Malware Analysis Report (AR20-133J)

MIFR-10027371-1.v2

Malware Initial Findings Report
10027371.r1.v2
2020-05-08

Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary

Description

This report contains information obtained from automated analysis and is not intended to be a complete description of the submitted sample. Results may be limited due to the complexity of the samples, or due to the ability of the samples to defend against automated analysis techniques. If additional information is required, please contact the Cybersecurity and Infrastructure Security Agency (CISA) using the information provided at the end of this report.

This report contains preliminary analysis and is not intended to be a complete description of the submitted artifacts' capabilities. Results may be incomplete due to the artifacts' complexity or ability to defend against analysis techniques. If additional information is required, please contact the CISA Security Operations Center using the information at the end of this report.

Analysis Environment: 32_bit, windows_7


For a downloadable copy of IOCs, see MIFR-10027371-1.v2.stix.

Files (4)

6ea86b944c8b5a9b02adc7aac80e0f33217b28103b70153710c1f6da76e36081 (lte-2600.doc)

9ce4b68d9c400f63ccc9aa3e15589c3229da647a6cacfbd08aca877686429d36 (~$Normal.dotm)

9f4ac7e7e75b389d8bada52112b3a290e3c4765c3715c431bdb6a66f4f03aec9 (MSComctlLib.exd)

bc5255315d66e3ee04477292f381a3e949e22fa7f3f6eb44288b623adbffcc0c (message__E04B9B62207FCD83FD371...)

Findings

6ea86b944c8b5a9b02adc7aac80e0f33217b28103b70153710c1f6da76e36081

Tags

CVE-2012-0158, dropper, trojan

Details
Name: lte-2600.doc
Size: 429440 bytes
Type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 5.1, Code page: 936, Author: User, Template: Normal.dot, Last Saved By: User, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Total Editing Time: 03:00, Create Time/Date: Thu Sep 28 18:06:00 2006, Last Saved Time/Date: Thu Sep 28 18:09:00 2006, Number of Pages: 1, Number of Words: 5, Number of Characters: 35, Security: 0
MD5: 7048add2873b08a9693a60135f978686
SHA1: 08db4b8dc7c18133851774d687a9d2bcb993bffa
SHA256: 6ea86b944c8b5a9b02adc7aac80e0f33217b28103b70153710c1f6da76e36081
SHA512: 5a307987530dafaea66cc9e1d609b76f41b42befb7bb314b5cbb08f6da50d7e42d9e8e07c609ff50189ba43bf9464126fc41502d6c76c690bd2850df67e16800
ssdeep: 6144:z13H72LltRPh3kKsVCU7wCkAW09zTVwwMBs1E4uukzIJrWrFdYNylsjpCiEU1NX:xH72Ll3h3kBz7wyXmzBJuCFluZX
Entropy: 7.803456

Antivirus

Ahnlab: DOC/Cve-2012-0158
ClamAV: Doc.Exploit.CVE_2012_0158-17
Ikarus: Exploit.CVE-2012-0158
McAfee: Exploit-CVE2012-0158.bc
Microsoft Security Essentials: Exploit:Win32/CVE-2012-0158
NANOAV: Exploit.ComObj.CVE-2012-0158.hzuf
Quick Heal: Exp.Shell.Gen.CH
Sophos: Troj/MalDoc-Fam
Symantec: Trojan.Mdropper
TACHYON: Exploit/W97.CVE-2012-0158
TrendMicro: TROJ_CV.428AEF91
TrendMicro House Call: TROJ_CV.428AEF91

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
6ea86b944c... Dropped 9ce4b68d9c400f63ccc9aa3e15589c3229da647a6cacfbd08aca877686429d36
6ea86b944c... Dropped 9f4ac7e7e75b389d8bada52112b3a290e3c4765c3715c431bdb6a66f4f03aec9
Description

Process Tree:
- WINWORD.EXE 3952 (3996)

