Malware Analysis Report

2024-11-30 15:00

Sample ID 241030-q9shxavdjc
Target FacturaHonorarios2024-10.exe
SHA256 edf915e141af931f3bf0174a430576b7f7493449bdb1a4275515d0fe0a24fd8c
Tags
discovery vipkeylogger keylogger stealer collection spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

edf915e141af931f3bf0174a430576b7f7493449bdb1a4275515d0fe0a24fd8c

Threat Level: Known bad

The file FacturaHonorarios2024-10.exe was found to be: Known bad.

Malicious Activity Summary

discovery vipkeylogger keylogger stealer collection spyware

Vipkeylogger family

VIPKeylogger

Loads dropped DLL

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

System Location Discovery: System Language Discovery

Program crash

Unsigned PE

Enumerates physical storage devices

Browser Information Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

outlook_win_path

Suspicious use of AdjustPrivilegeToken

outlook_office_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-30 13:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-30 13:58

Reported

2024-10-30 14:00

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1600 wrote to memory of 1544 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1600 wrote to memory of 1544 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1600 wrote to memory of 1544 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1544 -ip 1544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-30 13:58

Reported

2024-10-30 14:00

Platform

win7-20241010-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FacturaHonorarios2024-10.exe"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Vipkeylogger family

vipkeylogger

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FacturaHonorarios2024-10.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FacturaHonorarios2024-10.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FacturaHonorarios2024-10.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FacturaHonorarios2024-10.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2756 set thread context of 2628 N/A C:\Users\Admin\AppData\Local\Temp\FacturaHonorarios2024-10.exe C:\Users\Admin\AppData\Local\Temp\FacturaHonorarios2024-10.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\resources\olieaffald\Unconsummative103.pro C:\Users\Admin\AppData\Local\Temp\FacturaHonorarios2024-10.exe N/A
File opened for modification C:\Windows\rocksanger\noninfluential.ini C:\Users\Admin\AppData\Local\Temp\FacturaHonorarios2024-10.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FacturaHonorarios2024-10.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FacturaHonorarios2024-10.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FacturaHonorarios2024-10.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FacturaHonorarios2024-10.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FacturaHonorarios2024-10.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FacturaHonorarios2024-10.exe

"C:\Users\Admin\AppData\Local\Temp\FacturaHonorarios2024-10.exe"

C:\Users\Admin\AppData\Local\Temp\FacturaHonorarios2024-10.exe

"C:\Users\Admin\AppData\Local\Temp\FacturaHonorarios2024-10.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 drive.google.com udp
GB 142.250.179.238:443 drive.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.180.3:80 o.pki.goog tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.187.193:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 checkip.dyndns.org udp
US 193.122.130.0:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 104.21.67.152:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp

Files

\Users\Admin\AppData\Local\Temp\nsd4828.tmp\System.dll

MD5 fc90dfb694d0e17b013d6f818bce41b0
SHA1 3243969886d640af3bfa442728b9f0dff9d5f5b0
SHA256 7fe77ca13121a113c59630a3dba0c8aaa6372e8082393274da8f8608c4ce4528
SHA512 324f13aa7a33c6408e2a57c3484d1691ecee7c3c1366de2bb8978c8dc66b18425d8cab5a32d1702c13c43703e36148a022263de7166afdce141da2b01169f1c6

memory/2756-14-0x0000000077C81000-0x0000000077D82000-memory.dmp

memory/2756-15-0x0000000077C80000-0x0000000077E29000-memory.dmp

memory/2628-16-0x0000000077C80000-0x0000000077E29000-memory.dmp

memory/2628-23-0x00000000004A0000-0x0000000001502000-memory.dmp

memory/2628-39-0x00000000004A0000-0x0000000001502000-memory.dmp

memory/2628-40-0x0000000077C80000-0x0000000077E29000-memory.dmp

memory/2628-41-0x00000000004A0000-0x00000000004E8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-30 13:58

