Overview

overview

10

Static

static

1

31012025_0...r.docx

windows7-x64

10

31012025_0...r.docx

windows10-2004-x64

1

Analysis

  • max time kernel
    245s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    31-01-2025 08:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    31012025_0808_29012025_Payment Error.docx

  • Size

    179KB

  • MD5

    3d1c1d2836460cf9b648fafe778afc7c

  • SHA1

    a6db7abf6061052b8fad3112a8d5570cd658f773

  • SHA256

    b1e95a02dacd02c5821a7cff619f919623f222b85f27f5c60470f06f7b5eac85

  • SHA512

    d1fbfa64020f97b6d1151559efdd9a47bcb32a58220763d0c25eef8b186110c48ddceb573ebdf678254163fcc8567c4ede18ac6c7d90d4e6ed04cbf06b42b25c

  • SSDEEP

    3072:QiY5rj1ATug+mhTZMxjcFQ9csn4qAzYjDp/shKuikycBSRjR/Vx7XUgpxD:K5r/g+qZMpcFSQzYHut4dFrD

Score
10/10
vipkeyloggercollectiondiscoveryexecutionkeyloggerspywarestealer

Malware Config

Extracted

Family

vipkeylogger

Credentials

Signatures

  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    stealerkeyloggervipkeylogger
  • Vipkeylogger family
    vipkeylogger
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file 1 IoCs
  • Abuses OpenXML format to download file from external location
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Office loads VBA resources, possible macro or embedded object present
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\31012025_0808_29012025_Payment Error.docx"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1292
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:484
    • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
      "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
      1⤵
      • Blocklisted process makes network request
      • Downloads MZ/PE file
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Launches Equation Editor
      • Suspicious use of WriteProcessMemory
      PID:2788
      • C:\Users\Admin\AppData\Roaming\chromeobis.exe
        "C:\Users\Admin\AppData\Roaming\chromeobis.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2340
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\chromeobis.exe"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2312
        • C:\Users\Admin\AppData\Roaming\chromeobis.exe
          "C:\Users\Admin\AppData\Roaming\chromeobis.exe"
          3⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:2200

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
      Filesize

      1KB

      MD5

      c9be626e9715952e9b70f92f912b9787

      SHA1

      aa2e946d9ad9027172d0d321917942b7562d6abe

      SHA256

      c13e8d22800c200915f87f71c31185053e4e60ca25de2e41e160e09cd2d815d4

      SHA512

      7581b7c593785380e9db3ae760af85c1a889f607a3cd2aa5a2695a0e5a0fe8ee751578e88f7d8c997faeda804e2fc2655d859bee2832eace526ed4379edaa3f5

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
      Filesize

      436B

      MD5

      971c514f84bba0785f80aa1c23edfd79

      SHA1

      732acea710a87530c6b08ecdf32a110d254a54c8

      SHA256

      f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

      SHA512

      43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
      Filesize

      174B

      MD5

      d2d700f65c527764a320c1236be5301a

      SHA1

      1469cf3f3cef10dc2dd2169c364154a68332aaa4

      SHA256

      1503400232c854f55343f319236bef6493efdd0c9b882861e364d2684a920990

      SHA512

      8f78d405141b846b1086ef55902360628b0ec09c8f6389c16b55f085c54f5d95076e180d6167accd177024f87fb82ee162cef2542f0df29392e80a768c44d7bf

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
      Filesize

      170B

      MD5

      615275e4d7a051e08de5fc10a9d04e84

      SHA1

      c161328ac7b3705c84527aa3dae13f31b48a8f2c

      SHA256

      51e7623c3eb8115ca0471067674514fb76be0fca1b138efeb399775c244f5844

      SHA512

      1663f3702e44901b40242ffcd767f8e22c09e5845ba4a686f2f1d4addef7bb877e1a91b37899ebd09f60dd8896ebdee36a6325cfe4e7244c65b806751e43dd9b

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD
      Filesize

      128KB

      MD5

      b30296a1206c21539d9191d8a3ee8eac

      SHA1

      0510a5c081da8ee58da341077491f21b384cca2f

      SHA256

      6c457674bebc1fa6b4a635c40766931f3356569c03577d3de37482f50e3c724f

      SHA512

      345723ad76c5d6129ec6995652780b7bdbc2fee3d963eb06b0b29848497d4be07476928a781694574b775397e5999ea824cb94c83ff84d8e256f06b239beb7da

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{5862D662-0348-467E-AC71-29826306C9FA}.FSD
      Filesize

