Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
106s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10/01/2025, 14:09
Behavioral task
behavioral1
Sample
3fc9afa49fa31f495a7792c38b6087609438625ec5073383483d7d1411c7cec8.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
3fc9afa49fa31f495a7792c38b6087609438625ec5073383483d7d1411c7cec8.exe
Resource
win10v2004-20241007-en
General
-
Target
3fc9afa49fa31f495a7792c38b6087609438625ec5073383483d7d1411c7cec8.exe
-
Size
634KB
-
MD5
80a64f0b8df55d637e135f0eb4fb6b70
-
SHA1
f491fc184d0f15d789e81577e47446478c10ed53
-
SHA256
3fc9afa49fa31f495a7792c38b6087609438625ec5073383483d7d1411c7cec8
-
SHA512
f2604fc98d1ed6959b4a42ef442cac15919ebb1b26f7516fa0ca782c639d035c7f5c0f599511e87246338a959be4e5104ff98e3df4bb7ab78b50389784e83432
-
SSDEEP
12288:ZOv5jKhsfoPA+yeVKUCUxP4C902bdRtJJPiaqooGCQemOT6I0FGk9x:Zq5TfcdHj4fmbGG53OF0Nx
Malware Config
Extracted
vipkeylogger
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Vipkeylogger family
-
Drops startup file 1 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\demonetised.vbs demonetised.exe -
Executes dropped EXE 1 IoCs
pid Process 3724 demonetised.exe -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 svchost.exe Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 svchost.exe Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 svchost.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 14 checkip.dyndns.org 16 reallyfreegeoip.org 17 reallyfreegeoip.org -
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/1264-13-0x0000000000640000-0x00000000007AF000-memory.dmp autoit_exe behavioral2/memory/3724-33-0x00000000004D0000-0x000000000063F000-memory.dmp autoit_exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3724 set thread context of 1500 3724 demonetised.exe 84 -
resource yara_rule behavioral2/memory/1264-0-0x0000000000640000-0x00000000007AF000-memory.dmp upx behavioral2/files/0x0007000000023c9c-10.dat upx behavioral2/memory/3724-14-0x00000000004D0000-0x000000000063F000-memory.dmp upx behavioral2/memory/1264-13-0x0000000000640000-0x00000000007AF000-memory.dmp upx behavioral2/memory/3724-33-0x00000000004D0000-0x000000000063F000-memory.dmp upx -
Program crash 1 IoCs
pid pid_target Process procid_target 2276 3724 WerFault.exe 83 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language demonetised.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3fc9afa49fa31f495a7792c38b6087609438625ec5073383483d7d1411c7cec8.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1500 svchost.exe 1500 svchost.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 3724 demonetised.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1500 svchost.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process 1264 3fc9afa49fa31f495a7792c38b6087609438625ec5073383483d7d1411c7cec8.exe 1264 3fc9afa49fa31f495a7792c38b6087609438625ec5073383483d7d1411c7cec8.exe 3724 demonetised.exe 3724 demonetised.exe -
Suspicious use of SendNotifyMessage 4 IoCs
pid Process 1264 3fc9afa49fa31f495a7792c38b6087609438625ec5073383483d7d1411c7cec8.exe 1264 3fc9afa49fa31f495a7792c38b6087609438625ec5073383483d7d1411c7cec8.exe 3724 demonetised.exe 3724 demonetised.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 1264 wrote to memory of 3724 1264 3fc9afa49fa31f495a7792c38b6087609438625ec5073383483d7d1411c7cec8.exe 83 PID 1264 wrote to memory of 3724 1264 3fc9afa49fa31f495a7792c38b6087609438625ec5073383483d7d1411c7cec8.exe 83 PID 1264 wrote to memory of 3724 1264 3fc9afa49fa31f495a7792c38b6087609438625ec5073383483d7d1411c7cec8.exe 83 PID 3724 wrote to memory of 1500 3724 demonetised.exe 84 PID 3724 wrote to memory of 1500 3724 demonetised.exe 84 PID 3724 wrote to memory of 1500 3724 demonetised.exe 84 PID 3724 wrote to memory of 1500 3724 demonetised.exe 84 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 svchost.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 svchost.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3fc9afa49fa31f495a7792c38b6087609438625ec5073383483d7d1411c7cec8.exe"C:\Users\Admin\AppData\Local\Temp\3fc9afa49fa31f495a7792c38b6087609438625ec5073383483d7d1411c7cec8.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Users\Admin\AppData\Local\inhumate\demonetised.exe"C:\Users\Admin\AppData\Local\Temp\3fc9afa49fa31f495a7792c38b6087609438625ec5073383483d7d1411c7cec8.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3724 -
C:\Windows\SysWOW64\svchost.exe"C:\Users\Admin\AppData\Local\Temp\3fc9afa49fa31f495a7792c38b6087609438625ec5073383483d7d1411c7cec8.exe"3⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1500
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 7323⤵
- Program crash
PID:2276
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3724 -ip 37241⤵PID:4760
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
634KB
MD580a64f0b8df55d637e135f0eb4fb6b70
SHA1f491fc184d0f15d789e81577e47446478c10ed53
SHA2563fc9afa49fa31f495a7792c38b6087609438625ec5073383483d7d1411c7cec8
SHA512f2604fc98d1ed6959b4a42ef442cac15919ebb1b26f7516fa0ca782c639d035c7f5c0f599511e87246338a959be4e5104ff98e3df4bb7ab78b50389784e83432