Analysis Overview
SHA256
dc717f613c531df66e04f17cb2718064c1e3f469c585008eebf98cd69928274f
Threat Level: Known bad
The file Teklif Talebi - Talep No-25T1847_docx.exe was found to be: Known bad.
Malicious Activity Summary
VIPKeylogger
Vipkeylogger family
Drops startup file
Executes dropped EXE
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
AutoIT Executable
System Location Discovery: System Language Discovery
Browser Information Discovery
Unsigned PE
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
outlook_office_path
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_win_path
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-07-01 07:22
Signatures
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-07-01 07:22
Reported
2025-07-01 07:25
Platform
win10v2004-20250610-en
Max time kernel
105s
Max time network
148s
Command Line
Signatures
VIPKeylogger
Vipkeylogger family
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\subbasaltic.vbs | C:\Users\Admin\AppData\Local\emboweling\subbasaltic.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\emboweling\subbasaltic.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3001560346-2020497773-4190896137-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3001560346-2020497773-4190896137-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3001560346-2020497773-4190896137-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | reallyfreegeoip.org | N/A | N/A |
| N/A | reallyfreegeoip.org | N/A | N/A |
| N/A | checkip.dyndns.org | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4040 set thread context of 4804 | N/A | C:\Users\Admin\AppData\Local\emboweling\subbasaltic.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Teklif Talebi - Talep No-25T1847_docx.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\emboweling\subbasaltic.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\emboweling\subbasaltic.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3001560346-2020497773-4190896137-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3001560346-2020497773-4190896137-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Teklif Talebi - Talep No-25T1847_docx.exe
"C:\Users\Admin\AppData\Local\Temp\Teklif Talebi - Talep No-25T1847_docx.exe"
C:\Users\Admin\AppData\Local\emboweling\subbasaltic.exe
"C:\Users\Admin\AppData\Local\Temp\Teklif Talebi - Talep No-25T1847_docx.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Users\Admin\AppData\Local\Temp\Teklif Talebi - Talep No-25T1847_docx.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| US | 193.122.130.0:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 104.21.112.1:443 | reallyfreegeoip.org | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
Files
memory/2948-6-0x0000000000BB0000-0x0000000000FB0000-memory.dmp
C:\Users\Admin\AppData\Local\emboweling\subbasaltic.exe
| MD5 | a0256a1a007911f53f83941f5afa5d16 |
| SHA1 | 549d496171239b5a8c6563c84447d701c7ab4180 |
| SHA256 | dc717f613c531df66e04f17cb2718064c1e3f469c585008eebf98cd69928274f |
| SHA512 | dd9b0b755c92d4c83e351997f9f0aae16b42a3661e8be4a2b8bf816490d37d5405d52edf3bcfc96d3a7d03139f1fa782cda9d4bc8b307fcc64054fe7072079c2 |
C:\Users\Admin\AppData\Local\Temp\poufs
| MD5 | 515efbbe56567cb8d624c9f03d82a64b |
| SHA1 | a34f3acbab65d8173a962a7e587ad99c7a59a06a |
| SHA256 | 284411cd6dec4817149a727a028a01c5accc4e44843ec3be3692dee7f983ed34 |
| SHA512 | 768c155fd75f8847eb71e5b116e2ceb4891f0364fbf04a27bc9a09dcc8df232b5c8be0535bbe1d72b6a03d35e99f896cc86d45aa52d81c4ce6ac96d5ad3a18b4 |
memory/4040-18-0x0000000001AA0000-0x0000000001EA0000-memory.dmp
memory/4804-20-0x0000000000400000-0x0000000000448000-memory.dmp
memory/4804-21-0x0000000005A70000-0x0000000006014000-memory.dmp
memory/4804-22-0x0000000005570000-0x000000000560C000-memory.dmp
memory/4804-23-0x0000000005510000-0x0000000005520000-memory.dmp
memory/4804-24-0x0000000006A00000-0x0000000006BC2000-memory.dmp
memory/4804-25-0x00000000068A0000-0x00000000068F0000-memory.dmp
memory/4804-26-0x0000000005510000-0x0000000005520000-memory.dmp
memory/4804-27-0x0000000006CD0000-0x0000000006D62000-memory.dmp
memory/4804-28-0x00000000069F0000-0x00000000069FA000-memory.dmp