CVE-2017-11882 Vulnerability Exploitation Malicious Sample Analysis

Sample information

  File name   c11e2306a7926e55f4b2fcbbe7307690059572f1857724bd4aaa7974be6a4b56
  File size   617.94 KB
  File type   Win32 EXE
  MD5         997cf4517ee348ea771fd05f489c07fe
  SHA1        8feb8992f700c7ff9e19f45d0c3fd820d71aa044
  CRC32       67DE9003

Table 1.1 Sample information

Analysis environment and tools

Environment: Windows 7, x86 (32-bit)

Tools: 010 Editor, IDA, Hash, rtfobj, OllyDbg (OD)

Analysis target

Analyze the sample's malicious behavior and the functions that implement it.

Sample Behavior Analysis

VirusTotal flags the sample with 34 of 59 engines, so the document is judged malicious. (This analysis report predates 2019; current detection rates may differ from that figure.)

Attack process:

The malicious document relies mainly on an embedded Package object to carry the malicious program.

The rtfobj tool extracts the Package object and drops it automatically. The inserted Package object turns out to be a malicious Scriptlet (.sct) script file plus %tmp%\mico-audio.exe.

Scriptlet (.sct) script file.

The dropped .sct script exploits the vulnerability to run %tmp%\mico-audio.exe (on the C: drive). That program drops the PE file Crome.exe, copies itself, writes registry entries, and then executes the PE file.

When executed, it creates crome.exe under C:\Users\username\AppData\Roaming\google-Chrome\, a directory name chosen to look like the Google Chrome browser's folder, and performs the corresponding file writes.

Once running, the PE file exhibits remote-access behavior.
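To illustrate the package-object extraction step in the chain above, here is an added Python example; it is not the original post's tooling and not rtfobj itself. It finds the hex blobs that follow the objdata control word in an RTF, decodes the OLE 1.0 embedded-object header, and, for the Package class, recovers the embedded file's label, temp path and raw bytes so the payload can be classified as a PE image or a scriptlet. The sample RTF it builds, the names payload.sct and %tmp%\payload.sct, and the harmless scriptlet stub are constructed for the demo; the Packager native-data layout it assumes (2-byte header, label, source path, 4-byte flags, temp-path length, temp path, data size, data) follows the layout rtfobj parses and is stated as an assumption.

```python
"""Triage an RTF file for embedded OLE 'Package' objects.

Added example, not the original post's tooling and not rtfobj itself.
ASSUMPTION: the Packager native-data layout parsed here (2-byte header,
label, source path, 4-byte flags, 4-byte temp-path length, temp path,
4-byte data size, data) follows the layout rtfobj parses.
"""
import re
import struct

# Hex run that follows an \objdata control word (stops at the closing brace).
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")

# Constructed, harmless stand-in for a real .sct payload.
SAMPLE_PAYLOAD = b"<?XML version='1.0'?><scriptlet><script></script></scriptlet>"


def _lp_string(buf, pos):
    """Read an OLE1 LengthPrefixedAnsiString: 4-byte length (incl. NUL) + bytes."""
    (n,) = struct.unpack_from("<I", buf, pos)
    pos += 4
    return buf[pos:pos + n].rstrip(b"\x00").decode("latin-1"), pos + n


def parse_ole1_object(blob):
    """Parse the OLE 1.0 ObjectHeader (MS-OLEDS 2.2.4) and, for FormatID 2
    (EmbeddedObject, 2.2.5), the NativeDataSize + NativeData that follow."""
    _version, format_id = struct.unpack_from("<II", blob, 0)
    pos = 8
    class_name, pos = _lp_string(blob, pos)   # e.g. "Package"
    _topic, pos = _lp_string(blob, pos)
    _item, pos = _lp_string(blob, pos)
    native = b""
    if format_id == 2:
        (size,) = struct.unpack_from("<I", blob, pos)
        native = blob[pos + 4:pos + 4 + size]
    return {"class_name": class_name, "format_id": format_id, "native": native}


def parse_packager(native):
    """Split Packager native data (assumed layout, see module docstring)."""
    pos = 2                                    # 2-byte header word
    end = native.index(b"\x00", pos)
    label = native[pos:end].decode("latin-1")  # file name shown to the user
    pos = end + 1
    end = native.index(b"\x00", pos)
    src_path = native[pos:end].decode("latin-1")
    pos = end + 1
    _flags, tmp_len = struct.unpack_from("<II", native, pos)
    pos += 8
    temp_path = native[pos:pos + tmp_len].rstrip(b"\x00").decode("latin-1")
    pos += tmp_len
    (data_len,) = struct.unpack_from("<I", native, pos)
    pos += 4
    return {"label": label, "src_path": src_path, "temp_path": temp_path,
            "data": native[pos:pos + data_len]}


def classify(label, data):
    """Cheap indicators: a PE image, or a Windows Script Component (.sct)."""
    tags = []
    if data[:2] == b"MZ":
        tags.append("pe")
    if label.lower().endswith(".sct") or b"<scriptlet" in data.lower():
        tags.append("scriptlet")
    return tags


def triage_rtf(rtf):
    """Return one record per objdata blob found in the RTF bytes."""
    records = []
    for m in OBJDATA_RE.finditer(rtf):
        blob = bytes.fromhex(re.sub(rb"\s+", b"", m.group(1)).decode("ascii"))
        obj = parse_ole1_object(blob)
        rec = {"class_name": obj["class_name"], "tags": []}
        if obj["class_name"] == "Package" and obj["native"]:
            pkg = parse_packager(obj["native"])
            rec.update(label=pkg["label"], temp_path=pkg["temp_path"],
                       size=len(pkg["data"]),
                       tags=classify(pkg["label"], pkg["data"]))
        records.append(rec)
    return records


def _lp(s):
    b = s.encode("latin-1") + b"\x00"
    return struct.pack("<I", len(b)) + b


def build_sample_rtf():
    """Constructed RTF carrying one Package object that wraps SAMPLE_PAYLOAD."""
    label, src, tmp = "payload.sct", "C:\\sample\\payload.sct", "%tmp%\\payload.sct"
    tmp_b = tmp.encode("latin-1") + b"\x00"
    native = (b"\x02\x00" + label.encode("latin-1") + b"\x00"
              + src.encode("latin-1") + b"\x00"
              + struct.pack("<II", 0x00030000, len(tmp_b)) + tmp_b
              + struct.pack("<I", len(SAMPLE_PAYLOAD)) + SAMPLE_PAYLOAD)
    ole1 = (struct.pack("<II", 0x00000501, 2) + _lp("Package") + _lp("") + _lp("")
            + struct.pack("<I", len(native)) + native)
    return b"{\\rtf1{\\object\\objemb{\\*\\objdata " + ole1.hex().encode("ascii") + b"}}}"


if __name__ == "__main__":
    for rec in triage_rtf(build_sample_rtf()):
        print(rec)
```

Running the module on a real document would report the label and temp path of every Package object along with the "pe" or "scriptlet" tag, which is the same information rtfobj surfaces and which tells an analyst which dropped file to look at first; on the constructed sample it reports a single Package object labelled payload.sct tagged as a scriptlet.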


Removal and preventive measures

Removal:

① Most security vendors now detect this sample, so installing an anti-virus product is enough to remove it.

② Manual removal

  1. Delete Crome.exe from C:\Users\username\AppData\Roaming\google-chrome\.
  2. In the startup items, disable the Crome.exe entry (the one with the globe icon).
  3. Delete the Chrome value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run in the registry.

Precautions

① Keep Windows up to date: turn on Windows Update.
② Apply the patch; Microsoft's patch address: Security Update Guide - Microsoft Security Response Center


Source: blog.csdn.net/qq_37431937/article/details/125299257