
Oski

Category: Threat Intel

Tactics: Initial Access, Execution, Defense Evasion, Credential Access, Command and Control, Exfiltration

Tools: VirusTotal, ANY.RUN

Scenario

The accountant at the company received an email titled "Urgent New Order" from a client late in the afternoon. When he attempted to access the attached invoice, he discovered it contained false order information. Subsequently, the SIEM solution generated an alert regarding downloading a potentially malicious file. Upon initial investigation, it was found that the PPT file might be responsible for this download. Could you please conduct a detailed examination of this file?

Questions

Q1: Determining the creation time of the malware can provide insights into its origin. What was the time of malware creation?

Search VirusTotal for the provided MD5 hash of the malware.

In the Details tab, you can find the creation time of the malware.

Q2: Identifying the command and control (C2) server that the malware communicates with can help trace back to the attacker. Which C2 server does the malware in the PPT file communicate with?

In the Community tab, you can find the C2 server.

Q3: Identifying the initial actions of the malware post-infection can provide insights into its primary objectives. What is the first library that the malware requests post-infection?

To identify this, open the full analysis of this malware (in ANY.RUN). On the right side you can see the process tree; open the details of the first process (VPN.exe).

This is the library requested right after the connection to the C2 server.

Q4: Upon examining the malware, it appears to utilize the RC4 key for decrypting a base64 string. What specific RC4 key does this malware use?

From the malware configuration tab, you can find the RC4 key used by the malware.

Q5: Identifying an adversary's techniques can aid in understanding their methods and devising countermeasures. Which MITRE ATT&CK technique are they employing to steal a user's password?

In the process details, every event of this process is categorized as Danger, Warning, or Other; the first two categories are mapped to MITRE ATT&CK techniques.

Q6: Malware may delete files left behind by the actions of its intrusion activity. Which directory does the malware target for deletion?

Look at the details of the cmd.exe process; the CmdLine field shows:

Q7: Understanding the malware's behavior post-data exfiltration can give insights into its evasion techniques. After successfully exfiltrating the user's data, how many seconds does it take for the malware to self-delete?

From the same CmdLine as in the previous question:

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\admin\AppData\Local\Temp\VPN.exe" & del "C:\ProgramData\*.dll"" & exit

This shows that the malware waits 5 seconds before deleting itself.
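The cmd.exe command line above answers both Q6 (the deletion targets) and Q7 (the delay). As an added example that is not part of the original writeup, the Python below parses process-creation command lines for the timeout-then-del pattern so a SIEM rule can extract the delay and deleted paths; the first sample line is the one observed in the analysis, the other two are constructed for comparison.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample of process-creation command lines (as a Sysmon Event ID 1 or
# EDR telemetry field would carry them). Line 0 is the observed Oski cmd.exe line,
# lines 1-2 are constructed benign/near-miss lines.
SAMPLE_CMDLINES = [
    r'"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q '
    r'"C:\Users\admin\AppData\Local\Temp\VPN.exe" & del "C:\ProgramData\*.dll"" & exit',
    r'"C:\Windows\system32\cmd.exe" /c timeout /t 30 & shutdown /r',
    r'"C:\Windows\system32\cmd.exe" /c del /q "C:\Users\admin\Downloads\old.log"',
]

# 'timeout /t N' gives the self-deletion delay in seconds.
TIMEOUT_RE = re.compile(r"\btimeout\s+/t\s+(\d+)", re.IGNORECASE)
# 'del' with optional switches followed by a quoted path or a bare token.
DEL_RE = re.compile(r"\bdel\b((?:\s+/[fqsap])*)\s+(\"[^\"]+\"|[^\s&]+)", re.IGNORECASE)


@dataclass
class SelfDeleteFinding:
    delay_seconds: Optional[int]
    deleted_paths: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        """Delayed deletion of an executable under a user-writable Temp directory."""
        return self.delay_seconds is not None and any(
            p.lower().endswith(".exe") and "\\temp\\" in p.lower()
            for p in self.deleted_paths
        )


def parse_cmdline(cmdline: str) -> SelfDeleteFinding:
    """Extract the timeout delay and every 'del' target from one command line."""
    m = TIMEOUT_RE.search(cmdline)
    delay = int(m.group(1)) if m else None
    # findall yields (switches, target) tuples; the stray trailing quote in the
    # observed line is left behind because the quoted-path alternative stops at
    # the first closing quote.
    paths = [target.strip('"') for _, target in DEL_RE.findall(cmdline)]
    return SelfDeleteFinding(delay, paths)


def flag_self_deletion(cmdlines):
    """Return (cmdline, finding) pairs that match the self-deletion pattern."""
    return [(c, f) for c in cmdlines if (f := parse_cmdline(c)).suspicious]


if __name__ == "__main__":
    for cmdline, finding in flag_self_deletion(SAMPLE_CMDLINES):
        print(f"delay={finding.delay_seconds}s deletes={finding.deleted_paths}")
```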
