Unit42

Description

In this Sherlock, you will familiarize yourself with Sysmon logs and various useful EventIDs for identifying and analyzing malicious activities on a Windows system. Palo Alto's Unit42 recently conducted research on an UltraVNC campaign, wherein attackers utilized a backdoored version of UltraVNC to maintain access to systems. This lab is inspired by that campaign and guides participants through the initial access stage of the campaign.

Summary

Firefox resolved and downloaded a file from uc2f030016253ec53f4953980a4e.dl.dropboxusercontent.com which was saved to the user’s Downloads folder as Preventivo24.02.14.exe.exe. The binary was executed by the local user, performed outbound network activity to 93.184.216.34:80, created multiple artifacts under AppData\Roaming and C:\Games, and used legitimate processes (firefox.exe, svchost.exe, msiexec.exe, mmc.exe) to replicate / hide before terminating.

Concepts

• Sysmon: Sysmon, or System Monitor, is a Windows system service and device driver that logs detailed system activity to the Windows event log to help detect malicious behavior. It monitors and logs events like process creations, network connections, and changes to the file system, providing deeper security insights than standard Windows logging. This allows administrators to analyze events to identify suspicious activity, understand how an attack unfolded, and investigate security incidents.

Events

❯ curl  -s https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon | grep -oP "Event ID \d{0,2}.*" | cut -d '<' -f1
Event ID 1: Process creation
Event ID 2: A process changed a file creation time
Event ID 3: Network connection
Event ID 4: Sysmon service state changed
Event ID 5: Process terminated
Event ID 6: Driver loaded
Event ID 7: Image loaded
Event ID 8: CreateRemoteThread
Event ID 9: RawAccessRead
Event ID 10: ProcessAccess
Event ID 11: FileCreate
Event ID 12: RegistryEvent (Object create and delete)
Event ID 13: RegistryEvent (Value Set)
Event ID 14: RegistryEvent (Key and Value Rename)
Event ID 15: FileCreateStreamHash
Event ID 16: ServiceConfigurationChange
Event ID 17: PipeEvent (Pipe Created)
Event ID 18: PipeEvent (Pipe Connected)
Event ID 19: WmiEvent (WmiEventFilter activity detected)
Event ID 20: WmiEvent (WmiEventConsumer activity detected)
Event ID 21: WmiEvent (WmiEventConsumerToFilter activity detected)
Event ID 22: DNSEvent (DNS query)
Event ID 23: FileDelete (File Delete archived)
Event ID 24: ClipboardChange (New content in the clipboard)
Event ID 25: ProcessTampering (Process image change)
Event ID 26: FileDeleteDetected (File Delete logged)
Event ID 27: FileBlockExecutable
Event ID 28: FileBlockShredding
Event ID 29: FileExecutableDetected
Event ID 255: Error

Resources

• https://github.com/WithSecureLabs/chainsaw

• https://github.com/SigmaHQ/sigma

• https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES.git

• https://github.com/EricZimmerman/evtx

Files & Artifacts

Hash	Name
697b7939d59f117e5ca4c90ab730658f	Microsoft-Windows-Sysmon-Operational.evtx

Indicators of Compromise (IOCs)

• Download domains: uc2f030016253ec53f4953980a4e.dl.dropboxusercontent.com

• Destination IP observed: 93.184.216.34 (port 80)

• Filenames / paths:

  • C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe

  • C:\Users\CYBERJ~1\AppData\Local\Temp\skZdsnwf.exe

  • C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\*

  • C:\Games\*

  • Preventivo24.02.14.exe.exe:Zone.Identifier

Chronological Attack Timeline

During the analysis of Microsoft-Windows-Sysmon-Operational.evtx, it was discovered that the binary Preventivo24.02.14.exe.exe was downloaded at 03:41:25 using Firefox by the user CyberJunkie from http://uc2f030016253ec53f4953980a4e.dl.dropboxusercontent.com/.