      128KB

      MD5

      4999ecc7ba46b36b0a0cb247ddba638d

      SHA1

      884ec7353ddfcd68a99b0b64a7d0eacc25650292

      SHA256

      26800840a1171b226b60444fcdf131b6dff4defe875236ce15c7bb3489721012

      SHA512

      94fbeae93c41741bc4fbbad7c6e5eed4fb527e739ca91286a94c6e6e3a3439dd1763c377a02ee981801180631b87e28ae9b10ab75812aa31b01a02ac2d37d216

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSD-CNRY.FSD
      Filesize

      128KB

      MD5

      10e5be962d350a891d334eec8bc23216

      SHA1

      0fbfa8313da9f75ffa9fe1d670e727300a2bbf0f

      SHA256

      223bd869de91bcf4c7f8d5145fc0c2afab455e0bce766ec33bdfa02e55d5c6a7

      SHA512

      6e079092cfe0bf5634bafeadf103dde2135af80f2ef1068cbacee8f9527163ba594372fd8852d47b487031c0caef316bcd17b357d7f027ca60223c78ca1257bd

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DJB1KT77\zxcobizxc[1].dot
      Filesize

      469KB

      MD5

      0dbe0f99c69a2dbd0ec15c5199d73762

      SHA1

      4da131dcff2a5fd63eddf9b1742bd49b1fe08802

      SHA256

      f66ddd8a7bd34537428e518c38601da74769f6adf9ec7f671dd0195e2499d37a

      SHA512

      b04d315b61f13791af612ca58f6cd93b6fde0989bf9697d6cfa5491e841327acaf795fff45f60a9f860e8c4ebf8066ffe2242c4f0f5da20b6f96c193c82dd0c3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab9E13.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\{8698084D-0BFB-40A5-8C13-0DFA4A0C0078}
      Filesize

      128KB

      MD5

      18f0d48ab5732cc9890b6fb31402602c

      SHA1

      9ccfb97c3a877f69c6368b2767bf860b2f15df37

      SHA256

      7fd893b07359151f29c67319d24b9a29d829ff1662919d73498a00572b3ca0fe

      SHA512

      8a7fc954333e6a6a42fc2098bb109bd6090053595c294ca76dedfe1370e6ddfe5f25d966ad982bd8e5cc5ce6533822088c742f3997ab69810894c58c03dca7e1

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
      Filesize

      386B

      MD5

      815e6993831763b814e81318186bb45e

      SHA1

      22e2ee61fcc18d5b0e20dbe39fe30b8c57a87a4e

      SHA256

      a79cc60d958508d15faeb2f6b824c6a7144384a76c5d5dbe33aa46078e42a5fc

      SHA512

      0793b52daa706aea66dbedf3d8f746716de0db72815abcdaaef5bb8e561aeb3020f6cc8b4e2db23657d07ebcb2e610aafe0ba89afcb394809af9c816b82f6dd5

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
      Filesize

      2B

      MD5

      f3b25701fe362ec84616a93a45ce9998

      SHA1

      d62636d8caec13f04e28442a0a6fa1afeb024bbb

      SHA256

      b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

      SHA512

      98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

      Download Submit

    • \Users\Admin\AppData\Roaming\chromeobis.exe
      Filesize

      831KB

      MD5

      369757029e8723ec3a3ba3958dfc24aa

      SHA1

      a437d0724b5a19d32e14fd66d22e57d0bfb827bf

      SHA256

      1d54834821491b661251a122639f9b741f97a9eca55289ed4f3b226d0c770882

      SHA512

      5e51840b5cc43806ab35be1a03e029cb15fd818b922eac5ea3d578bf3c08211a3d175d9372c25a70e4436f90a6a9847d85dcffe1aaa6da811f53eb58699fd6f6

      Download Submit

    • memory/1292-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1292-0-0x000000002F651000-0x000000002F652000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1292-2-0x000000007181D000-0x0000000071828000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1292-128-0x000000007181D000-0x0000000071828000-memory.dmp

      Filesize

      44KB

      Download

    • memory/2200-143-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

      Download

    • memory/2200-130-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

      Download

    • memory/2200-141-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

      Download

    • memory/2200-136-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

      Download

    • memory/2200-135-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

      Download

    • memory/2200-139-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

      Download

    • memory/2200-138-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2200-132-0x0000000000400000-0x0000000000448000-memory.dmp

      Filesize

      288KB

      Download

    • memory/2340-121-0x0000000000970000-0x000000000098E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2340-120-0x0000000005590000-0x000000000565A000-memory.dmp

      Filesize

      808KB

      Download

    • memory/2340-129-0x0000000000A10000-0x0000000000A9E000-memory.dmp

      Filesize

      568KB

      Download

    • memory/2340-118-0x0000000001190000-0x0000000001264000-memory.dmp

      Filesize

      848KB

      Download