Malware Sample Inspected
Trickbot COVID-19 macro lure (via Microsoft), SHA-256: ec34b207d503a3c95ee743ee296a08e93a5e960aa4611ea8c39d8e5d4c5f6593
test.js
// Benign test payload: spawns calc.exe through WScript.Shell, with the call wrapped in eval()
// so the launch happens from dynamically evaluated code rather than a direct statement.
// Presumably used to check how the script host / code integrity policy treats it — confirm against the policy under test.
eval("WScript.CreateObject(\"WScript.Shell\").Run(\"calc.exe\");");
<?xml version="1.0" encoding="utf-8"?> | |
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy"> | |
<VersionEx>10.0.1.0</VersionEx> | |
<PolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyID> | |
<BasePolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</BasePolicyID> | |
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID> | |
<Rules> | |
<Rule> | |
<Option>Enabled:Unsigned System Integrity Policy</Option> | |
</Rule> |
Trickbot COVID-19 macro lure (via Microsoft), SHA-256: ec34b207d503a3c95ee743ee296a08e93a5e960aa4611ea8c39d8e5d4c5f6593
test.js
// Benign test payload: spawns calc.exe through WScript.Shell, with the call wrapped in eval()
// so the launch happens from dynamically evaluated code rather than a direct statement.
// Presumably used to check how the script host / code integrity policy treats it — confirm against the policy under test.
eval("WScript.CreateObject(\"WScript.Shell\").Run(\"calc.exe\");");
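# Personal preference. I like landing on the Desktop
Set-Location $Env:USERPROFILE\Desktop

# Determine whether this session is running with an elevated (Administrator) token.
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())

# If the current session is elevated, prefix the prompt with '[Admin]' as a standing reminder.
# The prompt body is a script block rather than an expandable double-quoted string: with a
# string, $executionContext...CurrentLocation and $nestedPromptLevel are expanded once when
# the profile loads and the prompt keeps showing the start-up location forever. A script
# block re-evaluates them every time the prompt is drawn.
if ($currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Set-Item -Path Function:\prompt -Value {
        "[Admin] PS $($executionContext.SessionState.Path.CurrentLocation)$('>' * ($nestedPromptLevel + 1)) "
    }
}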
# This script requires Win 10 Enterprise to run Get-SystemDriver, unfortunately. | |
# Note: Get-SystemDriver will take a long time if it has a lot of files and folders to recurse through. | |
$ScanPath = 'C:\Windows' | |
# All supported ECC signatures algorithms according to wincrypt.h in the SDK. | |
$ECCSignatureAlgorithms = @( | |
'1.2.840.10045.4.1', # szOID_ECDSA_SHA1 | |
'1.2.840.10045.4.3', # szOID_ECDSA_SPECIFIED | |
'1.2.840.10045.4.3.2', # szOID_ECDSA_SHA256 |
# Hex string taken from the "para" field of Audit-CVE event ID 1 event in the Application log.
# It is the raw DER blob the event carries; the parsing step below is what turns it into
# something readable.
$EventParaString = '3081E0020101302C06072A8648CE3D0101022100A9FB57DBA1EEA9BC3E660A909D838D726E3BF623D52620282013481D1F6E5377304404207D5A0975FC2C3057EEF67530417AFFE7FB8055C126DC5C6CE94A4B44F330B5D9042026DC5C6CE94A4B44F330B5D9BBD77CBF958416295CF7E1CE6BCCDC18FF8C07B60441048BD2AEB9CB7E57CB2C4B482FFC81B7AFB9DE27E1E3BD23C23A4453BD9ACE3262547EF835C3DAC4FD97F8461A14611DC9C27745132DED8E545C1D54C72F046997022100A9FB57DBA1EEA9BC3E660A909D838D718C397AA3B561A6F7901E0E82974856A7020101'

# Convert the hex string to a byte array: walk the string two hex digits at a time and
# parse each pair as a base-16 byte.
[Byte[]] $EventParaBytes = for ($offset = 0; $offset -lt $EventParaString.Length; $offset += 2) {
    [Convert]::ToByte($EventParaString.Substring($offset, 2), 16)
}

# Save the byte array to disk. $PWD is passed explicitly because [IO.File] resolves relative
# paths against the process working directory, which need not match the PowerShell location.
[IO.File]::WriteAllBytes("$PWD\ECCCurveParams.bin", $EventParaBytes)
# Use certutil to parse the ASN.1-encoded ECC curve parameters |
<?xml version="1.0"?> | |
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy"> | |
<VersionEx>10.0.0.0</VersionEx> | |
<BasePolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</BasePolicyID> | |
<PolicyID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyID> | |
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID> | |
<Rules> | |
<Rule> | |
<Option>Enabled:UMCI</Option> | |
</Rule> |
function Get-CodeIntegrityEvent { | |
<# | |
.SYNOPSIS | |
Returns code integrity event log audit/enforcement events in a more human-readable fashion. | |
.DESCRIPTION | |
Get-CodeIntegrityEvent retrieves and parses Microsoft-Windows-CodeIntegrity/Operational PE audit and enforcement events into a format that is more human-readable. This function is designed to facilitate regular code integrity policy baselining. |
<?xml version="1.0"?> | |
<SiPolicy xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="urn:schemas-microsoft-com:sipolicy"> | |
<VersionEx>10.0.17689.0</VersionEx> | |
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID> | |
<PolicyID>{D2BDA982-CCF6-4344-AC5B-0B44427B6816}</PolicyID> | |
<BasePolicyID>{D2BDA982-CCF6-4344-AC5B-0B44427B6816}</BasePolicyID> | |
<Rules> | |
<Rule> | |
<Option>Enabled:Unsigned System Integrity Policy</Option> | |
</Rule> |
| Module | Function |
|---|---|
| C:\Windows\System32\advpack.dll | DelNodeRunDLL32W |
| C:\Windows\System32\advpack.dll | DelNodeRunDLL32A |
| C:\Windows\System32\advpack.dll | DelNodeRunDLL32 |
| C:\Windows\System32\ConnectedAccountState.dll | ActionCenterRunDllW |
| C:\Windows\System32\cryptcatsvc.dll | CatDbOfflineRebuildDatabasesRundll32W |
| C:\Windows\System32\cscui.dll | CSCOptions_RunDLLW |
| C:\Windows\System32\cscui.dll | CSCOptions_RunDLLA |
| C:\Windows\System32\cscui.dll | CSCOptions_RunDLL |
| C:\Windows\System32\devmgr.dll | DeviceProblenWizard_RunDLLW |
$Source = @' | |
using System; | |
using System.Runtime.InteropServices; | |
using System.Text; | |
public class Win32Native { | |
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)] | |
public static extern IntPtr LoadLibraryEx(string libFilename, IntPtr reserved, int flags); | |
[DllImport("kernel32.dll", CharSet = CharSet.Unicode)] |