Analysis
- Max time kernel: 135s
- Max time network: 123s
- Platform: windows7_x64
- Resource: win7-20240708-en
- Resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- Submitted: 02-10-2024 09:16

Static task: static1

Behavioral task: behavioral1
- Sample: 30092463687563.docx
- Resource: win7-20240708-en

Behavioral task: behavioral2
- Sample: 30092463687563.docx
- Resource: win10v2004-20240802-en
General
- Target: 30092463687563.docx
- Size: 264KB
- MD5: da3b3b9590907c35f64e830b2b244ffd
- SHA1: 8393b61a2871bc1ea9cb2c22fa041790ce8fa5b1
- SHA256: 97a4fe736ddd0955e218e7f7fb00d2fddee7896db60aa90e175b4824c9192825
- SHA512: 98d070881920985daa43a793dd5064a4262584f61c34d86d0b51ff9c395ff81712e192b34cef6a1fedb3a274e214f38725b14fdb93aede811043b976ba6a3cf1
- SSDEEP: 6144:AyrTTW+ch8x2ZpfRkdxyl+cOpFVozXHN5dOP:Dwy2O1c0buXHNXc
Malware Config
Extracted: vipkeylogger
- Protocol: smtp
- Host: hosting2.ro.hostsailor.com
- Port: 587
- Username: [email protected]
- Password: 7213575aceACE@@
- Email To: [email protected]
Signatures
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.
- Blocklisted process makes network request (1 IoC)
  Processes:
  - flow 7, PID 1564: EQNEDT32.EXE
- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Executes dropped EXE (2 IoCs)
  Processes:
  - PID 2116: wealtken20309.exe
  - PID 2328: wealtken20309.exe
- Loads dropped DLL (1 IoC)
  Processes:
  - PID 1564: EQNEDT32.EXE
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
  - Key opened: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (wealtken20309.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (wealtken20309.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (wealtken20309.exe)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  - flow 8: checkip.dyndns.org
- Drops file in System32 directory (1 IoC)
  Processes:
  - File opened for modification: C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk (powershell.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  - PID 2116 set thread context of 2328 (wealtken20309.exe -> wealtken20309.exe)
- Drops file in Windows directory (1 IoC)
  Processes:
  - File opened for modification: C:\Windows\Debug\WIA\wiatrace.log (WINWORD.EXE)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (WINWORD.EXE)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (EQNEDT32.EXE)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (wealtken20309.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (wealtken20309.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (powershell.exe)
- Office loads VBA resources, possible macro or embedded object present
- Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
  - PID 1700: WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
  - PID 2328: wealtken20309.exe
  - PID 3032: powershell.exe
  - PID 2328: wealtken20309.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  - Token: SeDebugPrivilege, PID 2328: wealtken20309.exe
  - Token: SeDebugPrivilege, PID 3032: powershell.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes:
  - PID 1700: WINWORD.EXE
  - PID 1700: WINWORD.EXE
  - PID 1700: WINWORD.EXE
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes:
  - PID 1564 wrote to memory of 2116 (EQNEDT32.EXE -> wealtken20309.exe), 4 entries
  - PID 1700 wrote to memory of 1744 (WINWORD.EXE -> splwow64.exe), 4 entries
  - PID 2116 wrote to memory of 3032 (wealtken20309.exe -> powershell.exe), 4 entries
  - PID 2116 wrote to memory of 2328 (wealtken20309.exe -> wealtken20309.exe), 9 entries
- outlook_office_path (1 IoC)
  Processes:
  - Key opened: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (wealtken20309.exe)
