Analysis
-
max time kernel
132s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
03-10-2024 12:42
Static task
static1
Behavioral task
behavioral1
Sample
RICHIESTA_OFFERTA_RDO2400423.docx
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
RICHIESTA_OFFERTA_RDO2400423.docx
Resource
win10v2004-20240802-en
General
-
Target
RICHIESTA_OFFERTA_RDO2400423.docx
-
Size
264KB
-
MD5
5efaab9d9accf59510dafa162e958340
-
SHA1
4d2d9082c9e29d7f218feea392e3bb59a0b5719a
-
SHA256
b5b6a451d04745638c7ecf24dbcc73655bb5942bf63a8da317bd7a6badb8dddf
-
SHA512
b5e85d750249a1d4415fe29597720b7a7f293e0013d326d43d986cc966a2d12e4273fc66cef0a438be20eecca55be269e51ec13c28ed3e7f6b102d2ade0f9a99
-
SSDEEP
6144:syrTTW+ch8x2ZpfRkdxyl+cOpFVozXHN5dOG:fwy2O1c0buXHNXF
Malware Config
Extracted
vipkeylogger
Protocol: smtp- Host:
mail.cybertechllc.top - Port:
587 - Username:
[email protected] - Password:
7213575aceACE@@ - Email To:
[email protected]
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 7 2616 EQNEDT32.EXE -
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location
-
Executes dropped EXE 1 IoCs
Processes:
tmtcy20306.exepid process 2244 tmtcy20306.exe -
Loads dropped DLL 3 IoCs
Processes:
EQNEDT32.EXEtmtcy20306.exetmtcy20306.exepid process 2616 EQNEDT32.EXE 2244 tmtcy20306.exe 2944 tmtcy20306.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 19 checkip.dyndns.org -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes:
tmtcy20306.exepid process 2944 tmtcy20306.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
tmtcy20306.exetmtcy20306.exepid process 2244 tmtcy20306.exe 2944 tmtcy20306.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
tmtcy20306.exedescription pid process target process PID 2244 set thread context of 2944 2244 tmtcy20306.exe tmtcy20306.exe -
Drops file in Windows directory 2 IoCs
Processes:
WINWORD.EXEtmtcy20306.exedescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE File opened for modification C:\Windows\resources\0409\reproductivity.ini tmtcy20306.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
EQNEDT32.EXEtmtcy20306.exetmtcy20306.exeWINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EQNEDT32.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmtcy20306.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmtcy20306.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1732 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
tmtcy20306.exepid process 2944 tmtcy20306.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
tmtcy20306.exepid process 2244 tmtcy20306.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
tmtcy20306.exedescription pid process Token: SeDebugPrivilege 2944 tmtcy20306.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
WINWORD.EXEpid process 1732 WINWORD.EXE 1732 WINWORD.EXE 1732 WINWORD.EXE -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
EQNEDT32.EXEWINWORD.EXEtmtcy20306.exedescription pid process target process PID 2616 wrote to memory of 2244 2616 EQNEDT32.EXE tmtcy20306.exe PID 2616 wrote to memory of 2244 2616 EQNEDT32.EXE tmtcy20306.exe PID 2616 wrote to memory of 2244 2616 EQNEDT32.EXE tmtcy20306.exe PID 2616 wrote to memory of 2244 2616 EQNEDT32.EXE tmtcy20306.exe PID 1732 wrote to memory of 2220 1732 WINWORD.EXE splwow64.exe PID 1732 wrote to memory of 2220 1732 WINWORD.EXE splwow64.exe PID 1732 wrote to memory of 2220 1732 WINWORD.EXE splwow64.exe PID 1732 wrote to memory of 2220 1732 WINWORD.EXE splwow64.exe PID 2244 wrote to memory of 2944 2244 tmtcy20306.exe tmtcy20306.exe PID 2244 wrote to memory of 2944 2244 tmtcy20306.exe tmtcy20306.exe PID 2244 wrote to memory of 2944 2244 tmtcy20306.exe tmtcy20306.exe PID 2244 wrote to memory of 2944 2244 tmtcy20306.exe tmtcy20306.exe PID 2244 wrote to memory of 2944 2244 tmtcy20306.exe tmtcy20306.exe PID 2244 wrote to memory of 2944 2244 tmtcy20306.exe tmtcy20306.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RICHIESTA_OFFERTA_RDO2400423.docx"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:2220