#❯ ./chainsaw hunt ../Microsoft-Windows-Sysmon-Operational.evtx -s sigma/ --mapping mappings/sigma-event-logs-all.yml
❯ ./chainsaw dump ../Microsoft-Windows-Sysmon-Operational.evtx --json | jq '.[].Event | select( .System.EventID == 22) | .EventData'

 ██████╗██╗  ██╗ █████╗ ██╗███╗   ██╗███████╗ █████╗ ██╗    ██╗
██╔════╝██║  ██║██╔══██╗██║████╗  ██║██╔════╝██╔══██╗██║    ██║
██║     ███████║███████║██║██╔██╗ ██║███████╗███████║██║ █╗ ██║
██║     ██╔══██║██╔══██║██║██║╚██╗██║╚════██║██╔══██║██║███╗██║
╚██████╗██║  ██║██║  ██║██║██║ ╚████║███████║██║  ██║╚███╔███╔╝
 ╚═════╝╚═╝  ╚═╝╚═╝  ╚═╝╚═╝╚═╝  ╚═══╝╚══════╝╚═╝  ╚═╝ ╚══╝╚══╝
    By WithSecure Countercept (@FranticTyping, @AlexKornitzer)

[+] Dumping the contents of forensic artefacts from: ../Microsoft-Windows-Sysmon-Operational.evtx (extensions: *)
[+] Loaded 1 forensic artefacts (1.1 MiB)
[+] Done
{
  "RuleName": "-",
  "UtcTime": "2024-02-14 03:41:25.269",
  "ProcessGuid": "817BDDF3-3514-65CC-0802-000000001900",
  "ProcessId": 4292,
  "QueryName": "uc2f030016253ec53f4953980a4e.dl.dropboxusercontent.com",
  "QueryStatus": "0",
  "QueryResults": "type:  5 edge-block-www-env.dropbox-dns.com;::ffff:162.125.81.15;198.51.44.6;2620:4d:4000:6259:7:6:0:1;198.51.45.6;2a00:edc0:6259:7:6::2;198.51.44.70;2620:4d:4000:6259:7:6:0:3;198.51.45.70;2a00:edc0:6259:7:6::4;",
  "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
  "User": "DESKTOP-887GK2L\\CyberJunkie"
}

At 03:41:56, CyberJunkie manually executed the binary, and at 03:41:57, a misconfiguration in msiexec.exe enabled achieved privilege escalation to NT Authority System via AlwaysInstallElevated.

❯ ./chainsaw dump ../Microsoft-Windows-Sysmon-Operational.evtx --json | jq '.[].Event | select( .System.EventID == 1) | .EventData'

 ██████╗██╗  ██╗ █████╗ ██╗███╗   ██╗███████╗ █████╗ ██╗    ██╗
██╔════╝██║  ██║██╔══██╗██║████╗  ██║██╔════╝██╔══██╗██║    ██║
██║     ███████║███████║██║██╔██╗ ██║███████╗███████║██║ █╗ ██║
██║     ██╔══██║██╔══██║██║██║╚██╗██║╚════██║██╔══██║██║███╗██║
╚██████╗██║  ██║██║  ██║██║██║ ╚████║███████║██║  ██║╚███╔███╔╝
 ╚═════╝╚═╝  ╚═╝╚═╝  ╚═╝╚═╝╚═╝  ╚═══╝╚══════╝╚═╝  ╚═╝ ╚══╝╚══╝
    By WithSecure Countercept (@FranticTyping, @AlexKornitzer)

