Analysis
-
max time kernel
121s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
01-10-2024 11:17
Static task
static1
Behavioral task
behavioral1
Sample
Todaslasfacturas.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Todaslasfacturas.exe
Resource
win10v2004-20240802-en
General
-
Target
Todaslasfacturas.exe
-
Size
751KB
-
MD5
102c9ce1c659517c4ea924c2044305b7
-
SHA1
942b0a7e2077eca38b9b6ff16d89722cbbbf7002
-
SHA256
b31cbc6ec2eb2b790c422f0f960bb1436106d92958703cb005ccdef38887e310
-
SHA512
eca6ed6a871e9fbee67feb73534bff544f052d6b3e1058a68b4602f159f089193f0f576384e6cd49373d50200d71bb4aeadd151c0fb81a77a6246849af2f39f6
-
SSDEEP
12288:L3TmP4kyFSnIZgc1D7COp2JwlmsxS4kZHtfi390V+KA7rC7LOmDZ:2gBOI9D7CO0JqTSRNfiQsG7LOmD
Malware Config
Extracted
vipkeylogger
Protocol: smtp- Host:
mail.pymetal.net - Port:
587 - Username:
[email protected] - Password:
21hnosgomezrecambios2021 - Email To:
[email protected]
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepid process 2840 powershell.exe 4240 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Todaslasfacturas.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation Todaslasfacturas.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
Todaslasfacturas.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Todaslasfacturas.exe Key opened \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Todaslasfacturas.exe Key opened \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Todaslasfacturas.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 20 checkip.dyndns.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Todaslasfacturas.exedescription pid process target process PID 3560 set thread context of 1712 3560 Todaslasfacturas.exe Todaslasfacturas.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
powershell.exeTodaslasfacturas.exeTodaslasfacturas.exepowershell.exeschtasks.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Todaslasfacturas.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Todaslasfacturas.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
Processes:
Todaslasfacturas.exepowershell.exepowershell.exeTodaslasfacturas.exepid process 3560 Todaslasfacturas.exe 2840 powershell.exe 4240 powershell.exe 3560 Todaslasfacturas.exe 1712 Todaslasfacturas.exe 2840 powershell.exe 4240 powershell.exe 1712 Todaslasfacturas.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
Todaslasfacturas.exepowershell.exepowershell.exeTodaslasfacturas.exedescription pid process Token: SeDebugPrivilege 3560 Todaslasfacturas.exe Token: SeDebugPrivilege 2840 powershell.exe Token: SeDebugPrivilege 4240 powershell.exe Token: SeDebugPrivilege 1712 Todaslasfacturas.exe -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
Todaslasfacturas.exedescription pid process target process PID 3560 wrote to memory of 2840 3560 Todaslasfacturas.exe powershell.exe PID 3560 wrote to memory of 2840 3560 Todaslasfacturas.exe powershell.exe PID 3560 wrote to memory of 2840 3560 Todaslasfacturas.exe powershell.exe PID 3560 wrote to memory of 4240 3560 Todaslasfacturas.exe powershell.exe PID 3560 wrote to memory of 4240 3560 Todaslasfacturas.exe powershell.exe PID 3560 wrote to memory of 4240 3560 Todaslasfacturas.exe powershell.exe PID 3560 wrote to memory of 348 3560 Todaslasfacturas.exe schtasks.exe PID 3560 wrote to memory of 348 3560 Todaslasfacturas.exe schtasks.exe PID 3560 wrote to memory of 348 3560 Todaslasfacturas.exe schtasks.exe PID 3560 wrote to memory of 1712 3560 Todaslasfacturas.exe Todaslasfacturas.exe PID 3560 wrote to memory of 1712 3560 Todaslasfacturas.exe Todaslasfacturas.exe PID 3560 wrote to memory of 1712 3560 Todaslasfacturas.exe Todaslasfacturas.exe PID 3560 wrote to memory of 1712 3560 Todaslasfacturas.exe Todaslasfacturas.exe PID 3560 wrote to memory of 1712 3560 Todaslasfacturas.exe Todaslasfacturas.exe PID 3560 wrote to memory of 1712 3560 Todaslasfacturas.exe Todaslasfacturas.exe PID 3560 wrote to memory of 1712 3560 Todaslasfacturas.exe Todaslasfacturas.exe PID 3560 wrote to memory of 1712 3560 Todaslasfacturas.exe Todaslasfacturas.exe -
outlook_office_path 1 IoCs
Processes:
Todaslasfacturas.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Todaslasfacturas.exe -
outlook_win_path 1 IoCs
Processes:
Todaslasfacturas.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Todaslasfacturas.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Todaslasfacturas.exe"C:\Users\Admin\AppData\Local\Temp\Todaslasfacturas.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3560 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Todaslasfacturas.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2840
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AcEnrS.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4240
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AcEnrS" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE2FD.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:348
-
-
C:\Users\Admin\AppData\Local\Temp\Todaslasfacturas.exe"C:\Users\Admin\AppData\Local\Temp\Todaslasfacturas.exe"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1712
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
Filesize
18KB
MD51fe5a44f160f102210442557fc91b8c1
SHA1530a3022dcac7aeba3f932719cd06ac01a19c2b3
SHA256a6af423dafc8545af5679a65de220c33ace4232108f9ef6cf37e9777a3ac8b0c
SHA512b78b165243c525b7e8f8d9492db18b8aa4d7381102c4d37d5f0ee0a829310e6a160a5f5a0a38934b103ed0ad9d6873d747cae373f84810bde296f994e2c262e4
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD517160ac46f7ead09f73f1976fe2d4f60
SHA1bcdafc27d61dcafd5230be302fdca82582bc7562
SHA256a70a6f79dd9b6b393a921ea4cb10172726ee8e84228103f14f5f97bf32e9dd00
SHA5127df55292e3f76f08be7898f3cfa942770e8c1454c94b4c386e054b1160387929edb5e7ffbd907a08f5b75da40a50e898a7ad10b3dccae129efb2731ff068a1fd