Analysis
- max time kernel: 121s
- max time network: 145s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
- submitted: 01-10-2024 11:17
Static task: static1
Behavioral task: behavioral1
  Sample: Todaslasfacturas.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: Todaslasfacturas.exe
  Resource: win10v2004-20240802-en
General
- Target: Todaslasfacturas.exe
- Size: 751KB
- MD5: 102c9ce1c659517c4ea924c2044305b7
- SHA1: 942b0a7e2077eca38b9b6ff16d89722cbbbf7002
- SHA256: b31cbc6ec2eb2b790c422f0f960bb1436106d92958703cb005ccdef38887e310
- SHA512: eca6ed6a871e9fbee67feb73534bff544f052d6b3e1058a68b4602f159f089193f0f576384e6cd49373d50200d71bb4aeadd151c0fb81a77a6246849af2f39f6
- SSDEEP: 12288:L3TmP4kyFSnIZgc1D7COp2JwlmsxS4kZHtfi390V+KA7rC7LOmDZ:2gBOI9D7CO0JqTSRNfiQsG7LOmD
Malware Config
Extracted
vipkeylogger
- Protocol: smtp
- Host: mail.pymetal.net
- Port: 587
- Username: [email protected]
- Password: 21hnosgomezrecambios2021
- Email To: [email protected]
Signatures
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.
- Command and Scripting Interpreter: PowerShell  1 TTPs  2 IoCs
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  Processes:
    pid   process
    1360  powershell.exe
    2784  powershell.exe
- Reads user/profile data of local email clients  2 TTPs
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers  3 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles  1 TTPs  3 IoCs
  Processes:
    description  ioc  process
    Key opened  \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Todaslasfacturas.exe
    Key opened  \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Todaslasfacturas.exe
    Key opened  \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Todaslasfacturas.exe
- Looks up external IP address via web service  1 IoCs
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    4     checkip.dyndns.org
- Suspicious use of SetThreadContext  1 IoCs
  Processes:
    description  pid  process  target process
    PID 2172 set thread context of 2632  2172  Todaslasfacturas.exe  Todaslasfacturas.exe
- Enumerates physical storage devices  1 TTPs
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery  1 TTPs  5 IoCs
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    description  ioc  process
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Todaslasfacturas.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Todaslasfacturas.exe
- Scheduled Task/Job: Scheduled Task  1 TTPs  1 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses  10 IoCs
  Processes:
    pid   process
    2172  Todaslasfacturas.exe
    2172  Todaslasfacturas.exe
    2172  Todaslasfacturas.exe
    2172  Todaslasfacturas.exe
    2172  Todaslasfacturas.exe
    2172  Todaslasfacturas.exe
    2632  Todaslasfacturas.exe
    1360  powershell.exe
    2784  powershell.exe
    2632  Todaslasfacturas.exe
- Suspicious use of AdjustPrivilegeToken  4 IoCs
  Processes:
    description  pid  process
    Token: SeDebugPrivilege  2172  Todaslasfacturas.exe
    Token: SeDebugPrivilege  2632  Todaslasfacturas.exe
    Token: SeDebugPrivilege  1360  powershell.exe
    Token: SeDebugPrivilege  2784  powershell.exe
- Suspicious use of WriteProcessMemory  29 IoCs
  Processes (identical consecutive rows collapsed, count in parentheses):
    description  pid  process  target process
    PID 2172 wrote to memory of 1360  2172  Todaslasfacturas.exe  powershell.exe  (4 entries)
    PID 2172 wrote to memory of 2784  2172  Todaslasfacturas.exe  powershell.exe  (4 entries)
    PID 2172 wrote to memory of 2216  2172  Todaslasfacturas.exe  schtasks.exe  (4 entries)
    PID 2172 wrote to memory of 2252  2172  Todaslasfacturas.exe  Todaslasfacturas.exe  (4 entries)
    PID 2172 wrote to memory of 2872  2172  Todaslasfacturas.exe  Todaslasfacturas.exe  (4 entries)
    PID 2172 wrote to memory of 2632  2172  Todaslasfacturas.exe  Todaslasfacturas.exe  (9 entries)
- outlook_office_path  1 IoCs
  Processes:
    description  ioc  process
    Key opened  \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Todaslasfacturas.exe
- outlook_win_path  1 IoCs
  Processes:
    description  ioc  process
    Key opened  \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Todaslasfacturas.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Todaslasfacturas.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Todaslasfacturas.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2172
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Todaslasfacturas.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1360
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AcEnrS.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2784
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AcEnrS" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC6B9.tmp"
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID: 2216
  - C:\Users\Admin\AppData\Local\Temp\Todaslasfacturas.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Todaslasfacturas.exe"
    PID: 2252
  - C:\Users\Admin\AppData\Local\Temp\Todaslasfacturas.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Todaslasfacturas.exe"
    PID: 2872
  - C:\Users\Admin\AppData\Local\Temp\Todaslasfacturas.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Todaslasfacturas.exe"
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID: 2632
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter  1
  - PowerShell  1
- Scheduled Task/Job  1
  - Scheduled Task  1
Credential Access
- Credentials from Password Stores  1
  - Credentials from Web Browsers  1
- Unsecured Credentials  2
  - Credentials In Files  2
Downloads
- (no path listed)
  Filesize: 1KB
  MD5: 056ca7c07061374c9311a0e058b03d86
  SHA1: f4680ddd30910754d080399b5d16f1114e96d0bf
  SHA256: ee181af4628ccf2ead17d1abb41fc1885ac47863320fe428e5b3f07684d6d16c
  SHA512: bba6d4fac9e06580a3adb7747fd4d888db1ef3714726366bf806c7116447dbd979de314e47547fe78492f0586c18e34d5c766758957a49197d5745fa2ffec8d9
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: dda418155ea1a654fbe1a0cee35af3cb
  SHA1: f90dac2815b9a82dba73c1d6d67ca6c7e3422d02
  SHA256: 6f80044405b5cf33b82ba0f61b71bdb82d09be6e2b998e9b7c1e69191a13b2d9
  SHA512: 33168819c07cad23d200d96a65c39f235c430bc6f5146e5308fe9b2ef1467732e309b0ff9d72946072ecd40d7227abd71ed2d4dd6dff4dab8b5665b753751138