Analysis

  • max time kernel: 128s
  • max time network: 129s
  • platform: windows7_x64
  • resource: win7-20240903-en
  • resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted: 01-10-2024 14:41

General

  • Target: RICHIESTA_OFFERTA_RDO2400423.docx
  • Size: 264KB
  • MD5: 5efaab9d9accf59510dafa162e958340
  • SHA1: 4d2d9082c9e29d7f218feea392e3bb59a0b5719a
  • SHA256: b5b6a451d04745638c7ecf24dbcc73655bb5942bf63a8da317bd7a6badb8dddf
  • SHA512: b5e85d750249a1d4415fe29597720b7a7f293e0013d326d43d986cc966a2d12e4273fc66cef0a438be20eecca55be269e51ec13c28ed3e7f6b102d2ade0f9a99
  • SSDEEP: 6144:syrTTW+ch8x2ZpfRkdxyl+cOpFVozXHN5dOG:fwy2O1c0buXHNXF

Malware Config

Extracted

  • Family: vipkeylogger
  • Credentials:

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Abuses OpenXML format to download file from external location
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RICHIESTA_OFFERTA_RDO2400423.docx"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2172
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1080
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:2580
      • C:\Users\Admin\AppData\Roaming\tmtcy20306.exe
        "C:\Users\Admin\AppData\Roaming\tmtcy20306.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2128
        • C:\Users\Admin\AppData\Roaming\tmtcy20306.exe
          "C:\Users\Admin\AppData\Roaming\tmtcy20306.exe"
          3⤵
          • Loads dropped DLL
          • Suspicious use of NtCreateThreadExHideFromDebugger
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:676

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0WBLVJY\tmtzxc[1].doc
    Filesize: 590KB
    MD5: 08d1a4e26971fd55013dbc7d2744b2a5
    SHA1: dd813694fc67b536f242ae7dd3deff14458b82ba
    SHA256: fd1ca8e9ebe962f23b55669ea495bdb32073b7359031e80a7067d387c0bfa8dc
    SHA512: 3c34748ed68738a24d6c7f1482b4b2f5a26fb6c2a85a1fc0a5303123928fb56974532af9d43b9bb9027558a03be79cf31b48a0c4cb28c41fd833f25e8bb035b6

  • C:\Users\Admin\AppData\Local\Temp\{E38CD4C1-1FC8-4D55-8F24-6C0BF4E09291}
    Filesize: 128KB
    MD5: 9ce1b525516f7b5f349c60069d3f9dfe
    SHA1: 0a3517babb843cf52aa892ff0abdf88ad19beae4
    SHA256: cbb9241131d3bf56833bb864b860cbad141e29d4724514806e62ff084f00c3d6
    SHA512: 6e02a794f2b62ea97b1c94e2dd1867d1efc22a7560a924d342b36cca707452faf7d577f544b50cb57f2dd5886db10872bf60b2b56c772a5ff404f42cdf258ec3

  • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
    Filesize: 406B
    MD5: fe348c98f6ebe5d0fb590b75d45369bb
    SHA1: 68705028050ade177c0fc232d093e82ba4c2e610
    SHA256: 3373ba71f77e24bc83b58f28370221be19787a7115920420d2b4c6f5062a9d68
    SHA512: 2756fea01300dfe1c88ce52c456a47d374bc571e44bdd27925ef09faef9c6bde7c1f010c9df0306514924e46bdf23d7862375d22d932b74fa16ef4da6f7a8c6c

  • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
    Filesize: 2B
    MD5: f3b25701fe362ec84616a93a45ce9998
    SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
    SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
    SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

  • C:\Users\Admin\AppData\Roaming\tmtcy20306.exe
    Filesize: 669KB
    MD5: f7e702effaaad33faa0cbc4f87da2d07
    SHA1: b8be783f38b987f8c88f7de258d69a648033be72
    SHA256: a44de00550c4b3adc9409fd1fb559cab02a9efab1a1352ff07b896a2cea98678
    SHA512: 43e29d3926317d7234f333e41177cafce5e4bd297d3a854f7959aad341eb68748b57113c41bf9173b5d838c7460ca146c21ba2dbf982535e5ad736118773cec9

  • \Users\Admin\AppData\Local\Temp\nse4C01.tmp\System.dll
    Filesize: 11KB
    MD5: 9625d5b1754bc4ff29281d415d27a0fd
    SHA1: 80e85afc5cccd4c0a3775edbb90595a1a59f5ce0
    SHA256: c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448
    SHA512: dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

  • memory/676-115-0x0000000000480000-0x00000000014E2000-memory.dmp
    Filesize: 16.4MB

  • memory/676-138-0x0000000000480000-0x00000000014E2000-memory.dmp
    Filesize: 16.4MB

  • memory/676-139-0x0000000000480000-0x00000000004C8000-memory.dmp
    Filesize: 288KB

  • memory/2172-61-0x00000000715BD000-0x00000000715C8000-memory.dmp
    Filesize: 44KB

  • memory/2172-2-0x00000000715BD000-0x00000000715C8000-memory.dmp
    Filesize: 44KB

  • memory/2172-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize: 64KB

  • memory/2172-0-0x000000002F811000-0x000000002F812000-memory.dmp
    Filesize: 4KB