Analysis
max time kernel: 58s
max time network: 41s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 23-10-2024 22:08
Static task: static1
Behavioral task: behavioral1
  Sample: 2c1e44e7ddf88303822b2a9e7cbfaeedbdbe3ace36ce3e028d19b68cf33c11b3.docx
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 2c1e44e7ddf88303822b2a9e7cbfaeedbdbe3ace36ce3e028d19b68cf33c11b3.docx
  Resource: win10v2004-20241007-en
General
Target: 2c1e44e7ddf88303822b2a9e7cbfaeedbdbe3ace36ce3e028d19b68cf33c11b3.docx
Size: 458KB
MD5: 918f63aeccaa7aeef06d25c031acd858
SHA1: 7234c8c1a704ee3cb3f9f30f560a02fd0f5ec87c
SHA256: 2c1e44e7ddf88303822b2a9e7cbfaeedbdbe3ace36ce3e028d19b68cf33c11b3
SHA512: aa1bbd9609e92b1e5319c28586ef2a3ce105335f457069ea6c3c05ccde8b1d6b008cdac6f6236fde74a64f3e07695a5eb2ce5041101fbdf95c55c1f885fa7f87
SSDEEP: 6144:zzbUb0cVLNEzYvRSPlaMXKaAi69qltTGSmNZ5m9tmYL6qoPQ7tmYB/l2mDlJjAIJ:NkF5SPMM6I9X4Xs9mrm9Bt2mhW8G0Y8
Malware Config
Extracted: vipkeylogger
  Protocol: smtp
  Host: mail.tonicables.top
  Port: 587
  Username: [email protected]
  Password: 7213575aceACE@@
  Email To: [email protected]
Signatures
VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.
Blocklisted process makes network request (1 IoC)
  Processes:
    flow 7 | pid 3060 | EQNEDT32.EXE
Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Downloads MZ/PE file
Abuses OpenXML format to download file from external location
Executes dropped EXE (2 IoCs)
  Processes:
    pid 2424 | obiddjtrh.exe
    pid 1648 | obiddjtrh.exe
Loads dropped DLL (2 IoCs)
  Processes:
    pid 3060 | EQNEDT32.EXE
    pid 3060 | EQNEDT32.EXE
Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes:
    Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | obiddjtrh.exe
    Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | obiddjtrh.exe
    Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | obiddjtrh.exe
Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow 8 | checkip.dyndns.org
Drops file in System32 directory (1 IoC)
  Processes:
    File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID 2424 set thread context of 1648 | obiddjtrh.exe -> obiddjtrh.exe
Drops file in Windows directory (1 IoC)
  Processes:
    File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINWORD.EXE
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EQNEDT32.EXE
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | obiddjtrh.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | obiddjtrh.exe
Office loads VBA resources, possible macro or embedded object present
Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    pid 2772 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
    pid 2424 | obiddjtrh.exe
    pid 2424 | obiddjtrh.exe
    pid 1648 | obiddjtrh.exe
    pid 2148 | powershell.exe
    pid 1648 | obiddjtrh.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    Token: SeDebugPrivilege | pid 2424 | obiddjtrh.exe
    Token: SeDebugPrivilege | pid 1648 | obiddjtrh.exe
    Token: SeDebugPrivilege | pid 2148 | powershell.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
    pid 2772 | WINWORD.EXE
    pid 2772 | WINWORD.EXE
Suspicious use of WriteProcessMemory (21 IoCs)
  Processes:
    PID 3060 wrote to memory of 2424 | EQNEDT32.EXE -> obiddjtrh.exe (4 entries)
    PID 2424 wrote to memory of 2148 | obiddjtrh.exe -> powershell.exe (4 entries)
    PID 2424 wrote to memory of 1648 | obiddjtrh.exe -> obiddjtrh.exe (9 entries)
    PID 2772 wrote to memory of 2124 | WINWORD.EXE -> splwow64.exe (4 entries)
outlook_office_path (1 IoC)
  Processes:
    Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | obiddjtrh.exe
outlook_win_path (1 IoC)
  Processes:
    Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | obiddjtrh.exe
Processes
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\2c1e44e7ddf88303822b2a9e7cbfaeedbdbe3ace36ce3e028d19b68cf33c11b3.docx"
  PID: 2772
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID: 2124
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  PID: 3060
  - Blocklisted process makes network request
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\obiddjtrh.exe
    Command line: "C:\Users\Admin\AppData\Roaming\obiddjtrh.exe"
    PID: 2424
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\obiddjtrh.exe"
      PID: 2148
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Roaming\obiddjtrh.exe
      Command line: "C:\Users\Admin\AppData\Roaming\obiddjtrh.exe"
      PID: 1648
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Exploitation for Client Execution (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (2)
    Credentials In Files (2)
Downloads
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{1FE467FB-A141-4D39-A5DB-49CF09953C91}.FSD
  Filesize: 128KB
  MD5: 5791285cd18d9e442f201b98ecb461e0
  SHA1: fffe7b3475b9411384272ab38da20adf2e31b222
  SHA256: 897010b9b6574b79b3f2e556f10a46b2afe9d155c30f798a346efd34c315dbb7
  SHA512: dc778dbdc2ae53b79d79fc131e735a4e9530680efbe764abc8179913a9e20f9a080f8891c4d2f5482753894111112a5cee8968fcfbb03437f7d5c843d060723b
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{1FE467FB-A141-4D39-A5DB-49CF09953C91}.FSD
  Filesize: 128KB
  MD5: 51920b4880837021bc3121636f3ec2ac
  SHA1: a2ac5c986a51c3022fa6111ae0c118856ea87c4a
  SHA256: 191bd1eba9f4a1a0ba514cba57cf7e12b7ea8ce9b43e8be97a2b8ac899bbfec0
  SHA512: 05aaf38a1b548c5bf2069b8275d38f5ea47c2fce52e273dcb5521537486962813a26393e9677aaef4be2417637a70b309f9fafdcadfabde4ecfb8392bb65d221
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{BF7512C9-92C2-4519-887A-7C2C28ABB8D8}.FSD
  Filesize: 128KB
  MD5: 1634efc39f6c78623672c7e38caf96d7
  SHA1: 3e11d0bc044659cad5ab8761f60742f360c93725
  SHA256: b2def1ff464aa3740e1a0d473128788156b34796ee4af851a36533a15cbc016a
  SHA512: 7e341a53ed6d587657a4409fc52ae0ce11175568e6627a7504859a9609a1c2fb8523457403d715295bb2480d8b83ba015335821fef0bfe0cb84a81a765c8d2b5
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\mnobizxv[1].doc
  Filesize: 670KB
  MD5: c00a17e56e7eeaf2d72456692c36eec7
  SHA1: 72fbbce62454aaa611317d1c23a1980712d44613
  SHA256: ee1c72ebaf43badfd7469960a19c0b2c54dc7485eff720cab2eb6bb9cf623c04
  SHA512: ba0273b1afeb40e3c877fadc20e3ab3960e4db79272b042e500bc896d3986f607de401a2c300f97c42442e2ce4a03c241913a62439e96ff73b9795ad6527db97
(no path recorded)
  Filesize: 128KB
  MD5: 471764df93ff7257c47c794c067e75c4
  SHA1: 9092ad8f5a2f3a05dd0be245d868b37bdd2da922
  SHA256: 217f10971b581c1726af6f7369abfe2b1a0be1ddc6f920e108834157f90e59df
  SHA512: e98e4778424b6f4cfe274529908a3abb014b2d87f33e2c87c158dd531b5e907e882e4a24bee5b5b32bdb5fb95720dc4a630d2618f1cbf214c9e5d4ad2e262ec4
(no path recorded)
  Filesize: 128KB
  MD5: 210ecf6225273b2a042b089ab8d87eae
  SHA1: 41f847b5cd033781aeda52a28a3ad3abdb8fc6a8
  SHA256: eabe0cafadbb7c555b9eeb30a0a6ea5e8589210c25513f1525506deaa3e37a73
  SHA512: 31c57607064f7071a799d8fa990927aa9f9732810612a3013076661da53c0f520e0c08f1c00a366d5e4a0db651998fd2013aabd3d12d7d9028865807a3450211
(no path recorded)
  Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
(no path recorded)
  Filesize: 759KB
  MD5: 7578316e563e8a4a2983ae041a5fff39
  SHA1: fa5a6777784f272b191803d03a49dfe40354bcf2
  SHA256: 2b845ff4c5ee973861ccb905e73fed0bbd46ce5e311fc8910d188ec839226f58
  SHA512: 225fa056dff9c59915fbfe593d3d336c133eeab6be80f48de976f8d14cd773bde21716f489b45c007310da6eb61c9bd6681a7ec0a80559b246af07a1346dc9ba