Analysis
-
max time kernel
132s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
03-10-2024 12:45
Static task
static1
Behavioral task
behavioral1
Sample
RICHIESTA_OFFERTA_RDO2400423.docx
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
RICHIESTA_OFFERTA_RDO2400423.docx
Resource
win10v2004-20240802-en
General
-
Target
RICHIESTA_OFFERTA_RDO2400423.docx
-
Size
264KB
-
MD5
5efaab9d9accf59510dafa162e958340
-
SHA1
4d2d9082c9e29d7f218feea392e3bb59a0b5719a
-
SHA256
b5b6a451d04745638c7ecf24dbcc73655bb5942bf63a8da317bd7a6badb8dddf
-
SHA512
b5e85d750249a1d4415fe29597720b7a7f293e0013d326d43d986cc966a2d12e4273fc66cef0a438be20eecca55be269e51ec13c28ed3e7f6b102d2ade0f9a99
-
SSDEEP
6144:syrTTW+ch8x2ZpfRkdxyl+cOpFVozXHN5dOG:fwy2O1c0buXHNXF
Malware Config
Extracted
vipkeylogger
Protocol: smtp- Host:
mail.cybertechllc.top - Port:
587 - Username:
[email protected] - Password:
7213575aceACE@@ - Email To:
[email protected]
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 8 2432 EQNEDT32.EXE -
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location
-
Executes dropped EXE 1 IoCs
Processes:
tmtcy20306.exepid process 1960 tmtcy20306.exe -
Loads dropped DLL 3 IoCs
Processes:
EQNEDT32.EXEtmtcy20306.exetmtcy20306.exepid process 2432 EQNEDT32.EXE 1960 tmtcy20306.exe 2944 tmtcy20306.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 20 checkip.dyndns.org -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes:
tmtcy20306.exepid process 2944 tmtcy20306.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
tmtcy20306.exetmtcy20306.exepid process 1960 tmtcy20306.exe 2944 tmtcy20306.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
tmtcy20306.exedescription pid process target process PID 1960 set thread context of 2944 1960 tmtcy20306.exe tmtcy20306.exe -
Drops file in Windows directory 2 IoCs
Processes:
WINWORD.EXEtmtcy20306.exedescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE File opened for modification C:\Windows\resources\0409\reproductivity.ini tmtcy20306.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
EQNEDT32.EXEtmtcy20306.exetmtcy20306.exeWINWORD.EXEdescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EQNEDT32.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmtcy20306.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tmtcy20306.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.EXE -
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 2856 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
tmtcy20306.exepid process 2944 tmtcy20306.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
tmtcy20306.exepid process 1960 tmtcy20306.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
tmtcy20306.exedescription pid process Token: SeDebugPrivilege 2944 tmtcy20306.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
WINWORD.EXEpid process 2856 WINWORD.EXE 2856 WINWORD.EXE 2856 WINWORD.EXE -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
EQNEDT32.EXEtmtcy20306.exeWINWORD.EXEdescription pid process target process PID 2432 wrote to memory of 1960 2432 EQNEDT32.EXE tmtcy20306.exe PID 2432 wrote to memory of 1960 2432 EQNEDT32.EXE tmtcy20306.exe PID 2432 wrote to memory of 1960 2432 EQNEDT32.EXE tmtcy20306.exe PID 2432 wrote to memory of 1960 2432 EQNEDT32.EXE tmtcy20306.exe PID 1960 wrote to memory of 2944 1960 tmtcy20306.exe tmtcy20306.exe PID 1960 wrote to memory of 2944 1960 tmtcy20306.exe tmtcy20306.exe PID 1960 wrote to memory of 2944 1960 tmtcy20306.exe tmtcy20306.exe PID 1960 wrote to memory of 2944 1960 tmtcy20306.exe tmtcy20306.exe PID 1960 wrote to memory of 2944 1960 tmtcy20306.exe tmtcy20306.exe PID 1960 wrote to memory of 2944 1960 tmtcy20306.exe tmtcy20306.exe PID 2856 wrote to memory of 2084 2856 WINWORD.EXE splwow64.exe PID 2856 wrote to memory of 2084 2856 WINWORD.EXE splwow64.exe PID 2856 wrote to memory of 2084 2856 WINWORD.EXE splwow64.exe PID 2856 wrote to memory of 2084 2856 WINWORD.EXE splwow64.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RICHIESTA_OFFERTA_RDO2400423.docx"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:2084
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Users\Admin\AppData\Roaming\tmtcy20306.exe"C:\Users\Admin\AppData\Roaming\tmtcy20306.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Users\Admin\AppData\Roaming\tmtcy20306.exe"C:\Users\Admin\AppData\Roaming\tmtcy20306.exe"3⤵
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2944
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{07078B2D-E8BE-4FA2-B2D3-55C5D1E2E060}.FSD
Filesize128KB
MD5d092ebfa8426820fb3e3c8e67cb6d545
SHA158e62650481a2e3a6c5b31c2480e9f1cbbdef133
SHA25631b8185e91e90345cbec364bb458a4880c3ae513d767d681f034e3e980c2027b
SHA512a5937d567e799e2f405b98ea760f8379e0301418b3e0e58d8d29162c6add23f7089325bc018b2f77c626331ced367e496d3f903fe5a2e03c903d10f44852e901
-
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
Filesize128KB
MD50a3b5d78829fe3da64cb94f6c4a8613d
SHA1462fcedeceb308b8fb99ba2ab00031cf256f8942
SHA2567b88abc149f95151cba12395110e77ec162ee650efcd7add633bb67b92ab1675
SHA512b459bb526d3b9c78be35b68f7dc6dda6abe9d7254aea932aa512f5edff1c785675fee54b49af30a569d4cb1afc99b6d5da994ffdca963c3d9caeb60a32a82e29
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6XUZ2JLF\tmtzxc[1].doc
Filesize590KB
MD508d1a4e26971fd55013dbc7d2744b2a5
SHA1dd813694fc67b536f242ae7dd3deff14458b82ba
SHA256fd1ca8e9ebe962f23b55669ea495bdb32073b7359031e80a7067d387c0bfa8dc
SHA5123c34748ed68738a24d6c7f1482b4b2f5a26fb6c2a85a1fc0a5303123928fb56974532af9d43b9bb9027558a03be79cf31b48a0c4cb28c41fd833f25e8bb035b6
-
Filesize
128KB
MD5cc47876dc035fe3ca48192948d806ca1
SHA12a67a271b0f7b4cbadaef8afb85c234465e418b3
SHA25601b6eb6b3a4c786e7881283337e990a9195ee11204808edd7f43a1476bf221db
SHA512a7a3ed210010100c1820f8602cc13d2f734d6cd062aad8b751c36182b765554429586bcf7730c8918364b59afc784e761d96e9eb02b3820b3fee5ca6c843591c
-
Filesize
264B
MD57b4cd0c80af21ca197305de4d8258f44
SHA1cd8f4d39a939711c5f40ab6507b0c8a161d9a0d8
SHA25636563513f6361fd28ef63676a26e57bfe8b5fc4fd5ac311e61a613f4d9b8ca18
SHA5122bb7fc23d397ed28489621bc6fc93b0f06c2d4093097958c28fad821d8175a924695f6c6983be66b3268409322245a13398fc0d7c732f6576e0da0184fc8cd31
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
11KB
MD59625d5b1754bc4ff29281d415d27a0fd
SHA180e85afc5cccd4c0a3775edbb90595a1a59f5ce0
SHA256c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448
SHA512dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b
-
Filesize
669KB
MD5f7e702effaaad33faa0cbc4f87da2d07
SHA1b8be783f38b987f8c88f7de258d69a648033be72
SHA256a44de00550c4b3adc9409fd1fb559cab02a9efab1a1352ff07b896a2cea98678
SHA51243e29d3926317d7234f333e41177cafce5e4bd297d3a854f7959aad341eb68748b57113c41bf9173b5d838c7460ca146c21ba2dbf982535e5ad736118773cec9