Analysis
-
max time kernel
133s -
max time network
156s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
04-10-2024 07:57
Static task
static1
Behavioral task
behavioral1
Sample
bnmagodmnb.rtf
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
bnmagodmnb.rtf
Resource
win10v2004-20240802-en
General
-
Target
bnmagodmnb.rtf
-
Size
674KB
-
MD5
6f937970f5ba3d9da4b66f1bc7c5e820
-
SHA1
403a9e727a52c64060b9e02a0aa79c8fd46506d8
-
SHA256
52ba6d07874484044d15877d81ae2606501881571627174c044f87908d7bdb01
-
SHA512
458b5283b73d64e739548bbe9eb358a8cdd95a1c5491660855ca7a937d24959cd81827503852b2225a6a12f3e37c7ec57f65ed89f431f161737a148ccc3b86dc
-
SSDEEP
3072:OwAlawAlawAlwGruaz9ezP6KVcKLB4xJ/9NczzH4InNFM+bsbraTH8:OwAYwAYwATVezP6Kl+xJ/T4nwHbraTH8
Malware Config
Extracted
vipkeylogger
Protocol: smtp- Host:
cp1.virtualine.org - Port:
587 - Username:
[email protected] - Password:
7213575aceACE@@ - Email To:
[email protected]
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 3 1028 EQNEDT32.EXE -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
aagobijsfyk.exeaagobijsfyk.exepid process 2632 aagobijsfyk.exe 3052 aagobijsfyk.exe -
Loads dropped DLL 2 IoCs
Processes:
EQNEDT32.EXEpid process 1028 EQNEDT32.EXE 1028 EQNEDT32.EXE -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
aagobijsfyk.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 aagobijsfyk.exe Key opened \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 aagobijsfyk.exe Key opened \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 aagobijsfyk.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 6 checkip.dyndns.org -
Drops file in System32 directory 1 IoCs
Processes:
powershell.exedescription ioc process File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
aagobijsfyk.exedescription pid process target process PID 2632 set thread context of 3052 2632 aagobijsfyk.exe aagobijsfyk.exe -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
WINWORD.EXEEQNEDT32.EXEaagobijsfyk.exeaagobijsfyk.exepowershell.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EQNEDT32.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aagobijsfyk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language aagobijsfyk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe -
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1756 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
aagobijsfyk.exepowershell.exepid process 3052 aagobijsfyk.exe 2800 powershell.exe 3052 aagobijsfyk.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
aagobijsfyk.exepowershell.exedescription pid process Token: SeDebugPrivilege 3052 aagobijsfyk.exe Token: SeDebugPrivilege 2800 powershell.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 1756 WINWORD.EXE 1756 WINWORD.EXE -
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
EQNEDT32.EXEWINWORD.EXEaagobijsfyk.exedescription pid process target process PID 1028 wrote to memory of 2632 1028 EQNEDT32.EXE aagobijsfyk.exe PID 1028 wrote to memory of 2632 1028 EQNEDT32.EXE aagobijsfyk.exe PID 1028 wrote to memory of 2632 1028 EQNEDT32.EXE aagobijsfyk.exe PID 1028 wrote to memory of 2632 1028 EQNEDT32.EXE aagobijsfyk.exe PID 1756 wrote to memory of 2776 1756 WINWORD.EXE splwow64.exe PID 1756 wrote to memory of 2776 1756 WINWORD.EXE splwow64.exe PID 1756 wrote to memory of 2776 1756 WINWORD.EXE splwow64.exe PID 1756 wrote to memory of 2776 1756 WINWORD.EXE splwow64.exe PID 2632 wrote to memory of 2800 2632 aagobijsfyk.exe powershell.exe PID 2632 wrote to memory of 2800 2632 aagobijsfyk.exe powershell.exe PID 2632 wrote to memory of 2800 2632 aagobijsfyk.exe powershell.exe PID 2632 wrote to memory of 2800 2632 aagobijsfyk.exe powershell.exe PID 2632 wrote to memory of 3052 2632 aagobijsfyk.exe aagobijsfyk.exe PID 2632 wrote to memory of 3052 2632 aagobijsfyk.exe aagobijsfyk.exe PID 2632 wrote to memory of 3052 2632 aagobijsfyk.exe aagobijsfyk.exe PID 2632 wrote to memory of 3052 2632 aagobijsfyk.exe aagobijsfyk.exe PID 2632 wrote to memory of 3052 2632 aagobijsfyk.exe aagobijsfyk.exe PID 2632 wrote to memory of 3052 2632 aagobijsfyk.exe aagobijsfyk.exe PID 2632 wrote to memory of 3052 2632 aagobijsfyk.exe aagobijsfyk.exe PID 2632 wrote to memory of 3052 2632 aagobijsfyk.exe aagobijsfyk.exe PID 2632 wrote to memory of 3052 2632 aagobijsfyk.exe aagobijsfyk.exe -
outlook_office_path 1 IoCs
Processes:
aagobijsfyk.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 aagobijsfyk.exe -
outlook_win_path 1 IoCs
Processes:
aagobijsfyk.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 aagobijsfyk.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\bnmagodmnb.rtf"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:2776
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1028 -
C:\Users\Admin\AppData\Roaming\aagobijsfyk.exe"C:\Users\Admin\AppData\Roaming\aagobijsfyk.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\aagobijsfyk.exe"3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2800 -
C:\Users\Admin\AppData\Roaming\aagobijsfyk.exe"C:\Users\Admin\AppData\Roaming\aagobijsfyk.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:3052
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Exploitation for Client Execution
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
768KB
MD538f27f2d0381640e7dd4f7ed2a3dee68
SHA1592dc0a7b4328de8b8998f6bf620838d64dee5ab
SHA25644970f5c9f2a85e4e15c59a4a0694cf991b723ffc438c8cbcdbfe9ebccfcf9ef
SHA512c8301f8348922669e956ad548c58ae97c781d7fdee1c3885b34f41df0b5665c76e589c33871ee13402e05bacd938ea67578a5b4b9598d7a2d9608af1f93faa6c