Reported

2024-10-30 14:00

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\FacturaHonorarios2024-10.exe"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Vipkeylogger family

vipkeylogger

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FacturaHonorarios2024-10.exe N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\FacturaHonorarios2024-10.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\FacturaHonorarios2024-10.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\FacturaHonorarios2024-10.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FacturaHonorarios2024-10.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FacturaHonorarios2024-10.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FacturaHonorarios2024-10.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2488 set thread context of 2076 N/A C:\Users\Admin\AppData\Local\Temp\FacturaHonorarios2024-10.exe C:\Users\Admin\AppData\Local\Temp\FacturaHonorarios2024-10.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\resources\olieaffald\Unconsummative103.pro C:\Users\Admin\AppData\Local\Temp\FacturaHonorarios2024-10.exe N/A
File opened for modification C:\Windows\rocksanger\noninfluential.ini C:\Users\Admin\AppData\Local\Temp\FacturaHonorarios2024-10.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FacturaHonorarios2024-10.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\FacturaHonorarios2024-10.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FacturaHonorarios2024-10.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FacturaHonorarios2024-10.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\FacturaHonorarios2024-10.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FacturaHonorarios2024-10.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\FacturaHonorarios2024-10.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\FacturaHonorarios2024-10.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\FacturaHonorarios2024-10.exe

"C:\Users\Admin\AppData\Local\Temp\FacturaHonorarios2024-10.exe"

C:\Users\Admin\AppData\Local\Temp\FacturaHonorarios2024-10.exe

"C:\Users\Admin\AppData\Local\Temp\FacturaHonorarios2024-10.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 73.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
GB 142.250.179.238:443 drive.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.180.3:80 o.pki.goog tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.187.193:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 193.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 checkip.dyndns.org udp
US 193.122.130.0:80 checkip.dyndns.org tcp
US 8.8.8.8:53 0.130.122.193.in-addr.arpa udp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 104.21.67.152:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 152.67.21.104.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\nstA960.tmp\System.dll

MD5 fc90dfb694d0e17b013d6f818bce41b0
SHA1 3243969886d640af3bfa442728b9f0dff9d5f5b0
SHA256 7fe77ca13121a113c59630a3dba0c8aaa6372e8082393274da8f8608c4ce4528
SHA512 324f13aa7a33c6408e2a57c3484d1691ecee7c3c1366de2bb8978c8dc66b18425d8cab5a32d1702c13c43703e36148a022263de7166afdce141da2b01169f1c6

memory/2488-14-0x0000000077851000-0x0000000077971000-memory.dmp

memory/2488-15-0x0000000077851000-0x0000000077971000-memory.dmp

memory/2488-16-0x0000000010004000-0x0000000010005000-memory.dmp

memory/2076-17-0x00000000778D8000-0x00000000778D9000-memory.dmp

memory/2076-18-0x00000000778F5000-0x00000000778F6000-memory.dmp

memory/2076-28-0x00000000004A0000-0x00000000016F4000-memory.dmp

memory/2076-32-0x00000000004A0000-0x00000000016F4000-memory.dmp

memory/2076-33-0x0000000077851000-0x0000000077971000-memory.dmp

memory/2076-34-0x000000007274E000-0x000000007274F000-memory.dmp

memory/2076-35-0x00000000004A0000-0x00000000004E8000-memory.dmp

memory/2076-36-0x0000000039FA0000-0x000000003A544000-memory.dmp

memory/2076-37-0x0000000039ED0000-0x0000000039F6C000-memory.dmp

memory/2076-38-0x0000000072740000-0x0000000072EF0000-memory.dmp

memory/2076-40-0x000000003AAD0000-0x000000003AC92000-memory.dmp

memory/2076-41-0x000000003ACA0000-0x000000003ACF0000-memory.dmp

memory/2076-42-0x000000007274E000-0x000000007274F000-memory.dmp

memory/2076-43-0x0000000072740000-0x0000000072EF0000-memory.dmp

memory/2076-45-0x000000003AD40000-0x000000003ADD2000-memory.dmp

memory/2076-46-0x000000003AE10000-0x000000003AE1A000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-30 13:58

Reported

2024-10-30 14:00

Platform

win7-20240903-en

Max time kernel

122s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 224

Network

N/A

Files

N/A