Analysis

  • max time kernel
    132s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-10-2024 12:42

General

  • Target

    RICHIESTA_OFFERTA_RDO2400423.docx

  • Size

    264KB

  • MD5

    5efaab9d9accf59510dafa162e958340

  • SHA1

    4d2d9082c9e29d7f218feea392e3bb59a0b5719a

  • SHA256

    b5b6a451d04745638c7ecf24dbcc73655bb5942bf63a8da317bd7a6badb8dddf

  • SHA512

    b5e85d750249a1d4415fe29597720b7a7f293e0013d326d43d986cc966a2d12e4273fc66cef0a438be20eecca55be269e51ec13c28ed3e7f6b102d2ade0f9a99

  • SSDEEP

    6144:syrTTW+ch8x2ZpfRkdxyl+cOpFVozXHN5dOG:fwy2O1c0buXHNXF

Malware Config

Extracted

Family

vipkeylogger

Credentials

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first found in 2020.

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Abuses OpenXML format to download file from external location
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RICHIESTA_OFFERTA_RDO2400423.docx"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2220
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:2616
      • C:\Users\Admin\AppData\Roaming\tmtcy20306.exe
        "C:\Users\Admin\AppData\Roaming\tmtcy20306.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2244
        • C:\Users\Admin\AppData\Roaming\tmtcy20306.exe
          "C:\Users\Admin\AppData\Roaming\tmtcy20306.exe"
          3⤵
          • Loads dropped DLL
          • Suspicious use of NtCreateThreadExHideFromDebugger
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2944

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      b8130507bb1d21ea0812e4482f283282

      SHA1

      ace6af046713cc56dfe43f626895f4d521570223

      SHA256

      71e559d7323878c874dc0b5fd1aaeaa519be15e016f8ba9b2aece54aa954b741

      SHA512

      3b58e8178c3becb664ad895f9a4fcf1bd4889a168c2c430022a2c7cff2d688d92afbbe6f66774f03f55e2b7068e73448e8cf44b50460cc8f303fa6bc1847908f

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{82BC30BC-A30C-424B-8293-BD79A8A205FF}.FSD

      Filesize

      128KB

      MD5

      dfef4fbafd60d05996c6adc20ce824c1

      SHA1

      3807895dbbe0f6ca4549cda8dd7ae88ec0f2d54d

      SHA256

      6466e00323df8b2e756d6591915f642e01c0c8ddf38d20e4e4faabc6cca58090

      SHA512

      baf5b81097837b069f4386b5fb53f03dad9963a8bd782005818d0c3ffa8622c2889e41a45a93a6d7464c8604769e81a60a62b93f6e4e4a6f84455b2ceff0f074

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      b91c04645dafc928bbff479b60c519d1

      SHA1

      c6e5098f8e08308201805fa139273279ff167765

      SHA256

      c86a3e7bab7ca39aa4d936b186a281ebe13c68f828b0c46c1e8ad4b4cf94abce

      SHA512

      7a68491ea6c27bd52baef532fd0a0e6ea669b16537457fbe431bd622369bed7c6d471ddd7d69464d8a297ec152f7c29d32e3debc2ec0d662a5961a8fa8bd440e

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{7FBA0768-3630-4732-9275-29EA2DB2D6B3}.FSD

      Filesize

      128KB

      MD5

      b884b8622f4aaf7a33dcf039bc14108c

      SHA1

      2968c2818bbab5a02f3fca235f3dc715798ec1b6

      SHA256

      a942fe6e57cc0f7c9af42ef641b519f93c00a577f27c480e63c3d742a2a1e9c2

      SHA512

      bfd50255ab392213c2a138ec537c22ac71955d8014f867437c2293a85cae8c02d1bfdacafc4159841e93f4d1410c1447e5934e02181bc354e3e065a257be13d0

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DJB1KT77\tmtzxc[1].doc

      Filesize

      590KB

      MD5

      08d1a4e26971fd55013dbc7d2744b2a5

      SHA1

      dd813694fc67b536f242ae7dd3deff14458b82ba

      SHA256

      fd1ca8e9ebe962f23b55669ea495bdb32073b7359031e80a7067d387c0bfa8dc

      SHA512

      3c34748ed68738a24d6c7f1482b4b2f5a26fb6c2a85a1fc0a5303123928fb56974532af9d43b9bb9027558a03be79cf31b48a0c4cb28c41fd833f25e8bb035b6

    • C:\Users\Admin\AppData\Local\Temp\{762A6861-D414-4972-A866-A17566436854}

      Filesize

      128KB

      MD5

      094e9ee43afea0a1faed246fa5ec33bc

      SHA1

      45bcccccfd9732d609fd62c1a7d38debb8cad225

      SHA256

      6f608eadc52111b7ecabaf32b64add80986c04b1fb4acd7117101b1b63582316

      SHA512

      abfbc1a799f91dbf8ce87caccd8b9a162668956efa10b8c5921a5ab50d60a6bb053976dd0507c0980ba2bcd09da286d1cecf08ab4205439f1799198c1662de41

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

      Filesize

      391B

      MD5

      3f03d0e5ddf454202ee9124e80a0bcea

      SHA1

      9c5263d03cb5d7a1ab093e9864f39035018563bf

      SHA256

      ffa5e96e0efd4c8af54f4b0fe427685b70c4a954562ba6cdd40f0b0583ede462

      SHA512

      cb3e99d7fee3447d286e402c093476f0ea2388aecf06f9aa90d208454031f35899615859438aadfc7abfdc04787664ee5adbec467922e74a1e87c3f9c03b12b4

    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    • \Users\Admin\AppData\Local\Temp\nsyB82B.tmp\System.dll

      Filesize

      11KB

      MD5

      9625d5b1754bc4ff29281d415d27a0fd

      SHA1

      80e85afc5cccd4c0a3775edbb90595a1a59f5ce0

      SHA256

      c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448

      SHA512

      dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

    • \Users\Admin\AppData\Roaming\tmtcy20306.exe

      Filesize

      669KB

      MD5

      f7e702effaaad33faa0cbc4f87da2d07

      SHA1

      b8be783f38b987f8c88f7de258d69a648033be72

      SHA256

      a44de00550c4b3adc9409fd1fb559cab02a9efab1a1352ff07b896a2cea98678

      SHA512

      43e29d3926317d7234f333e41177cafce5e4bd297d3a854f7959aad341eb68748b57113c41bf9173b5d838c7460ca146c21ba2dbf982535e5ad736118773cec9

    • memory/1732-0-0x000000002F511000-0x000000002F512000-memory.dmp

      Filesize

      4KB

    • memory/1732-2-0x0000000070F4D000-0x0000000070F58000-memory.dmp

      Filesize

      44KB

    • memory/1732-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/1732-113-0x0000000070F4D000-0x0000000070F58000-memory.dmp

      Filesize

      44KB

    • memory/2944-134-0x0000000000480000-0x00000000014E2000-memory.dmp

      Filesize

      16.4MB

    • memory/2944-135-0x0000000000480000-0x00000000014E2000-memory.dmp

      Filesize

      16.4MB

    • memory/2944-136-0x0000000000480000-0x00000000004C8000-memory.dmp

      Filesize

      288KB