Analysis

  • max time kernel
    128s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-10-2024 12:55

General

  • Target

    Purchase order Coloplast AS RFQ 10059170.docx

  • Size

    458KB

  • MD5

    b95c7303672b29595e704b80697dec29

  • SHA1

    62e5567be424853e5f5e72c8d82c077fb5185812

  • SHA256

    6e53e98fc01dd05fd91f377afadd8b75a6396958986ea211d879a4e3c713f323

  • SHA512

    e9da95e3a678b1f49bac3a3e06065bdd0a9734daab356ad57ac8102a03697fc7a2edcb26c2f32bc948dfc76befe3c291e57b640c7f7fd999730c8f11b29d2838

  • SSDEEP

    6144:p1bUb0cVLNEzYvRSPlaMXKaAi69qltTGSmNZ509tmYL6qoPQ7tmYB/l2mDlJjAIz:1kF5SPMM6I9X4X69mrm9Bt2mhW8G0Y6

Malware Config

Extracted

Family

vipkeylogger

Credentials

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.

  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Downloads MZ/PE file
  • Abuses OpenXML format to download file from external location
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Purchase order Coloplast AS RFQ 10059170.docx"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2128
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:1276
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe
        "C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1492
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2704
        • C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe
          "C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe"
          3⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:2244

Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{9F453FF1-95CF-4AC1-B432-A4C0D643512C}.FSD

      Filesize

      128KB

      MD5

      d32dab83738f60a2537081c1419f8b0c

      SHA1

      ec99280f64e892b3cccff9f397d915fba408ec34

      SHA256

      234be0a2a7fd98e5709dcf41bdfe6ffa527ba54ce7136fa531dae1352bff4b59

      SHA512

      abca84f081f9a3166a4259f43b3b9e1f1fa32b7f0dc1471e9b4190823c7e48e603ad796aac49dcb99fb8824f72084dd51d482da1ad4f65434b188e1d121c5bc5

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

      Filesize

      128KB

      MD5

      d42e113fb400b7a045f1ed527f2a1a99

      SHA1

      d53fcfc249bac2d315764437bdcc2b247c067b3c

      SHA256

      85f8a2209d21dcc151411c85131bc34bba1ec12ac38817cde8f343722b1504f8

      SHA512

      b1a680fbe65e83d52f25adb8bbd61e0c6b2b7b808caa4bf3fcceda2c0dd1f35034fb837bd455e5127cfc728551bd3a00195ef4f61e1c6a8edf2cbcddea685717

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\633SXO0D\1SccExdhYCwi9NS[1].doc

      Filesize

      878KB

      MD5

      cb3af2d8ca17af3ac5f9522f114236a3

      SHA1

      b113356582cf12ea715873bcdbeddc2e0e4fe96b

      SHA256

      0afff6f8e9f46c3b8306e86b4fc5f6951d6cb6fc7a3d0021ac4bbb0479af3efd

      SHA512

      ee3bc7e1f5b85aaf7286bf90189de6d44ad6ac1a8aeee72600b83a54ecd53977d9166ce0ec90c13b61608d5d790e2fe88d05d093003076bf9413c74fb9f1f45b

    • C:\Users\Admin\AppData\Local\Temp\{A0F871E2-ED0D-4456-902F-D76E3C293698}

      Filesize

      128KB

      MD5

      b4b63c3d8aee40e40a2590f969eb9104

      SHA1

      e5c53f599aa20ff84b1c8d1c9e693d8568847722

      SHA256

      ba3e5df7facf028a175b0684c26190fcc602e5c70b3bf58652595ae3c005c3e7

      SHA512

      499d11f83f1ea3c0c14ddcd8349eff67c72355052e69198f2054189de73f619d7590910aa4de680d896bbf6ac3d7df3160decfa5226b863683bc49bf2c0d56ef

    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

    • \Users\Admin\AppData\Roaming\axdcfydonstan89660.exe

      Filesize

      789KB

      MD5

      a4f12b1e186febfa71ae912ee06b924b

      SHA1

      8d51c1f9a3b814bc30366678d6d3eb75ec8e9303

      SHA256

      259403bd5fd2ed0dc8744a5444dd16c3595feaa977bd507d1966e26b664ba282

      SHA512

      43785a06f8a09d7ea796f9c1caedff969d4343ab5be7c0d596f9f0f81b55f43f7fc16ea72321a4d36cce191c395c355187fb585eed6a2d17d3239170fbb24504

    • memory/1492-95-0x0000000000460000-0x000000000047E000-memory.dmp

      Filesize

      120KB

    • memory/1492-104-0x0000000000B80000-0x0000000000C0A000-memory.dmp

      Filesize

      552KB

    • memory/1492-94-0x0000000000E60000-0x0000000000F2C000-memory.dmp

      Filesize

      816KB

    • memory/2128-97-0x0000000070C5D000-0x0000000070C68000-memory.dmp

      Filesize

      44KB

    • memory/2128-0-0x000000002F121000-0x000000002F122000-memory.dmp

      Filesize

      4KB

    • memory/2128-2-0x0000000070C5D000-0x0000000070C68000-memory.dmp

      Filesize

      44KB

    • memory/2128-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2244-118-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2244-116-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2244-114-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2244-113-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

    • memory/2244-111-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2244-109-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2244-107-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

    • memory/2244-105-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB