Analysis
- max time kernel: 61s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 02-10-2024 07:29
Static task: static1
Behavioral task: behavioral1
- Sample: Nuevoorden.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: Nuevoorden.exe
- Resource: win10v2004-20240802-en
General
- Target: Nuevoorden.exe
- Size: 751KB
- MD5: b5a2ef2c6689309411a7245eed77a129
- SHA1: 9b8e96b0fc8ab0009fc9e4ec78167990b272b152
- SHA256: 991c4d654a9138c4e2836aa29c45687483ab716feba5cec59cd947981ba888f1
- SHA512: 13d1a962fd3350efc5cb0ac447bd2c1f57dff240abb0aba4134b03a540fa2fad1fb89f428fe58333c174ca49f6744d5cac06c282b890908762dead2f8fac53c1
- SSDEEP: 12288:73TPYVXAKjvDTHhGC05IAAlFV64eXLdUxcDVp4NgIIiO0CmNHGYUuRcte0Dw:wVrjfHhWr74IJpDVpmIiO0rHVRieh
Malware Config
Extracted: vipkeylogger
- Protocol: smtp
- Host: smtp.ionos.fr
- Port: 587
- Username: [email protected]
- Password: HSBcargo_22
- Email To: [email protected]
Signatures
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first found in 2020.
- Command and Scripting Interpreter: PowerShell (1 TTP, 2 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  Processes (pid, process):
    2576  powershell.exe
    2916  powershell.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials among other items.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description, ioc, process):
    Key opened  \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Nuevoorden.exe
    Key opened  \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Nuevoorden.exe
    Key opened  \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Nuevoorden.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow, ioc):
    4  checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
    PID 2024 set thread context of 2776  2024  Nuevoorden.exe  Nuevoorden.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description, ioc, process):
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Nuevoorden.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Nuevoorden.exe
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
- Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes (pid, process):
    2024  Nuevoorden.exe
    2024  Nuevoorden.exe
    2776  Nuevoorden.exe
    2576  powershell.exe
    2916  powershell.exe
    2776  Nuevoorden.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  2024  Nuevoorden.exe
    Token: SeDebugPrivilege  2776  Nuevoorden.exe
    Token: SeDebugPrivilege  2576  powershell.exe
    Token: SeDebugPrivilege  2916  powershell.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (description, pid, process, target process):
    PID 2024 wrote to memory of 2576  2024  Nuevoorden.exe  powershell.exe  (4 events)
    PID 2024 wrote to memory of 2916  2024  Nuevoorden.exe  powershell.exe  (4 events)
    PID 2024 wrote to memory of 2816  2024  Nuevoorden.exe  schtasks.exe  (4 events)
    PID 2024 wrote to memory of 2776  2024  Nuevoorden.exe  Nuevoorden.exe  (9 events)
- outlook_office_path (1 IoC)
  Processes (description, ioc, process):
    Key opened  \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Nuevoorden.exe
- outlook_win_path (1 IoC)
  Processes (description, ioc, process):
    Key opened  \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  Nuevoorden.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Nuevoorden.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Nuevoorden.exe"
  PID: 2024
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Nuevoorden.exe"
    PID: 2576
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\aCOIXvwQnAklD.exe"
    PID: 2916
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aCOIXvwQnAklD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFED8.tmp"
    PID: 2816
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
  - C:\Users\Admin\AppData\Local\Temp\Nuevoorden.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Nuevoorden.exe"
    PID: 2776
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (2)
  - Credentials In Files (2)
Downloads
- Filesize: 1KB
  MD5: 599a6de84f4c7e2be5a65675ff5dd147
  SHA1: ad4e1c0892d4e3a065337cf5841e58b64e195c43
  SHA256: 5789d628b8bf78faf2ab163283fadc31a94e48e5fef514be0a2338f91644000b
  SHA512: 425763adf45a5339c64b89db3716675880db7673d45bc069dd29c79afc2f0210a4661f3ee446f11f55280c4e428ad28183fda54daa5d2dcac5afad7c94ba887c
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 79de47d2c93257214084ac449c47a37d
  SHA1: 35932ac3fce17775dbb299e1117e63ba4dda51b2
  SHA256: f3c5dbbab288016982a5449ea5ef584e1cf8e8f69959b2b9d60f4cb4c195b971
  SHA512: dc870795f55ed7330d836485d71096703a76bb42faff7795e48535a6e22459743803131ea2db607aa01875c391081e5a9908388fccd67b5daf85738b86c43d3b