Analysis
- max time kernel: 117s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 11-11-2024 14:26
Static task: static1
Behavioral task: behavioral1
- Sample: CERTIFICADO TITULARIDAD.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: CERTIFICADO TITULARIDAD.exe
- Resource: win10v2004-20241007-en
Behavioral task: behavioral3
- Sample: $PLUGINSDIR/System.dll
- Resource: win7-20241010-en
Behavioral task: behavioral4
- Sample: $PLUGINSDIR/System.dll
- Resource: win10v2004-20241007-en
General
- Target: CERTIFICADO TITULARIDAD.exe
- Size: 573KB
- MD5: 597971be325bbba1df725a7c101a4c58
- SHA1: 90e6b7d6c632cc6fb0d5641ec9b987d5e3387397
- SHA256: 535d29bedc8c720ed7daaeb5e8d79c650b21664d72bad77106eb518975be223b
- SHA512: ca6f8eab690ab14fcabb7571deba25edeac92bc0167df73607effeec9f1eb680034969b1feda6d62a6002bbea100a4876800bef1d5058033bc7642fc664cf7bb
- SSDEEP: 12288:bXjIKeMQ2PATRg+s/iJplEElhvfTsjzMw1LwKpmkz:bXjIKRQFRC/yTEELD81cCtz
Malware Config
- Extracted: vipkeylogger
- https://api.telegram.org/bot8148338634:AAFvLNrhxaF7bMPzQMLbUnueRMJvDIi5kcU/sendMessage?chat_id=7698865320
Signatures
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
- Vipkeylogger family
- Loads dropped DLL (1 IoCs)
  Processes: pid 3048, CERTIFICADO TITULARIDAD.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes: flow 14, ioc checkip.dyndns.org
- Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
  Processes: pid 3068, CERTIFICADO TITULARIDAD.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes: pid 3048, CERTIFICADO TITULARIDAD.exe; pid 3068, CERTIFICADO TITULARIDAD.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: PID 3048 set thread context of 3068 (pid 3048, CERTIFICADO TITULARIDAD.exe, procid_target 31)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (CERTIFICADO TITULARIDAD.exe); Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (CERTIFICADO TITULARIDAD.exe)
- Suspicious behavior: EnumeratesProcesses (1 IoCs)
  Processes: pid 3068, CERTIFICADO TITULARIDAD.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes: pid 3048, CERTIFICADO TITULARIDAD.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: Token: SeDebugPrivilege (pid 3068, CERTIFICADO TITULARIDAD.exe)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: PID 3048 wrote to memory of 3068 (pid 3048, CERTIFICADO TITULARIDAD.exe, procid_target 31), 6 identical entries
Processes
- "C:\Users\Admin\AppData\Local\Temp\CERTIFICADO TITULARIDAD.exe" (PID: 3048)
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - "C:\Users\Admin\AppData\Local\Temp\CERTIFICADO TITULARIDAD.exe" (PID: 3068, child of PID 3048)
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 12KB
- MD5: 4add245d4ba34b04f213409bfe504c07
- SHA1: ef756d6581d70e87d58cc4982e3f4d18e0ea5b09
- SHA256: 9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706
- SHA512: 1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d