Analysis
-
max time kernel
117s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
23-10-2024 08:44
Static task
static1
Behavioral task
behavioral1
Sample
FB678489548767854_Swift_advice.rtf
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
FB678489548767854_Swift_advice.rtf
Resource
win10v2004-20241007-en
General
-
Target
FB678489548767854_Swift_advice.rtf
-
Size
807KB
-
MD5
2cc6ed74a007255f16281a7ba9bf28bd
-
SHA1
e2a632c2597636063ad9ce8b7b7d414813172f13
-
SHA256
e3bc935dfe1c33d41a0956a758e96218389f00246cc0d6521ce9e953491f34a0
-
SHA512
be53699aaf860d982c227f2508aa52ebeec6f9c88b4bb49a2ee72c68fea17c096281c53fef9bc5762d6d91cf22d271bdbece05cb3eb878fc3d7846b87c058cb0
-
SSDEEP
6144:cwAYwAYwAYwAYwAYwAYwAYwAqE0RHYuD5tBzpYhduQ6LhTCQTlfZkQ58:GE7
Malware Config
Extracted
vipkeylogger
Protocol: smtp- Host:
cp1.virtualine.org - Port:
587 - Username:
[email protected] - Password:
7213575aceACE@@ - Email To:
[email protected]
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
-
Blocklisted process makes network request 1 IoCs
Processes:
EQNEDT32.EXEflow pid process 4 1404 EQNEDT32.EXE -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
Processes:
charlwealth73826.execharlwealth73826.exepid process 2844 charlwealth73826.exe 2008 charlwealth73826.exe -
Loads dropped DLL 2 IoCs
Processes:
EQNEDT32.EXEpid process 1404 EQNEDT32.EXE 1404 EQNEDT32.EXE -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
charlwealth73826.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 charlwealth73826.exe Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 charlwealth73826.exe Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 charlwealth73826.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 5 checkip.dyndns.org -
Drops file in System32 directory 1 IoCs
Processes:
powershell.exedescription ioc process File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
charlwealth73826.exedescription pid process target process PID 2844 set thread context of 2008 2844 charlwealth73826.exe charlwealth73826.exe -
Drops file in Windows directory 1 IoCs
Processes:
WINWORD.EXEdescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log WINWORD.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
WINWORD.EXEEQNEDT32.EXEcharlwealth73826.execharlwealth73826.exepowershell.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINWORD.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EQNEDT32.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language charlwealth73826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language charlwealth73826.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe -
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
WINWORD.EXEpid process 1924 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
charlwealth73826.exepowershell.exepid process 2008 charlwealth73826.exe 2240 powershell.exe 2008 charlwealth73826.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
charlwealth73826.exepowershell.exedescription pid process Token: SeDebugPrivilege 2008 charlwealth73826.exe Token: SeDebugPrivilege 2240 powershell.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
WINWORD.EXEpid process 1924 WINWORD.EXE 1924 WINWORD.EXE -
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
EQNEDT32.EXEWINWORD.EXEcharlwealth73826.exedescription pid process target process PID 1404 wrote to memory of 2844 1404 EQNEDT32.EXE charlwealth73826.exe PID 1404 wrote to memory of 2844 1404 EQNEDT32.EXE charlwealth73826.exe PID 1404 wrote to memory of 2844 1404 EQNEDT32.EXE charlwealth73826.exe PID 1404 wrote to memory of 2844 1404 EQNEDT32.EXE charlwealth73826.exe PID 1924 wrote to memory of 2624 1924 WINWORD.EXE splwow64.exe PID 1924 wrote to memory of 2624 1924 WINWORD.EXE splwow64.exe PID 1924 wrote to memory of 2624 1924 WINWORD.EXE splwow64.exe PID 1924 wrote to memory of 2624 1924 WINWORD.EXE splwow64.exe PID 2844 wrote to memory of 2240 2844 charlwealth73826.exe powershell.exe PID 2844 wrote to memory of 2240 2844 charlwealth73826.exe powershell.exe PID 2844 wrote to memory of 2240 2844 charlwealth73826.exe powershell.exe PID 2844 wrote to memory of 2240 2844 charlwealth73826.exe powershell.exe PID 2844 wrote to memory of 2008 2844 charlwealth73826.exe charlwealth73826.exe PID 2844 wrote to memory of 2008 2844 charlwealth73826.exe charlwealth73826.exe PID 2844 wrote to memory of 2008 2844 charlwealth73826.exe charlwealth73826.exe PID 2844 wrote to memory of 2008 2844 charlwealth73826.exe charlwealth73826.exe PID 2844 wrote to memory of 2008 2844 charlwealth73826.exe charlwealth73826.exe PID 2844 wrote to memory of 2008 2844 charlwealth73826.exe charlwealth73826.exe PID 2844 wrote to memory of 2008 2844 charlwealth73826.exe charlwealth73826.exe PID 2844 wrote to memory of 2008 2844 charlwealth73826.exe charlwealth73826.exe PID 2844 wrote to memory of 2008 2844 charlwealth73826.exe charlwealth73826.exe -
outlook_office_path 1 IoCs
Processes:
charlwealth73826.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 charlwealth73826.exe -
outlook_win_path 1 IoCs
Processes:
charlwealth73826.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 charlwealth73826.exe
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\FB678489548767854_Swift_advice.rtf"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122882⤵PID:2624
-
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Users\Admin\AppData\Roaming\charlwealth73826.exe"C:\Users\Admin\AppData\Roaming\charlwealth73826.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\charlwealth73826.exe"3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2240
-
-
C:\Users\Admin\AppData\Roaming\charlwealth73826.exe"C:\Users\Admin\AppData\Roaming\charlwealth73826.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2008
-
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Exploitation for Client Execution
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
934KB
MD5f1f5c3ac10d4a2b5ee41287be266697a
SHA1cadfebb21927a50708216ce994d748c7c71fb7cb
SHA256288c3ef10338b99d38a344433451dbb2aadcdc323e656670dae29d9cff5e1313
SHA512b21d15994853bc485ad1198308ecab15310e44e2cd9b7a6528196816718bd27cc7be5baeb6c3b6ff15b860a8aa20a854cd6e39b266bcdade1c04484c2c1322a3