Analysis

  • max time kernel
    117s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    23-10-2024 08:44

General

  • Target

    FB678489548767854_Swift_advice.rtf

  • Size

    807KB

  • MD5

    2cc6ed74a007255f16281a7ba9bf28bd

  • SHA1

    e2a632c2597636063ad9ce8b7b7d414813172f13

  • SHA256

    e3bc935dfe1c33d41a0956a758e96218389f00246cc0d6521ce9e953491f34a0

  • SHA512

    be53699aaf860d982c227f2508aa52ebeec6f9c88b4bb49a2ee72c68fea17c096281c53fef9bc5762d6d91cf22d271bdbece05cb3eb878fc3d7846b87c058cb0

  • SSDEEP

    6144:cwAYwAYwAYwAYwAYwAYwAYwAqE0RHYuD5tBzpYhduQ6LhTCQTlfZkQ58:GE7

Malware Config

Extracted

Family

vipkeylogger

Credentials

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\FB678489548767854_Swift_advice.rtf"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1924
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:2624
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:1404
      • C:\Users\Admin\AppData\Roaming\charlwealth73826.exe
        "C:\Users\Admin\AppData\Roaming\charlwealth73826.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2844
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\charlwealth73826.exe"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2240
        • C:\Users\Admin\AppData\Roaming\charlwealth73826.exe
          "C:\Users\Admin\AppData\Roaming\charlwealth73826.exe"
          3⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:2008

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\charlwealth73826.exe

      Filesize

      934KB

      MD5

      f1f5c3ac10d4a2b5ee41287be266697a

      SHA1

      cadfebb21927a50708216ce994d748c7c71fb7cb

      SHA256

      288c3ef10338b99d38a344433451dbb2aadcdc323e656670dae29d9cff5e1313

      SHA512

      b21d15994853bc485ad1198308ecab15310e44e2cd9b7a6528196816718bd27cc7be5baeb6c3b6ff15b860a8aa20a854cd6e39b266bcdade1c04484c2c1322a3

    • memory/1924-19-0x000000007332D000-0x0000000073338000-memory.dmp

      Filesize

      44KB

    • memory/1924-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/1924-2-0x000000007332D000-0x0000000073338000-memory.dmp

      Filesize

      44KB

    • memory/1924-0-0x000000002F8D1000-0x000000002F8D2000-memory.dmp

      Filesize

      4KB

    • memory/2008-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/2008-27-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2008-33-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2008-32-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2008-30-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2008-26-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2008-23-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2008-21-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2844-18-0x0000000000730000-0x000000000074C000-memory.dmp

      Filesize

      112KB

    • memory/2844-20-0x0000000005270000-0x00000000052FC000-memory.dmp

      Filesize

      560KB

    • memory/2844-17-0x0000000000E90000-0x0000000000F7E000-memory.dmp

      Filesize

      952KB