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

Vipkeylogger family

Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
2464 | powershell.exe
2872 | powershell.exe
Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSBuild.exe
Key opened | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSBuild.exe
Key opened | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSBuild.exe
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
4 | checkip.dyndns.org
Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 3008 set thread context of 2716 | 3008 | Shipment 990847575203.pdf.exe | 40
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MSBuild.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Shipment 990847575203.pdf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2884 | schtasks.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid | Process
2872 | powershell.exe
3008 | Shipment 990847575203.pdf.exe
3008 | Shipment 990847575203.pdf.exe
2464 | powershell.exe
3008 | Shipment 990847575203.pdf.exe
3008 | Shipment 990847575203.pdf.exe
3008 | Shipment 990847575203.pdf.exe
3008 | Shipment 990847575203.pdf.exe
2716 | MSBuild.exe
2716 | MSBuild.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2872 | powershell.exe
Token: SeDebugPrivilege | 2464 | powershell.exe
Token: SeDebugPrivilege | 3008 | Shipment 990847575203.pdf.exe
Token: SeDebugPrivilege | 2716 | MSBuild.exe
Suspicious use of WriteProcessMemory (33 IoCs)
description | pid | Process | procid_target
PID 3008 wrote to memory of 2464 | 3008 | Shipment 990847575203.pdf.exe | 31
PID 3008 wrote to memory of 2872 | 3008 | Shipment 990847575203.pdf.exe | 33
PID 3008 wrote to memory of 2884 | 3008 | Shipment 990847575203.pdf.exe | 34
PID 3008 wrote to memory of 2920 | 3008 | Shipment 990847575203.pdf.exe | 37
PID 3008 wrote to memory of 2892 | 3008 | Shipment 990847575203.pdf.exe | 38
PID 3008 wrote to memory of 2708 | 3008 | Shipment 990847575203.pdf.exe | 39
PID 3008 wrote to memory of 2716 | 3008 | Shipment 990847575203.pdf.exe | 40
Each row above is recorded four times (nine times for target 2716), 33 entries in total.
outlook_office_path (1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSBuild.exe

outlook_win_path (1 IoCs)
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSBuild.exe
Processes

C:\Users\Admin\AppData\Local\Temp\Shipment 990847575203.pdf.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Shipment 990847575203.pdf.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3008

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Shipment 990847575203.pdf.exe"
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2464

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\FZcXKpA.exe"
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2872

  C:\Windows\SysWOW64\schtasks.exe
  Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FZcXKpA" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF4DA.tmp"
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID: 2884

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  PID: 2920

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  PID: 2892

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  PID: 2708

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  - Accesses Microsoft Outlook profiles
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID: 2716
Downloads

Filesize: 1KB
MD5: 0920b69e6b49dba74c963c21e41c4533
SHA1: 7ae62b67f9f68c0d3730e06a54fbee156a36d9c6
SHA256: f46f2da4748ca18bc4297abdc122e89bc0e9fbdc82473c9e68d7931eb647fb8b
SHA512: 23f2edcbec3a65dee8881ec63df35c601fc8ab119b476ba501b9678dff1a8875874010a47972ac3e6b0c34e1b26ade154ac943a7885227efe2678198362ad911

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: 52fa25903c2a4e9d6d252a36500f339c
SHA1: be49b228baf45089cb8ddc6d33f9917a678c3b9b
SHA256: d7f8f39a01a277a6c31a65cfceb81fa8d9918e9641266449802761258d30ba65
SHA512: 120d7f2795fc36d05eee38d5aa77d209e03c036f300df876123d121a60af998b60bdc8645bf578fb32cd2f1b20b64fa0edac21c7879fd517da6f00c4e11c3eea