Malware Analysis Report 05/13/2022

Malware Type: Backdoor Trojan

MalwareMayCry
7 min read · May 14, 2022

IOCs (Indicators of Compromise):

Dropped files: vasumov.dat, vasumov.exe, avvenne.ini, destinata.ini, ora.exe.com, qual.ini; IP address: 195.58.48.252; C2s: suqklp53.top, xxxp://moraub06.top/index.php, xxxp://cazars09.top/downfiles/lv.exe

File Information and Hashes:

Stage 1: Triage

A user attempted to torrent Microsoft Word. CrowdStrike Falcon detected the activity from the setup file they downloaded. Instead of installing Microsoft Word, it runs the following command from cmd.exe:

I opened a new PEStudio window and dropped setup.exe into the program:

It is an executable with the “MZ” magic bytes. It may have been built with Visual Studio 2003, its description field reads “intellilockDB” (which is a type of packer), and the architecture is 32-bit. Interestingly, it also carries a compiler stamp of August 1st, 2020, 02:44:50 UTC. This may not be the true compile time, however, since that header field can be set to any value.

Next, we look at the sections that are specified:

We can see here that the virtualized section “.ndata” is reading as 0x00000000 for both raw size and raw address, meaning it exists only in memory and has no bytes on disk. The .text section is where the code executes. The size of the resource section indicates that resources are packed inside this executable.

Then we go to the libraries. Some libraries are listed, but the cryptography library is missing. Because this is a packed executable, more libraries are most likely loaded at runtime once it unpacks:
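The header fields PEStudio is reading here (magic bytes, machine type, compiler stamp, and a section table with a raw size of zero) parsed by hand, as an added example that is not code from the original post. The PE image it parses is a constructed header-only stand-in that mirrors the layout described above, not the real setup.exe.

```python
import struct
from datetime import datetime, timezone

MACHINE_NAMES = {0x14C: "32-bit (i386)", 0x8664: "64-bit (x86-64)"}

def parse_pe(data):
    """Parse the DOS header, COFF file header and section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine, nsections, stamp, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    sections, off = [], e_lfanew + 24 + opt_size   # first IMAGE_SECTION_HEADER
    for _ in range(nsections):
        name, vsize, vaddr, rsize, raddr = struct.unpack_from("<8sIIII", data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": rsize, "raw_address": raddr,
            # Raw size 0 with a nonzero virtual size means the section exists only
            # in memory (like NSIS's .ndata): there are no bytes on disk to scan.
            "virtual_only": rsize == 0 and vsize > 0,
        })
        off += 40
    # TimeDateStamp is seconds since the Unix epoch; it is written by the linker
    # and can be forged, which is why the report treats it as a hint, not a fact.
    compiled = datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    return {"machine": MACHINE_NAMES.get(machine, hex(machine)),
            "compile_stamp": compiled, "sections": sections}

def build_sample():
    """Constructed header-only PE mimicking the sample's layout (not the real setup.exe)."""
    stamp = int(datetime(2020, 8, 1, 2, 44, 50, tzinfo=timezone.utc).timestamp())
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, stamp, 0, 0, 0, 0x0102)
    def sec(name, vsize, vaddr, rsize, raddr):
        return struct.pack("<8sIIII", name, vsize, vaddr, rsize, raddr) + b"\0" * 16
    return (dos + coff + sec(b".text", 0x6000, 0x1000, 0x5E00, 0x400)
            + sec(b".ndata", 0x10000, 0x2B000, 0, 0)
            + sec(b".rsrc", 0x8000, 0x3B000, 0x7E00, 0x6200))

if __name__ == "__main__":
    info = parse_pe(build_sample())
    print(info["machine"], "| compile-stamp:", info["compile_stamp"])
    for s in info["sections"]:
        flag = "  <- virtual only" if s["virtual_only"] else ""
        print(f"{s['name']:<8} raw-size=0x{s['raw_size']:08X} raw-address=0x{s['raw_address']:08X}{flag}")
```

Point `parse_pe` at the bytes of a real file to reproduce the section view PEStudio shows; the `virtual_only` flag is what marks .ndata as having nothing on disk.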

Now we will look at the functions to identify what this malware possibly does:

There are a lot of functions listed here, but I am going to explain some of the most notable ones:

· RegCreateKeyA — Creates a key in the registry (or opens it if it already exists)

· RegEnumKeyA — Enumerates the names of the subkeys of an open registry key

· RegQueryValueExA — Queries the data of a value under an open registry key

· RegSetValueExA — Sets the data of a value under a registry key

· RegCloseKey — Closes an open registry key handle

· RegDeleteKeyA — Deletes a registry key

· RegDeleteValueA — Deletes a named value from a registry key

· AdjustTokenPrivileges — Enables or disables privileges in an access token

· SetFileSecurityA — Sets the security descriptor (permissions) of a file

· SHGetFileInfoA — The SH prefix stands for Shell; this function retrieves information about a file system object, such as its icon, type name, or attributes

· SHFileOperationA — Shell function that copies, moves, renames, or deletes a file system object

· SHGetPathFromIDListA — Converts an item identifier list (PIDL) into a file system path

· ShellExecuteA — Opens or runs a file or program through the shell, as the Run dialog would

· SetClipboardData — Places data on the clipboard

· PeekMessageA — Checks the thread's message queue for a pending message and, if one exists, retrieves it

· DispatchMessageA — Dispatches a message retrieved by GetMessage to the window procedure

· CreatePopupMenu — Creates a drop-down menu, submenu, or shortcut menu

· LoadCursorA — Loads a cursor from the program's cursor resources

· GetWindowLongA — Retrieves information about a specific window

· ScreenToClient — Converts the screen coordinates of a point to client-area coordinates

· CloseClipboard — Closes the clipboard

· OpenClipboard — Opens the clipboard

· GetSystemDirectoryA — Gets the path of the system directory

· GetProcAddress — Gets the address of an exported function or variable in a loaded DLL, by name or by ordinal

· MoveFileExA — Moves a file from one location to another

· ReadFile — Reads data from the specified file

· CreateProcessA — Creates a new process

· CreateThread — Creates a thread within the calling process

· GetTempFileNameA — Generates the name of a temporary file

· GetWindowsDirectoryA — Gets the path of the Windows directory

· Sleep — Suspends execution for a specified amount of time

· LoadLibraryExA — Loads a specified library (DLL) into the process

· SetEnvironmentVariableA — Sets the contents of the specified environment variable for the current process; it can be used for evasion and obfuscation purposes

· GetForegroundWindow — Gets a handle to the window the user is currently working in

Now that these functions have been identified, let’s look at the strings:

Some notable strings here are:

· “Control Panel\Desktop\ResourceLocale”

· NSIS Error

· http://nsis.sf.net/NSIS Error

· Software\Microsoft\Windows\CurrentVersion

· .DEFAULT\Control Panel\International

· \Microsoft\Internet Explorer\Quick Launch

· 8DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA10

· DigiCert Inc1

· 210429000000Z

· 360428235959Z0i1

· IntelliLockDB

Next, we look at the version resource, which specifies the version of IntelliLockDB that the sample loads:

Lastly, there is an overlay (data appended after the last section), which is the installer payload that supposedly installs the malware or helps unpack some of its other files:

Let’s move onto the resources in Resource Hacker:

Notice in each section, there’s a resource. These can help us to identify it in a Yara rule along with the strings and other IOCs we find:

One other part of this file we can look at now is its digital signature. It claims to be signed by “Pango Inc.”, but when we view the details we see that the certificate is invalid:

Stage 2: Dynamic Analysis

For dynamic analysis I will use the following tools:

Regshot — Registry snapshot tool

FakeNet-NG — Network capture tool that acts as a fake DNS server

Wireshark — Network capture tool

Any.Run — Dynamic analysis sandbox

Process Monitor — Monitors all system activity the file performs

Process Explorer — Shows us which processes are opened and created

Once these are set up, I went ahead and double-clicked the executable. The first thing I noticed was that cmd.exe was spawned as a new process; it dropped and ran another AutoIt script, and pinged the network to test for an internet connection:

When I opened the pcap file in Wireshark, I was unable to find any of the IP addresses or domains I had received from CrowdStrike earlier. The VM is running in “Host-Only” mode, so its attempts to ping out went nowhere:

A coworker of mine ran the sample through any.run to capture the network traffic, and we came back with IP addresses and domains:

Next, I analyzed the file operations to see what the malware had done. In this case, it dropped several files in C:\Users\Username\AppData\Roaming:

When I browse to that location, I see several more dropped files:

The following registry keys were changed:

These registry keys were deleted:

If I attempt to open Ora.exe, I am instead prompted to select a script to run:

This means that Ora.exe is the AutoIt interpreter. It is being used as a LOLBin (living-off-the-land binary) to make the malware portable.

If I open mie.ini in Notepad, the code is obfuscated but can still be understood:

This script gets the desktop name, sets a value, then pings localhost to check whether it can connect out to the internet. It then appears to set another value as an executable and drops “avvenne.ini” into %APPDATA%, which is written out as Ora.exe.com. Then it drops Destinata.ini and starts Ora.exe.com from %APPDATA%. Mie.ini appears to be a Windows batch script, so I went ahead and renamed it to “Mie.bat”.

When I run Mie.bat, the following happens:

This time, FakeNet-NG catches network activity. It attempts to connect to the domain “FQJXClrEXTI. FQJXClrEXTI”:

The script also dropped “nslookup.exe”, most likely another LOLBin:

Had the malware been able to reach all of its destinations, it would have downloaded this file:
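The drop-and-run chain observed above (cmd.exe writes avvenne.ini, ora.exe.com and destinata.ini into %APPDATA%\Roaming, then launches ora.exe.com) expressed as detection logic over a Process Monitor CSV export, as an added example that is not part of the original post. The log lines are constructed to replay that chain and are not the real capture; the column layout assumed is Procmon's default CSV export.

```python
import csv
import io
import re

# Constructed Process Monitor CSV export (not the real capture) that replays the
# chain described above: drop files into %APPDATA%, then launch the drop.
SAMPLE_LOG = r'''"Time of Day","Process Name","PID","Operation","Path","Result"
"10:01:01","cmd.exe","4120","CreateFile","C:\Users\Username\AppData\Roaming\avvenne.ini","SUCCESS"
"10:01:01","cmd.exe","4120","WriteFile","C:\Users\Username\AppData\Roaming\avvenne.ini","SUCCESS"
"10:01:02","cmd.exe","4120","WriteFile","C:\Users\Username\AppData\Roaming\ora.exe.com","SUCCESS"
"10:01:02","cmd.exe","4120","WriteFile","C:\Users\Username\AppData\Roaming\destinata.ini","SUCCESS"
"10:01:03","cmd.exe","4120","Process Create","C:\Users\Username\AppData\Roaming\ora.exe.com","SUCCESS"
"10:01:05","notepad.exe","6000","WriteFile","C:\Users\Username\Documents\notes.txt","SUCCESS"
"10:01:06","explorer.exe","1200","Process Create","C:\Windows\System32\notepad.exe","SUCCESS"
'''

USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)
DOUBLE_EXT = re.compile(r"\.(exe|dll|scr|bat|cmd)\.[a-z0-9]{1,4}$", re.IGNORECASE)

def find_drop_and_run(csv_text):
    """Return one finding per Process Create that looks like a self-dropped payload launch."""
    written = {}        # pid -> set of paths that process has written so far
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        pid, op, path = row["PID"], row["Operation"], row["Path"]
        if op == "WriteFile":
            written.setdefault(pid, set()).add(path.lower())
            continue
        if op != "Process Create":
            continue
        reasons = []
        if path.lower() in written.get(pid, ()):
            reasons.append("launches a file it wrote itself")
        if USER_WRITABLE.search(path):
            reasons.append("image lives in a user-writable AppData directory")
        if DOUBLE_EXT.search(path):
            reasons.append("image name carries a double extension")
        if reasons:
            findings.append({"pid": pid, "process": row["Process Name"],
                             "image": path, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_drop_and_run(SAMPLE_LOG):
        print(f"{f['process']} (PID {f['pid']}) -> {f['image']}")
        for r in f["reasons"]:
            print("   -", r)
```

The benign notepad.exe launch in the same log produces no finding, which is the control case to keep when tuning the rule against a real Procmon export.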

References:

MSDN: https://docs.microsoft.com

https://malapi.io/

https://app.any.run/tasks/2efdaab7-e4da-4499-8681-2e4b88bfecf3/#