- outlook_win_path (1 IoC)
  Processes:
  - Key opened: \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (wealtken20309.exe)
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 1700)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\30092463687563.docx"
  Signatures:
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\splwow64.exe (PID 1744)
    Command line: C:\Windows\splwow64.exe 12288
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (PID 1564)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  Signatures:
  - Blocklisted process makes network request
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Roaming\wealtken20309.exe (PID 2116)
    Command line: "C:\Users\Admin\AppData\Roaming\wealtken20309.exe"
    Signatures:
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3032)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wealtken20309.exe"
      Signatures:
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Roaming\wealtken20309.exe (PID 2328)
      Command line: "C:\Users\Admin\AppData\Roaming\wealtken20309.exe"
      Signatures:
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
- Execution
  - Command and Scripting Interpreter (1)
    - PowerShell (1)
  - Exploitation for Client Execution (1)
- Credential Access
  - Credentials from Password Stores (1)
    - Credentials from Web Browsers (1)
  - Unsecured Credentials (2)
    - Credentials In Files (2)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
  Filesize: 128KB
  MD5: c1e070698f98cc0bc4f8dfa4656f57a2
  SHA1: c28a81cae737d65a3324f6ac3c9eab8305803807
  SHA256: e1963763331974db20c8bb5fbe8d816d11c05b1b5ae240dfcf074a76cf800c35
  SHA512: bacacafa38e0e22eb90ae27ab13ea80853bba5dcac885c8d45f7cfe84e47e6416b79ce776160585133dd4cd9a853f3d97ba535ac74d1f94bcced9ccd3d8b1ea0
- C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{DEBCEAEA-9D84-4AD0-B26C-1D23173233BB}.FSD
  Filesize: 128KB
  MD5: 5d2d02d3b6ddf63f339e8880078f9bad
  SHA1: b8a80dfa53245bd61d159ecf2ac3791aa664bc9e
  SHA256: cb9a8bb65d5ff4f17090107f9b49d7171d2388b001bfc68d7557aa422c39478b
  SHA512: a64f821501e5a8dc35fa13a64fb57143dedb9f7f9943e9c7fcebd0ee8b0d4cf35804e0ca629e5fa3e230d333d740cf3c5d1ead4011e4517d304a514c5801f98d
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UQFHO95Z\wealthzxcv[1].doc
  Filesize: 565KB
  MD5: adbffccbb78834fa492cc7ca8a676e52
  SHA1: 1e5b065d13fa03fb556a7ff315b85db96d369908
  SHA256: 42d08df15b74f7a598895de1590dab57cd973d1b4dd8531f88ac3150260f7e63
  SHA512: de1bb84f11ad4dcf7035699c8b5ca58e098da937a98b8a701ba202671dbb9bf1510434682675b208f3dc804040a9775b11903709f825758e68a19fc9ef2e8b33
- Filesize: 128KB
  MD5: 8aaff3ae386e27aded0950fe6f1b8f39
  SHA1: d812e682a778d45d10414765852a7567686c6fed
  SHA256: 2eb70f6ddc2d3efff8c71e1db99d528b4013b686ac334a34189afd7dc4be8e41
  SHA512: 2e425537fbeb09f2d481d477907ed305a70f927d798b04c63938d8357a520bffe8879554382938c1126343204addef69ada9104da21de0f45fea213ea52d6371
- Filesize: 441B
  MD5: cd71990f4b802cd3b3a5dbb17386cb94
  SHA1: 0b621696d60116d990f7e049669ec2dc8a00b90c
  SHA256: df46fb901a1032f2ffe0f2647c758ff9589d8604c970ed7397faa8dd2cd49761
  SHA512: 992aa2e665c4549dc51dd417bdc50720df45698b1ac78c39d9ec83df9e13e0ed3d22b77c7b3f733647c0355bb7274b909b27e6964d548e2f766fb019c31085a6
- Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
- Filesize: 858KB
  MD5: d237ebe34f35a9ffe99f5efe0474c1e2
  SHA1: 573c4774a52cc9ebc7e7408f944ac7f3a27d2fb1
  SHA256: ebf5271d5f3a9a052cd487e949d80ca43d84bb108dd0cf0c773f2139a57c6137
  SHA512: 9393d9605d72382f7dc154e0dfc7aacd7f0f740c0c3ec7fc3e94a366111edbbb1ca2f64b85cd9f12bd7bccad25d74ed16cff19162b44b95127e61ccc227b9f05