Analysis
- max time kernel: 120s
- max time network: 158s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 03-10-2024 05:13
Static task: static1
Behavioral task: behavioral1
- Sample: FACTURA.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: FACTURA.exe
- Resource: win10v2004-20240802-en
General
- Target: FACTURA.exe
- Size: 865KB
- MD5: 158d8d8e57ad1e305fce17d3e277cc6f
- SHA1: 0ee2ca41f4b1898838fbd3c5c44baf124c21f4fb
- SHA256: 51466536fb4a4b2f46c0344206795c49ca7a95ab1179c3c7c269a80623589477
- SHA512: 4532aae393c59d63def7feb58bafa3530a7c77def52aa44892e76b72353f1fcd416ac388e8445be7041a370a72e4df692abbab899ff0a3afd9a87be4588d608b
- SSDEEP: 12288:tTv21WRE10veA7aUJc+QS+shiCp++qsqwFnyZ7l:Fv2Q71W/OhPZryZ
Malware Config
Extracted: vipkeylogger
- Protocol: smtp
- Host: smtp.ionos.es
- Port: 587
- Username: [email protected]
- Password: 102#Nova#Resid2
- Email To: [email protected]
Signatures
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.
- Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  Processes:
    pid   process
    584   powershell.exe
    2140  powershell.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes:
    Key opened: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (FACTURA.exe)
    Key opened: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (FACTURA.exe)
    Key opened: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (FACTURA.exe)
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow 4: checkip.dyndns.org
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    PID 1732 (FACTURA.exe) set thread context of PID 1808 (FACTURA.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the host's geographical location.
  Processes:
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (FACTURA.exe)
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (schtasks.exe)
    Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (FACTURA.exe)
- Scheduled Task/Job: Scheduled Task (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
    pid   process
    1732  FACTURA.exe
    1732  FACTURA.exe
    1808  FACTURA.exe
    584   powershell.exe
    2140  powershell.exe
    1808  FACTURA.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    Token: SeDebugPrivilege  1732  FACTURA.exe
    Token: SeDebugPrivilege  1808  FACTURA.exe
    Token: SeDebugPrivilege  584   powershell.exe
    Token: SeDebugPrivilege  2140  powershell.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (source PID 1732, FACTURA.exe):
    wrote to memory of PID 584  (powershell.exe)  x4
    wrote to memory of PID 2140 (powershell.exe)  x4
    wrote to memory of PID 2728 (schtasks.exe)    x4
    wrote to memory of PID 1808 (FACTURA.exe)     x9
- outlook_office_path (1 IoCs)
  Processes:
    Key opened: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (FACTURA.exe)
- outlook_win_path (1 IoCs)
  Processes:
    Key opened: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (FACTURA.exe)
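The registry IoCs above are recorded in NT object-manager form (\REGISTRY\USER\<SID>\... and \REGISTRY\MACHINE\...), which is not the form hunting queries or EDR rules use. The following is an added example, not code from the report or from the sandbox vendor: it normalises those paths to HKCU/HKLM, drops the sandbox-specific SID, and tags each key with the report's own signature names. The sample key list is copied from the report; the hive mapping and the rule table are the example's own. The 9375CFF0413111d3B88A00104B2A6676 subkey is the account store where Outlook keeps per-account settings, including saved mail-server credentials, which is why stealers read it under both the Office and the Windows Messaging Subsystem paths. The NLS\Language key, by contrast, is read by nearly every process at start-up (the report logs it for powershell.exe and schtasks.exe too), so the example reports it but it carries little weight on its own.

```python
"""Normalise and classify registry-key IoCs of the kind a sandbox report lists.

Added example; not code from the report or from any sandbox vendor. The key
paths in SAMPLE_KEYS are copied from the report; the hive mapping and the rule
table are this example's own.
"""
import re
from typing import Optional

# Sandbox traces record keys in NT object-manager form. Map the two hives seen
# in the report to the Win32 names analysts use in hunting queries.
_HIVE_RE = re.compile(r"^\\REGISTRY\\(USER|MACHINE)\\(.+)$", re.IGNORECASE)
_SID_RE = re.compile(r"^(S-1-5-21(?:-\d+){4})\\(.+)$", re.IGNORECASE)


def normalize_key(nt_path: str) -> str:
    """\\REGISTRY\\MACHINE\\X -> HKLM\\X; \\REGISTRY\\USER\\<SID>\\X -> HKCU\\X.

    The SID is dropped because it identifies the sandbox VM's user and would
    never match on another host; a non-SID user hive is kept as HKU\\...
    """
    m = _HIVE_RE.match(nt_path)
    if not m:
        return nt_path
    hive, rest = m.group(1).upper(), m.group(2)
    if hive == "MACHINE":
        return "HKLM\\" + rest
    sid_match = _SID_RE.match(rest)
    if sid_match:
        return "HKCU\\" + sid_match.group(2)
    return "HKU\\" + rest


# Labels are the report's own signature names; no ATT&CK IDs are assumed.
RULES = [
    (re.compile(r"^HKCU\\Software\\Microsoft\\Office\\\d+\.0\\Outlook\\Profiles\\", re.I),
     "Accesses Microsoft Outlook profiles (outlook_office_path)"),
    (re.compile(r"^HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\"
                r"Windows Messaging Subsystem\\Profiles\\", re.I),
     "Accesses Microsoft Outlook profiles (outlook_win_path)"),
    (re.compile(r"^HKLM\\SYSTEM\\ControlSet\d{3}\\Control\\NLS\\Language$", re.I),
     "System Location Discovery: System Language Discovery"),
]


def classify_key(nt_path: str) -> Optional[str]:
    """Return the label of the first matching rule, or None."""
    norm = normalize_key(nt_path)
    for pattern, label in RULES:
        if pattern.search(norm):
            return label
    return None


def classify_trace(events: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Group (process, key) events by label; processes that hit no rule are dropped."""
    findings: dict[str, list[str]] = {}
    for process, key in events:
        label = classify_key(key)
        if label:
            findings.setdefault(label, []).append(process)
    return findings


# Copied from the report's Outlook-profile and System Language Discovery tables.
SID = "S-1-5-21-3551809350-4263495960-1443967649-1000"
ACCT = "9375CFF0413111d3B88A00104B2A6676"
SAMPLE_KEYS = [
    ("FACTURA.exe", f"\\REGISTRY\\USER\\{SID}\\Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\{ACCT}"),
    ("FACTURA.exe", f"\\REGISTRY\\USER\\{SID}\\Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\{ACCT}"),
    ("FACTURA.exe", f"\\REGISTRY\\USER\\{SID}\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\{ACCT}"),
    ("FACTURA.exe", "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\NLS\\Language"),
    ("powershell.exe", "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\NLS\\Language"),
    ("schtasks.exe", "\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Control\\NLS\\Language"),
]

if __name__ == "__main__":
    for label, procs in classify_trace(SAMPLE_KEYS).items():
        print(f"{label}: {sorted(set(procs))}")
```

Running the block prints three labels: both Outlook-profile labels attributed only to FACTURA.exe, and the language-discovery label attributed to FACTURA.exe, powershell.exe and schtasks.exe, which is exactly why the latter is a poor stand-alone indicator.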
Processes
- C:\Users\Admin\AppData\Local\Temp\FACTURA.exe (PID 1732)
  Command line: "C:\Users\Admin\AppData\Local\Temp\FACTURA.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 584)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FACTURA.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2140)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\jGcAjS.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 2728)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jGcAjS" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE7DF.tmp"
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
  - C:\Users\Admin\AppData\Local\Temp\FACTURA.exe (PID 1808)
    Command line: "C:\Users\Admin\AppData\Local\Temp\FACTURA.exe"
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
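The tree shows the whole chain from one parent: the first FACTURA.exe (PID 1732) launches two PowerShell instances that add Defender path exclusions for itself and for C:\Users\Admin\AppData\Roaming\jGcAjS.exe (the same name as the scheduled task it registers), creates that task from an XML file in %TEMP% via schtasks.exe, and then starts a second copy of itself (PID 1808) into which it writes memory nine times and sets the thread context, the shape of RunPE-style process hollowing. Note that the children's image paths resolve under SysWOW64 while their command lines name System32: that is WOW64 file-system redirection for a 32-bit parent, and a rule anchored on System32\WindowsPowerShell would miss them. The following is an added example, not code from the report or from the sandbox vendor. It runs three rules over a constructed event list built from the PIDs, image paths and command lines above; the event schema and the parent PID of 1732 (not in the report) are assumptions. It deliberately does not fire on the four WriteProcessMemory calls into each of powershell.exe and schtasks.exe, which target a different image and have no SetThreadContext, a pattern consistent with ordinary process start-up rather than injection.

```python
"""Flag the Defender-exclusion / scheduled-task / self-injection chain in a process trace.

Added example, not code from the report or from any sandbox vendor. The PIDs,
image paths and command lines in SAMPLE_EVENTS are taken from the process tree
in the report; the event schema, the parent PID of FACTURA.exe and the
detection rules are this example's own.
"""
import re
from collections import Counter

# Add-MpPreference -ExclusionPath "x" / -ExclusionProcess x / -ExclusionExtension .x
_EXCL_RE = re.compile(r'-Exclusion(Path|Process|Extension)\s+("[^"]+"|\S+)', re.I)


def _unquote(s: str) -> str:
    return s.strip('"')


def _basename(path: str) -> str:
    # Match on the file name: the tree shows children under SysWOW64 while their
    # command lines say System32, so a full-path match would miss them.
    return path.rsplit("\\", 1)[-1].lower()


def _arg(cmdline: str, flag: str) -> str:
    """Value of a schtasks-style '/FLAG value' argument, unquoted ('' if absent)."""
    m = re.search(rf'/{flag}\s+("[^"]+"|\S+)', cmdline, re.I)
    return _unquote(m.group(1)) if m else ""


def detect(events: list[dict]) -> list[tuple[int, str, str]]:
    """Return (pid, rule, detail) triples for every process that trips a rule."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    writes = Counter((e["pid"], e["target"]) for e in events if e["type"] == "write_process_memory")
    ctx = {(e["pid"], e["target"]) for e in events if e["type"] == "set_thread_context"}
    findings = []
    for pid, p in procs.items():
        parent = procs.get(p["ppid"])
        image = _basename(p["image"])
        if image == "powershell.exe":
            for kind, raw in _EXCL_RE.findall(p["cmdline"]):
                value = _unquote(raw)
                tags = []
                if parent and value.lower() == parent["image"].lower():
                    tags.append("excludes parent's own image")
                if "\\appdata\\" in value.lower():
                    tags.append("user-writable path")
                rule = "defender_exclusion" + (f" [{'; '.join(tags)}]" if tags else "")
                findings.append((pid, rule, f"{kind}={value}"))
        elif image == "schtasks.exe" and re.search(r"/Create\b", p["cmdline"], re.I):
            if "\\appdata\\local\\temp\\" in _arg(p["cmdline"], "XML").lower():
                findings.append((pid, "schtasks_xml_from_temp", f"TN={_arg(p['cmdline'], 'TN')}"))
        # Same-image child that the parent wrote into and then re-pointed a thread
        # of: the RunPE / process-hollowing shape. Writes into a child of a
        # different image with no SetThreadContext (the powershell.exe and
        # schtasks.exe children here) are left alone as normal start-up traffic.
        if parent and parent["image"].lower() == p["image"].lower():
            n = writes.get((parent["pid"], pid), 0)
            if n and (parent["pid"], pid) in ctx:
                findings.append((pid, "self_hollowing", f"parent {parent['pid']} wrote {n}x then set thread context"))
    return findings


def _create(pid: int, ppid: int, image: str, cmdline: str) -> dict:
    return {"type": "process_create", "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


# Constructed from the report's process tree; ppid 1000 for the first
# FACTURA.exe is assumed (the report does not show its parent).
_F = r"C:\Users\Admin\AppData\Local\Temp\FACTURA.exe"
_PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
_PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath '
SAMPLE_EVENTS = [
    _create(1732, 1000, _F, f'"{_F}"'),
    _create(584, 1732, _PS, _PS_CMD + f'"{_F}"'),
    _create(2140, 1732, _PS, _PS_CMD + r'"C:\Users\Admin\AppData\Roaming\jGcAjS.exe"'),
    _create(2728, 1732, r"C:\Windows\SysWOW64\schtasks.exe",
            r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jGcAjS" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE7DF.tmp"'),
    _create(1808, 1732, _F, f'"{_F}"'),
]
# WriteProcessMemory counts from the report: 4 each into 584, 2140, 2728; 9 into 1808.
for _target, _count in ((584, 4), (2140, 4), (2728, 4), (1808, 9)):
    SAMPLE_EVENTS += [{"type": "write_process_memory", "pid": 1732, "target": _target}] * _count
SAMPLE_EVENTS.append({"type": "set_thread_context", "pid": 1732, "target": 1808})

if __name__ == "__main__":
    for pid, rule, detail in detect(SAMPLE_EVENTS):
        print(f"PID {pid}: {rule}: {detail}")
```

On the constructed trace the block reports four findings, one per malicious child: the two exclusions (the first tagged as excluding the parent's own image), the task created from tmpE7DF.tmp, and the hollowed second FACTURA.exe. Against real telemetry the same rules map onto Sysmon event 1 (process creation), event 10 (process access) and a SetThreadContext source such as an EDR API trace.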
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (2)
  - Credentials In Files (2)
Downloads
- Filesize: 1KB
  MD5: d7d16165f81747c7b6aa55d14e03d564
  SHA1: c2b1a3de7293b467f9275aa15296eb6bc1a369cd
  SHA256: 254bdc06557f0f44a863d5b90ebc523629259ece19bd68e92f2b717de545d837
  SHA512: a0ef335930a6ea5c45472feb1f1de983bb15b764b6c8e0dd72177153791402445d16c3362a5b66baeb26ae855607dcf8b30b0b3882a4a8e7828a494c520d6a3a
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JN7G6XSIOSWJG2F39I8P.temp
  Filesize: 7KB
  MD5: bc23c4aae32eac2c64d99f311e21e153
  SHA1: b1f161ce81bee85a17dee1660bc75f2fbc7119c2
  SHA256: 568071aed65b32cb9d809b64c96fc6a4bcc1c0dd35d9a6eac5a46db995e4d201
  SHA512: 5cb6a42aa6174e63bcb7577122e2b8727ca542311db95523c8a39690a6c47904f713f73ee998168ec1931fca5895b7c7b9fba7e84276ca77b3aec0ae4ca44e08