Analysis

  • max time kernel
    120s
  • max time network
    134s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/08/2024, 07:16

General

  • Target

    ORDER CFC.docx

  • Size

    179KB

  • MD5

    413ed50fc5b7fc796c710bb1b0f02cc4

  • SHA1

    440c50be71fbe20648115bcd65b04a75940a833a

  • SHA256

    dcdd3c117ec0dc6af052496d1cc0d24da9b264f566e0e763380af879dfbcdf27

  • SHA512

    c47893f5b8cca2015ff4803d14dc8f04d857ee0478d62be8dd61f00d0e363de1c1c05b16cde5afe9d0ed0a2df58fada5deda7b728f65f2b20764df430f787d99

  • SSDEEP

    3072:AiY5rj1ATug+mhTZMxjcFQ9csn4qAzYjDp/shKuikycBSRjR/Vx7XUo4Zj:a5r/g+qZMpcFSQzYHut4dNAj

Malware Config

Extracted

Family

vipkeylogger

Credentials

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, the web browser credential store.

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Downloads MZ/PE file
  • Abuses OpenXML format to download file from external location
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ORDER CFC.docx"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2700
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2352
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:2176
      • C:\Users\Admin\AppData\Roaming\erdalpha03977.exe
        "C:\Users\Admin\AppData\Roaming\erdalpha03977.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1108
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\erdalpha03977.exe"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:528
        • C:\Users\Admin\AppData\Roaming\erdalpha03977.exe
          "C:\Users\Admin\AppData\Roaming\erdalpha03977.exe"
          3⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:1984

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{1801A583-5FA4-43A0-9846-ED567702CEF2}.FSD

            Filesize

            128KB

          • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

            Filesize

            128KB

          • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{4FE33FBD-CE63-4C22-998F-B1175D2E54D0}.FSD

            Filesize

            128KB

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6XUZ2JLF\lOpkseAloegPhxxAcv[1].doc

            Filesize

            820KB

          • C:\Users\Admin\AppData\Local\Temp\{174B072D-4820-4BB7-8F3C-A87E90898366}

            Filesize

            128KB

          • C:\Users\Admin\AppData\Local\Temp\{64F46B03-0918-41C3-B96A-B9048789725F}

            Filesize

            128KB

          • C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

            Filesize

            19KB

          • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

            Filesize

            2B

          • \Users\Admin\AppData\Roaming\erdalpha03977.exe

            Filesize

            720KB
