Analysis
-
max time kernel
76s -
max time network
78s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
16-01-2025 15:48
General
-
Target
rNEWPURCHASEORDER094637.exe
-
Size
1.2MB
-
MD5
0154fe9c5f4ad81beeedcf4fdb397ed4
-
SHA1
939c3757ae0f62cda2ef34935d34f3ac70bba776
-
SHA256
f8c3f6b1795091d7211dc5b0d508c9ffa115e6fbbab18b4ee9545b2124e211e5
-
SHA512
957e65880d3979dd952f6989d460071ab6dbfcb6aaa036a6249153db7ff35c72ef51056e63bd9721697f5f8b528f1876d2a7f67b0b36646778a16d0d6246c5e5
-
SSDEEP
24576:uRmJkcoQricOIQxiZY1iaCrUHNXxWZW6+xBAio0WjijTbwPGS:7JZoQrbTFZY1iaCrSxXzPWjijT0OS
Malware Config
Extracted
vipkeylogger
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Vipkeylogger family
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Looks up external IP address via web service 11 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 21 IoCs
-
Suspicious use of SendNotifyMessage 20 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\rNEWPURCHASEORDER094637.exe"C:\Users\Admin\AppData\Local\Temp\rNEWPURCHASEORDER094637.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\rNEWPURCHASEORDER094637.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e5628b8-842c-45fd-80cc-9da389028aa9} 2196 "\\.\pipe\gecko-crash-server-pipe.2196" gpu3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2376 -parentBuildID 20240401114208 -prefsHandle 2368 -prefMapHandle 2364 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c3b1d794-63f0-468b-a47e-deef482f5fcf} 2196 "\\.\pipe\gecko-crash-server-pipe.2196" socket3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3044 -childID 1 -isForBrowser -prefsHandle 3116 -prefMapHandle 3172 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {923c1186-1f48-4a72-b495-98aa6137b798} 2196 "\\.\pipe\gecko-crash-server-pipe.2196" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4076 -childID 2 -isForBrowser -prefsHandle 4008 -prefMapHandle 1056 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1d740fc2-a0a4-40bf-a2cd-1cfb7586480f} 2196 "\\.\pipe\gecko-crash-server-pipe.2196" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4820 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4828 -prefMapHandle 4776 -prefsLen 29225 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07f1af0f-1e4f-4b64-9b4d-b8754ae021a4} 2196 "\\.\pipe\gecko-crash-server-pipe.2196" utility3⤵
- Checks processor information in registry
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5220 -childID 3 -isForBrowser -prefsHandle 5248 -prefMapHandle 5244 -prefsLen 27079 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5739ee6-1fff-4c18-b0bf-78f20fbe04f9} 2196 "\\.\pipe\gecko-crash-server-pipe.2196" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5412 -childID 4 -isForBrowser -prefsHandle 5424 -prefMapHandle 5368 -prefsLen 27079 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f7ab79d-c073-426c-8fb1-cac63cadcaff} 2196 "\\.\pipe\gecko-crash-server-pipe.2196" tab3⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5572 -childID 5 -isForBrowser -prefsHandle 5580 -prefMapHandle 5584 -prefsLen 27079 -prefMapSize 244658 -jsInitHandle 908 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42827dba-6674-46d5-b8ec-0535d48e9042} 2196 "\\.\pipe\gecko-crash-server-pipe.2196" tab3⤵
