vipkeylogger | e2eec3fead32a394e15dc805efb549f453b3020cde2e37f6d36020b0297d0d4d

Analysis

max time kernel
129s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-11-2024 07:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payment Copy.docx
Size

459KB
MD5

461b9e11fc472678391ea0896131e3fd
SHA1

1d5d856bd620c7ed772701f848ae53124d2bfbdd
SHA256

e2eec3fead32a394e15dc805efb549f453b3020cde2e37f6d36020b0297d0d4d
SHA512

6bb127c496c6e01c1b86fc4a88cd26ca4f173be414494d58dbca921de660f9f6b3368d86c7fb224e22865908377060df574573c91944d1c526040437e13cec00
SSDEEP

6144:A6lcbR5HastSFXbqUAbqUAbqUvyLE8IIIIIW0ru0rqme6eeCe9vCeXhdA99tmYL/:ZARtUVhpr/rqIXQ9mrm9Bt2mhW8G0Y4

Score

10^/10

vipkeylogger collection discovery execution keylogger spyware stealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.jhxkgroup.online
Port:
587
Username:
[email protected]
Password:
7213575aceACE@@
Email To:
[email protected]

Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow	pid	Process
8	2136	EQNEDT32.EXE

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
2236	powershell.exe

Downloads MZ/PE file
Abuses OpenXML format to download file from external location

Executes dropped EXE 3 IoCs

Processes:

obigfhdsd.exeobigfhdsd.exeobigfhdsd.exe

pid	Process
1980	obigfhdsd.exe
2904	obigfhdsd.exe
1012	obigfhdsd.exe

Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid	Process
2136	EQNEDT32.EXE

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

obigfhdsd.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	obigfhdsd.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	obigfhdsd.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	obigfhdsd.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
9	checkip.dyndns.org

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

obigfhdsd.exe

description	pid	Process	procid_target
PID 1980 set thread context of 1012	1980	obigfhdsd.exe	38

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

WINWORD.EXEEQNEDT32.EXEobigfhdsd.exeobigfhdsd.exepowershell.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	obigfhdsd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	obigfhdsd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

Processes:

EQNEDT32.EXE

pid	Process
2136	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid	Process
3068	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

obigfhdsd.exeobigfhdsd.exepowershell.exe

pid	Process
1980	obigfhdsd.exe
1980	obigfhdsd.exe
1012	obigfhdsd.exe
2236	powershell.exe
1012	obigfhdsd.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

obigfhdsd.exeobigfhdsd.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	1980	obigfhdsd.exe
Token: SeDebugPrivilege	1012	obigfhdsd.exe
Token: SeDebugPrivilege	2236	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid	Process
3068	WINWORD.EXE
3068	WINWORD.EXE

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEobigfhdsd.exe

description	pid	Process	procid_target
PID 2136 wrote to memory of 1980	2136	EQNEDT32.EXE	32
PID 2136 wrote to memory of 1980	2136	EQNEDT32.EXE	32
PID 2136 wrote to memory of 1980	2136	EQNEDT32.EXE	32
PID 2136 wrote to memory of 1980	2136	EQNEDT32.EXE	32
PID 3068 wrote to memory of 772	3068	WINWORD.EXE	34
PID 3068 wrote to memory of 772	3068	WINWORD.EXE	34
PID 3068 wrote to memory of 772	3068	WINWORD.EXE	34
PID 3068 wrote to memory of 772	3068	WINWORD.EXE	34
PID 1980 wrote to memory of 2236	1980	obigfhdsd.exe	35
PID 1980 wrote to memory of 2236	1980	obigfhdsd.exe	35
PID 1980 wrote to memory of 2236	1980	obigfhdsd.exe	35
PID 1980 wrote to memory of 2236	1980	obigfhdsd.exe	35
PID 1980 wrote to memory of 2904	1980	obigfhdsd.exe	37
PID 1980 wrote to memory of 2904	1980	obigfhdsd.exe	37
PID 1980 wrote to memory of 2904	1980	obigfhdsd.exe	37
PID 1980 wrote to memory of 2904	1980	obigfhdsd.exe	37
PID 1980 wrote to memory of 1012	1980	obigfhdsd.exe	38
PID 1980 wrote to memory of 1012	1980	obigfhdsd.exe	38
PID 1980 wrote to memory of 1012	1980	obigfhdsd.exe	38
PID 1980 wrote to memory of 1012	1980	obigfhdsd.exe	38
PID 1980 wrote to memory of 1012	1980	obigfhdsd.exe	38
PID 1980 wrote to memory of 1012	1980	obigfhdsd.exe	38
PID 1980 wrote to memory of 1012	1980	obigfhdsd.exe	38
PID 1980 wrote to memory of 1012	1980	obigfhdsd.exe	38
PID 1980 wrote to memory of 1012	1980	obigfhdsd.exe	38

outlook_office_path 1 IoCs

Processes:

obigfhdsd.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	obigfhdsd.exe

outlook_win_path 1 IoCs

Processes:

obigfhdsd.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	obigfhdsd.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Payment Copy.docx"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:772