WINWORD.EXE (3952) API behavior:
NtCreateFile, C:\Users\user\AppData\Local\Temp\CVRE872.tmp
NtCreateFile, C:\Windows\Fonts\staticcache.dat
NtCreateFile, C:\Program Files\Microsoft Office\Office14\WINWORD.EXE.config
NtCreateFile, MountPointManager
NtCreateFile, C:\
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db
NtCreateFile, C:\Users\desktop.ini
NtCreateFile, C:\Users
NtCreateFile, C:\Users\user
NtCreateFile, C:\Users\user\Desktop\desktop.ini
NtCreateFile, C:\Users\user\AppData
NtCreateFile, C:\Users\user\AppData\Roaming
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\desktop.ini
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Templates
NtCreateFile, C:\Windows\system32\rsaenh.dll
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Templates\Normal.dotm
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4276AC53-FD70-44AA-99D5-6355F109C128}.tmp
NtCreateFile, C:\Windows\system32\en-US\MSCTF.dll.mui
NtCreateFile, C:\Users\user\AppData\Local
NtCreateFile, C:\Users\user\AppData\Local\Temp
NtCreateFile, C:\Users\user\AppData\Local\Temp\lte-2600.doc
NtCreateFile, C:\Users\user\AppData\Local\Temp\~DF8FE2E77AE5B5CEE0.TMP
NtCreateFile, C:\Users\user\AppData\Local\Temp\~$e-2600.doc
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{C52CDA7A-93BE-4139-A49A-877B0A7F16AF}.tmp
NtCreateFile, C:\Users\user\AppData\Local\Temp\~DFEBD819AF8CE83CE8.TMP
NtCreateFile, C:\Users\user\AppData\Local\Temp\~DF01F2FD44E87A5989.TMP
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\review.rcd
NtCreateFile, C:\Users\user\AppData\Roaming\Microsoft\Office\adhoc.rcd
NtCreateFile, C:\Users\user\Searches\desktop.ini
NtCreateFile, C:\Users\user\Videos\desktop.ini
NtCreateFile, C:\Users\user\Pictures\desktop.ini
NtCreateFile, C:\Users\user\Contacts\desktop.ini
NtCreateFile, C:\Users\user\Favorites\desktop.ini
NtCreateFile, C:\Users\user\Music\desktop.ini
NtCreateFile, C:\Users\user\Downloads\desktop.ini
NtCreateFile, C:\Users\user\Documents\desktop.ini
NtCreateFile, C:\Users\user\Links\desktop.ini
NtCreateFile, C:\Users\user\Saved Games\desktop.ini
NtCreateFile, C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL
NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7\VBE7.DLL
NtCreateFile, C:\Windows\system32\spool\DRIVERS\W32X86\3\sendtoonenote.BUD
NtCreateFile, C:\Windows\system32\spool\DRIVERS\W32X86\3\sendtoonenote.gpd
NtCreateFile, C:\Windows\system32\spool\DRIVERS\W32X86\3\StdNames.gpd
NtCreateFile, C:\Windows\system32\spool\DRIVERS\W32X86\3\SendToOneNoteNames.gpd
NtCreateFile, C:\Windows\system32\spool\DRIVERS\W32X86\3\SendToOneNoteFilter.gpd
NtCreateFile, C:\Windows\system32\spool\DRIVERS\W32X86\3\SendToOneNote.ini
NtCreateFile, C:\Program Files\Microsoft Office\Office14\MSWORD.OLB
NtCreateFile, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{3BFBD9A6-7FE6-439A-B9F7-1C8C42FE6078}.tmp
NtCreateFile, C:\Windows\system32\stdole2.tlb
NtCreateFile, C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA7\VBE7.DLL\3
NtCreateFile, C:\Users\user\AppData\Local\Temp\VBE
NtCreateFile, C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSO.DLL
NtCreateFile, C:\Users\user\AppData\Local\Temp\Word8.0
NtCreateFile, C:\Windows\system32\MSCOMCTL.OCX
NtCreateFile, C:\Users\user\AppData\Local\Temp\Word8.0\MSComctlLib.exd
NtCreateFile, C:\Users\user\AppData\Local\Temp\11102430.cvr

File activity:
write, C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
write, C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4276AC53-FD70-44AA-99D5-6355F109C128}.tmp
write, C:\Users\user\AppData\Local\Temp\~$e-2600.doc
write, C:\Users\user\AppData\Local\Temp\Word8.0\MSComctlLib.exd
write, C:\Users\user\AppData\Local\Temp\11102430.cvr
execute, "C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE" -x -s 1412

Registry activity:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems|h8:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages1033: O\x00f\x00f\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResourcesEnabledLanguages1033: O\x00n\x00\x00\x00
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageWORDFiles: 1193803785
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1193803825
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1193803826
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\WordMTTT:
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems~h8:
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet: 0
write, HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect: 1
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems=i8:
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1193803827
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductFiles: 1193803828
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\CommonReviewCycleReviewToken: {\x00A\x008\x007\x000\x007\x002\x004\x00A\x00-\x008\x00A\x004\x002\x00-\x004\x002\x003\x000\x00-\x009\x002\x003\x003\x00-\x006\x00B\x00F\x00C\x004\x00E\x004\x00D\x007\x002\x00E\x003\x00}\x00\x00\x00
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\WordPlace MRUMax Display: 25
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\WordFile MRUMax Display: 25
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageVBAFiles: 1193803777
write, HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004119110000000000000000F01FEC\UsageProductNonBootFiles: 1193803777
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\WordMTTF: 0
write, HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\WordMTTA: 846

