Analysis
max time kernel: 50s
max time network: 42s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 23-10-2024 21:34
Static task: static1
Behavioral task: behavioral1
  Sample: 1ba4de3cf7421c893126c14e0a3212fe32f6f6a4dec449aefbcc31181a91ade0.docx
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 1ba4de3cf7421c893126c14e0a3212fe32f6f6a4dec449aefbcc31181a91ade0.docx
  Resource: win10v2004-20241007-en
General
Target: 1ba4de3cf7421c893126c14e0a3212fe32f6f6a4dec449aefbcc31181a91ade0.docx
Size: 319KB
MD5: 134cc6f60ff9cd1cf4d7dfe4d50b095e
SHA1: c0bcf0297ee258bb6f9a8b5de08de4a2c48f357a
SHA256: 1ba4de3cf7421c893126c14e0a3212fe32f6f6a4dec449aefbcc31181a91ade0
SHA512: 078ee9e29d522b75477a14e9b1d01f15e449ab66708f3e440643d4b30494f6d626a68f606e735cde9c1344b0f59ea597d2d2fa1dcb2aca4305f56ecf4d0d0eee
SSDEEP: 6144:N07JHBA0B56szCXqqqqqmzYhuO+FLh5C2z9mL1:Wd/qYYFNHrz96
Malware Config
Extracted
vipkeylogger
Protocol: smtp
Host: jhxkgroup.online
Port: 587
Username: [email protected]
Password: 7213575aceACE@
Email To: [email protected]
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.
-
Blocklisted process makes network request (1 IoC)
Processes:
flow | pid  | process
7    | 2932 | EQNEDT32.EXE
-
Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location
-
Executes dropped EXE (2 IoCs)
Processes:
pid  | process
2988 | okdsxckelly73826.exe
2124 | okdsxckelly73826.exe
-
Loads dropped DLL (2 IoCs)
Processes:
pid  | process
2932 | EQNEDT32.EXE
2932 | EQNEDT32.EXE
-
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | okdsxckelly73826.exe
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | okdsxckelly73826.exe
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | okdsxckelly73826.exe
-
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
8    | checkip.dyndns.org
-
Drops file in System32 directory (1 IoC)
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
-
Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 2988 set thread context of 2124 | 2988 | okdsxckelly73826.exe | okdsxckelly73826.exe
-
Drops file in Windows directory (1 IoC)
Processes:
description | ioc | process
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | WINWORD.EXE
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EQNEDT32.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | okdsxckelly73826.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | okdsxckelly73826.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor (1 TTP, 1 IoC)
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
pid  | process
2880 | WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
pid  | process
2124 | okdsxckelly73826.exe
3012 | powershell.exe
2124 | okdsxckelly73826.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 2124 | okdsxckelly73826.exe
Token: SeDebugPrivilege | 3012 | powershell.exe
-
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
pid  | process
2880 | WINWORD.EXE
2880 | WINWORD.EXE
-
Suspicious use of WriteProcessMemory (21 IoCs)
Processes:
description | pid | process | target process
PID 2932 wrote to memory of 2988 | 2932 | EQNEDT32.EXE | okdsxckelly73826.exe
PID 2932 wrote to memory of 2988 | 2932 | EQNEDT32.EXE | okdsxckelly73826.exe
PID 2932 wrote to memory of 2988 | 2932 | EQNEDT32.EXE | okdsxckelly73826.exe
PID 2932 wrote to memory of 2988 | 2932 | EQNEDT32.EXE | okdsxckelly73826.exe
PID 2880 wrote to memory of 2104 | 2880 | WINWORD.EXE | splwow64.exe
PID 2880 wrote to memory of 2104 | 2880 | WINWORD.EXE | splwow64.exe
PID 2880 wrote to memory of 2104 | 2880 | WINWORD.EXE | splwow64.exe
PID 2880 wrote to memory of 2104 | 2880 | WINWORD.EXE | splwow64.exe
PID 2988 wrote to memory of 3012 | 2988 | okdsxckelly73826.exe | powershell.exe
PID 2988 wrote to memory of 3012 | 2988 | okdsxckelly73826.exe | powershell.exe
PID 2988 wrote to memory of 3012 | 2988 | okdsxckelly73826.exe | powershell.exe
PID 2988 wrote to memory of 3012 | 2988 | okdsxckelly73826.exe | powershell.exe
PID 2988 wrote to memory of 2124 | 2988 | okdsxckelly73826.exe | okdsxckelly73826.exe
PID 2988 wrote to memory of 2124 | 2988 | okdsxckelly73826.exe | okdsxckelly73826.exe
PID 2988 wrote to memory of 2124 | 2988 | okdsxckelly73826.exe | okdsxckelly73826.exe
PID 2988 wrote to memory of 2124 | 2988 | okdsxckelly73826.exe | okdsxckelly73826.exe
PID 2988 wrote to memory of 2124 | 2988 | okdsxckelly73826.exe | okdsxckelly73826.exe
PID 2988 wrote to memory of 2124 | 2988 | okdsxckelly73826.exe | okdsxckelly73826.exe
PID 2988 wrote to memory of 2124 | 2988 | okdsxckelly73826.exe | okdsxckelly73826.exe
PID 2988 wrote to memory of 2124 | 2988 | okdsxckelly73826.exe | okdsxckelly73826.exe
PID 2988 wrote to memory of 2124 | 2988 | okdsxckelly73826.exe | okdsxckelly73826.exe
-
outlook_office_path (1 IoC)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | okdsxckelly73826.exe
-
outlook_win_path (1 IoC)
Processes:
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | okdsxckelly73826.exe
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1ba4de3cf7421c893126c14e0a3212fe32f6f6a4dec449aefbcc31181a91ade0.docx"
  PID: 2880
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID: 2104
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  PID: 2932
  - Blocklisted process makes network request
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\okdsxckelly73826.exe
    Command line: "C:\Users\Admin\AppData\Roaming\okdsxckelly73826.exe"
    PID: 2988
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\okdsxckelly73826.exe"
      PID: 3012
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Roaming\okdsxckelly73826.exe
      Command line: "C:\Users\Admin\AppData\Roaming\okdsxckelly73826.exe"
      PID: 2124
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Exploitation for Client Execution (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (2)
    Credentials In Files (2)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{27D1AF12-6AD0-41ED-AB56-4C22D121852F}.FSD (128KB)
- C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD (128KB)
- C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{7E33D178-75DD-4EE2-A135-EBE5AF2FF3BE}.FSD (128KB)
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\ixsT7yV1KrQcQ4E[1].doc (1.4MB)