[+] Dumping the contents of forensic artefacts from: ../Microsoft-Windows-Sysmon-Operational.evtx (extensions: *)
[+] Loaded 1 forensic artefacts (1.1 MiB)
[+] Done
{
  "RuleName": "technique_id=T1204,technique_name=User Execution",
  "UtcTime": "2024-02-14 03:41:56.538",
  "ProcessGuid": "817BDDF3-3684-65CC-2D02-000000001900",
  "ProcessId": 10672,
  "Image": "C:\\Users\\CyberJunkie\\Downloads\\Preventivo24.02.14.exe.exe",
  "FileVersion": "1.1.2",
  "Description": "Photo and vn Installer",
  "Product": "Photo and vn",
  "Company": "Photo and Fax Vn",
  "OriginalFileName": "Fattura 2 2024.exe",
  "CommandLine": "\"C:\\Users\\CyberJunkie\\Downloads\\Preventivo24.02.14.exe.exe\"",
  "CurrentDirectory": "C:\\Users\\CyberJunkie\\Downloads\\",
  "User": "DESKTOP-887GK2L\\CyberJunkie",
  "LogonGuid": "817BDDF3-311E-65CC-A7AE-1B0000000000",
  "LogonId": "0x1baea7",
  "TerminalSessionId": 1,
  "IntegrityLevel": "Medium",
  "Hashes": "SHA1=18A24AA0AC052D31FC5B56F5C0187041174FFC61,MD5=32F35B78A3DC5949CE3C99F2981DEF6B,SHA256=0CB44C4F8273750FA40497FCA81E850F73927E70B13C8F80CDCFEE9D1478E6F3,IMPHASH=36ACA8EDDDB161C588FCF5AFDC1AD9FA",
  "ParentProcessGuid": "817BDDF3-311F-65CC-0A01-000000001900",
  "ParentProcessId": 1116,
  "ParentImage": "C:\\Windows\\explorer.exe",
  "ParentCommandLine": "C:\\Windows\\Explorer.EXE",
  "ParentUser": "DESKTOP-887GK2L\\CyberJunkie"
}
{
  "RuleName": "technique_id=T1218,technique_name=Signed Binary Proxy Execution",
  "UtcTime": "2024-02-14 03:41:57.905",
  "ProcessGuid": "817BDDF3-3685-65CC-3002-000000001900",
  "ProcessId": 10324,
  "Image": "C:\\Windows\\SysWOW64\\msiexec.exe",
  "FileVersion": "5.0.19041.3636 (WinBuild.160101.0800)",
  "Description": "Windows® installer",
  "Product": "Windows Installer - Unicode",
  "Company": "Microsoft Corporation",
  "OriginalFileName": "msiexec.exe",
  "CommandLine": "\"C:\\Windows\\system32\\msiexec.exe\" /i \"C:\\Users\\CyberJunkie\\AppData\\Roaming\\Photo and Fax Vn\\Photo and vn 1.1.2\\install\\F97891C\\main1.msi\" AI_SETUPEXEPATH=C:\\Users\\CyberJunkie\\Downloads\\Preventivo24.02.14.exe.exe SETUPEXEDIR=C:\\Users\\CyberJunkie\\Downloads\\ EXE_CMD_LINE=\"/exenoupdates  /forcecleanup  /wintime 1707880560  \" AI_EUIMSI=\"\"",
  "CurrentDirectory": "C:\\Users\\CyberJunkie\\Downloads\\",
  "User": "DESKTOP-887GK2L\\CyberJunkie",
  "LogonGuid": "817BDDF3-311E-65CC-A7AE-1B0000000000",
  "LogonId": "0x1baea7",
  "TerminalSessionId": 1,
  "IntegrityLevel": "Medium",
  "Hashes": "SHA1=9AB9B12901E1EA2DF943B45AD20D8732618608CD,MD5=898277AC5894C4E1412A49040053B0D3,SHA256=445A2E800DC68DF89ABF713F3B4B632D40AE6310EF3660B42D974BB582426BC5,IMPHASH=E4E40938E4BF6C66424859ED02171C41",
  "ParentProcessGuid": "817BDDF3-3684-65CC-2D02-000000001900",
  "ParentProcessId": 10672,
  "ParentImage": "C:\\Users\\CyberJunkie\\Downloads\\Preventivo24.02.14.exe.exe",
  "ParentCommandLine": "\"C:\\Users\\CyberJunkie\\Downloads\\Preventivo24.02.14.exe.exe\"",
  "ParentUser": "DESKTOP-887GK2L\\CyberJunkie"
}

