Oski

Lab Link

Category: Threat Intel

Tactics: Initial Access Execution Defense Evasion Credential Access Command and Control Exfiltration

Tools: VirusTotal ANY.RUN

Scenario

The accountant at the company received an email titled "Urgent New Order" from a client late in the afternoon. When he attempted to access the attached invoice, he discovered it contained false order information. Subsequently, the SIEM solution generated an alert regarding downloading a potentially malicious file. Upon initial investigation, it was found that the PPT file might be responsible for this download. Could you please conduct a detailed examination of this file?

Questions

Q1: Determining the creation time of the malware can provide insights into its origin. What was the time of malware creation?

Let's search with the provided malware MD5 hash in VirusTotal

in the details tab, you can find the creation time of the malware.

Q2: Identifying the command and control (C2) server that the malware communicates with can help trace back to the attacker. Which C2 server does the malware in the PPT file communicate with?

in the community tab, you can find the C2 server.

Q3: Identifying the initial actions of the malware post-infection can provide insights into its primary objectives. What is the first library that the malware requests post-infection?

to identify this, open ANY.RUN full analysis of this malware, on the right side you can see the processes, So let's see the first process(VPN.exe) details

This is the library requested right after the connection to the C2 server.

Q4: Upon examining the malware, it appears to utilize the RC4 key for decrypting a base64 string. What specific RC4 key does this malware use?

from the malware configuration tab, you can find the RC4 key used by the malware

Q5: Identifying an adversary's techniques can aid in understanding their methods and devising countermeasures. Which MITRE ATT&CK technique are they employing to steal a user's password?

In the process details you can find each detail of this process categorized to ( danger- warning- others), the first 2 categories are mapped to MITRE ATTACK

Q6: Malware may delete files left behind by the actions of its intrusion activity. Which directory does the malware target for deletion?

looking at the details of the cmd.exe process, the CmdLine:

Q7: Understanding the malware's behavior post-data exfiltration can give insights into its evasion techniques. After successfully exfiltrating the user's data, how many seconds does it take for the malware to self-delete?

from the same CmdLine in the previous question:

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\admin\AppData\Local\Temp\VPN.exe" & del "C:\ProgramData\*.dll"" & exit

it is shown that the malware waits 5 seconds before it delete itself.

PreviousWebStrike NextYellow RAT

Last updated 8 months ago

hashtagLab Linkarrow-up-right

hashtagScenario

hashtagQuestions

hashtagQ1: Determining the creation time of the malware can provide insights into its origin. What was the time of malware creation?

hashtagQ2: Identifying the command and control (C2) server that the malware communicates with can help trace back to the attacker. Which C2 server does the malware in the PPT file communicate with?

hashtagQ3: Identifying the initial actions of the malware post-infection can provide insights into its primary objectives. What is the first library that the malware requests post-infection?

hashtagQ4: Upon examining the malware, it appears to utilize the RC4 key for decrypting a base64 string. What specific RC4 key does this malware use?

hashtagQ5: Identifying an adversary's techniques can aid in understanding their methods and devising countermeasures. Which MITRE ATT&CK technique are they employing to steal a user's password?

hashtagQ6: Malware may delete files left behind by the actions of its intrusion activity. Which directory does the malware target for deletion?

hashtagQ7: Understanding the malware's behavior post-data exfiltration can give insights into its evasion techniques. After successfully exfiltrating the user's data, how many seconds does it take for the malware to self-delete?