Overview

overview

10

Static

static

5

PO# ENQ8864.Pdf.exe

windows7-x64

10

PO# ENQ8864.Pdf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    24/02/2025, 08:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO# ENQ8864.Pdf.exe

  • Size

    1.2MB

  • MD5

    ce5d04c4d15b7ae968c0f2cd2a81387d

  • SHA1

    4d7334d66cdff4a0f1c3ddce81db245a1e3469c2

  • SHA256

    74feceb928f3cd0ca47312eac2718f4210bce399335fd341bdeb456b2a09a230

  • SHA512

    4f2e621a18373f71fdcb583e4c0777be10913ec41647f12919efef5b54d762170199e2e84e347f84a447f388ba3f1b61336f0d1e607988a3b0b061645f58445e

  • SSDEEP

    24576:K5xolYQY6Du6J33O0c+JY5UZ+XC0kGso6Faa1Bs3jWY3:dYSu0c++OCvkGs9FaavsSY3

Score
10/10
vipkeyloggercollectiondefense_evasiondiscoverykeyloggerpersistencestealer

Malware Config

Extracted

Family

vipkeylogger

Credentials
C2

https://api.telegram.org/bot7391124277:AAEAD7k2_c00owq0kQIitLTWNNPqqi9m41c/sendMessage?chat_id=7128988401

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    defense_evasion
  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    stealerkeyloggervipkeylogger
  • Vipkeylogger family
    vipkeylogger
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 11 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 6 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PO# ENQ8864.Pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\PO# ENQ8864.Pdf.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2644
    • \??\c:\users\admin\appdata\local\temp\po# enq8864.pdf.exe 
      "c:\users\admin\appdata\local\temp\po# enq8864.pdf.exe "
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2784
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "c:\users\admin\appdata\local\temp\po# enq8864.pdf.exe "
        3⤵
        • Accesses Microsoft Outlook profiles
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:2032
    • C:\Users\Admin\AppData\Local\icsys.icn.exe
      C:\Users\Admin\AppData\Local\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2696
      • \??\c:\windows\system\explorer.exe
        c:\windows\system\explorer.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visiblity of hidden/system files in Explorer
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2648
        • \??\c:\windows\system\spoolsv.exe
          c:\windows\system\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2656
          • \??\c:\windows\system\svchost.exe
            c:\windows\system\svchost.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visiblity of hidden/system files in Explorer
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1972
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2372
            • C:\Windows\SysWOW64\at.exe
              at 08:20 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1484
            • C:\Windows\SysWOW64\at.exe
              at 08:21 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2836
            • C:\Windows\SysWOW64\at.exe
              at 08:22 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1768

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\po# enq8864.pdf.exe 
    Filesize

    990KB

    MD5

    09116ff12f2338350afa3daa9456fd82

    SHA1

    2dee1fc92e2c16b7ae08df60c20b009535a934c8

    SHA256

    a2348624313de5d142fb8bea25335b37aa7ce22515e55d63093830b23d8aee75

    SHA512

    7e8dbd9791163ff7dfbb3a31abf32cfc69794e6b7e8d0b0ff454895e7d2e060decdd13a79ba96beb8400120c4952b8e96287dbda9b56696bd1c379a5ebed2138

    Download Submit

  • C:\Users\Admin\AppData\Local\icsys.icn.exe
    Filesize

    274KB

    MD5

    24a924dc08b89e69e1319e9489a65614

    SHA1

    6e8b3b374ab5ec6f1e282151a002b35ed0f200e4

    SHA256

    67eb69b20adc8794c6e7fce09ca2366e086f3421c081cff6711df1a8bd9c03b6

    SHA512

    c1b7fce1e07b967bddd806f024278d7aee950ebeff5e03e9fd219baff10b2ae28de15c47327feef4cc1057a9187866f5bae1e7b35b3d1236971ffcedca4a9665

    Download Submit

  • C:\Users\Admin\AppData\Roaming\mrsys.exe
    Filesize

    274KB

    MD5

    53880e59d27ac62017cbaa04e6c2aa67

    SHA1

    8c1087b15464f9f9908bccb051474b325f4bc2f8

    SHA256

    97f0aea4354b574b985f8719d194e5e5bacd3d80306e16643df859ece881a893

    SHA512

    5e3608a62c2cafe8b4bc5f3d50ad98f943ce1ad21024f80bbe9712c40feed1da10beb78e9d7bb0df98f72cfac3c3cab633a783aafa0d01c497e71d2d464e06cd

    Download Submit

  • \Windows\system\explorer.exe
    Filesize

    274KB

    MD5

    0f3d5e4a4cae2fdd615bda1281830018

    SHA1

    b83175152e4ffa7f10ae4a93ccd1273da98c01cb

    SHA256

    edd246995b8a0663aecb5050eb3ba8e55f72000d938d7aa0cfea4dba2d1236c9

    SHA512

    20503e98369945af4e3d88a596e41b304d1fd348694de80fe5d9592479829158f964330bbf77de90bdcc3670929adef3a2d63ed44da5d41ed36be66b3fc1d399

    Download Submit

  • \Windows\system\spoolsv.exe
    Filesize

    274KB

    MD5

    8bec4b94a2f7f5ec2bec4192ae7f901e

    SHA1

    d49ab48c31f2e310ce924b6d35d162bc142c5684

    SHA256

    16e2b3123bd83c54e7558611378b5782d301a15e3bbcb2cc8e6f39581b847e5e

    SHA512

    8192fe662534fa2a0e8848208539b438035681e7f11e890e0dfc7a0720d3a7c6987f2b128a8f21516a16181a13bd01991d3ab86b269a471279e0c89406f37c3c

    Download Submit

  • \Windows\system\svchost.exe
    Filesize

    274KB

    MD5

    fd4da5f4996466a5ba13215067ca6494

    SHA1

    70df09588e4a3fc12a45fa552f0a7698ebb37299

    SHA256

    d3e6532ccb977a5a5bc1ca7acd04bba0ad881fac7caa71157658bd69014fdfe3

    SHA512

    f1a75ffc0c233def0f3f331d8cad627480002cf9f8236580e40eb6ad26e7cb7feca8e3ef5c168fae9823b9885f56d6003b2c1af43cd15820da81c7babb75df76

    Download Submit

  • memory/1972-79-0x0000000001E00000-0x0000000001E3E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/1972-94-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2032-91-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/2032-92-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/2032-90-0x0000000000400000-0x000000000044A000-memory.dmp

    Filesize

    296KB

    Download

  • memory/2372-83-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2644-28-0x00000000024B0000-0x00000000024EE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2644-89-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2644-0-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2644-30-0x00000000024B0000-0x00000000024EE000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2648-93-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2656-84-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2696-88-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2696-43-0x0000000001F60000-0x0000000001F9E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2696-29-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2784-47-0x0000000000120000-0x0000000000124000-memory.dmp

    Filesize

    16KB

    Download