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Roaming\obigfhdsd.exe
  "C:\Users\Admin\AppData\Roaming\obigfhdsd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\obigfhdsd.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2236
- - C:\Users\Admin\AppData\Roaming\obigfhdsd.exe
    "C:\Users\Admin\AppData\Roaming\obigfhdsd.exe"
    3⤵
    - Executes dropped EXE
    PID:2904
- - C:\Users\Admin\AppData\Roaming\obigfhdsd.exe
    "C:\Users\Admin\AppData\Roaming\obigfhdsd.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:1012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{CD44BF8D-83F3-4D04-9EA5-CEF3408D6318}.FSD

Filesize
128KB

MD5
dbd5fc5e0a02e2fa8a2f05eef9584ab9

SHA1
f35e05670ab1a66e931ef0ce79fa00937fb43b47

SHA256
85f671941be7c650302d94ff4a9b92183152fd7a9b858ef43e78f2bee2d028eb

SHA512
b388bcc0e85d388bdbe5b5c5a7165434ce7248fc3b4ec4bde3cfbb960b444f514c5f335e2845d6393337450a7d4fff14fdbfc8fd44bf41fdc499aac953153465

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{CD44BF8D-83F3-4D04-9EA5-CEF3408D6318}.FSD

Filesize
128KB

MD5
a22647715f36d1d57f4a648605160004

SHA1
64b845ce07fc30f2d7207573cde711507ff51e0e

SHA256
72821c449751e53369ea4dcee345eaa7deb86c56719a2413e15d29f21885cd4d

SHA512
9cf52f7c591afce789e83520728a0e54c1732a90cb2db95e04bfbe867ed356e1638f1138588ed0a91f1472170efc22b2df52bc2ca690d3d3aa53e0adc5cc8e58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
2a8e3c27c80cdce26a38e7a6640363ae

SHA1
66e78776eb78aacfd71caaa49efa562d75376655

SHA256
0810f061d262593f8c90c209f6c25f9d2c9ffefcfc91d7c3d7a07587230b779e

SHA512
2fcf67e96f0561be4f6086e626c2795bbdce0286caba448295f005887c4d68b68bdc413b51743741c3da5365516e90311efc94e6ca15acbd584bca614d528e3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M4TQDAHL\blhbZrtqbLg6O1K[1].doc

Filesize
857KB

MD5
9b33bc2074cc4df27de67aa3a4751207

SHA1
7f6d18d3a714e92dbb75b58216dcb01bf0e7f3dc

SHA256
303f6cb6bffb7bab41a611f99a776a07fcfda896cb344d3eb4f34461922c60b4

SHA512
e30ca2358a7e5dc4adad2b04fa33289eab853fa5a6cff1305019fd4576305caeedb2bb687065641ceeca6f00e23f638ca2806cfd58844bcc56e9136e3d39309f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{149C73F0-17D6-41D9-AB79-B67FE0F97BDD}

Filesize
128KB

MD5
4845a113dc71a4efcd7ec37899d39ce9

SHA1
c6bdae21dff813ba4b109bcc6344d490e02403fe

SHA256
de4ff569e9adf2193a77fbc3e74040b0de9a77c10cfc390009a5eb4a630247e7

SHA512
7b4d7c35c17e4e53fb382d1fea7d8199f4cd447348836a6a45417d91012659c037963e99fdcb9973374f44c91183f2c126dbeb7773d1982df59cd02fe28e3e45

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Roaming\obigfhdsd.exe

Filesize
699KB

MD5
32317fa8ed09561ea6de5ee91c3a971d

SHA1
a1dc40e480493d39a2335963e6d0f1e6bf9fea82

SHA256
117f1bc3d9a04cc8bbc9b0f681745c480f6744ddebd5879e32a05e7c7b3c492f

SHA512
49d43a2adaa04895025cba7810bcb6b980930e20307e5d8684c89b58e23e59639ded7e6a3396c54aa0475dd9f046de617f2cb16d7cf37263a1b643f7adf274c6

Download Submit
memory/1012-117-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1012-124-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1012-119-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1012-115-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1012-121-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1012-113-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1012-122-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1012-125-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1980-95-0x00000000006E0000-0x00000000006F2000-memory.dmp

Filesize
72KB

Download
memory/1980-111-0x0000000005180000-0x000000000520E000-memory.dmp

Filesize
568KB

Download
memory/1980-94-0x0000000000E30000-0x0000000000EE6000-memory.dmp

Filesize
728KB

Download
memory/3068-101-0x000000007094D000-0x0000000070958000-memory.dmp

Filesize
44KB

Download
memory/3068-0-0x000000002F2D1000-0x000000002F2D2000-memory.dmp

Filesize
4KB

Download
memory/3068-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3068-2-0x000000007094D000-0x0000000070958000-memory.dmp

Filesize
44KB

Download