Analysis
-
max time kernel
148s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
17-12-2024 12:21
Static task
static1
Behavioral task
behavioral1
Sample
a3f7477a9612f8ac90866fb2c4adc56a447f4a8262e4ac75bb1c825a254afbac.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
a3f7477a9612f8ac90866fb2c4adc56a447f4a8262e4ac75bb1c825a254afbac.exe
Resource
win10v2004-20241007-en
General
-
Target
a3f7477a9612f8ac90866fb2c4adc56a447f4a8262e4ac75bb1c825a254afbac.exe
-
Size
903KB
-
MD5
c9007399358b2c71f94731c0dada3aae
-
SHA1
52961d38410067be7256356aa18ee52051bef614
-
SHA256
a3f7477a9612f8ac90866fb2c4adc56a447f4a8262e4ac75bb1c825a254afbac
-
SHA512
67b9d38ccc08b2acdc09df19ebed66a945f6a6854e1e5f9b3f1a73eef4a466abbb13fa52519c732445d6418c388adec2b9ee827100ff2caedd0958f95061bb77
-
SSDEEP
12288:7Xcxx2t6G/sAgiXH5DybRcnygUUDJ3l0DbiLutNS3haM78EQMZxmfemFXHW65zu+:7X22t6whH1nXrLKvE3l8Et2F2YuriV
Malware Config
Extracted
vipkeylogger
Protocol: smtp- Host:
smtp.ionos.es - Port:
587 - Username:
[email protected] - Password:
FungiCLM-Administracion24 - Email To:
[email protected]
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Vipkeylogger family
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 msiexec.exe Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 msiexec.exe Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 msiexec.exe -
Blocklisted process makes network request 8 IoCs
flow pid Process 23 4516 msiexec.exe 25 4516 msiexec.exe 27 4516 msiexec.exe 31 4516 msiexec.exe 33 4516 msiexec.exe 36 4516 msiexec.exe 38 4516 msiexec.exe 40 4516 msiexec.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 22 drive.google.com 23 drive.google.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 35 checkip.dyndns.org -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
pid Process 4516 msiexec.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 220 powershell.exe 4516 msiexec.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\huzzah.lnk a3f7477a9612f8ac90866fb2c4adc56a447f4a8262e4ac75bb1c825a254afbac.exe -
pid Process 220 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a3f7477a9612f8ac90866fb2c4adc56a447f4a8262e4ac75bb1c825a254afbac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msiexec.exe -
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid Process 220 powershell.exe 220 powershell.exe 220 powershell.exe 220 powershell.exe 220 powershell.exe 220 powershell.exe 220 powershell.exe 4516 msiexec.exe 4516 msiexec.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 220 powershell.exe -
Suspicious use of AdjustPrivilegeToken 23 IoCs
description pid Process Token: SeDebugPrivilege 220 powershell.exe Token: SeIncreaseQuotaPrivilege 220 powershell.exe Token: SeSecurityPrivilege 220 powershell.exe Token: SeTakeOwnershipPrivilege 220 powershell.exe Token: SeLoadDriverPrivilege 220 powershell.exe Token: SeSystemProfilePrivilege 220 powershell.exe Token: SeSystemtimePrivilege 220 powershell.exe Token: SeProfSingleProcessPrivilege 220 powershell.exe Token: SeIncBasePriorityPrivilege 220 powershell.exe Token: SeCreatePagefilePrivilege 220 powershell.exe Token: SeBackupPrivilege 220 powershell.exe Token: SeRestorePrivilege 220 powershell.exe Token: SeShutdownPrivilege 220 powershell.exe Token: SeDebugPrivilege 220 powershell.exe Token: SeSystemEnvironmentPrivilege 220 powershell.exe Token: SeRemoteShutdownPrivilege 220 powershell.exe Token: SeUndockPrivilege 220 powershell.exe Token: SeManageVolumePrivilege 220 powershell.exe Token: 33 220 powershell.exe Token: 34 220 powershell.exe Token: 35 220 powershell.exe Token: 36 220 powershell.exe Token: SeDebugPrivilege 4516 msiexec.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 4844 wrote to memory of 220 4844 a3f7477a9612f8ac90866fb2c4adc56a447f4a8262e4ac75bb1c825a254afbac.exe 82 PID 4844 wrote to memory of 220 4844 a3f7477a9612f8ac90866fb2c4adc56a447f4a8262e4ac75bb1c825a254afbac.exe 82 PID 4844 wrote to memory of 220 4844 a3f7477a9612f8ac90866fb2c4adc56a447f4a8262e4ac75bb1c825a254afbac.exe 82 PID 220 wrote to memory of 4516 220 powershell.exe 91 PID 220 wrote to memory of 4516 220 powershell.exe 91 PID 220 wrote to memory of 4516 220 powershell.exe 91 PID 220 wrote to memory of 4516 220 powershell.exe 91 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 msiexec.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 msiexec.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a3f7477a9612f8ac90866fb2c4adc56a447f4a8262e4ac75bb1c825a254afbac.exe"C:\Users\Admin\AppData\Local\Temp\a3f7477a9612f8ac90866fb2c4adc56a447f4a8262e4ac75bb1c825a254afbac.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4844 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -windowstyle minimized "$redeemership=Get-Content -Raw 'C:\Users\Admin\AppData\Roaming\interpellant\stimulere\Chemosis\Torsionsaffjedring.Une';$Tiltalen=$redeemership.SubString(61260,3);.$Tiltalen($redeemership)"2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:220 -
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe"3⤵
- Accesses Microsoft Outlook profiles
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4516
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
316KB
MD5beacf496f095426c48cdcbfb02aff79c
SHA1d26adaa0e0e3026d14cab7e0d4b3529452b42493
SHA256a7a907803e2932e0ca0a961e6924436e07b95aeda2d4641a612f99aa215ed3a8
SHA512e7ec3b661a623831f6a7cd31c194ce25f0ed3bfc0bc2657a5f8a84c3c11ea0f31af64062ef28f92a3d390a2c5193ac26b38985843749cff2791ec811897d8d66
-
Filesize
71KB
MD5d779cf7d1c17d1c3a3f3a01045e21c66
SHA162bec72bb9ca8b42af58dcf6d1f697c28e970632
SHA256d3ea7137ab96f1b33a042d5a46da033d5448fa21d494a439bff1b99d36613f5d
SHA512386658888f01d8787b4f0953156ec2086ac1d7802991bc20d6f388ca133d02e2eb59522f8201d7d7cb11fc2b93d902a78a212f68465e08709aa415e22b9b3004