Overview

overview

10

Static

static

3

rpaidInvoice.exe

windows7-x64

10

rpaidInvoice.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    129s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/02/2025, 12:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    rpaidInvoice.exe

  • Size

    843KB

  • MD5

    aeabfd0534b39c526c6617466af1d780

  • SHA1

    7ffff117692cbcdeec136abd9bd7b15813d3ca35

  • SHA256

    68765775002699ff32978e8cd956899391b045e273cf944cba0a4c13af820d18

  • SHA512

    b7edcbda504deb93cfe9907eaf961dba3daf429e8d7f0442d6beab1e5741ced5810ba408d0787ef95e2a0d6b6169c4793223a05483b9c4c2c79540593c16010f

  • SSDEEP

    12288:ROovHlb/a13/KiTO5rry72+QwfgivOKFd01e0B:RZle1vHTO5r9Cl0B

Score
10/10
vipkeyloggerdiscoverykeyloggerpersistencestealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    stealerkeyloggervipkeylogger
  • Vipkeylogger family
    vipkeylogger
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 7 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Runs ping.exe 1 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\rpaidInvoice.exe
    "C:\Users\Admin\AppData\Local\Temp\rpaidInvoice.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4092
    • C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 15 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe,"
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:3844
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 15
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2136
      • C:\Windows\SysWOW64\reg.exe
        REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe,"
        3⤵
        • Modifies WinLogon for persistence
        • System Location Discovery: System Language Discovery
        PID:4116
    • C:\Users\Admin\AppData\Local\Temp\skype.exe
      "C:\Users\Admin\AppData\Local\Temp\skype.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1932
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c ping 127.0.0.1 -n 18 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe,"
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:4812
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 18
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4020
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe,"
          4⤵
          • Modifies WinLogon for persistence
          • System Location Discovery: System Language Discovery
          PID:412
      • C:\Windows\SysWOW64\cmd.exe
        "cmd" /c ping 127.0.0.1 -n 28 > nul && copy "C:\Users\Admin\AppData\Local\Temp\skype.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe" && ping 127.0.0.1 -n 28 > nul && "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe"
        3⤵
        • Drops startup file
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:4380
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 28
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2360
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1 -n 28
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1044
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2860
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3584
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3584 -s 1448
              6⤵
              • Program crash
              PID:2164
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3584 -ip 3584
    1⤵
      PID:2880

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\skype.exe.log
      Filesize

      1KB

      MD5

      6c55b06a4699767d955765958f7233fe

      SHA1

      82d1323b694e9c217d0792c5ed466b89adb8fc30

      SHA256

      c5f2c8b47417b1b099f48964e09669704c349af2056560eb5812747d18cb3cd8

      SHA512

      bb4c819892be21ef7f0e8f0f8caa23b047698461ef926f07ab7efd508630de56e7dc5cbde310b37b93cc556986e921799383d11f2dff7c377049d64d40c89487

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe
      Filesize

      843KB

      MD5

      aeabfd0534b39c526c6617466af1d780

      SHA1

      7ffff117692cbcdeec136abd9bd7b15813d3ca35

      SHA256

      68765775002699ff32978e8cd956899391b045e273cf944cba0a4c13af820d18

      SHA512

      b7edcbda504deb93cfe9907eaf961dba3daf429e8d7f0442d6beab1e5741ced5810ba408d0787ef95e2a0d6b6169c4793223a05483b9c4c2c79540593c16010f

      Download Submit

    • memory/1932-11-0x00000000751F0000-0x00000000759A0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1932-12-0x00000000751F0000-0x00000000759A0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1932-16-0x00000000751F0000-0x00000000759A0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1932-14-0x00000000751F0000-0x00000000759A0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1932-13-0x00000000751F0000-0x00000000759A0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2860-24-0x0000000002CE0000-0x0000000002CE6000-memory.dmp

      Filesize

      24KB

      Download

    • memory/2860-23-0x0000000005C20000-0x0000000005C3A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3584-25-0x0000000000400000-0x000000000044A000-memory.dmp

      Filesize

      296KB

      Download

    • memory/4092-7-0x0000000005430000-0x000000000543A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4092-0-0x00000000751FE000-0x00000000751FF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4092-10-0x00000000751F0000-0x00000000759A0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4092-8-0x0000000007250000-0x000000000777C000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/4092-3-0x00000000751F0000-0x00000000759A0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4092-2-0x0000000005230000-0x00000000052CC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/4092-1-0x0000000000760000-0x0000000000838000-memory.dmp

      Filesize

      864KB

      Download

    • memory/4092-6-0x0000000005470000-0x0000000005502000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4092-5-0x0000000005980000-0x0000000005F24000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4092-4-0x0000000005140000-0x0000000005182000-memory.dmp

      Filesize

      264KB

      Download