Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20250211-en -
resource tags
arch:x64arch:x86image:win10v2004-20250211-enlocale:en-usos:windows10-2004-x64system -
submitted
11/02/2025, 15:27
Static task
static1
Behavioral task
behavioral1
Sample
Momskoden.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Momskoden.exe
Resource
win10v2004-20250211-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20250207-en
General
-
Target
Momskoden.exe
-
Size
1.1MB
-
MD5
2aa166a2719616ff7ac82aae31277dc5
-
SHA1
dc700c6982137fb9f3cdd79b95a8539ebcc6841c
-
SHA256
95292a0804f091e9b5f726378631f330ba1fa117d5465ded18baf8153cbdff8a
-
SHA512
0bdb971d1f5c9e33c9800d14050a4933b613c42257129417d56aaf78bdf972b72619baccf84682a95f77cb11dd17cd4755c431a0b8fa60db64bff3cccbeec47c
-
SSDEEP
24576:cV8omiiDPDeynqve96wbfqiPACOedfHYNXNHA6a:cV8PPDPqve93/ACOdHAp
Malware Config
Extracted
vipkeylogger
https://api.telegram.org/bot7618867847:AAF14vnGvkJJYcxLyMVdR3OZPzd4TQzD_OY/sendMessage?chat_id=6070006284
Signatures
-
Guloader family
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Vipkeylogger family
-
Loads dropped DLL 2 IoCs
pid Process 3684 Momskoden.exe 3684 Momskoden.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Momskoden.exe Key opened \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Momskoden.exe Key opened \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Momskoden.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 1 drive.google.com 2 drive.google.com -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 13 checkip.dyndns.org 15 reallyfreegeoip.org 16 reallyfreegeoip.org -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
pid Process 3660 Momskoden.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 3684 Momskoden.exe 3660 Momskoden.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Peppercorns241\septobasidium.ini Momskoden.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Momskoden.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Momskoden.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3660 Momskoden.exe 3660 Momskoden.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 3684 Momskoden.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3660 Momskoden.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 3684 wrote to memory of 3660 3684 Momskoden.exe 80 PID 3684 wrote to memory of 3660 3684 Momskoden.exe 80 PID 3684 wrote to memory of 3660 3684 Momskoden.exe 80 PID 3684 wrote to memory of 3660 3684 Momskoden.exe 80 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Momskoden.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3296967594-3563063956-581523229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Momskoden.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Momskoden.exe"C:\Users\Admin\AppData\Local\Temp\Momskoden.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3684 -
C:\Users\Admin\AppData\Local\Temp\Momskoden.exe"C:\Users\Admin\AppData\Local\Temp\Momskoden.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3660
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD534442e1e0c2870341df55e1b7b3cccdc
SHA199b2fa21aead4b6ccd8ff2f6d3d3453a51d9c70c
SHA256269d232712c86983336badb40b9e55e80052d8389ed095ebf9214964d43b6bb1
SHA5124a8c57fb12997438b488b862f3fc9dc0f236e07bb47b2bce6053dcb03ac7ad171842f02ac749f02dda4719c681d186330524cd2953d33cb50854844e74b33d51