Analysis
- max time kernel: 128s
- max time network: 130s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 23-10-2024 12:55
Static task: static1
Behavioral task: behavioral1
- Sample: Purchase order Coloplast AS RFQ 10059170.docx
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: Purchase order Coloplast AS RFQ 10059170.docx
- Resource: win10v2004-20241007-en
General
- Target: Purchase order Coloplast AS RFQ 10059170.docx
- Size: 458KB
- MD5: b95c7303672b29595e704b80697dec29
- SHA1: 62e5567be424853e5f5e72c8d82c077fb5185812
- SHA256: 6e53e98fc01dd05fd91f377afadd8b75a6396958986ea211d879a4e3c713f323
- SHA512: e9da95e3a678b1f49bac3a3e06065bdd0a9734daab356ad57ac8102a03697fc7a2edcb26c2f32bc948dfc76befe3c291e57b640c7f7fd999730c8f11b29d2838
- SSDEEP: 6144:p1bUb0cVLNEzYvRSPlaMXKaAi69qltTGSmNZ509tmYL6qoPQ7tmYB/l2mDlJjAIz:1kF5SPMM6I9X4X69mrm9Bt2mhW8G0Y6
Malware Config
Extracted: vipkeylogger
- Protocol: smtp
- Host: tonicables.top
- Port: 587
- Username: [email protected]
- Password: 7213575aceACE@
- Email To: [email protected]
Signatures
- VIPKeylogger
  VIPKeylogger is a keylogger and infostealer written in C#; it resembles SnakeKeylogger, which was found in 2020.
- Blocklisted process makes network request (1 IoC)
  Processes: flow 7, PID 2736, EQNEDT32.EXE
- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Downloads MZ/PE file
- Abuses OpenXML format to download file from external location
- Executes dropped EXE (2 IoCs)
  Processes: PID 1492 axdcfydonstan89660.exe; PID 2244 axdcfydonstan89660.exe
- Loads dropped DLL (1 IoC)
  Processes: PID 2736 EQNEDT32.EXE
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Processes: axdcfydonstan89660.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - Key opened: \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - Key opened: \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes: flow 8, checkip.dyndns.org
- Drops file in System32 directory (1 IoC)
  Processes: powershell.exe
  - File opened for modification: C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PID 1492 axdcfydonstan89660.exe set thread context of PID 2244 axdcfydonstan89660.exe
- Drops file in Windows directory (1 IoC)
  Processes: WINWORD.EXE
  - File opened for modification: C:\Windows\Debug\WIA\wiatrace.log
- System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: EQNEDT32.EXE, axdcfydonstan89660.exe, axdcfydonstan89660.exe, powershell.exe, WINWORD.EXE
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by EQNEDT32.EXE)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by axdcfydonstan89660.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by axdcfydonstan89660.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by powershell.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (by WINWORD.EXE)
- Office loads VBA resources, possible macro or embedded object present
- Launches Equation Editor (1 TTP, 1 IoC)
  Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: PID 2128 WINWORD.EXE
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: PID 1492 axdcfydonstan89660.exe (x2); PID 2244 axdcfydonstan89660.exe (x2); PID 2704 powershell.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (Token: SeDebugPrivilege): PID 1492 axdcfydonstan89660.exe; PID 2244 axdcfydonstan89660.exe; PID 2704 powershell.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: PID 2128 WINWORD.EXE (x2)
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes:
  - PID 2736 EQNEDT32.EXE wrote to memory of PID 1492 axdcfydonstan89660.exe (x4)
  - PID 2128 WINWORD.EXE wrote to memory of PID 1276 splwow64.exe (x4)
  - PID 1492 axdcfydonstan89660.exe wrote to memory of PID 2704 powershell.exe (x4)
  - PID 1492 axdcfydonstan89660.exe wrote to memory of PID 2244 axdcfydonstan89660.exe (x9)
- outlook_office_path (1 IoC)
  Processes: axdcfydonstan89660.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoC)
  Processes: axdcfydonstan89660.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
  Command line: "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Purchase order Coloplast AS RFQ 10059170.docx"
  PID: 2128
  Signatures:
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\splwow64.exe
    Command line: C:\Windows\splwow64.exe 12288
    PID: 1276
- C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
  Command line: "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
  PID: 2736
  Signatures:
  - Blocklisted process makes network request
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Launches Equation Editor
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe
    Command line: "C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe"
    PID: 1492
    Signatures:
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe"
      PID: 2704
      Signatures:
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe
      Command line: "C:\Users\Admin\AppData\Roaming\axdcfydonstan89660.exe"
      PID: 2244
      Signatures:
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
- Execution
  - Command and Scripting Interpreter (1): PowerShell (1)
  - Exploitation for Client Execution (1)
- Credential Access
  - Credentials from Password Stores (1): Credentials from Web Browsers (1)
  - Unsecured Credentials (2): Credentials In Files (2)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{9F453FF1-95CF-4AC1-B432-A4C0D643512C}.FSD
  Filesize: 128KB
  MD5: d32dab83738f60a2537081c1419f8b0c
  SHA1: ec99280f64e892b3cccff9f397d915fba408ec34
  SHA256: 234be0a2a7fd98e5709dcf41bdfe6ffa527ba54ce7136fa531dae1352bff4b59
  SHA512: abca84f081f9a3166a4259f43b3b9e1f1fa32b7f0dc1471e9b4190823c7e48e603ad796aac49dcb99fb8824f72084dd51d482da1ad4f65434b188e1d121c5bc5
- C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
  Filesize: 128KB
  MD5: d42e113fb400b7a045f1ed527f2a1a99
  SHA1: d53fcfc249bac2d315764437bdcc2b247c067b3c
  SHA256: 85f8a2209d21dcc151411c85131bc34bba1ec12ac38817cde8f343722b1504f8
  SHA512: b1a680fbe65e83d52f25adb8bbd61e0c6b2b7b808caa4bf3fcceda2c0dd1f35034fb837bd455e5127cfc728551bd3a00195ef4f61e1c6a8edf2cbcddea685717
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\633SXO0D\1SccExdhYCwi9NS[1].doc
  Filesize: 878KB
  MD5: cb3af2d8ca17af3ac5f9522f114236a3
  SHA1: b113356582cf12ea715873bcdbeddc2e0e4fe96b
  SHA256: 0afff6f8e9f46c3b8306e86b4fc5f6951d6cb6fc7a3d0021ac4bbb0479af3efd
  SHA512: ee3bc7e1f5b85aaf7286bf90189de6d44ad6ac1a8aeee72600b83a54ecd53977d9166ce0ec90c13b61608d5d790e2fe88d05d093003076bf9413c74fb9f1f45b