Picking up where we left off in the previous post, we're going to start off by executing the DLL. Based on the export function we saw in PEStudio, we'll pass the "DllRegisterServer" as the parameter in the command line to execute it.
Upon executing it, we observe two instances of rundll32.exe initiate.
Taking a look at the network traffic in fiddler, we observe quite a handful of network connections to varied IP addresses. This activity is likely associated, but this doesn't quite confirm it for sure.
I utilized RegShot to capture snapshots prior to and after detonating the sample, and noticed that the original file was deleted.
When I hovered over the rundll32 process in ProcessHacker, it pointed to the file path identified below, implying that the malware was running from a new location:
I grabbed that file and threw it into PeStudio to see if I could get any additional information, and to my pleasant surprise the hash matched that of the original DLL.
The file rewrote itself to a directory it created under C:\Users\[USER]\AppData\Local.
I took a look at the process strings in memory and did a cursory search for "http," and surprisingly got a long listing of IP addresses. If you recall, these IP addresses did not show up during the static analysis phase, implying that they were generated at runtime.
A finding was observed was when the initial file was detonated. After killing the rundll32 processes associated with it, it was observed that an instance of svchost.exe was calling out to one of the IPs generated by the malicious DLL. After terminating this instance of svchost.exe, it did not respawn.
When detonating the DLL from the new file write location, however, and after terminating the rundll32 processes associated with it, no instances of svchost.exe were observed calling out to any of the IPs associated with the sample. It is possible that the threat actor implemented this as a persistence mechanism in the event the initial DLL file was observed and terminated.
IOCs:
IP Addresses:
https://103[.]75[.]201[.]2/
https://51[.]38[.]71[.]0/
https://51[.]77[.]82[.]125/
https://45[.]118[.]135[.]203/
https://162[.]243[.]175[.]63/
https://192[.]254[.]71[.]210/
https://131[.]100[.]24[.]231/
https://45[.]118[.]115[.]99/
https://162[.]243[.]175[.]63/
https://50[.]116[.]54[.]215/
https://173[.]212[.]193[.]249/
https://138[.]185[.]72[.]26/
https://212[.]237[.]5[.]209/
https://69[.]197[.]160[.]180/
IPs (Full Strings):
https://51[.]77[.]82[.]125/QcTcrIBNUxWWUKGceShWZiRgcQNMrdFlntAgEWILpgfjqbAfB
https://162[.]243[.]175[.]63/djaUHJMpBbqgTHujJFEglOcifnxulnztJMqdqCLcLVYycdbQOHlxcYNa
https://50[.]116[.]54[.]215/pNijFT
https://45[.]118[.]115[.]99:8080/zoXxdNqOFSAsBOgaQZHhADQRvde
https://69[.]197[.]160[.]180:8080/pcxZxkotvdlfMJcfsHXXHRcmJIPJfMMYIoTXdJqEBOkKHAcXJcyd
https://212[.]237[.]5[.]209/jARtKLoRJcYjsMjEJKGENRomb
https://103[.]75[.]201[.]2/ruTKUaiILyruxqd
https://173[.]212[.]193[.]249:8080/yMyAurCrxb
https://45[.]118[.]135[.]203:7080/FemFSTBZR
https://51[.]38[.]71[.]0/fSXTMipWGlDhgeGLdVISLnvGOBtNnmZKTaRipmjOQjWOKbIQFjWmbqYFEliy
https://131[.]100[.]24[.]231:80/PeCllengiJNVEeqSsjJMEaBFCSIQTSAfuESektRgEnzcpuMMIEgO
https://138[.]185[.]72[.]26:8080/COQiEHbngIwcLDyVVdhuCmylhTIpZoAmQZqrEv
https://192[.]254[.]71[.]210/nKQMRYmsQyxvsRdieRkHJzGyYMPeGEOlXnjNbxtdlO
https://162[.]243[.]175[.]63/djaUHJMpBbqgTHujJFEglOcifnxulnztJMqdqCLcLVYycdbQOHlxcYNa
New File:
C:\Users\[USERNAME]\AppData\Local\*
Comments