Analysis
- max time kernel: 122s
- max time network: 135s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 25-09-2024 09:05
Static task: static1
Behavioral task: behavioral1
- Sample: rPEDIDO-M456.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: rPEDIDO-M456.exe
- Resource: win10v2004-20240802-en
General
- Target: rPEDIDO-M456.exe
- Size: 866KB
- MD5: 433fda0ddceae6820f653ff3318e6278
- SHA1: 6735afd7485703ea42db10b3154f1498cc39b1bd
- SHA256: 654069cec8d7cae811d77aff890bc5ce03c7c352290ccd6f6f18196fe04e0e53
- SHA512: e4df64709ea1030b6672f6eb5fac273e17c31fa8e767bf62a83ac84a4bde12f3f7549cdbd85c60f54579d986c7ce520c4aebe4c0ba141f1beeeaa6883c0a19bd
- SSDEEP: 24576:Os4xlaVmok7zerjTiGoMOCUhdS2aNlwrjOlGgVi:Os4xlakTnefTijMg3UlwrKc
Malware Config
Extracted
- Protocol: smtp
- Host: mail.renatoazenha.com
- Port: 587
- Username: [email protected]
- Password: ^aKbevY7mhfP
Extracted (vipkeylogger)
- Protocol: smtp
- Host: mail.renatoazenha.com
- Port: 587
- Username: [email protected]
- Password: ^aKbevY7mhfP
- Email To: [email protected]
Signatures
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.
- Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  Processes:
  - pid 2808: powershell.exe
  - pid 2920: powershell.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar material.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes (rPEDIDO-M456.exe):
  - Key opened: \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - Key opened: \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - Key opened: \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows:
  - flow 4: checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  - PID 2992 (rPEDIDO-M456.exe) set thread context of PID 2472 (procid_target 36)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rPEDIDO-M456.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (schtasks.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rPEDIDO-M456.exe)
- Modifies system certificate store
  Processes (rPEDIDO-M456.exe):
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8
  - Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [blob data not captured]
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
  - pid 2992: rPEDIDO-M456.exe
  - pid 2992: rPEDIDO-M456.exe
  - pid 2472: rPEDIDO-M456.exe
  - pid 2920: powershell.exe
  - pid 2808: powershell.exe
  - pid 2472: rPEDIDO-M456.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
  - Token: SeDebugPrivilege, pid 2992 (rPEDIDO-M456.exe)
  - Token: SeDebugPrivilege, pid 2472 (rPEDIDO-M456.exe)
  - Token: SeDebugPrivilege, pid 2920 (powershell.exe)
  - Token: SeDebugPrivilege, pid 2808 (powershell.exe)
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (all from PID 2992, rPEDIDO-M456.exe):
  - PID 2992 wrote to memory of PID 2808 (procid_target 30): 4 events
  - PID 2992 wrote to memory of PID 2920 (procid_target 32): 4 events
  - PID 2992 wrote to memory of PID 2628 (procid_target 33): 4 events
  - PID 2992 wrote to memory of PID 2472 (procid_target 36): 9 events
- outlook_office_path (1 IoCs)
  Processes (rPEDIDO-M456.exe):
  - Key opened: \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoCs)
  Processes (rPEDIDO-M456.exe):
  - Key opened: \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- C:\Users\Admin\AppData\Local\Temp\rPEDIDO-M456.exe (PID 2992, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\rPEDIDO-M456.exe"
  Signatures:
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2808, depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\rPEDIDO-M456.exe"
    Signatures:
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2920, depth 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hguaKfzQDB.exe"
    Signatures:
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 2628, depth 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hguaKfzQDB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp871A.tmp"
    Signatures:
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
  - C:\Users\Admin\AppData\Local\Temp\rPEDIDO-M456.exe (PID 2472, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\rPEDIDO-M456.exe"
    Signatures:
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Modify Registry (1)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (2)
  - Credentials In Files (2)
Downloads
- (file path not captured)
  Filesize: 1KB
  MD5: 8338f9ad714b445a85e8049315bf3445
  SHA1: 6872777271511f73d839d5a715d54e5a6c7f0914
  SHA256: 8194a03944e667747311579333f88c2df085c5bf16d3f56c5b7fd4dd0e5a3e4a
  SHA512: 63c238a98073f1507de6b2c454854cee5393003c15b1db2cc95d3d98ae24b1d111b9256dc43678da05525caa2775390b366dba3f24543cf5ec98971d2be3b1d9
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 188147564cd4c6c608cf6f76a4617f13
  SHA1: 3c20ceeba2c5babbf461ab6b1bdaa4112b62d705
  SHA256: 86f29494b8198131d87f7dfeb9589e08578f23a88b71126d15fe68b540a0459b
  SHA512: 2ca7156b0e15a2e8790dc307f6eb16b19d708e97fcb3fc597cfaf5dc2dc9893e0759e8c1f451cbc488bcd696990d97fbb226162fb405cf84f93b6557a617d43a