9ce4b68d9c400f63ccc9aa3e15589c3229da647a6cacfbd08aca877686429d36

Details
Name: ~$Normal.dotm
Size: 162 bytes
Type: data
MD5: f14041e06557901465d25e359d33df5c
SHA1: 32c5189861420ab334c99dfdc6adde113f6cc87b
SHA256: 9ce4b68d9c400f63ccc9aa3e15589c3229da647a6cacfbd08aca877686429d36
SHA512: bf9648822404b45a69ca111d30aa86942428779a967b03627acf18a94fb06ea80d080c7ed3c4bd784e03941ad38e8274126136d058a5db447e929fe09d368f1e
ssdeep: 3:2H/9lyX/3L7YMlbK7g7lxIt/fgllCtC/lXaO:wVSlxK7ghq/fglC8Fa
Entropy: 2.418994

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
9ce4b68d9c... Dropped_By 6ea86b944c8b5a9b02adc7aac80e0f33217b28103b70153710c1f6da76e36081
Description

Process Tree:
- cmd.exe 2176 (3832)
- - cmd.exe 2316 (2176)

cmd.exe (2316) API behavior:
NtCreateFile, C:\Windows\Branding\Basebrd\Basebrd.dll

File activity:
execute, cmd.exe

9f4ac7e7e75b389d8bada52112b3a290e3c4765c3715c431bdb6a66f4f03aec9

Details
Name: MSComctlLib.exd
Size: 147396 bytes
Type: data
MD5: e31c5fbb74dc298cee49b6e9f23e8d35
SHA1: 4058e8eefd839c34e1b338a4567d7983d4509838
SHA256: 9f4ac7e7e75b389d8bada52112b3a290e3c4765c3715c431bdb6a66f4f03aec9
SHA512: 07678d9d4ba52e7f0be126edc41d9a8d4efa527a057b076776f41b858108aded0c79a9e493c1056bd7e346f863b2b44f4a14a0b5986c8edacd4897b9eb590cb1
ssdeep: 1536:oQY8yn+IGn0HQ18oe5dRySRVrbW+mxumOa5aWDVEuPumZC9ndbAFG4Ezn4e:odHBw1pSbbW+NmOa5xxWmZeKEp
Entropy: 4.807015

Antivirus

No matches found.

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
9f4ac7e7e7... Dropped_By 6ea86b944c8b5a9b02adc7aac80e0f33217b28103b70153710c1f6da76e36081
Description

Process Tree:
- cmd.exe 2352 (4000)
- - cmd.exe 3812 (2352)

cmd.exe (3812) API behavior:
NtCreateFile, C:\Windows\Branding\Basebrd\Basebrd.dll

File activity:
execute, cmd.exe

bc5255315d66e3ee04477292f381a3e949e22fa7f3f6eb44288b623adbffcc0c

Tags

CVE-2012-0158, trojan

Details
Name: message__E04B9B62207FCD83FD371EC771D94AF8_xe_.eml
Size: 582944 bytes
Type: RFC 822 mail, ASCII text
MD5: 2d0296ec3fb2408eef091a9e4f9be461
SHA1: 96afdc9c4b435e137c45a532c92f0647f70df677
SHA256: bc5255315d66e3ee04477292f381a3e949e22fa7f3f6eb44288b623adbffcc0c
SHA512: 4e999cfa3e1d538275a1dc7b5a3a8be2287bb9bb93a90c0ca10ae57da13a01b4b43ae0d231d2a663ead761fad8300a8a233da95d71887e6ed3612af73616c7af
ssdeep: 12288:syBgcZm5enL9UPtx3xXdVDLxuKbF6LXSrGxG5X9SmRq+4IeMxzXj8PGJ:syBljnLKP7xrDLxuKbF62rT5X8ehxjj/
Entropy: 5.940057

Antivirus

ClamAV: Doc.Exploit.CVE_2012_0158-17
Ikarus: Exploit.CVE-2012-0158
NANOAV: Exploit.ComObj.CVE-2012-0158.hzuf
Quick Heal: Exp.Shell.Gen.CH
TrendMicro: TROJ_CV.428AEF91
TrendMicro House Call: TROJ_CV.428AEF91

YARA Rules

No matches found.

ssdeep Matches

No matches found.

Description

Process Tree:
- cmd.exe 2352 (4000)
- - cmd.exe 3812 (2352)

cmd.exe (3812) API behavior:
NtCreateFile, C:\Windows\Branding\Basebrd\Basebrd.dll

File activity:
execute, cmd.exe

Relationship Summary

6ea86b944c... Dropped 9ce4b68d9c400f63ccc9aa3e15589c3229da647a6cacfbd08aca877686429d36
6ea86b944c... Dropped 9f4ac7e7e75b389d8bada52112b3a290e3c4765c3715c431bdb6a66f4f03aec9
9ce4b68d9c... Dropped_By 6ea86b944c8b5a9b02adc7aac80e0f33217b28103b70153710c1f6da76e36081
9f4ac7e7e7... Dropped_By 6ea86b944c8b5a9b02adc7aac80e0f33217b28103b70153710c1f6da76e36081

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".

Contact Information

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to CISA at 1-888-282-0870 or soc@us-cert.gov.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.us-cert.gov.

Revisions

May 12, 2020: Initial Version
