Oski Lab

CyberDefenders Threat Intel Lab

Scenario

The accountant at the company received an email titled “Urgent New Order” from a client late in the afternoon. When he attempted to access the attached invoice, he discovered it contained false order information. Subsequently, the SIEM solution generated an alert regarding downloading a potentially malicious file. Upon initial investigation, it was found that the PPT file might be responsible for this download. Could you please conduct a detailed examination of this file?

Because I am downloading a file, I will be opening it in an instance of Kali, just to be safe.

Question 1

Determining the creation time of the malware can provide insights into its origin. What was the time of malware creation?

Answer 1

Using VirusTotal and looking at the details of the file gave the creation time and date: 2022-09-28 17:40:46 UTC.

Question 2

Identifying the command and control (C2) server that the malware communicates with can help trace back to the attacker. Which C2 server does the malware in the PPT file communicate with?

Answer 2

Continuing to use VirusTotal, looking at the Relations tab and seeing what the malware contacts gives the IP address of the C2 server and even the file hosted on the C2 server.

Question 3

Identifying the initial actions of the malware post-infection can provide insights into its primary objectives. What is the first library that the malware requests post-infection?

Answer 3

There is a file that is requested from the attacker's IP address: sqlite3.dll, which will more than likely be a vector for persistent access.

Question 4

By examining the provided Any.run report, what RC4 key is used by the malware to decrypt its base64-encoded string?

Answer 4

The Any.run report shows the key under the malware config header.
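The report only names the key; to make use of it you need the decoding routine itself. The following is an added example (not part of the lab or the Any.run report) that implements the base64-then-RC4 layering such stealers use for their configuration strings. The key and the encoded blobs are constructed placeholders; the real key from the malware config section and the blobs pulled from the sample would be substituted in.

```python
import base64
from typing import Iterator, List


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Yield RC4 keystream bytes for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:                                # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def decrypt_config_string(b64_blob: str, key: str) -> str:
    """Undo the stealer-style encoding: base64 on the outside, RC4 underneath."""
    ciphertext = base64.b64decode(b64_blob)
    return rc4(key.encode(), ciphertext).decode("utf-8", errors="replace")


def encrypt_config_string(plaintext: str, key: str) -> str:
    """Inverse of decrypt_config_string; used here only to build sample data."""
    return base64.b64encode(rc4(key.encode(), plaintext.encode())).decode("ascii")


def decrypt_all(blobs: List[str], key: str) -> List[str]:
    """Decode every configuration blob with the recovered key."""
    return [decrypt_config_string(b, key) for b in blobs]


# Constructed placeholders: the lab's real key and blobs come from the Any.run
# malware-config section and are not reproduced here.
SAMPLE_KEY = "example-rc4-key"
SAMPLE_PLAINTEXTS = ["sqlite3.dll", "C:\\ProgramData", "http://c2.example.invalid/"]
SAMPLE_BLOBS = [encrypt_config_string(p, SAMPLE_KEY) for p in SAMPLE_PLAINTEXTS]

if __name__ == "__main__":
    for blob, clear in zip(SAMPLE_BLOBS, decrypt_all(SAMPLE_BLOBS, SAMPLE_KEY)):
        print(f"{blob}  ->  {clear}")
```

Because RC4 is a stream cipher, a wrong key does not raise an error; it simply yields garbage, so checking that the output is printable ASCII (file names, paths, URLs) is the practical way to confirm you have the right key.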

Question 5

By examining the MITRE ATT&CK techniques displayed in the Any.run sandbox report, identify the main MITRE technique (not sub-techniques) the malware uses to steal the user’s password.

Answer 5

Looking into the MITRE ATT&CK Matrix, the malware attempts to steal passwords from web browsers, giving me the answer: T1555.

Question 6

By examining the child processes displayed in the Any.run sandbox report, which directory does the malware target for the deletion of all DLL files?

Answer 6

Looking into the child processes of VPN.exe, we can see it spawns a child process using cmd.exe, calling for it to delete all DLL files from C:\ProgramData.

Question 7

Understanding the malware’s behavior post-data exfiltration can give insights into its evasion techniques. By analyzing the child processes, after successfully exfiltrating the user’s data, how many seconds does it take for the malware to self-delete?

Answer 7

The above screenshot gives full insight into how long it takes for the malware to self-delete. It uses the /t command with the parameter 5 to self-delete after 5 seconds.
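Both the DLL wipe from Question 6 and the delayed self-deletion from Question 7 show up as cmd.exe children of the dropped executable, which makes them a good fit for a process-creation detection. The following is an added example (not the lab's material or Any.run output) that parses command lines in the shape of a sandbox process tree and flags the two behaviours. The command lines are constructed to match what the answers describe; the page does not reproduce the sample's exact command lines, so the real ones may differ in switch order or quoting.

```python
import re
from typing import Dict, List, Optional

# `del` (with optional switches) on a directory's *.dll files; group 1 is the directory.
DLL_WIPE_RE = re.compile(
    r'\bdel\b(?:\s+/[a-zA-Z])*\s+"?([A-Za-z]:\\[^"\s*]*?)\\?\*\.dll\b',
    re.IGNORECASE,
)
# `timeout /t N` followed later on the same command line by `del` of an .exe;
# group 1 is the delay in seconds.
SELF_DELETE_RE = re.compile(
    r'\btimeout\b(?:\s+/nobreak)?\s+/t\s+(\d+)\b.*?\bdel\b.*?\.exe\b',
    re.IGNORECASE | re.DOTALL,
)


def dll_wipe_directory(cmdline: str) -> Optional[str]:
    """Directory whose DLLs the command deletes, or None if it is not a DLL wipe."""
    m = DLL_WIPE_RE.search(cmdline)
    return m.group(1) if m else None


def self_delete_delay(cmdline: str) -> Optional[int]:
    """Seconds the command waits before deleting an executable, or None."""
    m = SELF_DELETE_RE.search(cmdline)
    return int(m.group(1)) if m else None


def analyse_process_tree(processes: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Walk cmd.exe entries of a process tree and report the two behaviours."""
    findings: List[Dict[str, object]] = []
    for proc in processes:
        if proc["image"].lower() != "cmd.exe":
            continue
        directory = dll_wipe_directory(proc["cmdline"])
        if directory is not None:
            findings.append({"parent": proc["parent"], "finding": "dll_wipe",
                             "directory": directory})
        delay = self_delete_delay(proc["cmdline"])
        if delay is not None:
            findings.append({"parent": proc["parent"], "finding": "self_delete",
                             "delay_seconds": delay})
    return findings


# Constructed sample tree modelled on the behaviour described in the answers.
SAMPLE_PROCESSES = [
    {"parent": "VPN.exe", "image": "cmd.exe",
     "cmdline": 'cmd.exe /c del /q /f C:\\ProgramData\\*.dll'},
    {"parent": "VPN.exe", "image": "cmd.exe",
     "cmdline": 'cmd.exe /c timeout /t 5 & del /f /q "C:\\Users\\user\\Downloads\\VPN.exe"'},
    {"parent": "explorer.exe", "image": "cmd.exe",
     "cmdline": 'cmd.exe /c echo hello'},
]

if __name__ == "__main__":
    for finding in analyse_process_tree(SAMPLE_PROCESSES):
        print(finding)
```

Keying on the parent image (the dropped VPN.exe rather than a shell or installer) keeps the rule quiet on legitimate cleanup scripts, and the returned delay value lets a responder answer the "how many seconds" question directly from telemetry rather than a screenshot.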

Lab Complete!
