vipkeylogger | aca3d8614954a35938653f8a26effa4f96952d8227222ca57dda6ab7cd607424

Analysis

max time kernel
130s
max time network
138s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-11-2024 10:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SOA.docx
Size

459KB
MD5

d2d23ccc53607370c926fe786f92c75b
SHA1

8a84a9083d5b1e26fb9d0374efec7b259a3d059b
SHA256

aca3d8614954a35938653f8a26effa4f96952d8227222ca57dda6ab7cd607424
SHA512

2a38f263819d6350fdcc7e12345d68dbb6745eedef50ac261b488f73e534e0cc568c0d7dd909ca1bc438e436a9148aaf0f38f86792d8a92c174faef37e4396ca
SSDEEP

6144:hdlcbR5HastSFXbqUAbqUAbqUvyLE8IIIIIW0ru0rqme6eeCe9vCeXhdYp9tmYL2:zARtUVhpr/rqIXM9mrm9Bt2mhW8G0Yf

Score

10^/10

vipkeylogger collection discovery execution keylogger spyware stealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Protocol: smtp
Host:
mail.covid19support.top
Port:
587
Username:
[email protected]
Password:
7213575aceACE@@
Email To:
[email protected]

Signatures

VIPKeylogger
VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.
stealer keylogger vipkeylogger
Vipkeylogger family
vipkeylogger

Blocklisted process makes network request 1 IoCs

Processes:

EQNEDT32.EXE

flow	pid	Process
7	2584	EQNEDT32.EXE

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
1724	powershell.exe

Downloads MZ/PE file
Abuses OpenXML format to download file from external location

Executes dropped EXE 3 IoCs

Processes:

wealthcharliebgk.exewealthcharliebgk.exewealthcharliebgk.exe

pid	Process
2008	wealthcharliebgk.exe
2184	wealthcharliebgk.exe
2268	wealthcharliebgk.exe

Loads dropped DLL 1 IoCs

Processes:

EQNEDT32.EXE

pid	Process
2584	EQNEDT32.EXE

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

wealthcharliebgk.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wealthcharliebgk.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wealthcharliebgk.exe
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wealthcharliebgk.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
8	checkip.dyndns.org

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

wealthcharliebgk.exe

description	pid	Process	procid_target
PID 2008 set thread context of 2268	2008	wealthcharliebgk.exe	38

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

WINWORD.EXEEQNEDT32.EXEwealthcharliebgk.exewealthcharliebgk.exepowershell.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQNEDT32.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wealthcharliebgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wealthcharliebgk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Office loads VBA resources, possible macro or embedded object present

Launches Equation Editor 1 TTPs 1 IoCs

Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

exploit

Exploitation for Client Execution

T1203

Processes:

EQNEDT32.EXE

pid	Process
2584	EQNEDT32.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid	Process
2516	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

wealthcharliebgk.exewealthcharliebgk.exepowershell.exe

pid	Process
2008	wealthcharliebgk.exe
2008	wealthcharliebgk.exe
2268	wealthcharliebgk.exe
1724	powershell.exe
2268	wealthcharliebgk.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

wealthcharliebgk.exewealthcharliebgk.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	2008	wealthcharliebgk.exe
Token: SeDebugPrivilege	2268	wealthcharliebgk.exe
Token: SeDebugPrivilege	1724	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid	Process
2516	WINWORD.EXE
2516	WINWORD.EXE

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

EQNEDT32.EXEWINWORD.EXEwealthcharliebgk.exe

description	pid	Process	procid_target
PID 2584 wrote to memory of 2008	2584	EQNEDT32.EXE	33
PID 2584 wrote to memory of 2008	2584	EQNEDT32.EXE	33
PID 2584 wrote to memory of 2008	2584	EQNEDT32.EXE	33
PID 2584 wrote to memory of 2008	2584	EQNEDT32.EXE	33
PID 2516 wrote to memory of 1340	2516	WINWORD.EXE	35
PID 2516 wrote to memory of 1340	2516	WINWORD.EXE	35
PID 2516 wrote to memory of 1340	2516	WINWORD.EXE	35
PID 2516 wrote to memory of 1340	2516	WINWORD.EXE	35
PID 2008 wrote to memory of 1724	2008	wealthcharliebgk.exe	36
PID 2008 wrote to memory of 1724	2008	wealthcharliebgk.exe	36
PID 2008 wrote to memory of 1724	2008	wealthcharliebgk.exe	36
PID 2008 wrote to memory of 1724	2008	wealthcharliebgk.exe	36
PID 2008 wrote to memory of 2184	2008	wealthcharliebgk.exe	37
PID 2008 wrote to memory of 2184	2008	wealthcharliebgk.exe	37
PID 2008 wrote to memory of 2184	2008	wealthcharliebgk.exe	37
PID 2008 wrote to memory of 2184	2008	wealthcharliebgk.exe	37
PID 2008 wrote to memory of 2268	2008	wealthcharliebgk.exe	38
PID 2008 wrote to memory of 2268	2008	wealthcharliebgk.exe	38
PID 2008 wrote to memory of 2268	2008	wealthcharliebgk.exe	38
PID 2008 wrote to memory of 2268	2008	wealthcharliebgk.exe	38
PID 2008 wrote to memory of 2268	2008	wealthcharliebgk.exe	38
PID 2008 wrote to memory of 2268	2008	wealthcharliebgk.exe	38
PID 2008 wrote to memory of 2268	2008	wealthcharliebgk.exe	38
PID 2008 wrote to memory of 2268	2008	wealthcharliebgk.exe	38
PID 2008 wrote to memory of 2268	2008	wealthcharliebgk.exe	38

outlook_office_path 1 IoCs

Processes:

wealthcharliebgk.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wealthcharliebgk.exe

outlook_win_path 1 IoCs

Processes:

wealthcharliebgk.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wealthcharliebgk.exe

