vipkeylogger | 0716b488e853e64c11829ceadc87e805cd1513bcec26a8c261520a36aff87da2

Analysis

max time kernel
119s
max time network
138s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0716b488e853e64c11829ceadc87e805cd1513bcec26a8c261520a36aff87da2.docx
Size

179KB
MD5

a07bcec379d6c10b5c39caedc56a290a
SHA1

953f655df1677263180e8c564755b0051e20574b
SHA256

0716b488e853e64c11829ceadc87e805cd1513bcec26a8c261520a36aff87da2
SHA512

b0fb67341428e3fc30f8902e122ab6133de05b9078332f2ff93a862ed9f4ebf7ab39641c74411f8b4f11a66fc4dc97d83112860876558f3f128beb9efde1530f
SSDEEP

3072:OiY5rj1ATug+mhTZMxjcFQ9csn4qAzYjDp/shKuikycBSRjR/Vx7XU4U56:05r/g+qZMpcFSQzYHut4dFE6

Score

10^/10

vipkeylogger collection credential_access discovery execution keylogger spyware stealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
novaoil.top
Port:
587
Username:
[email protected]
Password:
7213575aceACE@
Email To:
[email protected]

Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	2120	EQNEDT32.EXE

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1652	powershell.exe

Downloads MZ/PE file
Abuses OpenXML format to download file from external location

Executes dropped EXE 2 IoCs

pid	Process
936	hgsnwealth82664.exe
1812	hgsnwealth82664.exe

Loads dropped DLL 1 IoCs

pid	Process
2120	EQNEDT32.EXE

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hgsnwealth82664.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hgsnwealth82664.exe
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hgsnwealth82664.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	checkip.dyndns.org

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 936 set thread context of 1812	936	hgsnwealth82664.exe	38

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hgsnwealth82664.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hgsnwealth82664.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
2120	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1928	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1812	hgsnwealth82664.exe
1652	powershell.exe
1812	hgsnwealth82664.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1812	hgsnwealth82664.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeShutdownPrivilege	1928	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1928	WINWORD.EXE
1928	WINWORD.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 936	2120	EQNEDT32.EXE	33
PID 2120 wrote to memory of 936	2120	EQNEDT32.EXE	33
PID 2120 wrote to memory of 936	2120	EQNEDT32.EXE	33
PID 2120 wrote to memory of 936	2120	EQNEDT32.EXE	33
PID 1928 wrote to memory of 3016	1928	WINWORD.EXE	35
PID 1928 wrote to memory of 3016	1928	WINWORD.EXE	35
PID 1928 wrote to memory of 3016	1928	WINWORD.EXE	35
PID 1928 wrote to memory of 3016	1928	WINWORD.EXE	35
PID 936 wrote to memory of 1652	936	hgsnwealth82664.exe	36
PID 936 wrote to memory of 1652	936	hgsnwealth82664.exe	36
PID 936 wrote to memory of 1652	936	hgsnwealth82664.exe	36
PID 936 wrote to memory of 1652	936	hgsnwealth82664.exe	36
PID 936 wrote to memory of 1812	936	hgsnwealth82664.exe	38
PID 936 wrote to memory of 1812	936	hgsnwealth82664.exe	38
PID 936 wrote to memory of 1812	936	hgsnwealth82664.exe	38
PID 936 wrote to memory of 1812	936	hgsnwealth82664.exe	38
PID 936 wrote to memory of 1812	936	hgsnwealth82664.exe	38
PID 936 wrote to memory of 1812	936	hgsnwealth82664.exe	38
PID 936 wrote to memory of 1812	936	hgsnwealth82664.exe	38
PID 936 wrote to memory of 1812	936	hgsnwealth82664.exe	38
PID 936 wrote to memory of 1812	936	hgsnwealth82664.exe	38

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hgsnwealth82664.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	hgsnwealth82664.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\0716b488e853e64c11829ceadc87e805cd1513bcec26a8c261520a36aff87da2.docx"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:3016

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Users\Admin\AppData\Roaming\hgsnwealth82664.exe
  "C:\Users\Admin\AppData\Roaming\hgsnwealth82664.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hgsnwealth82664.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1652
- - C:\Users\Admin\AppData\Roaming\hgsnwealth82664.exe
    "C:\Users\Admin\AppData\Roaming\hgsnwealth82664.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{D345ECF5-6486-4AE9-927E-8708561749E0}.FSD

Filesize
128KB

MD5
f046867c19bdcd040c363976097ab7dd

SHA1
a01d255dc57fe712fd2270cf6b43c2ea7441880d

SHA256
e9bb9f74db9e5acd89be88326602927cfe4af81f9f7ac727e4354f7abe4459d2

SHA512
f951744a9be062b41a60faa1043856862a99379ceb3418447fcdccc9c8e44cbe68aed1c3d22f8bdbba728c492de44d03b8bb62ccece303011941e035d7e9ff83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
88161418b560353688e634e7f3379607