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\passwords.txt1⤵
- Opens file in notepad (likely ransom note)
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5KB
MD5565e77a23eca39a4ef7556899e923494
SHA19a874b3951cff5e7f66485ec1174d91206d04182
SHA25618408d173c7a84c767fcccd37bb8e9503249153cb250ba7726ff23d27cedb2ac
SHA5127e7690358e02df620f1558292b5cd911e0f427f16da024830b4a9277849608389691d8099a528de08af86f3177b55df454ad387c212f5ccac2ae8430b154710c
-
Filesize
671B
MD5e18b1295095a083eb33270ec868e0113
SHA13ccd17ff874de242cf2abad537ab0bec8f60fd58
SHA256a99ae7552967001714779c9331f417c3f46903f2de9c6551656259c124bbc57c
SHA512f8b0d18d90537ca750bdddbe7a43d32073f31396fbb9e8f65c51ece18958228f5ff021853cfb50b9bd9acd3b89fddc7cf3cf97c5b840345abe71419fdd75929b
-
Filesize
26KB
MD599c88656ccd67cf320ecf203c6ea6e5f
SHA1e9a704627410d7fd05b00411b72c43083eead461
SHA2569d2c38812c0c84902b6309ab9a572c6c874026faf38693cfc2516391605632b2
SHA512c90474cf58436ebfc94ec1f2df8720123dff6edf4391f06b14a60f106718ea3e2b47645cc7cdb712610b975db78788158a1cd8a6d8369b14fc11657fc045b8f8
-
Filesize
982B
MD5a1e6ceb5c0c27b14316f15a5d923e531
SHA1ddf12a4051e72a685ac8e609dd97a145c723773c
SHA256cd91dcd2e0443fdc3e071d0213c9918c163956bd179f1fb04b970b86236d51f1
SHA51254e6c9e9f2411edfa2b4f5a477ce1f11b409e2de4dc5dd73f9c4512b66eb09d28fe658270e9cd38ed464dddf0e2e8fded9999c7e3634ed9c57128662a6ca8287
-
Filesize
10KB
MD5f12db98b8c0934a35784f3e928f53146
SHA1f6a14f8e67b263ebea0fc1fe03260a4b96f0643e
SHA25624480837c5e73fce92586418e006a542bd590cb6123e63c1925bdbcdd991edc1
SHA512f3d7b81140abe77d633348d9affbfd66f2d241aa4dfc9b2b97e1c03fb33e622ea3009973b28a34caf673a3e1bfb3d0d56b5fa6606396f5c3552eccefc0a3846a
-
Filesize
10KB
MD55e255445260d992f48ff7dca04af60fc
SHA1fe61387079a94dc197fdc656010fe03a00073ae5
SHA25647b6abc52233e2cbea7afc8e4c89569af3af801fb5ea8c019711c3da558f3194
SHA5126acbdb9b40fdc1e8ee4d388a9e5172d8b7802f2dfa7b85114ac9b3e508784d17d65a7eed69c1ea562ec5d4b555e3bef55e6f7b10353f541f6ab1beccd8965800
-
Filesize
37B
MD543a4dc5742cbbdf5e3e66df6d853da39
SHA1a29024b5a6f7e1cc8fc8879157178839e3f45947
SHA256f35932e0cd6672d6e2a52e345ca421504e6dc59261299c0dfc5560081422278a
SHA5128855e03d8bf06d2207cfb68c96b3dd73922b3ecba19d8d2ce5406d30555c98de59c7413fc643b421ed1c14833472752abe3dd3e440805dc1288102752ccddeca
-
Filesize
348KB
-
Filesize
348KB
-
Filesize
7.7MB
-
Filesize
368KB
-
Filesize
7.7MB
-
Filesize
348KB
-
Filesize
348KB
-
Filesize
348KB
-
Filesize
260KB
-
Filesize
348KB
-
Filesize
348KB
-
Filesize
348KB
-
Filesize
348KB
-
Filesize
348KB
-
Filesize
348KB
-
Filesize
348KB
-
Filesize
348KB
-
Filesize
348KB
-
Filesize
348KB
-
Filesize
348KB
-
Filesize
348KB
-
Filesize
348KB
-
Filesize
348KB
-
Filesize
348KB
-
Filesize
348KB
-
Filesize
348KB
-
Filesize
348KB
-
Filesize
7.7MB
-
Filesize
348KB
-
Filesize
348KB
-
Filesize
348KB
-
Filesize
348KB
-
Filesize
348KB
-
Filesize
348KB
-
Filesize
348KB
-
Filesize
348KB
-
Filesize
624KB
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
376KB
-
Filesize
4KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
1.8MB
-
Filesize
320KB
-
Filesize
5.2MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
4.0MB