vipkeylogger | 27a37162f8f0baf5fe161825f8108f1f3e20bada83c2be08fe9919c60e4727b8

Analysis

max time kernel
248s
max time network
132s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
15-11-2024 05:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15112024_0541_14112024_Bank Swift Copy.docx
Size

459KB
MD5

3f9ae2b975cec92e0402d614cd2391a5
SHA1

43d41944021358bee6b6b48594d9c3f54fbaecd5
SHA256

27a37162f8f0baf5fe161825f8108f1f3e20bada83c2be08fe9919c60e4727b8
SHA512

1a14966056b58e84438309a1dea5ed4d5a6036b76cde5b0baec395d87bcfb2edf596bf9c201c0310847972f89c04c866f2008e938791b233ffb7042365222771
SSDEEP

6144:drlcbR5HastSFXbqUAbqUAbqUvyLE8IIIIIW0ru0rqme6eeCe9vCeXhdwt9tmYL+:RARtUVhpr/rqIXg9mrm9Bt2mhW8G0Y1Z

Score

10^/10

vipkeylogger collection discovery execution keylogger spyware stealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.jhxkgroup.online
Port:
587
Username:
[email protected]
Password:
7213575aceACE@@
Email To:
[email protected]

Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	1952	EQNEDT32.EXE

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2492	powershell.exe

Downloads MZ/PE file
Abuses OpenXML format to download file from external location

Executes dropped EXE 2 IoCs

pid	Process
2116	obigfdsdfgh.exe
2300	obigfdsdfgh.exe

Loads dropped DLL 2 IoCs

pid	Process
1952	EQNEDT32.EXE
1952	EQNEDT32.EXE

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	obigfdsdfgh.exe
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	obigfdsdfgh.exe
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	obigfdsdfgh.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	checkip.dyndns.org

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2116 set thread context of 2300	2116	obigfdsdfgh.exe	38

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	obigfdsdfgh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	obigfdsdfgh.exe

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

pid	Process
1952	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2816	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2300	obigfdsdfgh.exe
2492	powershell.exe
2300	obigfdsdfgh.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2300	obigfdsdfgh.exe
Token: SeDebugPrivilege	2492	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2816	WINWORD.EXE
2816	WINWORD.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 2116	1952	EQNEDT32.EXE	32
PID 1952 wrote to memory of 2116	1952	EQNEDT32.EXE	32
PID 1952 wrote to memory of 2116	1952	EQNEDT32.EXE	32
PID 1952 wrote to memory of 2116	1952	EQNEDT32.EXE	32
PID 2816 wrote to memory of 2648	2816	WINWORD.EXE	34
PID 2816 wrote to memory of 2648	2816	WINWORD.EXE	34
PID 2816 wrote to memory of 2648	2816	WINWORD.EXE	34
PID 2816 wrote to memory of 2648	2816	WINWORD.EXE	34
PID 2116 wrote to memory of 2492	2116	obigfdsdfgh.exe	36
PID 2116 wrote to memory of 2492	2116	obigfdsdfgh.exe	36
PID 2116 wrote to memory of 2492	2116	obigfdsdfgh.exe	36
PID 2116 wrote to memory of 2492	2116	obigfdsdfgh.exe	36
PID 2116 wrote to memory of 2300	2116	obigfdsdfgh.exe	38
PID 2116 wrote to memory of 2300	2116	obigfdsdfgh.exe	38
PID 2116 wrote to memory of 2300	2116	obigfdsdfgh.exe	38
PID 2116 wrote to memory of 2300	2116	obigfdsdfgh.exe	38
PID 2116 wrote to memory of 2300	2116	obigfdsdfgh.exe	38
PID 2116 wrote to memory of 2300	2116	obigfdsdfgh.exe	38
PID 2116 wrote to memory of 2300	2116	obigfdsdfgh.exe	38
PID 2116 wrote to memory of 2300	2116	obigfdsdfgh.exe	38
PID 2116 wrote to memory of 2300	2116	obigfdsdfgh.exe	38

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	obigfdsdfgh.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	obigfdsdfgh.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\15112024_0541_14112024_Bank Swift Copy.docx"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2648

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe
  "C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2492
- - C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe
    "C:\Users\Admin\AppData\Roaming\obigfdsdfgh.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{99A3832B-D88F-4D63-BF34-2E5F6BE16DFA}.FSD

