Potential Compromised 3CXDesktopApp Execution

 1title: Potential Compromised 3CXDesktopApp Execution
 2id: 93bbde78-dc86-4e73-9ffc-ff8a384ca89c
 3related:
 4    - id: 3c4b3bbf-36b4-470c-b6cf-f07e8b1c7e26 # Proxy C2
 5      type: similar
 6    - id: 76bc1601-9546-4b75-9419-06e0e8d10651 # Proxy GH
 7      type: similar
 8    - id: bd03a0dc-5d93-49eb-b2e8-2dfd268600f8 # DNS C2
 9      type: similar
10    - id: 51eecf75-d069-43c7-9ea2-63f75499edd4 # net_connection C2
11      type: similar
12    - id: 63f3605b-979f-48c2-b7cc-7f90523fed88 # ProcCreation ChildProc
13      type: similar
14    - id: e7581747-1e44-4d4b-85a6-0db0b4a00f2a # ProcCreation Update
15      type: similar
16    - id: d0b65ad3-e945-435e-a7a9-438e62dd48e9 # ImageLoad
17      type: similar
18status: test
19description: Detects execution of known compromised version of 3CXDesktopApp
20references:
21    - https://www.reddit.com/r/crowdstrike/comments/125r3uu/20230329_situational_awareness_crowdstrike/
22author: Nasreddine Bencherchali (Nextron Systems)
23date: 2023-03-29
24modified: 2024-11-23
25tags:
26    - attack.defense-evasion
27    - attack.t1218
28    - attack.execution
29    - detection.emerging-threats
30logsource:
31    category: process_creation
32    product: windows
33detection:
34    selection_hashes:
35        Hashes|contains:
36            # 3CX Desktop 18.12.407
37            - 'SHA256=DDE03348075512796241389DFEA5560C20A3D2A2EAC95C894E7BBED5E85A0ACC'
38            - 'SHA256=54004DFAA48CA5FA91E3304FB99559A2395301C570026450882D6AAD89132A02'
39            - 'SHA256=D45674F941BE3CCA2FBC1AF42778043CC18CD86D95A2ECB9E6F0E212ED4C74AE'
40            - 'SHA1=480DC408EF50BE69EBCF84B95750F7E93A8A1859'
41            - 'SHA1=3B43A5D8B83C637D00D769660D01333E88F5A187'
42            - 'SHA1=6285FFB5F98D35CD98E78D48B63A05AF6E4E4DEA'
43            - 'MD5=BB915073385DD16A846DFA318AFA3C19'
44            - 'MD5=08D79E1FFFA244CC0DC61F7D2036ACA9'
45            - 'MD5=4965EDF659753E3C05D800C6C8A23A7A'
46            # 3CX Desktop 18.12.416
47            - 'SHA256=FAD482DED2E25CE9E1DD3D3ECC3227AF714BDFBBDE04347DBC1B21D6A3670405'
48            - 'SHA256=5D99EFA36F34AA6B43CD81E77544961C5C8D692C96059FEF92C2DF2624550734'
49            - 'SHA256=A60A61BF844BC181D4540C9FAC53203250A982E7C3AD6153869F01E19CC36203'
50            - 'SHA1=E272715737B51C01DC2BED0F0AEE2BF6FEEF25F1'
51            - 'SHA1=8433A94AEDB6380AC8D4610AF643FB0E5220C5CB'
52            - 'SHA1=413D9CBFCBF8D1E8304EAB0AA5484F5EEC5185F5'
53            - 'MD5=9833A4779B69B38E3E51F04E395674C6'
54            - 'MD5=704DB9184700481A56E5100FB56496CE'
55            - 'MD5=8EE6802F085F7A9DF7E0303E65722DC0'
56            # 3CXDesktopApp MSI
57            - 'SHA256=AA124A4B4DF12B34E74EE7F6C683B2EBEC4CE9A8EDCF9BE345823B4FDCF5D868'
58            - 'SHA256=59E1EDF4D82FAE4978E97512B0331B7EB21DD4B838B850BA46794D9C7A2C0983'
59            - 'SHA1=BEA77D1E59CF18DCE22AD9A2FAD52948FD7A9EFA'
60            - 'SHA1=BFECB8CE89A312D2EF4AFC64A63847AE11C6F69E'
61            - 'MD5=F3D4144860CA10BA60F7EF4D176CC736'
62            - 'MD5=0EEB1C0133EB4D571178B2D9D14CE3E9'
63    selection_pe_1:
64        - OriginalFileName: '3CXDesktopApp.exe'
65        - Image|endswith: '\3CXDesktopApp.exe'
66        - Product: '3CX Desktop App'
67    selection_pe_2:
68        FileVersion|contains: '18.12.'
69    condition: all of selection_pe_* or selection_hashes
70falsepositives:
71    - Legitimate usage of 3CXDesktopApp
72level: high