After the execution, the following files were created:

❯ ./chainsaw dump ../Microsoft-Windows-Sysmon-Operational.evtx --json | jq '.[].Event | select( .System.EventID == 11)' | grep -B 1 -A 2 Games

 ██████╗██╗  ██╗ █████╗ ██╗███╗   ██╗███████╗ █████╗ ██╗    ██╗
██╔════╝██║  ██║██╔══██╗██║████╗  ██║██╔════╝██╔══██╗██║    ██║
██║     ███████║███████║██║██╔██╗ ██║███████╗███████║██║ █╗ ██║
██║     ██╔══██║██╔══██║██║██║╚██╗██║╚════██║██╔══██║██║███╗██║
╚██████╗██║  ██║██║  ██║██║██║ ╚████║███████║██║  ██║╚███╔███╔╝
 ╚═════╝╚═╝  ╚═╝╚═╝  ╚═╝╚═╝╚═╝  ╚═══╝╚══════╝╚═╝  ╚═╝ ╚══╝╚══╝
    By WithSecure Countercept (@FranticTyping, @AlexKornitzer)

[+] Dumping the contents of forensic artefacts from: ../Microsoft-Windows-Sysmon-Operational.evtx (extensions: *)
[+] Loaded 1 forensic artefacts (1.1 MiB)
[+] Done
    "Image": "C:\\Users\\CyberJunkie\\Downloads\\Preventivo24.02.14.exe.exe",
    "TargetFilename": "C:\\Users\\CyberJunkie\\AppData\\Roaming\\Photo and Fax Vn\\Photo and vn 1.1.2\\install\\F97891C\\WindowsVolume\\Games\\c.cmd",
    "CreationUtcTime": "2024-02-14 03:41:58.389",
    "User": "DESKTOP-887GK2L\\CyberJunkie"
--
    "Image": "C:\\Users\\CyberJunkie\\Downloads\\Preventivo24.02.14.exe.exe",
    "TargetFilename": "C:\\Users\\CyberJunkie\\AppData\\Roaming\\Photo and Fax Vn\\Photo and vn 1.1.2\\install\\F97891C\\WindowsVolume\\Games\\cmmc.cmd",
    "CreationUtcTime": "2024-02-14 03:41:58.404",
    "User": "DESKTOP-887GK2L\\CyberJunkie"
--
    "Image": "C:\\Users\\CyberJunkie\\Downloads\\Preventivo24.02.14.exe.exe",
    "TargetFilename": "C:\\Users\\CyberJunkie\\AppData\\Roaming\\Photo and Fax Vn\\Photo and vn 1.1.2\\install\\F97891C\\WindowsVolume\\Games\\on.cmd",
    "CreationUtcTime": "2024-02-14 03:41:58.404",
    "User": "DESKTOP-887GK2L\\CyberJunkie"
--
    "Image": "C:\\Users\\CyberJunkie\\Downloads\\Preventivo24.02.14.exe.exe",
    "TargetFilename": "C:\\Users\\CyberJunkie\\AppData\\Roaming\\Photo and Fax Vn\\Photo and vn 1.1.2\\install\\F97891C\\WindowsVolume\\Games\\once.cmd",
    "CreationUtcTime": "2024-02-14 03:41:58.404",
    "User": "DESKTOP-887GK2L\\CyberJunkie"
--
    "Image": "C:\\Users\\CyberJunkie\\Downloads\\Preventivo24.02.14.exe.exe",
    "TargetFilename": "C:\\Users\\CyberJunkie\\AppData\\Roaming\\Photo and Fax Vn\\Photo and vn 1.1.2\\install\\F97891C\\WindowsVolume\\Games\\taskhost.exe",
    "CreationUtcTime": "2024-02-14 03:41:58.404",
    "User": "DESKTOP-887GK2L\\CyberJunkie"
--
    "Image": "C:\\Users\\CyberJunkie\\Downloads\\Preventivo24.02.14.exe.exe",
    "TargetFilename": "C:\\Users\\CyberJunkie\\AppData\\Roaming\\Photo and Fax Vn\\Photo and vn 1.1.2\\install\\F97891C\\WindowsVolume\\Games\\viewer.exe",
    "CreationUtcTime": "2024-02-14 03:41:58.420",
    "User": "DESKTOP-887GK2L\\CyberJunkie"
--
    "Image": "C:\\Windows\\system32\\msiexec.exe",
    "TargetFilename": "C:\\Games\\on.cmd",
    "CreationUtcTime": "2024-02-14 03:41:58.561",
    "User": "NT AUTHORITY\\SYSTEM"
--
    "Image": "C:\\Windows\\system32\\msiexec.exe",
    "TargetFilename": "C:\\Games\\c.cmd",
    "CreationUtcTime": "2024-02-14 03:41:58.561",
    "User": "NT AUTHORITY\\SYSTEM"
--
    "Image": "C:\\Windows\\system32\\msiexec.exe",
    "TargetFilename": "C:\\Games\\cmmc.cmd",
    "CreationUtcTime": "2024-02-14 03:41:58.577",
    "User": "NT AUTHORITY\\SYSTEM"
--
    "Image": "C:\\Windows\\system32\\msiexec.exe",
    "TargetFilename": "C:\\Games\\viewer.exe",
    "CreationUtcTime": "2024-02-14 03:41:58.577",
    "User": "NT AUTHORITY\\SYSTEM"
--
    "Image": "C:\\Windows\\system32\\msiexec.exe",
    "TargetFilename": "C:\\Games\\once.cmd",
    "CreationUtcTime": "2024-02-14 03:41:58.577",
    "User": "NT AUTHORITY\\SYSTEM"
--
    "Image": "C:\\Windows\\system32\\msiexec.exe",
    "TargetFilename": "C:\\Games\\taskhost.exe",
    "CreationUtcTime": "2024-02-14 03:41:58.592",
    "User": "NT AUTHORITY\\SYSTEM"

