Analysis

  • max time kernel
    50s
  • max time network
    42s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-10-2024 21:34

General

  • Target

    1ba4de3cf7421c893126c14e0a3212fe32f6f6a4dec449aefbcc31181a91ade0.docx

  • Size

    319KB

  • MD5

    134cc6f60ff9cd1cf4d7dfe4d50b095e

  • SHA1

    c0bcf0297ee258bb6f9a8b5de08de4a2c48f357a

  • SHA256

    1ba4de3cf7421c893126c14e0a3212fe32f6f6a4dec449aefbcc31181a91ade0

  • SHA512

    078ee9e29d522b75477a14e9b1d01f15e449ab66708f3e440643d4b30494f6d626a68f606e735cde9c1344b0f59ea597d2d2fa1dcb2aca4305f56ecf4d0d0eee

  • SSDEEP

    6144:N07JHBA0B56szCXqqqqqmzYhuO+FLh5C2z9mL1:Wd/qYYFNHrz96

Malware Config

Extracted

Family

vipkeylogger

Credentials

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Downloads MZ/PE file
  • Abuses OpenXML format to download file from external location
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\1ba4de3cf7421c893126c14e0a3212fe32f6f6a4dec449aefbcc31181a91ade0.docx"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2880
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2104
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:2932
      • C:\Users\Admin\AppData\Roaming\okdsxckelly73826.exe
        "C:\Users\Admin\AppData\Roaming\okdsxckelly73826.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2988
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\okdsxckelly73826.exe"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3012
        • C:\Users\Admin\AppData\Roaming\okdsxckelly73826.exe
          "C:\Users\Admin\AppData\Roaming\okdsxckelly73826.exe"
          3⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:2124

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{27D1AF12-6AD0-41ED-AB56-4C22D121852F}.FSD

      Filesize

      128KB

      MD5

      7ef73de08d75472aa988265c03d24f93

      SHA1

      0c196fc6d09a9b199b62bc429bb5a8ce4f757827

      SHA256

      00e88614c564f784f6aae23a13ab90bc885761d90de9a65c5d2bd00752c06852

      SHA512

      b3a14868be7add1c4124b2754bfc7e53f4c711b0a97494963cf725fd077337bfeeb4dc0e58472bffd1373113e1d6ed0fcb98635ed0a5cf30d4803dfffb1e608d

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      9ec0e715e27e24bf660e23efee455a80

      SHA1

      97b3ea920cf7677fb641581086f082024b9302ec

      SHA256

      a281317f668827fcaac0c02f7c6edeadb2ba2fd8d7f38964e5bc01b893852293

      SHA512

      2f19de772b46ff22b563b793ff2807d2112e12201268ef69e52f24c7a1e34e6c3b2c6934e89d4d399cb2e883fdcc53dad05a94b2a4846bc8385c5f20389572e5

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{7E33D178-75DD-4EE2-A135-EBE5AF2FF3BE}.FSD

      Filesize

      128KB

      MD5

      bf7e49a90dd58a2699513485f60e6f6f

      SHA1

      541878439629682abd60ec33f87e7f21f49803c4

      SHA256

      f72307759d4d2ba041348407d096977bbf98459f5e7ff6924e154497f0caf9b0

      SHA512

      bbad74da2052818078c0046c59dc05b9925c48966a49f0e2e9a16021683aef9c0425d2f5ed10f35879b1fa4ad59ffb7c32bae34038254377b25387a67143e264

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\ixsT7yV1KrQcQ4E[1].doc

      Filesize

      1.4MB

      MD5

      740b51e1a54c208e5c9c83fc3317fc0e

      SHA1

      e69ad6fc49440e561a14d119937d49e19b23a778

      SHA256

      a3e7d516e9bc973851dd727a31c525d8e946df586e528db14cbeee40cfc075d4

      SHA512

      b8811fec258e9fe20d8dd176364eb787358660a7f04f241635877d7f5354510fa78d13ac69144a3a9f62f631ed4aaf8f1245c6a576677fc884271f88205a77e8

    • C:\Users\Admin\AppData\Local\Temp\{C60B06B9-DE51-43A2-AB0B-EEBC9C0A3BA5}

      Filesize

      128KB

      MD5

      4ebff2972194b0f7198b78d5ae2597e5

      SHA1

      d85e66d64e61ef94c2d74c7b66dd5209bdb26974

      SHA256

      af260349702d69342539cd03e7b2b62eaef425617b153219b74166f943d281cf

      SHA512

      1b6ad5bb806c29dd7cbcfdb1d86ec53381d34e88f66574fc23140223bd22981156019f001b9d8fa0c938da28e3ed974c86ed528299fde611a77fbdc40597b776

    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    • C:\Users\Admin\AppData\Roaming\okdsxckelly73826.exe

      Filesize

      934KB

      MD5

      ad8d15f3e02c29fa78cddad65dd3d3aa

      SHA1

      edfaeb194c0bf6e09dcc0cc873b96ffb97fd53e9

      SHA256

      6f26196bd7540338c9287b7a920abe2531a59f1007701604e585759afa3f551a

      SHA512

      e8d523ee65071fcfc32d51e380fa6a7929683383a0579f551e8facb0f2e5f4a8bd7e1643be94d75016a8f690613c55cb716131ce43173e0a9ed594d90ff692e5

    • memory/2124-116-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/2124-119-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2124-117-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2124-110-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2124-112-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2124-114-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2124-120-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2124-108-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2880-0-0x000000002F651000-0x000000002F652000-memory.dmp

      Filesize

      4KB

    • memory/2880-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2880-2-0x00000000719AD000-0x00000000719B8000-memory.dmp

      Filesize

      44KB

    • memory/2880-98-0x00000000719AD000-0x00000000719B8000-memory.dmp

      Filesize

      44KB

    • memory/2988-107-0x0000000004CF0000-0x0000000004D7C000-memory.dmp

      Filesize

      560KB

    • memory/2988-100-0x0000000000520000-0x000000000053C000-memory.dmp

      Filesize

      112KB

    • memory/2988-97-0x0000000000FE0000-0x00000000010CE000-memory.dmp

      Filesize

      952KB