Analysis
-
max time kernel
119s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
21/08/2024, 07:03
Static task
static1
Behavioral task
behavioral1
Sample
qoute.docx
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
qoute.docx
Resource
win10v2004-20240802-en
General
-
Target
qoute.docx
-
Size
179KB
-
MD5
a07bcec379d6c10b5c39caedc56a290a
-
SHA1
953f655df1677263180e8c564755b0051e20574b
-
SHA256
0716b488e853e64c11829ceadc87e805cd1513bcec26a8c261520a36aff87da2
-
SHA512
b0fb67341428e3fc30f8902e122ab6133de05b9078332f2ff93a862ed9f4ebf7ab39641c74411f8b4f11a66fc4dc97d83112860876558f3f128beb9efde1530f
-
SSDEEP
3072:OiY5rj1ATug+mhTZMxjcFQ9csn4qAzYjDp/shKuikycBSRjR/Vx7XU4U56:05r/g+qZMpcFSQzYHut4dFE6
Malware Config
Extracted
vipkeylogger
Protocol: smtp- Host:
novaoil.top - Port:
587 - Username:
[email protected] - Password:
7213575aceACE@ - Email To:
[email protected]
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Blocklisted process makes network request 1 IoCs
flow pid Process 7 2660 EQNEDT32.EXE -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2908 powershell.exe -
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location
-
Executes dropped EXE 2 IoCs
pid Process 3068 hgsnwealth82664.exe 2700 hgsnwealth82664.exe -
Loads dropped DLL 1 IoCs
pid Process 2660 EQNEDT32.EXE -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 hgsnwealth82664.exe Key opened \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 hgsnwealth82664.exe Key opened \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 hgsnwealth82664.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 8 checkip.dyndns.org -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3068 set thread context of 2700 3068 hgsnwealth82664.exe 37 -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EQNEDT32.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hgsnwealth82664.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hgsnwealth82664.exe -
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
pid Process 2660 EQNEDT32.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2120 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2700 hgsnwealth82664.exe 2908 powershell.exe 2700 hgsnwealth82664.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2700 hgsnwealth82664.exe Token: SeDebugPrivilege 2908 powershell.exe Token: SeShutdownPrivilege 2120 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2120 WINWORD.EXE 2120 WINWORD.EXE -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 2660 wrote to memory of 3068 2660 EQNEDT32.EXE 32 PID 2660 wrote to memory of 3068 2660 EQNEDT32.EXE 32 PID 2660 wrote to memory of 3068 2660 EQNEDT32.EXE 32 PID 2660 wrote to memory of 3068 2660 EQNEDT32.EXE 32 PID 2120 wrote to memory of 1476 2120 WINWORD.EXE 35 PID 2120 wrote to memory of 1476 2120 WINWORD.EXE 35 PID 2120 wrote to memory of 1476 2120 WINWORD.EXE 35 PID 2120 wrote to memory of 1476 2120 WINWORD.EXE 35 PID 3068 wrote to memory of 2908 3068 hgsnwealth82664.exe 36 PID 3068 wrote to memory of 2908 3068 hgsnwealth82664.exe 36 PID 3068 wrote to memory of 2908 3068 hgsnwealth82664.exe 36 PID 3068 wrote to memory of 2908 3068 hgsnwealth82664.exe 36 PID 3068 wrote to memory of 2700 3068 hgsnwealth82664.exe 37 PID 3068 wrote to memory of 2700 3068 hgsnwealth82664.exe 37 PID 3068 wrote to memory of 2700 3068 hgsnwealth82664.exe 37 PID 3068 wrote to memory of 2700 3068 hgsnwealth82664.exe 37 PID 3068 wrote to memory of 2700 3068 hgsnwealth82664.exe 37 PID 3068 wrote to memory of 2700 3068 hgsnwealth82664.exe 37 PID 3068 wrote to memory of 2700 3068 hgsnwealth82664.exe 37 PID 3068 wrote to memory of 2700 3068 hgsnwealth82664.exe 37 PID 3068 wrote to memory of 2700 3068 hgsnwealth82664.exe 37 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 hgsnwealth82664.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 hgsnwealth82664.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\qoute.docx"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:1476