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\SOA.docx"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1340

C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
1⤵
- Blocklisted process makes network request
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Users\Admin\AppData\Roaming\wealthcharliebgk.exe
  "C:\Users\Admin\AppData\Roaming\wealthcharliebgk.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wealthcharliebgk.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1724
- - C:\Users\Admin\AppData\Roaming\wealthcharliebgk.exe
    "C:\Users\Admin\AppData\Roaming\wealthcharliebgk.exe"
    3⤵
    - Executes dropped EXE
    PID:2184
- - C:\Users\Admin\AppData\Roaming\wealthcharliebgk.exe
    "C:\Users\Admin\AppData\Roaming\wealthcharliebgk.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Exploitation for Client Execution

T1203

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{2AA0704C-20E7-45C1-8506-5104CC81FB60}.FSD

Filesize
128KB

MD5
8114c8fdb9cc8575e32530b20d15354b

SHA1
77b0c9cfde51847abb88e476859a5f42c78537d3

SHA256
383362731b1160daeeb169aca62bf85d27c0b5586e12441e3caec2af79b445e7

SHA512
3c13933be958f25ee5d9bef349b3c767d5f713905776e07237c710edde9f2ba03b7b553bbeab1670e1d9559e3e30f566ec34b8187fa7818114eca2fab39079e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD

Filesize
128KB

MD5
c50a94be20e3e0aeb4d0931050439d13

SHA1
39aea92887f436c7cf634491c7d6713eb3bda49a

SHA256
76974f7e379d150f2f5520d39cb527caa6f947679c745a9a169993d3b7208fdb

SHA512
baec33f42d405e2e3d354e1d1fad35f743bf72c926889e304d7839c857415cf948fae8c1103d854e9735e98631b6aabfd63caad9e8b9458a4519ec42011a6be3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-{92DF82AF-9A28-4BF8-AB2A-28FF581A7266}.FSD

Filesize
128KB

MD5
d6bc9ba56f25aca285168aa0f3d963aa

SHA1
33fffaae5657fef87469bca3154e6e17c620eb46

SHA256
1d05eab0bfef2f416c067dc8e0a8849868ab515346e211f44fe4b5ba106e82aa

SHA512
6a94d25a15182c70ca25efb973468c9817da3a46bfec3af899f44d6563e25dfcedd3f2a3937df024f46bc5c4d1972345cc75964193fc2e1806410cb5ece2d4e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8170FA6F.wiz

Filesize
408KB

MD5
f6e89e6c3ab17d8d58699ccefeaf3c8d

SHA1
86c245d0a2ef138aa7afca6bb43316e251b07c68

SHA256
32f5bf26d32b42212ada3e88017ad037c6c84f760a64585252576d893a00ff5f

SHA512
ab3a82dcd600c7169da373101593480a1ef8e82b2d339b5367f0e2b118f23ec3eb591a3e269de3f5d8b0e0843ec4574b33c5f98e0344c4be38a26c25caccb4b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\{02E24AE5-DF47-4BB6-9741-59A775E49ACD}

Filesize
128KB

MD5
09b644d513f686af81f013633546e03b

SHA1
dc275d68a232487c24f62d8e6de23fd44e1780b5

SHA256
fb448d7b28933c14608973488e24216a296d6fc76618a708b5bfbf17dd7f6904

SHA512
797a75a3f9a45d881d0872f555498f86e8681d224d8704ab73011547d8454501eeb5fef17c98fb78a1521d5ec8753f044da769473804d4c3cd7a09e5349a1508

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
450B

MD5
7ccc6a3b8e748af2b1eac1e42c80a20a

SHA1
6efd9edfe0838ce37358157174c138ecf7928b33

SHA256
c25a30394caade75bd72cd72a88fa505739b437ba87b106723ac1e46a893541b

SHA512
7275b6ea968e55494c5b313cb739dc3239b4ee9ddc52ec2dabbe03ff94faa9be2712f8eb14f3054c5b62ed8b910200a3657493966c2eaaa6a466ded82ff837f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Roaming\wealthcharliebgk.exe

Filesize
817KB

MD5
9d980cad65d26d5e36bd306044b26ac9

SHA1
80e09457252563a7ec99095364fd1a9fb3d3f27d

SHA256
a460050185c6df524792697a1b751a2fb309939e5a34d135459d4a6dbbd66ee0

SHA512
887fa68f650484950edff6c562f24491b286f10806a0aaeb9163076866d878e6b0d54f2b1b2fbc8efff98f65451eeeaaa4914c7f86b57fbbd7775bdd571f2728

Download Submit
memory/2008-94-0x0000000001070000-0x0000000001142000-memory.dmp

Filesize
840KB

Download
memory/2008-103-0x0000000000590000-0x00000000005A2000-memory.dmp

Filesize
72KB

Download
memory/2008-104-0x0000000005240000-0x00000000052CE000-memory.dmp

Filesize
568KB

Download
memory/2268-114-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2268-115-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2268-118-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2268-117-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2268-112-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2268-110-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2268-108-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2268-106-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2516-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2516-96-0x000000007124D000-0x0000000071258000-memory.dmp

Filesize
44KB

Download
memory/2516-0-0x000000002F261000-0x000000002F262000-memory.dmp

Filesize
4KB

Download
memory/2516-2-0x000000007124D000-0x0000000071258000-memory.dmp

Filesize
44KB

Download