Analysis
- max time kernel: 143s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-11-2024 14:26

Static task
- static1

Behavioral tasks
- behavioral1: Sample CERTIFICADO TITULARIDAD.exe, Resource win7-20240903-en
- behavioral2: Sample CERTIFICADO TITULARIDAD.exe, Resource win10v2004-20241007-en
- behavioral3: Sample $PLUGINSDIR/System.dll, Resource win7-20241010-en
- behavioral4: Sample $PLUGINSDIR/System.dll, Resource win10v2004-20241007-en
General
- Target: CERTIFICADO TITULARIDAD.exe
- Size: 573KB
- MD5: 597971be325bbba1df725a7c101a4c58
- SHA1: 90e6b7d6c632cc6fb0d5641ec9b987d5e3387397
- SHA256: 535d29bedc8c720ed7daaeb5e8d79c650b21664d72bad77106eb518975be223b
- SHA512: ca6f8eab690ab14fcabb7571deba25edeac92bc0167df73607effeec9f1eb680034969b1feda6d62a6002bbea100a4876800bef1d5058033bc7642fc664cf7bb
- SSDEEP: 12288:bXjIKeMQ2PATRg+s/iJplEElhvfTsjzMw1LwKpmkz:bXjIKRQFRC/yTEELD81cCtz
Malware Config
Extracted
vipkeylogger
https://api.telegram.org/bot8148338634:AAFvLNrhxaF7bMPzQMLbUnueRMJvDIi5kcU/sendMessage?chat_id=7698865320
Signatures
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.
- Vipkeylogger family
- Loads dropped DLL (1 IoCs)
  Processes:
  pid | Process
  3552 | CERTIFICADO TITULARIDAD.exe
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  Processes:
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | CERTIFICADO TITULARIDAD.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | CERTIFICADO TITULARIDAD.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | CERTIFICADO TITULARIDAD.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  43 | checkip.dyndns.org
- Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
  Processes:
  pid | Process
  4836 | CERTIFICADO TITULARIDAD.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes:
  pid | Process
  3552 | CERTIFICADO TITULARIDAD.exe
  4836 | CERTIFICADO TITULARIDAD.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  description | pid | Process | procid_target
  PID 3552 set thread context of 4836 | 3552 | CERTIFICADO TITULARIDAD.exe | 94
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CERTIFICADO TITULARIDAD.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CERTIFICADO TITULARIDAD.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | Process
  4836 | CERTIFICADO TITULARIDAD.exe
  4836 | CERTIFICADO TITULARIDAD.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes:
  pid | Process
  3552 | CERTIFICADO TITULARIDAD.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | Process
  Token: SeDebugPrivilege | 4836 | CERTIFICADO TITULARIDAD.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes:
  description | pid | Process | procid_target
  PID 3552 wrote to memory of 4836 | 3552 | CERTIFICADO TITULARIDAD.exe | 94
  PID 3552 wrote to memory of 4836 | 3552 | CERTIFICADO TITULARIDAD.exe | 94
  PID 3552 wrote to memory of 4836 | 3552 | CERTIFICADO TITULARIDAD.exe | 94
  PID 3552 wrote to memory of 4836 | 3552 | CERTIFICADO TITULARIDAD.exe | 94
  PID 3552 wrote to memory of 4836 | 3552 | CERTIFICADO TITULARIDAD.exe | 94
- outlook_office_path (1 IoCs)
  Processes:
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | CERTIFICADO TITULARIDAD.exe
- outlook_win_path (1 IoCs)
  Processes:
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | CERTIFICADO TITULARIDAD.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\CERTIFICADO TITULARIDAD.exe (PID 3552)
  Command line: "C:\Users\Admin\AppData\Local\Temp\CERTIFICADO TITULARIDAD.exe"
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\CERTIFICADO TITULARIDAD.exe (PID 4836, nested under PID 3552)
    Command line: "C:\Users\Admin\AppData\Local\Temp\CERTIFICADO TITULARIDAD.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
- Credential Access
  - Credentials from Password Stores (1)
    - Credentials from Web Browsers (1)
  - Unsecured Credentials (2)
    - Credentials In Files (2)
Downloads
- Filesize: 12KB
  MD5: 4add245d4ba34b04f213409bfe504c07
  SHA1: ef756d6581d70e87d58cc4982e3f4d18e0ea5b09
  SHA256: 9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706
  SHA512: 1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d