Malware Analysis Report

2024-11-15 07:56

Sample ID 241001-r27hjavcjp
Target tmtzxc.doc
SHA256 fd1ca8e9ebe962f23b55669ea495bdb32073b7359031e80a7067d387c0bfa8dc
Tags
vipkeylogger discovery keylogger stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

fd1ca8e9ebe962f23b55669ea495bdb32073b7359031e80a7067d387c0bfa8dc

Threat Level: Known bad

The file tmtzxc.doc was found to be: Known bad.

Malicious Activity Summary

vipkeylogger discovery keylogger stealer

VIPKeylogger

Downloads MZ/PE file

Blocklisted process makes network request

Executes dropped EXE

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Launches Equation Editor

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-01 14:42

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-01 14:42

Reported

2024-10-01 14:45

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\tmtzxc.rtf" /o ""

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\tmtzxc.rtf" /o ""

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.32.109.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 roaming.officeapps.live.com udp
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 129.68.109.52.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 26.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 metadata.templates.cdn.office.net udp
GB 2.18.63.57:443 metadata.templates.cdn.office.net tcp
US 8.8.8.8:53 binaries.templates.cdn.office.net udp
GB 2.19.117.74:443 binaries.templates.cdn.office.net tcp
US 8.8.8.8:53 57.63.18.2.in-addr.arpa udp
US 8.8.8.8:53 74.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\TCDC71E.tmp\sist02.xsl

MD5 f883b260a8d67082ea895c14bf56dd56
SHA1 7954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256 ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512 d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-01 14:42

Reported

2024-10-01 14:45

Platform

win7-20240903-en

Max time kernel

90s

Max time network

95s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\tmtzxc.rtf"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\tmtcy20306.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\tmtcy20306.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\tmtcy20306.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2116 set thread context of 2092 N/A C:\Users\Admin\AppData\Roaming\tmtcy20306.exe C:\Users\Admin\AppData\Roaming\tmtcy20306.exe

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\WIA\wiatrace.log C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
File opened for modification C:\Windows\resources\0409\reproductivity.ini C:\Users\Admin\AppData\Roaming\tmtcy20306.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\tmtcy20306.exe N/A

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor

exploit
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\tmtcy20306.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\tmtcy20306.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\tmtcy20306.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2760 wrote to memory of 2116 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Roaming\tmtcy20306.exe
PID 2104 wrote to memory of 1228 N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE C:\Windows\splwow64.exe
PID 2116 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Roaming\tmtcy20306.exe C:\Users\Admin\AppData\Roaming\tmtcy20306.exe

Processes

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\tmtzxc.rtf"

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

C:\Users\Admin\AppData\Roaming\tmtcy20306.exe

"C:\Users\Admin\AppData\Roaming\tmtcy20306.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Users\Admin\AppData\Roaming\tmtcy20306.exe

"C:\Users\Admin\AppData\Roaming\tmtcy20306.exe"

Network

Country Destination Domain Proto
US 154.216.20.22:80 154.216.20.22 tcp
US 8.8.8.8:53 drive.google.com udp
GB 172.217.169.46:443 drive.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 172.217.169.67:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.179.227:80 o.pki.goog tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.180.1:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 checkip.dyndns.org udp
US 193.122.130.0:80 checkip.dyndns.org tcp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 104.21.67.152:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp

Files

\Users\Admin\AppData\Roaming\tmtcy20306.exe

MD5 f7e702effaaad33faa0cbc4f87da2d07
SHA1 b8be783f38b987f8c88f7de258d69a648033be72
SHA256 a44de00550c4b3adc9409fd1fb559cab02a9efab1a1352ff07b896a2cea98678
SHA512 43e29d3926317d7234f333e41177cafce5e4bd297d3a854f7959aad341eb68748b57113c41bf9173b5d838c7460ca146c21ba2dbf982535e5ad736118773cec9

\Users\Admin\AppData\Local\Temp\nsu22EF.tmp\System.dll

MD5 9625d5b1754bc4ff29281d415d27a0fd
SHA1 80e85afc5cccd4c0a3775edbb90595a1a59f5ce0
SHA256 c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448
SHA512 dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b