Analysis
- max time kernel: 132s
- max time network: 127s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 03-10-2024 07:09
- Static task: static1
- Behavioral task: behavioral1
  Sample: KBGC_1200O000000_98756.docx
  Resource: win7-20240903-en
- Behavioral task: behavioral2
  Sample: KBGC_1200O000000_98756.docx
  Resource: win10v2004-20240802-en
General
- Target: KBGC_1200O000000_98756.docx
- Size: 264KB
- MD5: da3b3b9590907c35f64e830b2b244ffd
- SHA1: 8393b61a2871bc1ea9cb2c22fa041790ce8fa5b1
- SHA256: 97a4fe736ddd0955e218e7f7fb00d2fddee7896db60aa90e175b4824c9192825
- SHA512: 98d070881920985daa43a793dd5064a4262584f61c34d86d0b51ff9c395ff81712e192b34cef6a1fedb3a274e214f38725b14fdb93aede811043b976ba6a3cf1
- SSDEEP: 6144:AyrTTW+ch8x2ZpfRkdxyl+cOpFVozXHN5dOP:Dwy2O1c0buXHNXc
Malware Config
Extracted: vipkeylogger
- Protocol: smtp
- Host: hosting2.ro.hostsailor.com
- Port: 587
- Username: [email protected]
- Password: 7213575aceACE@@
- Email To: [email protected]
Signatures
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.
- Blocklisted process makes network request (1 IoC)
  Processes (flow | pid | process):
    7 | 3024 | EQNEDT32.EXE
- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
    972 | wealtken20309.exe
    2124 | wealtken20309.exe
- Loads dropped DLL (1 IoC)
  Processes (pid | process):
    3024 | EQNEDT32.EXE
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | wealtken20309.exe
    Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | wealtken20309.exe
    Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | wealtken20309.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow | ioc):
    8 | checkip.dyndns.org
- Drops file in System32 directory (1 IoC)
  Processes (description | ioc | process):
    File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
    PID 972 set thread context of 2124 | 972 | wealtken20309.exe | wealtken20309.exe
- Drops file in Windows directory (1 IoC)
  Processes (description | ioc | process):
    File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes (description | ioc | process):
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINWORD.EXE
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EQNEDT32.EXE
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wealtken20309.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wealtken20309.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
- Office loads VBA resources, possible macro or embedded object present
- Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes (pid | process):
    2268 | WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes (pid | process):
    2124 | wealtken20309.exe
    2556 | powershell.exe
    2124 | wealtken20309.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 2124 | wealtken20309.exe
    Token: SeDebugPrivilege | 2556 | powershell.exe
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes (pid | process):
    2268 | WINWORD.EXE
    2268 | WINWORD.EXE
    2268 | WINWORD.EXE
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (description | pid | process | target process | count):
    PID 3024 wrote to memory of 972 | 3024 | EQNEDT32.EXE | wealtken20309.exe | 4
    PID 2268 wrote to memory of 2668 | 2268 | WINWORD.EXE | splwow64.exe | 4
    PID 972 wrote to memory of 2556 | 972 | wealtken20309.exe | powershell.exe | 4
    PID 972 wrote to memory of 2124 | 972 | wealtken20309.exe | wealtken20309.exe | 9
- outlook_office_path (1 IoC)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | wealtken20309.exe
- outlook_win_path (1 IoC)
  Processes (description | ioc | process):
    Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | wealtken20309.exe
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE (PID 2268)
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\KBGC_1200O000000_98756.docx"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\splwow64.exe (PID 2668)
    Command line: C:\Windows\splwow64.exe 12288
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE (PID 3024)
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  - Blocklisted process makes network request
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Roaming\wealtken20309.exe (PID 972)
    Command line: "C:\Users\Admin\AppData\Roaming\wealtken20309.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2556)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wealtken20309.exe"
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Roaming\wealtken20309.exe (PID 2124)
      Command line: "C:\Users\Admin\AppData\Roaming\wealtken20309.exe"
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
- Execution
  - Command and Scripting Interpreter (1)
    - PowerShell (1)
  - Exploitation for Client Execution (1)
- Credential Access
  - Credentials from Password Stores (1)
    - Credentials from Web Browsers (1)
  - Unsecured Credentials (2)
    - Credentials In Files (2)
Downloads