LOL-Binary Copied From System Directory

 1title: LOL-Binary Copied From System Directory
 2id: f5d19838-41b5-476c-98d8-ba8af4929ee2
 3related:
 4    - id: fff9d2b7-e11c-4a69-93d3-40ef66189767
 5      type: derived
 6status: test
 7description: |
 8        Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations.
 9references:
10    - https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120
11    - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
12    - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
13    - https://www.virustotal.com/gui/file/14e722855605ba78dc1d21153f0e1be90e7528149f2cd2d7d6eba8ef27534bdc/behavior
14author: Nasreddine Bencherchali (Nextron Systems)
15date: 2023-08-29
16modified: 2025-11-27
17tags:
18    - attack.defense-evasion
19    - attack.t1036.003
20logsource:
21    category: process_creation
22    product: windows
23detection:
24    selection_tools_cmd:
25        Image|endswith: '\cmd.exe'
26        CommandLine|contains: 'copy '
27    selection_tools_pwsh:
28        Image|endswith:
29            - '\powershell.exe'
30            - '\pwsh.exe'
31        CommandLine|contains:
32            - 'copy-item'
33            - ' copy '
34            - 'cpi '
35            - ' cp '
36    selection_tools_other:
37        - Image|endswith:
38              - '\robocopy.exe'
39              - '\xcopy.exe'
40        - OriginalFileName:
41              - 'robocopy.exe'
42              - 'XCOPY.EXE'
43    selection_target_path:
44        CommandLine|contains:
45            - '\System32'
46            - '\SysWOW64'
47            - '\WinSxS'
48    selection_target_lolbin:
49        CommandLine|contains:
50            # Note: add more binaries to increase coverage
51            - '\bitsadmin.exe'
52            - '\calc.exe'
53            - '\certutil.exe'
54            - '\cmdl32.exe'
55            - '\cscript.exe'
56            - '\mshta.exe'
57            - '\rundll32.exe'
58            - '\wscript.exe'
59            - '\ie4uinit.exe'
60    condition: 1 of selection_tools_* and all of selection_target_*
61falsepositives:
62    - Unknown
63level: high

References

• Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for 'geopol18.doc'

  Submit malware for free analysis with Falcon Sandbox and Hybrid Analysis technology. Hybrid Analysis develops and licenses analysis tools to fight malware.

  
  Read More

• SANNY Malware Delivery Method Updated in Recently Observed Attacks « SANNY Malware Delivery Method Updated in Recently Observed Attacks

  

  As part of recently observed attacks distributing SANNY malware, the threat actor has made significant changes to their usual malware delivery method.

  
  Read More

• HTML Smuggling Leads to Domain Wide Ransomware

  

  We’ve previously reported on a Nokoyawa ransomware case in which the initial access was via an Excel macro and IcedID malware. This case, which also ended in Nokoyawa Ransomware, involved the…

  
  Read More

• VirusTotal

  VirusTotal

  
  Read More

Related rules

• Suspicious Copy From or To System Directory
• Renamed Schtasks Execution
• Potential Defense Evasion Via Binary Rename
• Potential Defense Evasion Via Rename Of Highly Relevant Binaries
• Renamed Msdt.EXE Execution