Analysis
-
max time kernel
128s -
max time network
129s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
01-10-2024 14:41
Static task
static1
Behavioral task
behavioral1
Sample
RICHIESTA_OFFERTA_RDO2400423.docx
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
RICHIESTA_OFFERTA_RDO2400423.docx
Resource
win10v2004-20240802-en
General
-
Target
RICHIESTA_OFFERTA_RDO2400423.docx
-
Size
264KB
-
MD5
5efaab9d9accf59510dafa162e958340
-
SHA1
4d2d9082c9e29d7f218feea392e3bb59a0b5719a
-
SHA256
b5b6a451d04745638c7ecf24dbcc73655bb5942bf63a8da317bd7a6badb8dddf
-
SHA512
b5e85d750249a1d4415fe29597720b7a7f293e0013d326d43d986cc966a2d12e4273fc66cef0a438be20eecca55be269e51ec13c28ed3e7f6b102d2ade0f9a99
-
SSDEEP
6144:syrTTW+ch8x2ZpfRkdxyl+cOpFVozXHN5dOG:fwy2O1c0buXHNXF
Malware Config
Extracted
vipkeylogger
Protocol: smtp- Host:
mail.cybertechllc.top - Port:
587 - Username:
[email protected] - Password:
7213575aceACE@@ - Email To:
[email protected]
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 7 2580 EQNEDT32.EXE -
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location
-
Executes dropped EXE 1 IoCs
Processes:
tmtcy20306.exepid process 2128 tmtcy20306.exe -
Loads dropped DLL 3 IoCs
Processes:
EQNEDT32.EXEtmtcy20306.exetmtcy20306.exepid process 2580 EQNEDT32.EXE 2128 tmtcy20306.exe 676 tmtcy20306.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 22 checkip.dyndns.org -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes:
tmtcy20306.exepid process 676 tmtcy20306.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
tmtcy20306.exetmtcy20306.exepid process 2128 tmtcy20306.exe 676 tmtcy20306.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
tmtcy20306.exedescription pid process target process PID 2128 set thread context of 676 2128 tmtcy20306.exe tmtcy20306.exe -
Drops file in Windows directory 2 IoCs
Processes:
WINWORD.EXEtmtcy20306.exedescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE File opened for modification C:\Windows\resources\0409\reproductivity.ini tmtcy20306.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
EQNEDT32.EXEtmtcy20306.exetmtcy20306.exeWINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EQNEDT32.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmtcy20306.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmtcy20306.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 2172 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
tmtcy20306.exepid process 676 tmtcy20306.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
tmtcy20306.exepid process 2128 tmtcy20306.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
tmtcy20306.exedescription pid process Token: SeDebugPrivilege 676 tmtcy20306.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 2172 WINWORD.EXE 2172 WINWORD.EXE -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
EQNEDT32.EXEWINWORD.EXEtmtcy20306.exedescription pid process target process PID 2580 wrote to memory of 2128 2580 EQNEDT32.EXE tmtcy20306.exe PID 2580 wrote to memory of 2128 2580 EQNEDT32.EXE tmtcy20306.exe PID 2580 wrote to memory of 2128 2580 EQNEDT32.EXE tmtcy20306.exe PID 2580 wrote to memory of 2128 2580 EQNEDT32.EXE tmtcy20306.exe PID 2172 wrote to memory of 1080 2172 WINWORD.EXE splwow64.exe PID 2172 wrote to memory of 1080 2172 WINWORD.EXE splwow64.exe PID 2172 wrote to memory of 1080 2172 WINWORD.EXE splwow64.exe PID 2172 wrote to memory of 1080 2172 WINWORD.EXE splwow64.exe PID 2128 wrote to memory of 676 2128 tmtcy20306.exe tmtcy20306.exe PID 2128 wrote to memory of 676 2128 tmtcy20306.exe tmtcy20306.exe PID 2128 wrote to memory of 676 2128 tmtcy20306.exe tmtcy20306.exe PID 2128 wrote to memory of 676 2128 tmtcy20306.exe tmtcy20306.exe PID 2128 wrote to memory of 676 2128 tmtcy20306.exe tmtcy20306.exe PID 2128 wrote to memory of 676 2128 tmtcy20306.exe tmtcy20306.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RICHIESTA_OFFERTA_RDO2400423.docx"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:1080
-
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Users\Admin\AppData\Roaming\tmtcy20306.exe"C:\Users\Admin\AppData\Roaming\tmtcy20306.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Users\Admin\AppData\Roaming\tmtcy20306.exe"C:\Users\Admin\AppData\Roaming\tmtcy20306.exe"3⤵
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:676
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q0WBLVJY\tmtzxc[1].doc
Filesize590KB
MD508d1a4e26971fd55013dbc7d2744b2a5
SHA1dd813694fc67b536f242ae7dd3deff14458b82ba
SHA256fd1ca8e9ebe962f23b55669ea495bdb32073b7359031e80a7067d387c0bfa8dc
SHA5123c34748ed68738a24d6c7f1482b4b2f5a26fb6c2a85a1fc0a5303123928fb56974532af9d43b9bb9027558a03be79cf31b48a0c4cb28c41fd833f25e8bb035b6
-
Filesize
128KB
MD59ce1b525516f7b5f349c60069d3f9dfe
SHA10a3517babb843cf52aa892ff0abdf88ad19beae4
SHA256cbb9241131d3bf56833bb864b860cbad141e29d4724514806e62ff084f00c3d6
SHA5126e02a794f2b62ea97b1c94e2dd1867d1efc22a7560a924d342b36cca707452faf7d577f544b50cb57f2dd5886db10872bf60b2b56c772a5ff404f42cdf258ec3
-
Filesize
406B
MD5fe348c98f6ebe5d0fb590b75d45369bb
SHA168705028050ade177c0fc232d093e82ba4c2e610
SHA2563373ba71f77e24bc83b58f28370221be19787a7115920420d2b4c6f5062a9d68
SHA5122756fea01300dfe1c88ce52c456a47d374bc571e44bdd27925ef09faef9c6bde7c1f010c9df0306514924e46bdf23d7862375d22d932b74fa16ef4da6f7a8c6c
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
669KB
MD5f7e702effaaad33faa0cbc4f87da2d07
SHA1b8be783f38b987f8c88f7de258d69a648033be72
SHA256a44de00550c4b3adc9409fd1fb559cab02a9efab1a1352ff07b896a2cea98678
SHA51243e29d3926317d7234f333e41177cafce5e4bd297d3a854f7959aad341eb68748b57113c41bf9173b5d838c7460ca146c21ba2dbf982535e5ad736118773cec9
-
Filesize
11KB
MD59625d5b1754bc4ff29281d415d27a0fd
SHA180e85afc5cccd4c0a3775edbb90595a1a59f5ce0
SHA256c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448
SHA512dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b