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Users\Admin\AppData\Roaming\tmtcy20306.exe"C:\Users\Admin\AppData\Roaming\tmtcy20306.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Users\Admin\AppData\Roaming\tmtcy20306.exe"C:\Users\Admin\AppData\Roaming\tmtcy20306.exe"3⤵
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2944
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
128KB
MD5b8130507bb1d21ea0812e4482f283282
SHA1ace6af046713cc56dfe43f626895f4d521570223
SHA25671e559d7323878c874dc0b5fd1aaeaa519be15e016f8ba9b2aece54aa954b741
SHA5123b58e8178c3becb664ad895f9a4fcf1bd4889a168c2c430022a2c7cff2d688d92afbbe6f66774f03f55e2b7068e73448e8cf44b50460cc8f303fa6bc1847908f
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{82BC30BC-A30C-424B-8293-BD79A8A205FF}.FSD
Filesize128KB
MD5dfef4fbafd60d05996c6adc20ce824c1
SHA13807895dbbe0f6ca4549cda8dd7ae88ec0f2d54d
SHA2566466e00323df8b2e756d6591915f642e01c0c8ddf38d20e4e4faabc6cca58090
SHA512baf5b81097837b069f4386b5fb53f03dad9963a8bd782005818d0c3ffa8622c2889e41a45a93a6d7464c8604769e81a60a62b93f6e4e4a6f84455b2ceff0f074
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize128KB
MD5b91c04645dafc928bbff479b60c519d1
SHA1c6e5098f8e08308201805fa139273279ff167765
SHA256c86a3e7bab7ca39aa4d936b186a281ebe13c68f828b0c46c1e8ad4b4cf94abce
SHA5127a68491ea6c27bd52baef532fd0a0e6ea669b16537457fbe431bd622369bed7c6d471ddd7d69464d8a297ec152f7c29d32e3debc2ec0d662a5961a8fa8bd440e
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{7FBA0768-3630-4732-9275-29EA2DB2D6B3}.FSD
Filesize128KB
MD5b884b8622f4aaf7a33dcf039bc14108c
SHA12968c2818bbab5a02f3fca235f3dc715798ec1b6
SHA256a942fe6e57cc0f7c9af42ef641b519f93c00a577f27c480e63c3d742a2a1e9c2
SHA512bfd50255ab392213c2a138ec537c22ac71955d8014f867437c2293a85cae8c02d1bfdacafc4159841e93f4d1410c1447e5934e02181bc354e3e065a257be13d0
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DJB1KT77\tmtzxc[1].doc
Filesize590KB
MD508d1a4e26971fd55013dbc7d2744b2a5
SHA1dd813694fc67b536f242ae7dd3deff14458b82ba
SHA256fd1ca8e9ebe962f23b55669ea495bdb32073b7359031e80a7067d387c0bfa8dc
SHA5123c34748ed68738a24d6c7f1482b4b2f5a26fb6c2a85a1fc0a5303123928fb56974532af9d43b9bb9027558a03be79cf31b48a0c4cb28c41fd833f25e8bb035b6
-
Filesize
128KB
MD5094e9ee43afea0a1faed246fa5ec33bc
SHA145bcccccfd9732d609fd62c1a7d38debb8cad225
SHA2566f608eadc52111b7ecabaf32b64add80986c04b1fb4acd7117101b1b63582316
SHA512abfbc1a799f91dbf8ce87caccd8b9a162668956efa10b8c5921a5ab50d60a6bb053976dd0507c0980ba2bcd09da286d1cecf08ab4205439f1799198c1662de41
-
Filesize
391B
MD53f03d0e5ddf454202ee9124e80a0bcea
SHA19c5263d03cb5d7a1ab093e9864f39035018563bf
SHA256ffa5e96e0efd4c8af54f4b0fe427685b70c4a954562ba6cdd40f0b0583ede462
SHA512cb3e99d7fee3447d286e402c093476f0ea2388aecf06f9aa90d208454031f35899615859438aadfc7abfdc04787664ee5adbec467922e74a1e87c3f9c03b12b4
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
11KB
MD59625d5b1754bc4ff29281d415d27a0fd
SHA180e85afc5cccd4c0a3775edbb90595a1a59f5ce0
SHA256c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448
SHA512dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b
-
Filesize
669KB
MD5f7e702effaaad33faa0cbc4f87da2d07
SHA1b8be783f38b987f8c88f7de258d69a648033be72
SHA256a44de00550c4b3adc9409fd1fb559cab02a9efab1a1352ff07b896a2cea98678
SHA51243e29d3926317d7234f333e41177cafce5e4bd297d3a854f7959aad341eb68748b57113c41bf9173b5d838c7460ca146c21ba2dbf982535e5ad736118773cec9