vipkeylogger | e2eec3fead32a394e15dc805efb549f453b3020cde2e37f6d36020b0297d0d4d

Analysis

max time kernel
130s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-11-2024 06:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payment Copy.docx
Size

459KB
MD5

461b9e11fc472678391ea0896131e3fd
SHA1

1d5d856bd620c7ed772701f848ae53124d2bfbdd
SHA256

e2eec3fead32a394e15dc805efb549f453b3020cde2e37f6d36020b0297d0d4d
SHA512

6bb127c496c6e01c1b86fc4a88cd26ca4f173be414494d58dbca921de660f9f6b3368d86c7fb224e22865908377060df574573c91944d1c526040437e13cec00
SSDEEP

6144:A6lcbR5HastSFXbqUAbqUAbqUvyLE8IIIIIW0ru0rqme6eeCe9vCeXhdA99tmYL/:ZARtUVhpr/rqIXQ9mrm9Bt2mhW8G0Y4

Score

10^/10

vipkeylogger collection discovery execution keylogger spyware stealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.jhxkgroup.online
Port:
587
Username:
[email protected]
Password:
7213575aceACE@@
Email To:
[email protected]

Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow	pid	Process
8	2872	EQNEDT32.EXE

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
2368	powershell.exe

Downloads MZ/PE file
Abuses OpenXML format to download file from external location

Executes dropped EXE 2 IoCs

Processes:

obigfhdsd.exeobigfhdsd.exe

pid	Process
2524	obigfhdsd.exe
2960	obigfhdsd.exe

Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid	Process
2872	EQNEDT32.EXE

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

obigfhdsd.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	obigfhdsd.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	obigfhdsd.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	obigfhdsd.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
9	checkip.dyndns.org

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

obigfhdsd.exe

description	pid	Process	procid_target
PID 2524 set thread context of 2960	2524	obigfhdsd.exe	38

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

WINWORD.EXEEQNEDT32.EXEobigfhdsd.exeobigfhdsd.exepowershell.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	obigfhdsd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	obigfhdsd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

Processes:

EQNEDT32.EXE

pid	Process
2872	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid	Process
2352	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

obigfhdsd.exepowershell.exe

pid	Process
2960	obigfhdsd.exe
2368	powershell.exe
2960	obigfhdsd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

obigfhdsd.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	2960	obigfhdsd.exe
Token: SeDebugPrivilege	2368	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid	Process
2352	WINWORD.EXE
2352	WINWORD.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEobigfhdsd.exe

description	pid	Process	procid_target
PID 2872 wrote to memory of 2524	2872	EQNEDT32.EXE	33
PID 2872 wrote to memory of 2524	2872	EQNEDT32.EXE	33
PID 2872 wrote to memory of 2524	2872	EQNEDT32.EXE	33
PID 2872 wrote to memory of 2524	2872	EQNEDT32.EXE	33
PID 2352 wrote to memory of 2004	2352	WINWORD.EXE	35
PID 2352 wrote to memory of 2004	2352	WINWORD.EXE	35
PID 2352 wrote to memory of 2004	2352	WINWORD.EXE	35
PID 2352 wrote to memory of 2004	2352	WINWORD.EXE	35
PID 2524 wrote to memory of 2368	2524	obigfhdsd.exe	36
PID 2524 wrote to memory of 2368	2524	obigfhdsd.exe	36
PID 2524 wrote to memory of 2368	2524	obigfhdsd.exe	36
PID 2524 wrote to memory of 2368	2524	obigfhdsd.exe	36
PID 2524 wrote to memory of 2960	2524	obigfhdsd.exe	38
PID 2524 wrote to memory of 2960	2524	obigfhdsd.exe	38
PID 2524 wrote to memory of 2960	2524	obigfhdsd.exe	38
PID 2524 wrote to memory of 2960	2524	obigfhdsd.exe	38
PID 2524 wrote to memory of 2960	2524	obigfhdsd.exe	38
PID 2524 wrote to memory of 2960	2524	obigfhdsd.exe	38
PID 2524 wrote to memory of 2960	2524	obigfhdsd.exe	38
PID 2524 wrote to memory of 2960	2524	obigfhdsd.exe	38
PID 2524 wrote to memory of 2960	2524	obigfhdsd.exe	38

outlook_office_path 1 IoCs

Processes:

obigfhdsd.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	obigfhdsd.exe

outlook_win_path 1 IoCs

Processes:

obigfhdsd.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	obigfhdsd.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Payment Copy.docx"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2004

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Users\Admin\AppData\Roaming\obigfhdsd.exe
  "C:\Users\Admin\AppData\Roaming\obigfhdsd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\obigfhdsd.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2368
- - C:\Users\Admin\AppData\Roaming\obigfhdsd.exe
    "C:\Users\Admin\AppData\Roaming\obigfhdsd.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{F2B4E261-F6D0-453D-9D4D-8E6D45A115EB}.FSD

Filesize
128KB

MD5
0235405b358b49e4bf7b88ed4fdbc5cc

SHA1
6febacb3507a8289056497018e4419aba350e133

SHA256
d796f7e9824e482ab45ee9658419785b672bb2b3a3f45685df3f8f128c0899ff

SHA512
8d5930248456fb91947808ae92e6b19ddb94cb9dec55ffb7ab84805e5539819dc310acd7bf59d82a95af81bc0929ee15acb696902de8fe877134767e9dd352ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
324e520dba51819717a1503569af84b4

SHA1
fefd40b10f362e9306c5e7325c823107ae672e78

SHA256
e40d1090cbc1400c99b256239440686c1fc2321fcf44bddeeb42fd206e243928

SHA512
711149a2e59f5bc18bf1a44a610c56ae33d3c3e7303936b9377084c600c10f3ae4ff69235f4cc2fd30f52d5d10d1ce2272c4818e4c36909a1a10e7e2b539b3bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{EE1ACFD9-AFA7-4B0C-A45E-C83B40746D01}.FSD

Filesize
128KB

MD5
77a194492babfc4d9181a6a2e4e0c41b

SHA1
dd47ba5f284e130eae378681ac3222707cba77db

SHA256
c6b149cec2abf55c3ba70ca69bb1e4d99525c03a23bf09659e5840967354e17c

SHA512
02e6900db540d4ad037655fc74cc6faa5cb47b57a8f1a92f44a88f2dbe9baf39652220bffe81cde6566f6a07bbcf917f71af647b9827a7830960fd0238b59f24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DJB1KT77\blhbZrtqbLg6O1K[1].doc

Filesize
857KB

MD5
9b33bc2074cc4df27de67aa3a4751207

SHA1
7f6d18d3a714e92dbb75b58216dcb01bf0e7f3dc

SHA256
303f6cb6bffb7bab41a611f99a776a07fcfda896cb344d3eb4f34461922c60b4

SHA512
e30ca2358a7e5dc4adad2b04fa33289eab853fa5a6cff1305019fd4576305caeedb2bb687065641ceeca6f00e23f638ca2806cfd58844bcc56e9136e3d39309f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8A11EDAE-D7B0-47A0-AA25-9645D6EC56A2}

Filesize
128KB

MD5
3e227976ecb45244ae9b37b55a937bd4

SHA1
a634200900a208708d830960201f53450dc49ca1

SHA256
83383da287c649cc9056af1b5ceb70059438a57124492dcc8e62cb406b20b1cf

SHA512
230e111f91c50f139eb1733419cde9fab5f12b63923246596fe54aad790f7dba00bd7bcc86a78c1b61d0cba2bc836ca4311c85d8f5a02e9082b4ba1c55fcafa8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\obigfhdsd.exe

Filesize
699KB

MD5
32317fa8ed09561ea6de5ee91c3a971d

SHA1
a1dc40e480493d39a2335963e6d0f1e6bf9fea82

SHA256
117f1bc3d9a04cc8bbc9b0f681745c480f6744ddebd5879e32a05e7c7b3c492f

SHA512
49d43a2adaa04895025cba7810bcb6b980930e20307e5d8684c89b58e23e59639ded7e6a3396c54aa0475dd9f046de617f2cb16d7cf37263a1b643f7adf274c6

Download Submit
memory/2352-97-0x0000000070FFD000-0x0000000071008000-memory.dmp

Filesize
44KB

Download
memory/2352-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2352-2-0x0000000070FFD000-0x0000000071008000-memory.dmp

Filesize
44KB

Download
memory/2352-0-0x000000002FFC1000-0x000000002FFC2000-memory.dmp

Filesize
4KB

Download
memory/2524-95-0x0000000000470000-0x0000000000482000-memory.dmp

Filesize
72KB

Download
memory/2524-94-0x0000000000D50000-0x0000000000E06000-memory.dmp

Filesize
728KB

Download
memory/2524-104-0x0000000005DC0000-0x0000000005E4E000-memory.dmp

Filesize
568KB

Download
memory/2960-105-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2960-118-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2960-116-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2960-114-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2960-113-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2960-111-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2960-109-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2960-107-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download