Filesize
128KB

MD5
e4979585521031bc78a7e820ae9d2ff7

SHA1
38a602ee1c15de97025731d5ff751f72843fb297

SHA256
89c6e02cc866bce26cef70c0ad0349d09e8338f8939dd79f53581a6ad54f4ba2

SHA512
e9d9429b9a4fc1d52ed3948afe77bf533f3ce7c120a8e28a85c6cf3517db424cd52820e45671ac8339f274d10661880a5c4b8d9d9d608e272d382e5eea19b81e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
cf7b59f4cfe306099ec63fa8acf7e862

SHA1
cebdfa2ca9cdfc1604c2bbd152ec165c3dd96b93

SHA256
8d2e58de017a26eb40bc379962c2fbacae1231cff3fded4066211c0c1e55b641

SHA512
7b0b3da9ed9be361a859b698d22bcbe5f55a56c61cfe1a2d0603857c87ce79fc2fdc408833e95567172a8fede93a72d892664b638536eb9db55c638dd7e28647

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{FBD1E75F-80E2-478B-AB08-DDFAC3FD3AA9}.FSD

Filesize
128KB

MD5
94d2412f0fe54cb2868527500428dfd3

SHA1
39c11ba3e16f247512bd884e1c71d4c648c3a4b3

SHA256
235a4df8b47abf71d5d9ccd98bf58cae70aa50bde1ffdc379751d8931d47daf5

SHA512
b96e43eb2554b18425e730b47fdf5f6225c1a7ba5a1100084a7369e0fdbf99bba58c31b718a420e8790e8a443239faa351e22a7e9a74366db696a2066a322f64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9GP4P3HF\xXdquUOrM1vD3An[1].doc

Filesize
799KB

MD5
2087de574fefae441db7ced132da6407

SHA1
6d8b4083d71075be31068808232805ea486f77d8

SHA256
dc8ae41681fdf19abcf62b27b3d8359c32ba6f20bee1e24b7ce9b37d4faebe8b

SHA512
02ead1047af13379ee161c25e1db2c83033daf752629159b9c5836ed0c1d5f6436da73299d920cc10cefe6d4edd3272266d9b4f2088225bc434a53c20ba43ce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{015AF40C-CF62-45FA-B21F-816992567E42}

Filesize
128KB

MD5
69c8c8df46610a7b38765f2c63dad3e1

SHA1
a55b65ba8ce0ed420b3477979e1475eabe9d4f12

SHA256
2eb7ba69c1d93b94bf61859d95bbb821ef588bc10ce4aff00988a539f788754f

SHA512
c036af51c778738bb8e46da65ac6001d5ca3c7198482bd59522fa82c8e481de59fb2feb72ac8c824825ef22bb001bc1f022b0c9366629b940cc744c311376983

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Roaming\obigfdsdfgh.exe

Filesize
692KB

MD5
66ff1390c2cb8e18a5ed550f8dce6a34

SHA1
17f102c8ec11b0435b158ed898f9d95f2cd31638

SHA256
bc4f57934371fb9a46fe4ca5166ab1a4e16d523c4a43c28e4a7eded85839166b

SHA512
ae1c0e214b31d4613e74b4c59f2d670cf32a039c2eb0cf92a1c2b71a652c436c891a3abc52a1ea80ef4c7cff1cf009ccc2149cb2765ed596b48e8f84cee242fd

Download Submit
memory/2116-107-0x0000000004F20000-0x0000000004FAE000-memory.dmp

Filesize
568KB

Download
memory/2116-106-0x0000000000470000-0x0000000000482000-memory.dmp

Filesize
72KB

Download
memory/2116-97-0x0000000000DB0000-0x0000000000E62000-memory.dmp

Filesize
712KB

Download
memory/2300-120-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2300-108-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2300-119-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2300-117-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2300-116-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2300-114-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2300-112-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2300-110-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2816-99-0x000000007317D000-0x0000000073188000-memory.dmp

Filesize
44KB

Download
memory/2816-2-0x000000007317D000-0x0000000073188000-memory.dmp

Filesize
44KB

Download
memory/2816-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2816-0-0x000000002F501000-0x000000002F502000-memory.dmp

Filesize
4KB

Download