Analysis
-
max time kernel
121s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
21/08/2024, 07:05
Static task
static1
Behavioral task
behavioral1
Sample
ioqjWeKazzLuiTHfd.rtf
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
ioqjWeKazzLuiTHfd.rtf
Resource
win10v2004-20240802-en
General
-
Target
ioqjWeKazzLuiTHfd.rtf
-
Size
636KB
-
MD5
16ddde7b45c040f9fb63e73863134f5c
-
SHA1
ca18b30011b59e341eae8006d05d543e7314ce0c
-
SHA256
05ad66d563f492c9b527602ff6c7bd9b8fa0ed8f288d0481f51ebe6b71b05242
-
SHA512
4b6dd4b9fc79ed9639f95eeff4756e3915591fca8265c70c361709f0aa46aec542143d1966cbf746bfc4eb8efd09ccebab9ff5290719025ade090fb8b8fd2c3b
-
SSDEEP
6144:cwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAYwAr:P6
Malware Config
Extracted
vipkeylogger
Protocol: smtp- Host:
novaoil.top - Port:
587 - Username:
[email protected] - Password:
7213575aceACE@ - Email To:
[email protected]
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Blocklisted process makes network request 1 IoCs
flow pid Process 4 584 EQNEDT32.EXE -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2168 powershell.exe -
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
pid Process 2876 hgsnwealth82664.exe 944 hgsnwealth82664.exe -
Loads dropped DLL 1 IoCs
pid Process 584 EQNEDT32.EXE -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 hgsnwealth82664.exe Key opened \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 hgsnwealth82664.exe Key opened \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 hgsnwealth82664.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 5 checkip.dyndns.org -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2876 set thread context of 944 2876 hgsnwealth82664.exe 38 -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EQNEDT32.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hgsnwealth82664.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language hgsnwealth82664.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe -
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
pid Process 584 EQNEDT32.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1976 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 944 hgsnwealth82664.exe 2168 powershell.exe 944 hgsnwealth82664.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 944 hgsnwealth82664.exe Token: SeDebugPrivilege 2168 powershell.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 1976 WINWORD.EXE 1976 WINWORD.EXE -
Suspicious use of WriteProcessMemory 21 IoCs
description pid Process procid_target PID 584 wrote to memory of 2876 584 EQNEDT32.EXE 33 PID 584 wrote to memory of 2876 584 EQNEDT32.EXE 33 PID 584 wrote to memory of 2876 584 EQNEDT32.EXE 33 PID 584 wrote to memory of 2876 584 EQNEDT32.EXE 33 PID 1976 wrote to memory of 2624 1976 WINWORD.EXE 35 PID 1976 wrote to memory of 2624 1976 WINWORD.EXE 35 PID 1976 wrote to memory of 2624 1976 WINWORD.EXE 35 PID 1976 wrote to memory of 2624 1976 WINWORD.EXE 35 PID 2876 wrote to memory of 2168 2876 hgsnwealth82664.exe 36 PID 2876 wrote to memory of 2168 2876 hgsnwealth82664.exe 36 PID 2876 wrote to memory of 2168 2876 hgsnwealth82664.exe 36 PID 2876 wrote to memory of 2168 2876 hgsnwealth82664.exe 36 PID 2876 wrote to memory of 944 2876 hgsnwealth82664.exe 38 PID 2876 wrote to memory of 944 2876 hgsnwealth82664.exe 38 PID 2876 wrote to memory of 944 2876 hgsnwealth82664.exe 38 PID 2876 wrote to memory of 944 2876 hgsnwealth82664.exe 38 PID 2876 wrote to memory of 944 2876 hgsnwealth82664.exe 38 PID 2876 wrote to memory of 944 2876 hgsnwealth82664.exe 38 PID 2876 wrote to memory of 944 2876 hgsnwealth82664.exe 38 PID 2876 wrote to memory of 944 2876 hgsnwealth82664.exe 38 PID 2876 wrote to memory of 944 2876 hgsnwealth82664.exe 38 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 hgsnwealth82664.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 hgsnwealth82664.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\ioqjWeKazzLuiTHfd.rtf"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:2624
-
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:584 -
C:\Users\Admin\AppData\Roaming\hgsnwealth82664.exe"C:\Users\Admin\AppData\Roaming\hgsnwealth82664.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hgsnwealth82664.exe"3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2168
-
-
C:\Users\Admin\AppData\Roaming\hgsnwealth82664.exe"C:\Users\Admin\AppData\Roaming\hgsnwealth82664.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:944
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Exploitation for Client Execution
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
19KB
MD53790713edce531d6d8f374f07159601f
SHA17e925c68c0fc273b8e1e03de281f9c438c822e51
SHA25632cb6517f489f9184a5dba9ef49efeef6cd9a7b8b59b818550ebc65dc55165bd
SHA51221a24fab7c610e7e172c3b0b850cd96377ed75d08d003151581ed10f0aad432e7376dff9bb47270ea903fbb47ce69818151f8e14149d13bc85b7965059b4b664
-
Filesize
714KB
MD506ef63fcb30cb75b38e13a0a12764097
SHA1fbf8ee77153177587ef1e81e36cb4adad054d208
SHA25623b9b4a46c15c5fa3b7445e8041852f3dc831547903250209ca738b1a17fb7c2
SHA512833722edea13277437343fd24cdfdd2b99a5c8d909a68421ee65bb0e0bbefa41aef183340cce4991d55c21d505e6bfc7e6bb429ccbb10bcdf619669e800b42d2