Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20250129-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/01/2025, 06:32
Static task: static1
Behavioral task: behavioral1
  Sample: a15eb8020f01e743035823a05c7417a4ef31eaf02dee24af25cd03326561c17f.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: a15eb8020f01e743035823a05c7417a4ef31eaf02dee24af25cd03326561c17f.exe
  Resource: win10v2004-20250129-en
General
Target: a15eb8020f01e743035823a05c7417a4ef31eaf02dee24af25cd03326561c17f.exe
Size: 1.1MB
MD5: 909a37e97faff915cd4906fe7684ec63
SHA1: 5ae37a8ae70e36e9cf4f9e8895045f77eca11c51
SHA256: a15eb8020f01e743035823a05c7417a4ef31eaf02dee24af25cd03326561c17f
SHA512: 58bb45c2d55b4602852c0921f9aa39f3a09645689beea49b7408ce44da75eb9f9701effc765f3808e8d79eaefa9fc49531719e3d334d1d21e54ca35f78cac25d
SSDEEP: 24576:bAHnh+eWsN3skA4RV1Hom2KXFmIaQtS2rEDjuKsV5U5j5:2h+ZkldoPK1XaQtvEDqTV5UL
Malware Config
Extracted
  Family: vipkeylogger
  C2: https://api.telegram.org/bot8043603189:AAFpR2ormgQgQpP5aDirNgZd72aHXUsGdlI/sendMessage?chat_id=2135869667
Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.

Vipkeylogger family
Drops startup file (1 IoC)
  Description: File created
  IoC: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\savagenesses.vbs
  Process: savagenesses.exe

Executes dropped EXE (1 IoC)
  PID: 3968
  Process: savagenesses.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow: 6
  IoC: checkip.dyndns.org

AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
  Resource: behavioral2/files/0x0008000000023c76-16.dat
  YARA rule: autoit_exe

Suspicious use of SetThreadContext (1 IoC)
  Description: PID 3968 set thread context of 4548
  PID: 3968
  Process: savagenesses.exe
  procid_target: 86
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description: Key opened | IoC: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: RegSvcs.exe
  Description: Key opened | IoC: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: a15eb8020f01e743035823a05c7417a4ef31eaf02dee24af25cd03326561c17f.exe
  Description: Key opened | IoC: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process: savagenesses.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID: 4548 | Process: RegSvcs.exe
  PID: 4548 | Process: RegSvcs.exe

Suspicious behavior: MapViewOfSection (1 IoC)
  PID: 3968 | Process: savagenesses.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Description: Token: SeDebugPrivilege | PID: 4548 | Process: RegSvcs.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
  PID: 840 | Process: a15eb8020f01e743035823a05c7417a4ef31eaf02dee24af25cd03326561c17f.exe
  PID: 840 | Process: a15eb8020f01e743035823a05c7417a4ef31eaf02dee24af25cd03326561c17f.exe
  PID: 3968 | Process: savagenesses.exe
  PID: 3968 | Process: savagenesses.exe

Suspicious use of SendNotifyMessage (4 IoCs)
  PID: 840 | Process: a15eb8020f01e743035823a05c7417a4ef31eaf02dee24af25cd03326561c17f.exe
  PID: 840 | Process: a15eb8020f01e743035823a05c7417a4ef31eaf02dee24af25cd03326561c17f.exe
  PID: 3968 | Process: savagenesses.exe
  PID: 3968 | Process: savagenesses.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  Description: PID 840 wrote to memory of 3968 | PID: 840 | Process: a15eb8020f01e743035823a05c7417a4ef31eaf02dee24af25cd03326561c17f.exe | procid_target: 85
  Description: PID 840 wrote to memory of 3968 | PID: 840 | Process: a15eb8020f01e743035823a05c7417a4ef31eaf02dee24af25cd03326561c17f.exe | procid_target: 85
  Description: PID 840 wrote to memory of 3968 | PID: 840 | Process: a15eb8020f01e743035823a05c7417a4ef31eaf02dee24af25cd03326561c17f.exe | procid_target: 85
  Description: PID 3968 wrote to memory of 4548 | PID: 3968 | Process: savagenesses.exe | procid_target: 86
  Description: PID 3968 wrote to memory of 4548 | PID: 3968 | Process: savagenesses.exe | procid_target: 86
  Description: PID 3968 wrote to memory of 4548 | PID: 3968 | Process: savagenesses.exe | procid_target: 86
  Description: PID 3968 wrote to memory of 4548 | PID: 3968 | Process: savagenesses.exe | procid_target: 86
Processes

1. C:\Users\Admin\AppData\Local\Temp\a15eb8020f01e743035823a05c7417a4ef31eaf02dee24af25cd03326561c17f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a15eb8020f01e743035823a05c7417a4ef31eaf02dee24af25cd03326561c17f.exe"
   PID: 840
   - System Location Discovery: System Language Discovery
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\parachronism\savagenesses.exe (child of PID 840)
      Command line: "C:\Users\Admin\AppData\Local\Temp\a15eb8020f01e743035823a05c7417a4ef31eaf02dee24af25cd03326561c17f.exe"
      PID: 3968
      - Drops startup file
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (child of PID 3968)
         Command line: "C:\Users\Admin\AppData\Local\Temp\a15eb8020f01e743035823a05c7417a4ef31eaf02dee24af25cd03326561c17f.exe"
         PID: 4548
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 242KB
MD5: efa36559459d8a95d5d29596030bb9cb
SHA1: dd4292faa0dc9430ab8a56ebaa29e3de2169e20d
SHA256: cf2cd6d65a7e9be25f5fcdbbb17d69142fe1af0295a9b43328db77e91a94067c
SHA512: cef22a7688400302f337d27f27697da7c7f4bbac78b7c7c0b302b69fe9113399b12a8f0fb94639209442c530a5e24fba5c939af4f5ac1e0c7c0a91a355c47ec0

Filesize: 58KB
MD5: 2533f891e58ed20a758e7d7694e14cce
SHA1: 89058b25ad725522939f4d1a66cd53d706ae124b
SHA256: bd1f6f108b7d53e1274736692946d1fa28e51cafa3320912edced0258ec90f6c
SHA512: f35ced1276857655c358f6e7f5600cd2f9c89c20d9ac6ab3b0c4bed45c816c730ecee0f0012268c846faf7236e3e245327c7f2405cff69f8660a812a2b940747

Filesize: 1.1MB
MD5: 909a37e97faff915cd4906fe7684ec63
SHA1: 5ae37a8ae70e36e9cf4f9e8895045f77eca11c51
SHA256: a15eb8020f01e743035823a05c7417a4ef31eaf02dee24af25cd03326561c17f
SHA512: 58bb45c2d55b4602852c0921f9aa39f3a09645689beea49b7408ce44da75eb9f9701effc765f3808e8d79eaefa9fc49531719e3d334d1d21e54ca35f78cac25d