LOL-Binary Copied From System Directory
Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations.
Sigma rule
title: LOL-Binary Copied From System Directory
id: f5d19838-41b5-476c-98d8-ba8af4929ee2
related:
    - id: fff9d2b7-e11c-4a69-93d3-40ef66189767
      type: derived
status: test
description: |
    Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations.
references:
    - https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120
    - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
    - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023-08-29
tags:
    - attack.defense-evasion
    - attack.t1036.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_tools_cmd:
        Image|endswith: '\cmd.exe'
        CommandLine|contains: 'copy '
    selection_tools_pwsh:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains:
            - 'copy-item'
            - ' copy '
            - 'cpi '
            - ' cp '
    selection_tools_other:
        - Image|endswith:
              - '\robocopy.exe'
              - '\xcopy.exe'
        - OriginalFileName:
              - 'robocopy.exe'
              - 'XCOPY.EXE'
    selection_target_path:
        CommandLine|contains:
            - '\System32'
            - '\SysWOW64'
            - '\WinSxS'
    selection_target_lolbin:
        CommandLine|contains:
            # Note: add more binaries to increase coverage
            - '\bitsadmin.exe'
            - '\calc.exe'
            - '\certutil.exe'
            - '\cmdl32.exe'
            - '\cscript.exe'
            - '\mshta.exe'
            - '\rundll32.exe'
            - '\wscript.exe'
    condition: 1 of selection_tools_* and all of selection_target_*
falsepositives:
    - Unknown
level: high
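To see how the three tool selections and the two target selections combine under the rule's condition, here is an added Python evaluator that is not code from the rule's author or from the Sigma project. It re-implements only what this rule needs (the `|contains` and `|endswith` modifiers, plain equality, Sigma's default case-insensitive string matching, and the `1 of ... and all of ...` condition) and runs the logic over constructed process_creation events; the event field names follow the Sigma process_creation schema, and every path and command line in the sample events is made up.

```python
"""Re-implementation of the detection logic of the Sigma rule
'LOL-Binary Copied From System Directory' for testing against sample events.

Added example, not the rule author's or the Sigma project's code. It covers
only the modifiers this rule uses (|contains, |endswith, plain equality),
Sigma's default case-insensitive matching, and the condition
'1 of selection_tools_* and all of selection_target_*'.
"""
from typing import Any

# Selections transcribed from the rule. A mapping is an AND of its field tests,
# a list of mappings (selection_tools_other) is an OR over the alternatives,
# and a list of values for one field is an OR over those values.
SELECTIONS: dict[str, Any] = {
    "selection_tools_cmd": {
        "Image|endswith": r"\cmd.exe",
        "CommandLine|contains": "copy ",
    },
    "selection_tools_pwsh": {
        "Image|endswith": [r"\powershell.exe", r"\pwsh.exe"],
        "CommandLine|contains": ["copy-item", " copy ", "cpi ", " cp "],
    },
    "selection_tools_other": [
        {"Image|endswith": [r"\robocopy.exe", r"\xcopy.exe"]},
        {"OriginalFileName": ["robocopy.exe", "XCOPY.EXE"]},
    ],
    "selection_target_path": {
        "CommandLine|contains": [r"\System32", r"\SysWOW64", r"\WinSxS"],
    },
    "selection_target_lolbin": {
        "CommandLine|contains": [
            r"\bitsadmin.exe", r"\calc.exe", r"\certutil.exe", r"\cmdl32.exe",
            r"\cscript.exe", r"\mshta.exe", r"\rundll32.exe", r"\wscript.exe",
        ],
    },
}


def _field_matches(event: dict, key: str, wanted: Any) -> bool:
    """Evaluate one 'Field|modifier: value(s)' test, case-insensitively."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    values = wanted if isinstance(wanted, list) else [wanted]
    for value in values:
        value = str(value).lower()
        if modifier == "contains" and value in actual:
            return True
        if modifier == "endswith" and actual.endswith(value):
            return True
        if modifier == "" and actual == value:
            return True
    return False


def selection_matches(event: dict, selection: Any) -> bool:
    """A mapping must satisfy every field test; a list needs any one mapping."""
    if isinstance(selection, list):
        return any(selection_matches(event, alt) for alt in selection)
    return all(_field_matches(event, k, v) for k, v in selection.items())


def rule_matches(event: dict) -> bool:
    """condition: 1 of selection_tools_* and all of selection_target_*"""
    tools = [n for n in SELECTIONS if n.startswith("selection_tools_")]
    targets = [n for n in SELECTIONS if n.startswith("selection_target_")]
    return any(selection_matches(event, SELECTIONS[n]) for n in tools) and all(
        selection_matches(event, SELECTIONS[n]) for n in targets
    )


# Constructed process_creation events (not real telemetry); all paths are made up.
EVENTS = [
    # 1. cmd.exe copying certutil.exe out of System32: matches.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy C:\Windows\System32\certutil.exe C:\Users\Public\cu.exe"},
    # 2. PowerShell 7 Copy-Item of mshta.exe (mixed case is fine): matches.
    {"Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "CommandLine": r"pwsh.exe -Command Copy-Item C:\Windows\System32\mshta.exe $env:TEMP\m.exe"},
    # 3. xcopy of notepad.exe: system path present but not a listed LOLBIN, no match.
    {"Image": r"C:\Windows\System32\xcopy.exe", "OriginalFileName": "XCOPY.EXE",
     "CommandLine": r"xcopy C:\Windows\System32\notepad.exe C:\Temp"},
    # 4. certutil.exe copied from a non-system folder: no system path, no match.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c copy C:\Tools\certutil.exe C:\Users\Public\cu.exe"},
    # 5. Source is not in a system folder, but argv[0] carries \System32, so the
    #    substring test still fires: the path test is not bound to the copy source.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c copy C:\Tools\certutil.exe D:\cu.exe'},
    # 6. xcopy renamed on disk; OriginalFileName from the PE header still identifies it.
    {"Image": r"C:\Users\Public\xc.exe", "OriginalFileName": "XCOPY.EXE",
     "CommandLine": r"xc.exe C:\Windows\SysWOW64\rundll32.exe C:\Temp"},
]


def evaluate_all() -> list[bool]:
    """Run the rule over every sample event and return the verdicts in order."""
    return [rule_matches(e) for e in EVENTS]


if __name__ == "__main__":
    for event, hit in zip(EVENTS, evaluate_all()):
        print("MATCH  " if hit else "no     ", event["CommandLine"])
```

Two points worth noting when tuning this rule: event 5 shows that `selection_target_path` is a plain substring test over the whole command line, so a fully qualified `cmd.exe` in argv[0] satisfies it even when the copied file lives elsewhere, and event 6 shows why the `OriginalFileName` alternative matters for renamed copies of robocopy/xcopy. Precision is driven almost entirely by `selection_target_lolbin`; extending that list, as the rule's own comment suggests, is how coverage grows.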
Related rules
- File Download Via Bitsadmin
- File Download Via Bitsadmin To A Suspicious Target Folder
- File Download Via Bitsadmin To An Uncommon Target Folder
- File With Suspicious Extension Downloaded Via Bitsadmin
- Masquerading as Linux Crond Process