LOL-Binary Copied From System Directory

 1title: LOL-Binary Copied From System Directory
 2id: f5d19838-41b5-476c-98d8-ba8af4929ee2
 3related:
 4    - id: fff9d2b7-e11c-4a69-93d3-40ef66189767
 5      type: derived
 6status: experimental
 7description: |
 8        Detects a suspicious copy operation that tries to copy a known LOLBIN from system (System32, SysWOW64, WinSxS) directories to another on disk in order to bypass detections based on locations.
 9references:
10    - https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120
11    - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
12    - https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/
13author: Nasreddine Bencherchali (Nextron Systems)
14date: 2023/08/29
15tags:
16    - attack.defense_evasion
17    - attack.t1036.003
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    selection_tools_cmd:
23        Image|endswith: '\cmd.exe'
24        CommandLine|contains: 'copy '
25    selection_tools_pwsh:
26        Image|endswith:
27            - '\powershell.exe'
28            - '\pwsh.exe'
29        CommandLine|contains:
30            - 'copy-item'
31            - ' copy '
32            - 'cpi '
33            - ' cp '
34    selection_tools_other:
35        - Image|endswith:
36              - '\robocopy.exe'
37              - '\xcopy.exe'
38        - OriginalFileName:
39              - 'robocopy.exe'
40              - 'XCOPY.EXE'
41    selection_target_path:
42        CommandLine|contains:
43            - '\System32'
44            - '\SysWOW64'
45            - '\WinSxS'
46    selection_target_lolbin:
47        CommandLine|contains:
48            # Note: add more binaries to increase coverage
49            - '\bitsadmin.exe'
50            - '\calc.exe'
51            - '\certutil.exe'
52            - '\cmdl32.exe'
53            - '\cscript.exe'
54            - '\mshta.exe'
55            - '\rundll32.exe'
56            - '\wscript.exe'
57    condition: 1 of selection_tools_* and all of selection_target_*
58falsepositives:
59    - Unknown
60level: high

References

• Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for 'geopol18.doc'

  Submit malware for free analysis with Falcon Sandbox and Hybrid Analysis technology. Hybrid Analysis develops and licenses analysis tools to fight malware.

  
  Read More

• SANNY Malware Delivery Method Updated in Recently Observed Attacks « SANNY Malware Delivery Method Updated in Recently Observed Attacks

  

  As part of recently observed attacks distributing SANNY malware, the threat actor has made significant changes to their usual malware delivery method.

  
  Read More

• HTML Smuggling Leads to Domain Wide Ransomware - The DFIR Report

  

  We’ve previously reported on a Nokoyawa ransomware case in which the initial access was via an Excel macro and IcedID malware. This case, which also ended in Nokoyawa Ransomware, involved … Read More

  
  Read More

Related rules

• Potential Defense Evasion Via Rename Of Highly Relevant Binaries
• Suspicious Copy From or To System Directory
• Windows Processes Suspicious Parent Directory
• Masquerading as Linux Crond Process
• Potential Defense Evasion Via Binary Rename