Analysis

  • max time kernel
    135s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-10-2024 09:16

General

  • Target

    30092463687563.docx

  • Size

    264KB

  • MD5

    da3b3b9590907c35f64e830b2b244ffd

  • SHA1

    8393b61a2871bc1ea9cb2c22fa041790ce8fa5b1

  • SHA256

    97a4fe736ddd0955e218e7f7fb00d2fddee7896db60aa90e175b4824c9192825

  • SHA512

    98d070881920985daa43a793dd5064a4262584f61c34d86d0b51ff9c395ff81712e192b34cef6a1fedb3a274e214f38725b14fdb93aede811043b976ba6a3cf1

  • SSDEEP

    6144:AyrTTW+ch8x2ZpfRkdxyl+cOpFVozXHN5dOP:Dwy2O1c0buXHNXc

Malware Config

Extracted

Family

vipkeylogger

Credentials

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes.

  • Downloads MZ/PE file
  • Abuses OpenXML format to download file from external location
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk, where infostealers often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs
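
The "Abuses OpenXML format to download file from external location" signature is a static property of the .docx package: a relationship whose TargetMode is External, of a type Word resolves automatically on open (an OLE object link or an attached template). The check below is an added example, not code from the sandbox or the report. It builds a minimal .docx in memory with a constructed URL (the report does not give the real one), so it runs offline; the only library used is the Python standard library.

```python
"""List OOXML relationships that point outside the package, and separate the
ones Word fetches without user interaction from ordinary hyperlinks.
Added example; not the sandbox's code. Sample document is constructed here."""
import io
import zipfile
import xml.etree.ElementTree as ET

PKG_RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_RELS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

# Relationship types Word resolves automatically when the document is opened.
# An External target of one of these is a download, not a click-through link.
AUTO_FETCHED = {"oleObject", "attachedTemplate"}


def external_relationships(docx_bytes):
    """Return (rels_part, rel_id, rel_type, target) for every relationship in
    any *.rels part whose TargetMode is External. The ZIP is parsed in memory,
    so the document is never handed to Office."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for part in pkg.namelist():
            if not part.lower().endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(part))
            for rel in root.iter(f"{{{PKG_RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                found.append((part, rel.get("Id"), rel_type, rel.get("Target")))
    return found


def auto_fetched_externals(docx_bytes):
    """Only the external targets Word fetches on open (the ones worth alerting on)."""
    return [f for f in external_relationships(docx_bytes) if f[2] in AUTO_FETCHED]


def build_sample_docx(target_url):
    """Constructed minimal .docx: the document part carries one ordinary
    hyperlink (should not be flagged) and one OLE object whose target is
    external (should be flagged). target_url is an assumption."""
    document_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{PKG_RELS_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_RELS}/styles" Target="styles.xml"/>'
        f'<Relationship Id="rId2" Type="{OFFICE_RELS}/hyperlink" '
        'Target="https://example.invalid/" TargetMode="External"/>'
        f'<Relationship Id="rId3" Type="{OFFICE_RELS}/oleObject" '
        f'Target="{target_url}" TargetMode="External"/>'
        "</Relationships>"
    )
    root_rels = (
        f'<Relationships xmlns="{PKG_RELS_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_RELS}/officeDocument" '
        'Target="word/document.xml"/></Relationships>'
    )
    content_types = (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/></Types>'
    )
    document_xml = (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        "<w:body><w:p/></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", content_types)
        pkg.writestr("_rels/.rels", root_rels)
        pkg.writestr("word/document.xml", document_xml)
        pkg.writestr("word/_rels/document.xml.rels", document_rels)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("http://example.invalid/wealthzxcv.doc")
    for part, rel_id, rel_type, target in auto_fetched_externals(sample):
        print(f"{part}: {rel_id} ({rel_type}) -> {target}")
```

Run the same two functions over a real sample by passing the file's bytes instead of the constructed package; a hit in `auto_fetched_externals` is the staging relationship that in this run pulled down wealthzxcv[1].doc, and it is visible without opening the document in Word.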

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\30092463687563.docx"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1700
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1744
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:1564
      • C:\Users\Admin\AppData\Roaming\wealtken20309.exe
        "C:\Users\Admin\AppData\Roaming\wealtken20309.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2116
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wealtken20309.exe"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3032
        • C:\Users\Admin\AppData\Roaming\wealtken20309.exe
          "C:\Users\Admin\AppData\Roaming\wealtken20309.exe"
          3⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:2328
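
The process tree above carries three detection opportunities that do not depend on the file hashes: EQNEDT32.EXE creating a child process, PowerShell adding a Defender exclusion, and a binary under AppData\Roaming launching a second copy of itself (the SetThreadContext / WriteProcessMemory pattern on PID 2116 and 2328). The rules below are an added example, not the sandbox's own signatures. The events are constructed from the tree; the parent PIDs of WINWORD.EXE and EQNEDT32.EXE are not in the report and are assumed.

```python
"""Process-creation rules for the tree in the report. Added example, not the
sandbox's logic. EVENTS is constructed from the report; PPIDs 1234 and 5678
are assumptions (the report omits the parents of WINWORD.EXE and EQNEDT32.EXE)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


OFFICE = r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
EQNEDT = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
DROPPED = r"C:\Users\Admin\AppData\Roaming\wealtken20309.exe"
POWERSHELL = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

# Constructed from the tree above; PIDs and command lines mirror the report.
EVENTS = [
    ProcEvent(1700, 1234, OFFICE,
              f'"{OFFICE}" /n "C:\\Users\\Admin\\AppData\\Local\\Temp\\30092463687563.docx"'),
    ProcEvent(1744, 1700, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
    ProcEvent(1564, 5678, EQNEDT, f'"{EQNEDT}" -Embedding'),
    ProcEvent(2116, 1564, DROPPED, f'"{DROPPED}"'),
    ProcEvent(3032, 2116, POWERSHELL,
              '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
              f'Add-MpPreference -ExclusionPath "{DROPPED}"'),
    ProcEvent(2328, 2116, DROPPED, f'"{DROPPED}"'),
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
# Any Add-MpPreference call that touches an -Exclusion* switch; the short
# prefix also catches the abbreviated parameter names PowerShell accepts.
DEFENDER_EXCLUSION = re.compile(r"Add-MpPreference\b.*-Exclusion", re.IGNORECASE)


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid) hits in event order."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        # Equation Editor is an OLE server that renders equations; it has no
        # business creating processes, so any child is a hit regardless of path.
        if parent and image_name(parent.image) == "eqnedt32.exe":
            hits.append(("eqnedt32_spawns_child", e.pid))
        # Defender exclusions added from a command line.
        if image_name(e.image) in ("powershell.exe", "pwsh.exe") and DEFENDER_EXCLUSION.search(e.cmdline):
            hits.append(("defender_exclusion_added", e.pid))
        # A binary in a user-writable profile path starting a second copy of
        # itself: the parent is about to replace the child's image in memory.
        # splwow64.exe under WINWORD.EXE is normal and is not matched here.
        if parent and USER_WRITABLE.search(e.image) and e.image.lower() == parent.image.lower():
            hits.append(("appdata_binary_self_respawn", e.pid))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}")
```

Feed real Sysmon Event ID 1 or Security 4688 records into `ProcEvent` (pid, ppid, image, command line) and the same three rules apply; the first rule alone would have fired on PID 2116 before the payload ran PowerShell or touched Outlook profiles.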

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      c1e070698f98cc0bc4f8dfa4656f57a2

      SHA1

      c28a81cae737d65a3324f6ac3c9eab8305803807

      SHA256

      e1963763331974db20c8bb5fbe8d816d11c05b1b5ae240dfcf074a76cf800c35

      SHA512

      bacacafa38e0e22eb90ae27ab13ea80853bba5dcac885c8d45f7cfe84e47e6416b79ce776160585133dd4cd9a853f3d97ba535ac74d1f94bcced9ccd3d8b1ea0

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{DEBCEAEA-9D84-4AD0-B26C-1D23173233BB}.FSD

      Filesize

      128KB

      MD5

      5d2d02d3b6ddf63f339e8880078f9bad

      SHA1

      b8a80dfa53245bd61d159ecf2ac3791aa664bc9e

      SHA256

      cb9a8bb65d5ff4f17090107f9b49d7171d2388b001bfc68d7557aa422c39478b

      SHA512

      a64f821501e5a8dc35fa13a64fb57143dedb9f7f9943e9c7fcebd0ee8b0d4cf35804e0ca629e5fa3e230d333d740cf3c5d1ead4011e4517d304a514c5801f98d

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\wealthzxcv[1].doc

      Filesize

      565KB

      MD5

      adbffccbb78834fa492cc7ca8a676e52

      SHA1

      1e5b065d13fa03fb556a7ff315b85db96d369908

      SHA256

      42d08df15b74f7a598895de1590dab57cd973d1b4dd8531f88ac3150260f7e63

      SHA512

      de1bb84f11ad4dcf7035699c8b5ca58e098da937a98b8a701ba202671dbb9bf1510434682675b208f3dc804040a9775b11903709f825758e68a19fc9ef2e8b33

    • C:\Users\Admin\AppData\Local\Temp\{55614E27-D3B2-498B-B250-D9398E3D2219}

      Filesize

      128KB

      MD5

      8aaff3ae386e27aded0950fe6f1b8f39

      SHA1

      d812e682a778d45d10414765852a7567686c6fed

      SHA256

      2eb70f6ddc2d3efff8c71e1db99d528b4013b686ac334a34189afd7dc4be8e41

      SHA512

      2e425537fbeb09f2d481d477907ed305a70f927d798b04c63938d8357a520bffe8879554382938c1126343204addef69ada9104da21de0f45fea213ea52d6371

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

      Filesize

      441B

      MD5

      cd71990f4b802cd3b3a5dbb17386cb94

      SHA1

      0b621696d60116d990f7e049669ec2dc8a00b90c

      SHA256

      df46fb901a1032f2ffe0f2647c758ff9589d8604c970ed7397faa8dd2cd49761

      SHA512

      992aa2e665c4549dc51dd417bdc50720df45698b1ac78c39d9ec83df9e13e0ed3d22b77c7b3f733647c0355bb7274b909b27e6964d548e2f766fb019c31085a6

    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    • C:\Users\Admin\AppData\Roaming\wealtken20309.exe

      Filesize

      858KB

      MD5

      d237ebe34f35a9ffe99f5efe0474c1e2

      SHA1

      573c4774a52cc9ebc7e7408f944ac7f3a27d2fb1

      SHA256

      ebf5271d5f3a9a052cd487e949d80ca43d84bb108dd0cf0c773f2139a57c6137

      SHA512

      9393d9605d72382f7dc154e0dfc7aacd7f0f740c0c3ec7fc3e94a366111edbbb1ca2f64b85cd9f12bd7bccad25d74ed16cff19162b44b95127e61ccc227b9f05

    • memory/1700-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/1700-2-0x000000007144D000-0x0000000071458000-memory.dmp

      Filesize

      44KB

    • memory/1700-103-0x000000007144D000-0x0000000071458000-memory.dmp

      Filesize

      44KB

    • memory/1700-0-0x000000002F161000-0x000000002F162000-memory.dmp

      Filesize

      4KB

    • memory/2116-96-0x0000000000A70000-0x0000000000A8E000-memory.dmp

      Filesize

      120KB

    • memory/2116-94-0x0000000001270000-0x000000000134C000-memory.dmp

      Filesize

      880KB

    • memory/2116-104-0x0000000000920000-0x00000000009AA000-memory.dmp

      Filesize

      552KB

    • memory/2328-116-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2328-114-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2328-113-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/2328-111-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2328-109-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2328-107-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2328-105-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2328-118-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB