Analysis

  • max time kernel
    132s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-10-2024 12:45

General

  • Target

    RICHIESTA_OFFERTA_RDO2400423.docx

  • Size

    264KB

  • MD5

    5efaab9d9accf59510dafa162e958340

  • SHA1

    4d2d9082c9e29d7f218feea392e3bb59a0b5719a

  • SHA256

    b5b6a451d04745638c7ecf24dbcc73655bb5942bf63a8da317bd7a6badb8dddf

  • SHA512

    b5e85d750249a1d4415fe29597720b7a7f293e0013d326d43d986cc966a2d12e4273fc66cef0a438be20eecca55be269e51ec13c28ed3e7f6b102d2ade0f9a99

  • SSDEEP

    6144:syrTTW+ch8x2ZpfRkdxyl+cOpFVozXHN5dOG:fwy2O1c0buXHNXF

Malware Config

Extracted

Family

vipkeylogger

Credentials

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Abuses OpenXML format to download file from external location
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RICHIESTA_OFFERTA_RDO2400423.docx"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2856
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2084
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:2432
      • C:\Users\Admin\AppData\Roaming\tmtcy20306.exe
        "C:\Users\Admin\AppData\Roaming\tmtcy20306.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:1960
        • C:\Users\Admin\AppData\Roaming\tmtcy20306.exe
          "C:\Users\Admin\AppData\Roaming\tmtcy20306.exe"
          3⤵
          • Loads dropped DLL
          • Suspicious use of NtCreateThreadExHideFromDebugger
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2944

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{07078B2D-E8BE-4FA2-B2D3-55C5D1E2E060}.FSD

      Filesize

      128KB

      MD5

      d092ebfa8426820fb3e3c8e67cb6d545

      SHA1

      58e62650481a2e3a6c5b31c2480e9f1cbbdef133

      SHA256

      31b8185e91e90345cbec364bb458a4880c3ae513d767d681f034e3e980c2027b

      SHA512

      a5937d567e799e2f405b98ea760f8379e0301418b3e0e58d8d29162c6add23f7089325bc018b2f77c626331ced367e496d3f903fe5a2e03c903d10f44852e901

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      0a3b5d78829fe3da64cb94f6c4a8613d

      SHA1

      462fcedeceb308b8fb99ba2ab00031cf256f8942

      SHA256

      7b88abc149f95151cba12395110e77ec162ee650efcd7add633bb67b92ab1675

      SHA512

      b459bb526d3b9c78be35b68f7dc6dda6abe9d7254aea932aa512f5edff1c785675fee54b49af30a569d4cb1afc99b6d5da994ffdca963c3d9caeb60a32a82e29

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6XUZ2JLF\tmtzxc[1].doc

      Filesize

      590KB

      MD5

      08d1a4e26971fd55013dbc7d2744b2a5

      SHA1

      dd813694fc67b536f242ae7dd3deff14458b82ba

      SHA256

      fd1ca8e9ebe962f23b55669ea495bdb32073b7359031e80a7067d387c0bfa8dc

      SHA512

      3c34748ed68738a24d6c7f1482b4b2f5a26fb6c2a85a1fc0a5303123928fb56974532af9d43b9bb9027558a03be79cf31b48a0c4cb28c41fd833f25e8bb035b6

    • C:\Users\Admin\AppData\Local\Temp\{9DF86D27-8A7D-4027-98EB-50F64C078FA4}

      Filesize

      128KB

      MD5

      cc47876dc035fe3ca48192948d806ca1

      SHA1

      2a67a271b0f7b4cbadaef8afb85c234465e418b3

      SHA256

      01b6eb6b3a4c786e7881283337e990a9195ee11204808edd7f43a1476bf221db

      SHA512

      a7a3ed210010100c1820f8602cc13d2f734d6cd062aad8b751c36182b765554429586bcf7730c8918364b59afc784e761d96e9eb02b3820b3fee5ca6c843591c

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

      Filesize

      264B

      MD5

      7b4cd0c80af21ca197305de4d8258f44

      SHA1

      cd8f4d39a939711c5f40ab6507b0c8a161d9a0d8

      SHA256

      36563513f6361fd28ef63676a26e57bfe8b5fc4fd5ac311e61a613f4d9b8ca18

      SHA512

      2bb7fc23d397ed28489621bc6fc93b0f06c2d4093097958c28fad821d8175a924695f6c6983be66b3268409322245a13398fc0d7c732f6576e0da0184fc8cd31

    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    • \Users\Admin\AppData\Local\Temp\nst7CA2.tmp\System.dll

      Filesize

      11KB

      MD5

      9625d5b1754bc4ff29281d415d27a0fd

      SHA1

      80e85afc5cccd4c0a3775edbb90595a1a59f5ce0

      SHA256

      c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448

      SHA512

      dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

    • \Users\Admin\AppData\Roaming\tmtcy20306.exe

      Filesize

      669KB

      MD5

      f7e702effaaad33faa0cbc4f87da2d07

      SHA1

      b8be783f38b987f8c88f7de258d69a648033be72

      SHA256

      a44de00550c4b3adc9409fd1fb559cab02a9efab1a1352ff07b896a2cea98678

      SHA512

      43e29d3926317d7234f333e41177cafce5e4bd297d3a854f7959aad341eb68748b57113c41bf9173b5d838c7460ca146c21ba2dbf982535e5ad736118773cec9

    • memory/2856-0-0x000000002FEA1000-0x000000002FEA2000-memory.dmp

      Filesize

      4KB

    • memory/2856-2-0x000000007183D000-0x0000000071848000-memory.dmp

      Filesize

      44KB

    • memory/2856-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2856-113-0x000000007183D000-0x0000000071848000-memory.dmp

      Filesize

      44KB

    • memory/2944-136-0x0000000000480000-0x00000000014E2000-memory.dmp

      Filesize

      16.4MB

    • memory/2944-137-0x0000000000480000-0x00000000014E2000-memory.dmp

      Filesize

      16.4MB

    • memory/2944-138-0x0000000000480000-0x00000000004C8000-memory.dmp

      Filesize

      288KB