Analysis
max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
24-10-2024 07:22
Static task
static1
Behavioral task
behavioral1
Sample
Produccion.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Produccion.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
General
Target
Produccion.exe
Size
785KB
MD5
632bb0a566efd66ed7fdb905ea8c9803
SHA1
4c3e846fe594e7e10f5ed4f0d0a13de7290b4077
SHA256
b77de0fb855cd859678fd1d16e03af3114cde9b3f0636d0fb7b9674eae14fd35
SHA512
f525a1a238b3587ccef06f4baaa00bcdef362840ceb22d475c39a4b0d2b6abe1447959d9fe67bad45a082a0faff1c9ab7c8c71902bcd79b9201fb154cd297325
SSDEEP
12288:XDGxeWd8KhML5xEfN5JPafaM8czPA2f1gLd1U0jgaTeiZdHawb:W3ddhMLTElzPYaMtzP/9gLdO0VTnH
Malware Config
Extracted
vipkeylogger
https://api.telegram.org/bot7902160942:AAGa4NniMhqzlNHvfBDtJeHrHFJi_wqVTDY/sendMessage?chat_id=7698865320
Signatures
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.
Loads dropped DLL 1 IoCs
Processes:
pid process
2364 Produccion.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc
14 checkip.dyndns.org
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes:
pid process
1964 Produccion.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
pid process
2364 Produccion.exe
1964 Produccion.exe
Suspicious use of SetThreadContext 1 IoCs
Processes:
description pid process target process
PID 2364 set thread context of 1964 2364 Produccion.exe Produccion.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description ioc process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Produccion.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Produccion.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid process
1964 Produccion.exe
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid process
2364 Produccion.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description pid process
Token: SeDebugPrivilege 1964 Produccion.exe
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description pid process target process
PID 2364 wrote to memory of 1964 2364 Produccion.exe Produccion.exe
PID 2364 wrote to memory of 1964 2364 Produccion.exe Produccion.exe
PID 2364 wrote to memory of 1964 2364 Produccion.exe Produccion.exe
PID 2364 wrote to memory of 1964 2364 Produccion.exe Produccion.exe
PID 2364 wrote to memory of 1964 2364 Produccion.exe Produccion.exe
PID 2364 wrote to memory of 1964 2364 Produccion.exe Produccion.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\Produccion.exe "C:\Users\Admin\AppData\Local\Temp\Produccion.exe"
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2364
2. C:\Users\Admin\AppData\Local\Temp\Produccion.exe "C:\Users\Admin\AppData\Local\Temp\Produccion.exe" (child of PID 2364)
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1964
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
11KB
MD5
ee260c45e97b62a5e42f17460d406068
SHA1
df35f6300a03c4d3d3bd69752574426296b78695
SHA256
e94a1f7bcd7e0d532b660d0af468eb3321536c3efdca265e61f9ec174b1aef27
SHA512
a98f350d17c9057f33e5847462a87d59cbf2aaeda7f6299b0d49bb455e484ce4660c12d2eb8c4a0d21df523e729222bbd6c820bf25b081bc7478152515b414b3