Automated Malware Analysis Report For
ID: 401458
Sample Name: 25aabd25_by_Libranalysis.docm
Cookbook: defaultwindowsofficecookbook.jbs
Time: 17:06:17
Date: 30/04/2021
Version: 32.0.0 Black Diamond

Table of Contents

Table of Contents 2
Analysis Report 25aabd25_by_Libranalysis.docm 5
Overview 5
General Information 5
Detection 5
Signatures 5
Classification 5
Startup 5
Malware Configuration 5
Yara Overview 5
Sigma Overview 5
System Summary: 5
Signature Overview 5
AV Detection: 6
Software Vulnerabilities: 6
System Summary: 6
Data Obfuscation: 6
Mitre Att&ck Matrix 6
Behavior Graph 7
Screenshots 7
Thumbnails 7
Antivirus, Machine Learning and Genetic Malware Detection 8
Initial Sample 8
Dropped Files 8
Unpacked PE Files 8
Domains 8
URLs 8
Domains and IPs 10
Contacted Domains 10
Contacted URLs 10
URLs from Memory and Binaries 10
Contacted IPs 13
Public 14
Private 14
General Information 14
Simulations 15
Behavior and APIs 16
Joe Sandbox View / Context 16
IPs 16
Domains 16
ASN 16
JA3 Fingerprints 16
Dropped Files 16
Created / dropped Files 17
Static File Info 20
General 20
File Icon 20
Static OLE Info 21
General 21
OLE File "/opt/package/joesandbox/database/analysis/401458/sample/25aabd25_by_Libranalysis.docm" 21
Indicators 21
Summary 21
Document Summary 21
Streams with VBA 21
VBA File Name: ThisDocument.cls, Stream Size: 1307 21
General 21
VBA Code Keywords 22
Copyright Joe Security LLC 2021 Page 2 of 49
VBA Code 22
VBA File Name: arrayCopy.cls, Stream Size: 1490 22
General 22
VBA Code Keywords 22
VBA Code 23
VBA File Name: bufferTmpRequest.bas, Stream Size: 2002 23
General 23
VBA Code Keywords 23
VBA Code 23
VBA File Name: frm.frm, Stream Size: 1661 23
General 23
VBA Code Keywords 23
VBA Code 24
VBA File Name: indexPasteConvert.bas, Stream Size: 8002 24
General 24
VBA Code Keywords 24
VBA Code 26
Streams 26
Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 627 26
General 26
Stream Path: PROJECTwm, File Type: data, Stream Size: 188 26
General 26
Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 4406 26
General 26
Stream Path: VBA/__SRP_0, File Type: data, Stream Size: 2428 26
General 26
Stream Path: VBA/__SRP_1, File Type: data, Stream Size: 206 27
General 27
Stream Path: VBA/__SRP_2, File Type: data, Stream Size: 532 27
General 27
Stream Path: VBA/__SRP_3, File Type: data, Stream Size: 156 27
General 27
Stream Path: VBA/dir, File Type: SVR2 executable (Amdahl-UTS) not stripped - version 8520192, Stream Size: 1117 27
General 27
Stream Path: frm/\x1CompObj, File Type: data, Stream Size: 97 28
General 28
Stream Path: frm/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 286 28
General 28
Stream Path: frm/f, File Type: data, Stream Size: 90 28
General 28
Stream Path: frm/o, File Type: data, Stream Size: 44 28
General 28
Network Behavior 29
Network Port Distribution 29
TCP Packets 29
UDP Packets 29
DNS Queries 31
DNS Answers 31
HTTP Request Dependency Graph 31
HTTP Packets 31
Code Manipulations 31
Statistics 31
Behavior 31
System Behavior 32
Analysis Process: WINWORD.EXE PID: 6116 Parent PID: 792 32
General 32
File Activities 32
File Created 32
File Deleted 33
File Written 33
File Read 41
Registry Activities 41
Key Created 41
Key Value Created 42
Key Value Modified 45
Analysis Process: explorer.exe PID: 6048 Parent PID: 6116 47
General 47
File Activities 47
File Created 47
Analysis Process: explorer.exe PID: 5316 Parent PID: 792 47
General 47
Registry Activities 47
Analysis Process: mshta.exe PID: 4804 Parent PID: 5316 48
General 48
File Activities 48
File Deleted 48
Registry Activities 48
Analysis Process: regsvr32.exe PID: 4864 Parent PID: 4804 48
General 48
File Activities 49
File Read 49
Disassembly 49
Code Analysis 49

Analysis Report 25aabd25_by_Libranalysis.docm

Overview

General Information

Sample Name: 25aabd25_by_Libranalysis.docm
Analysis ID: 401458
MD5: 25aabd2540a1f7b…
SHA1: 85f6b809a81a361…
SHA256: efb29655c57e8dc…
Infos:
Most interesting Screenshot:

Detection

Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Verdict scale: malicious / suspicious / clean

Signatures

Multi AV Scanner detection for subm…
Office document tries to convince vi…
Sigma detected: Register DLL with s…
Document contains an embedded VB…
Document contains an embedded VB…
Document exploit detected (process…
Machine Learning detection for samp…
Contains capabilities to detect virtua…
Creates a process in suspended mo…
Document contains an embedded VB…
Document contains an embedded VB…
Document contains embedded VBA …
Document contains no OLE stream …
Document has an unknown applicati…
Monitors certain registry keys / valu…
Potential document exploit detected…
Potential document exploit detected…
Potential document exploit detected…
Queries the volume information (nam…
Searches for the Microsoft Outlook f…
Tries to load missing DLLs
Uses a known web browser user age…
Uses code obfuscation techniques (…

Classification

Classification chart categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware

Startup

System is w10x64
WINWORD.EXE (PID: 6116 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)
explorer.exe (PID: 6048 cmdline: explorer c:\users\public\valuePasteList.hta MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
explorer.exe (PID: 5316 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)
mshta.exe (PID: 4804 cmdline: 'C:\Windows\SysWOW64\mshta.exe' 'C:\Users\Public\valuePasteList.hta' {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} MD5: 7083239CE743FDB68DFC933B7308E80A)
regsvr32.exe (PID: 4864 cmdline: 'C:\Windows\System32\regsvr32.exe' c:\users\public\valuePasteList.jpg MD5: 426E7499F6A7346F0410DEAD0805586B)
cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:
Sigma detected: Register DLL with spoofed extension

Signature Overview

• AV Detection
• Compliance
• Software Vulnerabilities
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

AV Detection:
Multi AV Scanner detection for submitted file
Machine Learning detection for sample

Software Vulnerabilities:
Document exploit detected (process start blacklist hit)

System Summary:
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Document contains an embedded VBA macro with suspicious strings

Data Obfuscation:
Document contains an embedded VBA with many string operations indicating source code obfuscation

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects
---------------|-----------|-------------|----------------------|-----------------|-------------------|-----------|------------------|------------|--------------|---------------------|----------------
Valid Accounts | Scripting 2 2 | DLL Side-Loading 1 | Process Injection 1 2 | Masquerading 1 | OS Credential Dumping | Query Registry 1 | Remote Services | Email Collection 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication
Default Accounts | Exploitation for Client Execution 1 3 | Boot or Logon Initialization Scripts | DLL Side-Loading 1 | Disable or Modify Tools 1 | LSASS Memory | Security Software Discovery 1 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Application Layer Protocol 2 | Exploit SS7 to Redirect Phone Calls/SMS
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 1 | Security Account Manager | Virtualization/Sandbox Evasion 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol 1 2 | Exploit SS7 to Track Device Location
Local | At (Windows) | Logon Script | Logon Script