Analysis
-
max time kernel
90s -
max time network
95s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
01-10-2024 14:42
Static task
static1
Behavioral task
behavioral1
Sample
tmtzxc.rtf
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
tmtzxc.rtf
Resource
win10v2004-20240802-en
General
-
Target
tmtzxc.rtf
-
Size
590KB
-
MD5
08d1a4e26971fd55013dbc7d2744b2a5
-
SHA1
dd813694fc67b536f242ae7dd3deff14458b82ba
-
SHA256
fd1ca8e9ebe962f23b55669ea495bdb32073b7359031e80a7067d387c0bfa8dc
-
SHA512
3c34748ed68738a24d6c7f1482b4b2f5a26fb6c2a85a1fc0a5303123928fb56974532af9d43b9bb9027558a03be79cf31b48a0c4cb28c41fd833f25e8bb035b6
-
SSDEEP
3072:nsa7eTzUetoCmiSHnm3WscLmvSVs+aN0X4rP55:nsYeXSG3WscLmvSa+aNyG55
Malware Config
Extracted
vipkeylogger
Protocol: smtp- Host:
mail.cybertechllc.top - Port:
587 - Username:
[email protected] - Password:
7213575aceACE@@ - Email To:
[email protected]
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 3 2760 EQNEDT32.EXE -
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
tmtcy20306.exepid process 2116 tmtcy20306.exe -
Loads dropped DLL 3 IoCs
Processes:
EQNEDT32.EXEtmtcy20306.exetmtcy20306.exepid process 2760 EQNEDT32.EXE 2116 tmtcy20306.exe 2092 tmtcy20306.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 16 checkip.dyndns.org -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes:
tmtcy20306.exepid process 2092 tmtcy20306.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
tmtcy20306.exetmtcy20306.exepid process 2116 tmtcy20306.exe 2092 tmtcy20306.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
tmtcy20306.exedescription pid process target process PID 2116 set thread context of 2092 2116 tmtcy20306.exe tmtcy20306.exe -
Drops file in Windows directory 2 IoCs
Processes:
WINWORD.EXEtmtcy20306.exedescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE File opened for modification C:\Windows\resources\0409\reproductivity.ini tmtcy20306.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
WINWORD.EXEEQNEDT32.EXEtmtcy20306.exetmtcy20306.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EQNEDT32.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmtcy20306.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmtcy20306.exe -
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 2104 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
tmtcy20306.exepid process 2092 tmtcy20306.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
tmtcy20306.exepid process 2116 tmtcy20306.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
tmtcy20306.exedescription pid process Token: SeDebugPrivilege 2092 tmtcy20306.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 2104 WINWORD.EXE 2104 WINWORD.EXE -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
EQNEDT32.EXEWINWORD.EXEtmtcy20306.exedescription pid process target process PID 2760 wrote to memory of 2116 2760 EQNEDT32.EXE tmtcy20306.exe PID 2760 wrote to memory of 2116 2760 EQNEDT32.EXE tmtcy20306.exe PID 2760 wrote to memory of 2116 2760 EQNEDT32.EXE tmtcy20306.exe PID 2760 wrote to memory of 2116 2760 EQNEDT32.EXE tmtcy20306.exe PID 2104 wrote to memory of 1228 2104 WINWORD.EXE splwow64.exe PID 2104 wrote to memory of 1228 2104 WINWORD.EXE splwow64.exe PID 2104 wrote to memory of 1228 2104 WINWORD.EXE splwow64.exe PID 2104 wrote to memory of 1228 2104 WINWORD.EXE splwow64.exe PID 2116 wrote to memory of 2092 2116 tmtcy20306.exe tmtcy20306.exe PID 2116 wrote to memory of 2092 2116 tmtcy20306.exe tmtcy20306.exe PID 2116 wrote to memory of 2092 2116 tmtcy20306.exe tmtcy20306.exe PID 2116 wrote to memory of 2092 2116 tmtcy20306.exe tmtcy20306.exe PID 2116 wrote to memory of 2092 2116 tmtcy20306.exe tmtcy20306.exe PID 2116 wrote to memory of 2092 2116 tmtcy20306.exe tmtcy20306.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\tmtzxc.rtf"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:1228
-
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Users\Admin\AppData\Roaming\tmtcy20306.exe"C:\Users\Admin\AppData\Roaming\tmtcy20306.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Users\Admin\AppData\Roaming\tmtcy20306.exe"C:\Users\Admin\AppData\Roaming\tmtcy20306.exe"3⤵
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2092
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD59625d5b1754bc4ff29281d415d27a0fd
SHA180e85afc5cccd4c0a3775edbb90595a1a59f5ce0
SHA256c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448
SHA512dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b
-
Filesize
669KB
MD5f7e702effaaad33faa0cbc4f87da2d07
SHA1b8be783f38b987f8c88f7de258d69a648033be72
SHA256a44de00550c4b3adc9409fd1fb559cab02a9efab1a1352ff07b896a2cea98678
SHA51243e29d3926317d7234f333e41177cafce5e4bd297d3a854f7959aad341eb68748b57113c41bf9173b5d838c7460ca146c21ba2dbf982535e5ad736118773cec9