The analysis also indicated that Preventivo24.02.14.exe.exe established a connection to 93.184.216.34 .

❯ ./chainsaw dump ../Microsoft-Windows-Sysmon-Operational.evtx --json | jq '.[].Event | select( .System.EventID == 3) | .EventData'

 ██████╗██╗  ██╗ █████╗ ██╗███╗   ██╗███████╗ █████╗ ██╗    ██╗
██╔════╝██║  ██║██╔══██╗██║████╗  ██║██╔════╝██╔══██╗██║    ██║
██║     ███████║███████║██║██╔██╗ ██║███████╗███████║██║ █╗ ██║
██║     ██╔══██║██╔══██║██║██║╚██╗██║╚════██║██╔══██║██║███╗██║
╚██████╗██║  ██║██║  ██║██║██║ ╚████║███████║██║  ██║╚███╔███╔╝
 ╚═════╝╚═╝  ╚═╝╚═╝  ╚═╝╚═╝╚═╝  ╚═══╝╚══════╝╚═╝  ╚═╝ ╚══╝╚══╝
    By WithSecure Countercept (@FranticTyping, @AlexKornitzer)

[+] Dumping the contents of forensic artefacts from: ../Microsoft-Windows-Sysmon-Operational.evtx (extensions: *)
[+] Loaded 1 forensic artefacts (1.1 MiB)
[+] Done
{
  "RuleName": "technique_id=T1036,technique_name=Masquerading",
  "UtcTime": "2024-02-14 03:41:57.159",
  "ProcessGuid": "817BDDF3-3684-65CC-2D02-000000001900",
  "ProcessId": 10672,
  "Image": "C:\\Users\\CyberJunkie\\Downloads\\Preventivo24.02.14.exe.exe",
  "User": "DESKTOP-887GK2L\\CyberJunkie",
  "Protocol": "tcp",
  "Initiated": true,
  "SourceIsIpv6": false,
  "SourceIp": "172.17.79.132",
  "SourceHostname": "-",
  "SourcePort": 61177,
  "SourcePortName": "-",
  "DestinationIsIpv6": false,
  "DestinationIp": "93.184.216.34",
  "DestinationHostname": "-",
  "DestinationPort": 80,
  "DestinationPortName": "-"
}

