Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    11-11-2024 14:26

General

  • Target

    CERTIFICADO TITULARIDAD.exe

  • Size

    573KB

  • MD5

    597971be325bbba1df725a7c101a4c58

  • SHA1

    90e6b7d6c632cc6fb0d5641ec9b987d5e3387397

  • SHA256

    535d29bedc8c720ed7daaeb5e8d79c650b21664d72bad77106eb518975be223b

  • SHA512

    ca6f8eab690ab14fcabb7571deba25edeac92bc0167df73607effeec9f1eb680034969b1feda6d62a6002bbea100a4876800bef1d5058033bc7642fc664cf7bb

  • SSDEEP

    12288:bXjIKeMQ2PATRg+s/iJplEElhvfTsjzMw1LwKpmkz:bXjIKRQFRC/yTEELD81cCtz

Malware Config

Extracted

Family

vipkeylogger

C2

https://api.telegram.org/bot8148338634:AAFvLNrhxaF7bMPzQMLbUnueRMJvDIi5kcU/sendMessage?chat_id=7698865320

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

  • Vipkeylogger family
  • Loads dropped DLL 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CERTIFICADO TITULARIDAD.exe
    "C:\Users\Admin\AppData\Local\Temp\CERTIFICADO TITULARIDAD.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3048
    • C:\Users\Admin\AppData\Local\Temp\CERTIFICADO TITULARIDAD.exe
      "C:\Users\Admin\AppData\Local\Temp\CERTIFICADO TITULARIDAD.exe"
      2⤵
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3068

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nsoB26F.tmp\System.dll

    Filesize

    12KB

    MD5

    4add245d4ba34b04f213409bfe504c07

    SHA1

    ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

    SHA256

    9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

    SHA512

    1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

  • memory/3048-12-0x00000000770D1000-0x00000000771D2000-memory.dmp

    Filesize

    1.0MB

  • memory/3048-13-0x00000000770D0000-0x0000000077279000-memory.dmp

    Filesize

    1.7MB

  • memory/3068-14-0x00000000770D0000-0x0000000077279000-memory.dmp

    Filesize

    1.7MB

  • memory/3068-34-0x0000000000460000-0x00000000014C2000-memory.dmp

    Filesize

    16.4MB

  • memory/3068-35-0x0000000000460000-0x00000000004A8000-memory.dmp

    Filesize

    288KB