Most of the posts covered in this blog so far show the static analysis piece of documents, spreadsheets, and PDFs utilizing tools on REMnux. In this post, I'll demonstrate a quick dynamic analysis of an .xlsm file calling out to C2 infrastructure to download a TrickBot payload.
Taking a quick look with olevba in REMnux, we identify that the file contains possible commands as well as a potential C2 IP address:
From here, we move on to detonating this file with the appropriate tools running in the background to capture nefarious activity. After removing some of the default safeguards in place, we see that the file prompts us to enable macros:
Once we've done so, the file doesn't offer any additional disguise. No data is populated in the spreadsheet, but we observed a cmd terminal pop up on the screen:
We then see a window titled "http://87[.]251[.]85[.]100/love/love.html" also pop up on the tool bar. When we click on it, right now it's a blank window since our VM does not have connectivity to the internet proper.
Referencing the ProcessHacker process tree, we see that Excel did indeed spawn cmd, which then spawned mshta.
Looking at the memory strings or general information of each of those child processes, we see their commandlines corroborating with the IP we saw in olevba:
Based on the outputs of other tools, no file were observed to be written during this stage of the attack. This means that this entire stage operated in memory, outside of the original lure file.
Some may look at this and say, "well it generated a cmd shell window" or something along similar lines. While most of us that have a keen eye for anomalous activity on a computer would catch this and raise concern, the average computer user would not. They may have been conditioned to associate the blank command shell with possible administrative activity or otherwise normal behavior. This stage of the malware also does not hinder the user from performing other tasks, meaning it doesn't draw attention. Malware developers have become stealthier, and it's important to remember as members and "guardians" in the DFIR community, the majority of computer users across the globe don't do what we do and don't see what we see.
IOCs
IPs:
http://87[.]251[.]85[.]100/love/love.html
File Hash:
00ac480eb8e89d69c6f7ad4b701801d4834aa3d9afbade4f3bb6701be52d5336
Virus Total Links:
Comments