SHA1
731dfc5985aacda8de067cde09028d7f899baf2b

SHA256
17e15719624718b7ab989184ce22bd8dc0ddfb5f44304691f511706cd410fdb8

SHA512
e52229fdfa8dc0baee8a37826f54c1980506f00590551f844b05454c5264a5bc7e465cd31c945720f2b28da59d5a5187033f11fc3eb8c259280dfbb20e0cc011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{FE47133B-96E4-4A94-AADE-5CD526129D83}.FSD

Filesize
128KB

MD5
7ba409a9b75eba95119bea5e66fcc075

SHA1
f84d95940dae0f85db443e4e2ce62ef9e30a5ef1

SHA256
9c3a490a8a7c451a4c7836014f13ee88fd51eabfd87ba2dbd4d14d4a62309563

SHA512
24dbd613355b02e7dcd2616e2f8979c0188174d42bff210c320035bb20d2f8b6e6bea6dc9bd766d5f33dd43f7b1d177b690163cae8f7faff6470771c7ae7839c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NFAY0EOS\ioqjWeKazzLuiTHfd[1].doc

Filesize
636KB

MD5
16ddde7b45c040f9fb63e73863134f5c

SHA1
ca18b30011b59e341eae8006d05d543e7314ce0c

SHA256
05ad66d563f492c9b527602ff6c7bd9b8fa0ed8f288d0481f51ebe6b71b05242

SHA512
4b6dd4b9fc79ed9639f95eeff4756e3915591fca8265c70c361709f0aa46aec542143d1966cbf746bfc4eb8efd09ccebab9ff5290719025ade090fb8b8fd2c3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F533D6A7-7801-48F2-8502-E3721DD6C76E}

Filesize
128KB

MD5
aa0e0406732aa8ca187dbb407541eb0f

SHA1
f9d02b9359843720e988fa1c43b0715a45a8495b

SHA256
575e1d2a92d4f2e849442a1ad620a82251e2294f3b268cd4acf811f94c10f278

SHA512
a8ca8b20fe5b92858caa3efd7c01be0abd81e7e2d62f202cde54aa05548216ca6777524a0c3e560eff23125509ac69ae8377f6508b033735658336cf226f928c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
367B

MD5
33b643005aaf1ccf71fcd32f14e8f17a

SHA1
6f953fc5b1b6dda81020fafe4c7c201b04622bce

SHA256
2fb9a83b7f927f8a903b2e14dfb21c36e3d40333dd96876560778f8484ac2480

SHA512
5a2b265060f0507952fc44bbe16e6139bdf0a6378cd8fc2cf3e612f230509b7d6c7bafdaf5b3eca9edb93b881ff71d99cb633d4365e0a9be6fc1c9b48f1e0292

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm

Filesize
19KB

MD5
fc9fdce7cdd8ee5097971a122f880500

SHA1
043e239256bc8984cf71f13d7cb20f310138e95a

SHA256
fabb49cfb83e4318304d67438ae8abb2a780cfbfc3e8948846e51ae74413f83b

SHA512
70b5e12e080985b208dc88b31f0ea37903a406b2c4fce9fa1d7c5ff27654ae1ebec32debd8a79d6417f052ad58bb7ed332dba7bb97dd14d48eef334902da0397

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\hgsnwealth82664.exe

Filesize
714KB

MD5
06ef63fcb30cb75b38e13a0a12764097

SHA1
fbf8ee77153177587ef1e81e36cb4adad054d208

SHA256
23b9b4a46c15c5fa3b7445e8041852f3dc831547903250209ca738b1a17fb7c2

SHA512
833722edea13277437343fd24cdfdd2b99a5c8d909a68421ee65bb0e0bbefa41aef183340cce4991d55c21d505e6bfc7e6bb429ccbb10bcdf619669e800b42d2

Download Submit
memory/936-101-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/936-112-0x00000000004D0000-0x00000000004E0000-memory.dmp

Filesize
64KB

Download
memory/936-95-0x0000000000120000-0x00000000001D6000-memory.dmp

Filesize
728KB

Download
memory/936-113-0x0000000004800000-0x000000000488A000-memory.dmp

Filesize
552KB

Download
memory/1812-126-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1812-122-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1812-116-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1812-118-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1812-123-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1812-114-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1812-125-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1812-120-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1928-2-0x00000000719AD000-0x00000000719B8000-memory.dmp

Filesize
44KB

Download
memory/1928-70-0x00000000719AD000-0x00000000719B8000-memory.dmp

Filesize
44KB

Download
memory/1928-0-0x000000002FE11000-0x000000002FE12000-memory.dmp

Filesize
4KB

Download
memory/1928-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1928-151-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1928-152-0x00000000719AD000-0x00000000719B8000-memory.dmp

Filesize
44KB

Download