Finally, once the malicious file infected the system and replicated itself the process is terminated at 03:41:58

❯ ./chainsaw dump ../Microsoft-Windows-Sysmon-Operational.evtx --json | jq '.[].Event | select( .System.EventID == 5) | .EventData'

 ██████╗██╗  ██╗ █████╗ ██╗███╗   ██╗███████╗ █████╗ ██╗    ██╗
██╔════╝██║  ██║██╔══██╗██║████╗  ██║██╔════╝██╔══██╗██║    ██║
██║     ███████║███████║██║██╔██╗ ██║███████╗███████║██║ █╗ ██║
██║     ██╔══██║██╔══██║██║██║╚██╗██║╚════██║██╔══██║██║███╗██║
╚██████╗██║  ██║██║  ██║██║██║ ╚████║███████║██║  ██║╚███╔███╔╝
 ╚═════╝╚═╝  ╚═╝╚═╝  ╚═╝╚═╝╚═╝  ╚═══╝╚══════╝╚═╝  ╚═╝ ╚══╝╚══╝
    By WithSecure Countercept (@FranticTyping, @AlexKornitzer)

[+] Dumping the contents of forensic artefacts from: ../Microsoft-Windows-Sysmon-Operational.evtx (extensions: *)
[+] Loaded 1 forensic artefacts (1.1 MiB)
[+] Done
{
  "RuleName": "-",
  "UtcTime": "2024-02-14 03:41:58.795",
  "ProcessGuid": "817BDDF3-3684-65CC-2D02-000000001900",
  "ProcessId": 10672,
  "Image": "C:\\Users\\CyberJunkie\\Downloads\\Preventivo24.02.14.exe.exe",
  "User": "DESKTOP-887GK2L\\CyberJunkie"
}

Timeline

EventID	Timeline	Description
22	2024-02-14 03:41:25	DNS Query to uc2f030016253ec53f4953980a4e.dl.dropboxusercontent.com
11	2024-02-14 03:41:26.4	The file Preventivo24.02.14.exe.exe was written on disk
1	2024-02-14 03:41:56.5	Preventivo24.02.14.exe.exe was executed for the user.
3	2024-02-14 03:41:57.1	A connection was established to 93.184.216.34
1	2024-02-14 03:41:57.9	Preventivo24.02.14.exe.exe was executed by msiexec.exe achieving the Privilege Escalation
5	2024-02-14 03:41:58.7	The process has finished

Recommendations

• Isolate the host from the network immediately to stop C2 / data exfiltration.

• Collect the malicious binary and compute hashes (SHA256/MD5).

  Get-FileHash -Algorithm SHA256 "C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe"

• Upload hashes / sample to VirusTotal or a malware analysis service (if allowed by policy).

• Search for persistence:

  • Registry Run/RunOnce keys, Scheduled Tasks, Services, Winlogon/Browser helper objects.

  • Check C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\ and C:\Games\.

  • Use Autoruns for a fast sweep.

• Collect memory dumps of suspicious PIDs (firefox.exe, svchost.exe, msiexec.exe, and the PID for the malware) for artifact and injection analysis (Volatility / Rekall).

• Block IOCs at the perimeter / EDR: the Dropbox CDN subdomain pattern, the IP 93.184.216.34, and file hashes once available.

• Perform host recovery (reimage) if persistence is confirmed or if in-memory compromise is significant. Rotate credentials used from the host.