-
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Users\Admin\AppData\Roaming\hgsnwealth82664.exe"C:\Users\Admin\AppData\Roaming\hgsnwealth82664.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hgsnwealth82664.exe"3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2908
-
-
C:\Users\Admin\AppData\Roaming\hgsnwealth82664.exe"C:\Users\Admin\AppData\Roaming\hgsnwealth82664.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2700
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Exploitation for Client Execution
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{31AA283F-DCA1-4D57-B1E1-8405167C2D04}.FSD
Filesize128KB
MD58de897090a012ddd58bbf68f3c53ca43
SHA12450cd9edc40d73502dc87d34691958b9adf798e
SHA2569ef45dc7cbbff1cc7e6ead6653dcc3729759ab85752155bbfd06e3fc98a8f531
SHA512d925803c135efeb2980f189ce7d33607445033e47224db74d32a50749697eb7463113cee810e9c835e9eca70a7720f99272f0dea38c387a5482e509358573530
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize128KB
MD5ff337769a46bef53eaac5c229102ba78
SHA1f4a21ef21e2e913947523977f34f442e6d3af7dc
SHA256b6a32b4f3fcfae403568532326f6a5d810139b1e4e36af290ec888fd03be9926
SHA512bf8cce105dfa6c0ceb36e058ff3e3c35555bf04217260b8d2b22fde0e5d005e7da2468e753b87a6e9efdc1c3e215d26747f4138224314b873a7d1017338c93d7
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{7D31351A-06EB-469C-A1FC-ACE4C8DE71D7}.FSD
Filesize128KB
MD5ef96eb74f78fe0c5e90d2ddcdedd63d9
SHA17b4c44efba70d581b7e6eb771fa171de8ffed5d4
SHA256bf5de6f9f3455fadb7b327a7646ebc1105e2e582e020feb5d0cdf06ed7a77022
SHA512624a534ee67e73f221de406f26508ca00c95c3150279c2c6ca43e3668bef713b198f2f496a2de2078b783bfe579191f80da87ea1ddc635183a7b3033884c14f8
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WNZH54VQ\ioqjWeKazzLuiTHfd[1].doc
Filesize636KB
MD516ddde7b45c040f9fb63e73863134f5c
SHA1ca18b30011b59e341eae8006d05d543e7314ce0c
SHA25605ad66d563f492c9b527602ff6c7bd9b8fa0ed8f288d0481f51ebe6b71b05242
SHA5124b6dd4b9fc79ed9639f95eeff4756e3915591fca8265c70c361709f0aa46aec542143d1966cbf746bfc4eb8efd09ccebab9ff5290719025ade090fb8b8fd2c3b
-
Filesize
128KB
MD56817c35597ce7e0fe21e063774007d46
SHA106943e4b806c415323d88f05cbaf4118a75d130d
SHA2561ae0dea82c5bf51251226b81c300c4b5513e9da185799a30aff0c0fa156149e0
SHA5128d66c0b46bd5e012d891fd381e549f4a9b3b837adc305f392669aa18aae5e5e107af03acddbc649eb70aeabbb5d2f071726351f17f774fc5bbec121f0b049d6b
-
Filesize
19KB
MD5e78e5f1a5efafcec6e2cdfa6e0ac32a4
SHA1e2b0d742dbe54699055b4a5265f34b92a8c685bd
SHA2564114ba504ef39436f9a1ed81b757911ee206b0bba1f1fb7f40b928120d9d7ec5
SHA512e39eed4d217e917def475edf063153a7d7f47a76e16bdb20fb7a470369e0d78161914cdbb5f19ae9b05e317740e4b4fc0620ebb4cf75ea21ecfe6329c353ec7c
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
714KB
MD506ef63fcb30cb75b38e13a0a12764097
SHA1fbf8ee77153177587ef1e81e36cb4adad054d208
SHA25623b9b4a46c15c5fa3b7445e8041852f3dc831547903250209ca738b1a17fb7c2
SHA512833722edea13277437343fd24cdfdd2b99a5c8d909a68421ee65bb0e0bbefa41aef183340cce4991d55c21d505e6bfc7e6bb429ccbb10bcdf619669e800b42d2