Analysis
max time kernel: 111s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20250129-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/01/2025, 15:48
Static task: static1
Behavioral task: behavioral1
  Sample: Vessel particulars.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: Vessel particulars.exe
  Resource: win10v2004-20250129-en
General
Target: Vessel particulars.exe
Size: 1.1MB
MD5: 909a37e97faff915cd4906fe7684ec63
SHA1: 5ae37a8ae70e36e9cf4f9e8895045f77eca11c51
SHA256: a15eb8020f01e743035823a05c7417a4ef31eaf02dee24af25cd03326561c17f
SHA512: 58bb45c2d55b4602852c0921f9aa39f3a09645689beea49b7408ce44da75eb9f9701effc765f3808e8d79eaefa9fc49531719e3d334d1d21e54ca35f78cac25d
SSDEEP: 24576:bAHnh+eWsN3skA4RV1Hom2KXFmIaQtS2rEDjuKsV5U5j5:2h+ZkldoPK1XaQtvEDqTV5UL
Malware Config
Extracted
Family: vipkeylogger
C2: https://api.telegram.org/bot8043603189:AAFpR2ormgQgQpP5aDirNgZd72aHXUsGdlI/sendMessage?chat_id=2135869667
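The extracted configuration is a Telegram Bot API URL: the `bot<id>:<secret>` path segment is the bot credential and `chat_id` is the recipient the stolen data is posted to. The report's network flows show the same process hitting public-IP lookup services before exfiltration. The following is an added example, not part of the tria.ge report, that splits such a URL into hunting pivots and flags that lookup-then-Telegram sequence in proxy logs. The log line format, the process images in it and the second (benign-control) bot credential are constructed for the example; the first URL is the one extracted above.

```python
"""Added example (not from the tria.ge report): derive hunting pivots from a
Telegram Bot API C2 URL and flag the report's exfil chain (public-IP lookup,
then Telegram Bot API) in proxy logs.  Log lines and their format are
constructed for this example."""
import re
from urllib.parse import parse_qs, urlsplit

# Bot API path shape: /bot<numeric id>:<secret>/<method>.  id:secret together
# form the full credential; the numeric bot id alone is a safe pivot to share.
TG_BOT_PATH = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]{30,})/([A-Za-z]+)$")

# Public-IP lookup hosts listed in the report's network flows.
IP_LOOKUP_HOSTS = {"reallyfreegeoip.org", "checkip.dyndns.org"}

# C2 URL as extracted in the report above.
C2 = ("https://api.telegram.org/bot8043603189:AAFpR2ormgQgQpP5aDirNgZd72aHXUsGdlI"
      "/sendMessage?chat_id=2135869667")


def parse_telegram_c2(url):
    """Return {bot_id, secret, method, chat_id} for a Bot API URL, else None."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() != "api.telegram.org":
        return None
    m = TG_BOT_PATH.match(parts.path)
    if not m:
        return None
    bot_id, secret, method = m.groups()
    chat_id = parse_qs(parts.query).get("chat_id", [None])[0]
    return {"bot_id": bot_id, "secret": secret, "method": method, "chat_id": chat_id}


# Constructed proxy log: "<time> <pid> <image> <url>", one request per line.
# PID 4380 replays the report's RegSvcs.exe; the last two lines are controls
# (a lookup with no Telegram traffic, and Telegram traffic with no lookup,
# using a made-up bot credential).
PROXY_LOG = """\
15:49:02 4380 RegSvcs.exe http://checkip.dyndns.org/
15:49:03 4380 RegSvcs.exe https://reallyfreegeoip.org/xml/203.0.113.7
15:49:05 4380 RegSvcs.exe https://api.telegram.org/bot8043603189:AAFpR2ormgQgQpP5aDirNgZd72aHXUsGdlI/sendMessage?chat_id=2135869667
15:51:00 3300 curl.exe https://checkip.dyndns.org/
15:52:30 7777 someapp.exe https://api.telegram.org/bot1234567890:AAEconstructedSecretForExampleOnly00/sendMessage?chat_id=1
"""


def hunt(log_text):
    """Walk the log in order.  A process that performed an IP lookup and then
    calls the Bot API is reported as 'exfil_chain'; Bot API traffic without a
    preceding lookup is still surfaced as 'telegram_bot_api'."""
    seen_lookup = set()
    alerts = []
    for line in log_text.splitlines():
        ts, pid, image, url = line.split(maxsplit=3)
        host = (urlsplit(url).hostname or "").lower()
        if host in IP_LOOKUP_HOSTS:
            seen_lookup.add(pid)
            continue
        c2 = parse_telegram_c2(url)
        if c2:
            alerts.append({
                "rule": "exfil_chain" if pid in seen_lookup else "telegram_bot_api",
                "time": ts, "pid": int(pid), "image": image,
                "bot_id": c2["bot_id"], "chat_id": c2["chat_id"], "method": c2["method"],
            })
    return alerts


if __name__ == "__main__":
    print(parse_telegram_c2(C2))
    for a in hunt(PROXY_LOG):
        print(a)
```

The secret half of the credential is kept in the parsed record so it can be reported to Telegram for revocation, but only `bot_id` and `chat_id` are written into the alert; a hunting query that matches on the bot id and the `api.telegram.org` host will also catch the same operator's other samples, which frequently reuse the bot.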
Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

Vipkeylogger family

Drops startup file (1 IoC)
  description   ioc                                                                                             process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\savagenesses.vbs   savagenesses.exe

Executes dropped EXE (2 IoCs)
  pid   process
  4680  savagenesses.exe
  1600  savagenesses.exe

Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  description  ioc                                                                                                                                                                    process
  Key opened   \REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                   RegSvcs.exe
  Key opened   \REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   RegSvcs.exe
  Key opened   \REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                   RegSvcs.exe

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  16    reallyfreegeoip.org
  17    reallyfreegeoip.org
  13    checkip.dyndns.org

AutoIT Executable (5 IoCs)
AutoIT scripts compiled to PE executables.
  resource                                                                      yara_rule
  behavioral2/files/0x000f000000023b51-16.dat                                   autoit_exe
  behavioral2/memory/4680-33-0x0000000000F30000-0x000000000104C000-memory.dmp   autoit_exe
  behavioral2/memory/4680-36-0x0000000000F30000-0x000000000104C000-memory.dmp   autoit_exe
  behavioral2/memory/1600-52-0x0000000000F30000-0x000000000104C000-memory.dmp   autoit_exe
  behavioral2/memory/1600-56-0x0000000000F30000-0x000000000104C000-memory.dmp   autoit_exe

Suspicious use of SetThreadContext (1 IoC)
  description                            pid   process           procid_target
  PID 1600 set thread context of 4380    1600  savagenesses.exe  87

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Vessel particulars.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  savagenesses.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  savagenesses.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  RegSvcs.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid   process
  4380  RegSvcs.exe  (3 events)

Suspicious behavior: MapViewOfSection (2 IoCs)
  pid   process
  4680  savagenesses.exe
  1600  savagenesses.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   process
  Token: SeDebugPrivilege  4380  RegSvcs.exe

Suspicious use of FindShellTrayWindow (6 IoCs)
  pid   process
  4052  Vessel particulars.exe  (2 events)
  4680  savagenesses.exe        (2 events)
  1600  savagenesses.exe        (2 events)

Suspicious use of SendNotifyMessage (6 IoCs)
  pid   process
  4052  Vessel particulars.exe  (2 events)
  4680  savagenesses.exe        (2 events)
  1600  savagenesses.exe        (2 events)

Suspicious use of WriteProcessMemory (13 IoCs)
  description                         pid   process                 procid_target
  PID 4052 wrote to memory of 4680    4052  Vessel particulars.exe  84  (3 events)
  PID 4680 wrote to memory of 3640    4680  savagenesses.exe        85  (3 events)
  PID 4680 wrote to memory of 1600    4680  savagenesses.exe        86  (3 events)
  PID 1600 wrote to memory of 4380    1600  savagenesses.exe        87  (4 events)

outlook_office_path (1 IoC)
  description  ioc                                                                                                                                    process
  Key opened   \REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   RegSvcs.exe

outlook_win_path (1 IoC)
  description  ioc                                                                                                                                                                    process
  Key opened   \REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   RegSvcs.exe
Processes
C:\Users\Admin\AppData\Local\Temp\Vessel particulars.exe (depth 1, PID 4052)
  command line: "C:\Users\Admin\AppData\Local\Temp\Vessel particulars.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\parachronism\savagenesses.exe (depth 2, PID 4680)
    command line: "C:\Users\Admin\AppData\Local\Temp\Vessel particulars.exe"
    - Drops startup file
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 3, PID 3640)
      command line: "C:\Users\Admin\AppData\Local\Temp\Vessel particulars.exe"
    C:\Users\Admin\AppData\Local\parachronism\savagenesses.exe (depth 3, PID 1600)
      command line: "C:\Users\Admin\AppData\Local\parachronism\savagenesses.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 4, PID 4380)
        command line: "C:\Users\Admin\AppData\Local\parachronism\savagenesses.exe"
        - Accesses Microsoft Outlook profiles
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - outlook_office_path
        - outlook_win_path
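The process tree above is the classic AutoIt-dropper-to-.NET-hollowing chain: the dropper copies itself to a user-writable directory, writes a .vbs into the Startup folder, re-launches itself, and the second instance writes into and sets the thread context of a freshly spawned RegSvcs.exe whose command line still names the parent binary. The following is an added example, not part of the tria.ge report, that replays those steps as Sysmon-style events (EventID 1 process creation, 10 process access, 11 file creation) and runs three detections over them. The event dictionaries, field names, the explorer.exe and devenv.exe control paths, and the rule thresholds are constructed for the example and are heuristics, not tria.ge's own signatures.

```python
"""Added example (not from the tria.ge report): replay the report's process
tree and signature hits as Sysmon-style events and run three detections over
them.  Events, field names and thresholds are constructed for this example."""
import re

IMG_DROPPER = r"C:\Users\Admin\AppData\Local\Temp\Vessel particulars.exe"
IMG_COPY = r"C:\Users\Admin\AppData\Local\parachronism\savagenesses.exe"
IMG_REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
STARTUP_VBS = (r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu"
               r"\Programs\Startup\savagenesses.vbs")

# Constructed events mirroring the report: 4052 -> 4680 -> 1600 -> 4380.
# id 1 = process create, id 10 = process access, id 11 = file create.
EVENTS = [
    {"id": 1, "pid": 4052, "ppid": 1234, "image": IMG_DROPPER,
     "parent": r"C:\Windows\explorer.exe", "cmdline": f'"{IMG_DROPPER}"'},
    {"id": 1, "pid": 4680, "ppid": 4052, "image": IMG_COPY,
     "parent": IMG_DROPPER, "cmdline": f'"{IMG_DROPPER}"'},
    {"id": 11, "pid": 4680, "image": IMG_COPY, "target": STARTUP_VBS},
    {"id": 1, "pid": 1600, "ppid": 4680, "image": IMG_COPY,
     "parent": IMG_COPY, "cmdline": f'"{IMG_COPY}"'},
    {"id": 1, "pid": 4380, "ppid": 1600, "image": IMG_REGSVCS,
     "parent": IMG_COPY, "cmdline": f'"{IMG_COPY}"'},
    {"id": 10, "pid": 1600, "image": IMG_COPY, "target_pid": 4380,
     "target_image": IMG_REGSVCS, "access": 0x1FFFFF},
    # Benign control: Visual Studio registering a component via RegSvcs.exe.
    {"id": 1, "pid": 5000, "ppid": 4999, "image": IMG_REGSVCS,
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "cmdline": f'"{IMG_REGSVCS}" MyComponent.dll'},
]

# Heuristic building blocks.
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
DOTNET_UTILS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe"}
STARTUP_SCRIPT = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(vbs|js|wsf|bat|cmd|ps1|lnk)$",
    re.IGNORECASE)
PROCESS_VM_WRITE = 0x0020  # PROCESS_ALL_ACCESS (0x1FFFFF) includes this bit


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return [(rule, pid, detail)] for every event that trips a rule."""
    hits = []
    for e in events:
        if e["id"] == 1 and basename(e["image"]) in DOTNET_UTILS:
            reasons = []
            if USER_WRITABLE.match(e["parent"]):
                reasons.append("parent runs from user-writable AppData")
            # Hollowing tell seen in the report: the child's command line
            # names the parent's binary rather than its own image.
            if basename(e["image"]) not in e["cmdline"].lower():
                reasons.append("command line does not name the image")
            if reasons:
                hits.append(("dotnet_utility_from_userland", e["pid"], "; ".join(reasons)))
        elif e["id"] == 11 and STARTUP_SCRIPT.search(e["target"]) \
                and USER_WRITABLE.match(e["image"]):
            hits.append(("startup_script_drop", e["pid"], e["target"]))
        elif e["id"] == 10 and basename(e["target_image"]) in DOTNET_UTILS \
                and e["access"] & PROCESS_VM_WRITE:
            hits.append(("write_access_to_dotnet_utility", e["pid"],
                         f"target pid {e['target_pid']} access 0x{e['access']:X}"))
    return hits


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit)
```

The devenv.exe control shows why two conditions are combined on the RegSvcs rule: a legitimate RegSvcs.exe launch has a trusted parent and a command line that names RegSvcs.exe itself, so neither reason fires, while the hollowed instance from the report trips both.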
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 242KB
MD5: efa36559459d8a95d5d29596030bb9cb
SHA1: dd4292faa0dc9430ab8a56ebaa29e3de2169e20d
SHA256: cf2cd6d65a7e9be25f5fcdbbb17d69142fe1af0295a9b43328db77e91a94067c
SHA512: cef22a7688400302f337d27f27697da7c7f4bbac78b7c7c0b302b69fe9113399b12a8f0fb94639209442c530a5e24fba5c939af4f5ac1e0c7c0a91a355c47ec0

Filesize: 11KB
MD5: 02cb391fa991f4a7c4288b2636b3f432
SHA1: 92c161c146b6d8b5f08976aefbb1b88ae2937ddb
SHA256: 32960f8fc3a5cda77afd30fe66dedd132446acd360fc42b16c3f3cbd541d43a8
SHA512: 818f4c28fe7d12531ea19c7df4b46ea1d1296ac6d7d922bcababc456bd295089a6e4977487dbe801ce205aab017d7c2e1b318392e9aa9bf5d912a6d0db767718

Filesize: 58KB
MD5: 2533f891e58ed20a758e7d7694e14cce
SHA1: 89058b25ad725522939f4d1a66cd53d706ae124b
SHA256: bd1f6f108b7d53e1274736692946d1fa28e51cafa3320912edced0258ec90f6c
SHA512: f35ced1276857655c358f6e7f5600cd2f9c89c20d9ac6ab3b0c4bed45c816c730ecee0f0012268c846faf7236e3e245327c7f2405cff69f8660a812a2b940747

Filesize: 1.1MB
MD5: 909a37e97faff915cd4906fe7684ec63
SHA1: 5ae37a8ae70e36e9cf4f9e8895045f77eca11c51
SHA256: a15eb8020f01e743035823a05c7417a4ef31eaf02dee24af25cd03326561c17f
SHA512: 58bb45c2d55b4602852c0921f9aa39f3a09645689beea49b7408ce44da75eb9f9701effc765f3808e8d79eaefa9fc49531719e3d334d1d21e54ca35f78cac25d