Analysis

  • max time kernel
    122s
  • max time network
    116s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-01-2025 04:12

General

  • Target

    c7a9a258ebcce8d059be3d43911b8150cba636c9111224f29924460ffaf0bf33.exe

  • Size

    836KB

  • MD5

    c2fed4eb83e71081a2d50875a519cdd8

  • SHA1

    7dd2cc60334b0eabe6dea6576c0456b6aac05b0a

  • SHA256

    c7a9a258ebcce8d059be3d43911b8150cba636c9111224f29924460ffaf0bf33

  • SHA512

    75482be16caf260dae875d43428cd0f465f85e31def79afcbd69402017122c0d9a69d5f0fe8a0d33b4278aef6c0869d5545581413acb405fd7db40cdfc21683f

  • SSDEEP

    12288:L3LWvY7t2ikRpkGjKm2hy8Vr4yGM1aUIQVo+H6PpH60iXCHX7i8HjffOXDxjr/o0:Ow7tsRpRjKmZUIko8bANHQxw

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot8161253841:AAGRHYxgiSkOebv0FuCGL9evrRdWU0PY_rw/sendMessage?chat_id=6851554211

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first observed in 2020.

  • Vipkeylogger family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c7a9a258ebcce8d059be3d43911b8150cba636c9111224f29924460ffaf0bf33.exe
    "C:\Users\Admin\AppData\Local\Temp\c7a9a258ebcce8d059be3d43911b8150cba636c9111224f29924460ffaf0bf33.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2576
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\c7a9a258ebcce8d059be3d43911b8150cba636c9111224f29924460ffaf0bf33.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2836
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YEjNzKzBGpIz.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2792
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YEjNzKzBGpIz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1A06.tmp"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2888
    • C:\Users\Admin\AppData\Local\Temp\c7a9a258ebcce8d059be3d43911b8150cba636c9111224f29924460ffaf0bf33.exe
      C:\Users\Admin\AppData\Local\Temp\c7a9a258ebcce8d059be3d43911b8150cba636c9111224f29924460ffaf0bf33.exe
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:2652

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp1A06.tmp

    Filesize

    1KB

    MD5

    dc83c45bccd4a16b246ad402eb75be69

    SHA1

    0cb70d6dceaa358ed32597986cf6279171cd3a20

    SHA256

    e2b7672a0907c2542a5580912d7e6a73ecde4d5645e25d3afd208bd5cb9113ce

    SHA512

    40ce32737e67f567d052d7026c9a0f6ee988b01fd083149e706223bfa646ad61bf1cd76e3c7f5f9a11eb1317f357b35b255bde0d80fd5cb464ac9e80c00d7620

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    2a59d50d4ee1b6fc44bdfa71cafca3b8

    SHA1

    2e3d91dbd1cb9d9e1a51d51dabbe99a153601c29

    SHA256

    61bd4d820544e93c952e2ef4e292fef04004fd7ba65476526cbe0b5272760373

    SHA512

    c792d7f1e458d5c5662ffd712fe57505c9631d5239f784dfef5202d1a0459e85fab010ef8628d299797a55f2e71c453c015eaee83360766c20c9bc106ad83a2e

  • memory/2576-4-0x000007FEF6323000-0x000007FEF6324000-memory.dmp

    Filesize

    4KB

  • memory/2576-1-0x000000013F960000-0x000000013FA34000-memory.dmp

    Filesize

    848KB

  • memory/2576-0-0x000007FEF6323000-0x000007FEF6324000-memory.dmp

    Filesize

    4KB

  • memory/2576-5-0x000007FEF6320000-0x000007FEF6D0C000-memory.dmp

    Filesize

    9.9MB

  • memory/2576-6-0x00000000006B0000-0x00000000006C4000-memory.dmp

    Filesize

    80KB

  • memory/2576-7-0x000000001C0A0000-0x000000001C12E000-memory.dmp

    Filesize

    568KB

  • memory/2576-2-0x000007FEF6320000-0x000007FEF6D0C000-memory.dmp

    Filesize

    9.9MB

  • memory/2576-33-0x000007FEF6320000-0x000007FEF6D0C000-memory.dmp

    Filesize

    9.9MB

  • memory/2576-3-0x00000000022C0000-0x00000000022E6000-memory.dmp

    Filesize

    152KB

  • memory/2652-24-0x0000000140000000-0x000000014004A000-memory.dmp

    Filesize

    296KB

  • memory/2652-28-0x0000000140000000-0x000000014004A000-memory.dmp

    Filesize

    296KB

  • memory/2652-26-0x0000000140000000-0x000000014004A000-memory.dmp

    Filesize

    296KB

  • memory/2652-31-0x0000000140000000-0x000000014004A000-memory.dmp

    Filesize

    296KB

  • memory/2652-30-0x000007FFFFFD6000-0x000007FFFFFD7000-memory.dmp

    Filesize

    4KB

  • memory/2836-22-0x0000000001E80000-0x0000000001E88000-memory.dmp

    Filesize

    32KB

  • memory/2836-16-0x000000001B740000-0x000000001BA22000-memory.dmp

    Filesize

    2.9MB