CyberThreatIntel/cybercriminal groups/TA505/04-10-2019/Malware Analysis 04-10-2019.md at master · StrangerealIntel/CyberThreatIntel
By StrangerealIntel. Archived: 2026-04-06 00:25:45 UTC
https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/cybercriminal%20groups/TA505/04-10-2019/Malware%20Analysis%2004-10-2019.md

# Analysis of the new TA505 campaign

## Table of Contents

* Malware analysis
* Cyber Threat Intel
* Indicators Of Compromise (IOC)
* References MITRE ATT&CK Matrix
* Links
  + Original Tweet
  + Link Anyrun

## Malware analysis

The initial vector is a malicious Excel file that uses an XLM macro (Excel 4.0 macro). It relies on a function that launches the payload when the Excel window becomes active (selected as the primary window). Its first action is to execute Module 1.

The function called in Module 1 creates a WScript object to change the current directory, shows a fake message and pushes debug messages. The UserForm then extracts and executes a different PE depending on the architecture of the victim (x86 or x64).

As an anti-forensic technique, the macro deletes the dropped files by calling the Kill function.

We can note that one function is unused and seems to be a leftover from the development of the macro.

The executed implant loads everything in memory with a call to the VirtualAlloc function.

Once done, it checks the system information and the processes running on the computer, and tries to detect whether it runs in a sandbox (small disk size).

It sends this information to the C2 and waits for the next instruction from the group.
The information sent can be listed in the following variables:

| Variable | Description |
| --- | --- |
| `&D=` | Name of the computer |
| `&U=` | Name of the user |
| `&OS=` | Version of the OS |
| `&PR=` | List of processes (separated by `%7C`, the URL encoding of `\|`) |

It is presented this way (extracted from the sandbox):

```
&D=User-PC&U=admin&OS=6.1&PR=Dwm.exe%7CEXCEL.EXE%7CExplorer.EXE%7Ctaskhost.exe%7Cwindanr.exe%7C
```

It is interesting to note that the group only collects the process list in order to see whether the victim has security measures in place (AV, endpoint protection, etc.) before launching the next step. According to the latest analyses on this subject, that next step drops the Clop ransomware. The group is currently changing the certificate it uses to sign its payloads in order to bypass security measures, as can be seen in the analyses of VK_Intel:

* https://twitter.com/VK_Intel/status/1162810558774747137
* https://twitter.com/VK_Intel/status/1157761784582983685
* https://twitter.com/VK_Intel/status/1157742218549039105
* https://twitter.com/VK_Intel/status/1155381658746589185
* https://twitter.com/VK_Intel/status/1145041163839266823
* https://twitter.com/VK_Intel/status/1136069755222335490

## Cyber Threat Intel

Recently, new domains used by the group were spotted by Suspicious Link. In the HTML document, we can see that the fake page impersonates Dropbox by using external references, and we can see the path to the malicious Excel document.

We can also see that the personal information used looks like that of the Office of the Prime Minister of the Republic of Armenia.
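Returning to the check-in beacon described in the malware analysis section (the `&D=`, `&U=`, `&OS=` and `&PR=` fields), the following is an added example of how a defender can decode that beacon and hunt for it in web-proxy logs. It is not code from the StrangerealIntel page or from the malware. The list of security-product process names, the log lines and the request shape (method, path and whether the fields travel in the query string) are constructed assumptions for illustration; the first log line reuses the beacon string captured in the sandbox above.

```python
"""Decode and hunt the TA505 check-in beacon (&D=/&U=/&OS=/&PR=).

Added example, not the page's or the malware's own code. The process
list, the log lines and the URL shape are constructed assumptions.
"""
from urllib.parse import parse_qs, urlsplit

# Assumption: a short, illustrative set of security-product process names.
# A real detection would use the organisation's own endpoint inventory.
SECURITY_PROCESSES = {
    "msmpeng.exe",         # Windows Defender antimalware engine
    "mssense.exe",         # Defender for Endpoint sensor
    "csfalconservice.exe", # CrowdStrike Falcon
    "sentinelagent.exe",   # SentinelOne
    "avp.exe",             # Kaspersky
}

# Constructed proxy-style log lines. Line 1 carries the beacon captured in
# the sandbox; line 3 shows a host where an AV process is running.
LOG_LINES = [
    "2019-10-04T10:01:12Z 10.0.0.12 GET https://windows-wsus-en.com/version"
    "?&D=User-PC&U=admin&OS=6.1&PR=Dwm.exe%7CEXCEL.EXE%7CExplorer.EXE%7C"
    "taskhost.exe%7Cwindanr.exe%7C 200",
    "2019-10-04T10:01:13Z 10.0.0.12 GET https://www.example.com/search?q=excel 200",
    "2019-10-04T10:03:40Z 10.0.0.20 POST https://windows-msd-update.com/"
    "?&D=WS-07&U=jdoe&OS=10.0&PR=MsMpEng.exe%7CEXCEL.EXE%7Cexplorer.exe%7C 200",
]

BEACON_FIELDS = ("D", "U", "OS", "PR")


def decode_beacon(query: str) -> dict:
    """Parse the beacon query string into named fields.

    parse_qs already URL-decodes the values, so %7C becomes '|'. The
    process list has a trailing separator, hence empty items are dropped.
    """
    fields = parse_qs(query.lstrip("?&"), keep_blank_values=True)
    procs = [p for p in fields.get("PR", [""])[0].split("|") if p]
    return {
        "computer": fields.get("D", [""])[0],
        "user": fields.get("U", [""])[0],
        "os": fields.get("OS", [""])[0],
        "processes": procs,
    }


def security_products(procs) -> list:
    """Return the process names (original case) that match the AV/EDR set."""
    return sorted(p for p in procs if p.lower() in SECURITY_PROCESSES)


def find_beacons(log_lines) -> list:
    """Scan log lines for requests whose query carries all four beacon fields."""
    hits = []
    for line in log_lines:
        url = next((tok for tok in line.split() if "://" in tok), None)
        if url is None:
            continue
        parts = urlsplit(url)
        fields = parse_qs(parts.query, keep_blank_values=True)
        if not all(k in fields for k in BEACON_FIELDS):
            continue
        beacon = decode_beacon(parts.query)
        beacon["host"] = parts.hostname
        beacon["security_products"] = security_products(beacon["processes"])
        hits.append(beacon)
    return hits


if __name__ == "__main__":
    for hit in find_beacons(LOG_LINES):
        print(f"{hit['host']}: {hit['computer']}\\{hit['user']} OS {hit['os']} "
              f"procs={len(hit['processes'])} security={hit['security_products']}")
```

The second hit is the one the operators would discard: an AV process appears in `&PR=`, which is exactly the signal the group collects the process list for. Matching on the four-field shape rather than on a C2 hostname keeps the hunt useful when the group rotates domains.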
## Cyber kill chain

The process graphs summarise all the cyber kill chains used by the attacker.

## References MITRE ATT&CK Matrix

List of all the references with the MITRE ATT&CK Matrix:

| Enterprise tactics | Techniques used | Ref URL |
| --- | --- | --- |
| Execution | Execution through Module Load | https://attack.mitre.org/techniques/T1129/ |
| Discovery | Query Registry | https://attack.mitre.org/techniques/T1012/ |

## Indicators Of Compromise (IOC)

List of all the Indicators Of Compromise (IOC). Where the Description column holds a hash, it is the hash of the file named in the Indicator column; note that these SHA-256 values are truncated in this archive (48 to 50 hex characters instead of 64).

| Indicator | Description |
| --- | --- |
| 147.135.204.64 | IP C2 |
| 18.194.14.44 | IP Requested |
| 183.111.138.244 | IP Requested |
| 185.33.87.27 | IP Requested |
| 192.99.211.205 | IP C2 |
| 3ee37a570cc968ca2ad5a99f920c9332 | D8EA1BAE84345D1A432E872811E9ECBCF84DE0BA6CB36053 |
| 44a20233b3c3b1defcd7484d241c5be6 | 09A887F08C7F252E642805DDFF5F1FDC390F675E603C994C3C |
| 53b2c9d906fc9075fa375295c5bdcf5b | 0776289CAC9F64211D5E5DDF14973157160DDCFBE2979D2E40 |
| 89c3a79864a0f0fa5a6cd3f87e8bd3271d1265b4d632bb32bb6be02425b4fe78 | 89C3A79864A0F0FA5A6CD3F87E8BD3271D1265B4D632BB32B |
| `C:\Users\admin\AppData\Roaming\{97B34601-5B4A-40AF-8963-D8C75594998B} - 1.dll` | 0AF713AB3D6D17CD6B96D78FAC2677FE3B5B0051CF8B67347 |
| `C:\Users\admin\AppData\Roaming\module_p1.dll` | 57D29E8BA4D1C0ECAD75F2B9EEBEF757D872169C3270DABA |
| `C:\Users\admin\AppData\Roaming\module_p2.dll` | C16D2A23A27C1E9EAE34D01613C4BAB0FE4871F1D8A72D5C |
| c6d17efb69bd4a7ac8f9dc11f810c30b | 77D8E6C621EA96AF5A677397FE367DC60689D7F4F40B0A60A |
| Cheque.xls | 375159A45823FF4EAFBA0C364209EB7C35B353E3C64B69978C |
| chogoon.com | Domain Requested |
| doc 6172.xls | 564CF47E84589D5E130E0502B403DF4E9648B9AFEA47372D0F |
| ed0cde28ce66713974e339715bdde62b | CBAAB49338F8F2A9F56575702D9943A3DAFD78EF7812FABFF |
| f46e2c2925e6196fae3112fd0bcbb8c2 | AD5910E44A63C0FC02376277D28D306A236CB87BCC0FA08B3 |
| hxxps://chogoon[.]com/srt/gedp4 | HTTP/HTTPS requests |
| hxxps://windows-wsus-en[.]com/version | HTTP/HTTPS requests |
| Invoice 7173.xls | BAEE4D4F8838CD7107977D960E4478279E9F321D21CB15126C |
| J_280586 | D8EA1BAE84345D1A432E872811E9ECBCF84DE0BA6CB36053 |
| LET 7833.xls | 544154ED4B0495EBD44210AC6EAC4B5D7B9C9BE36B61D214 |
| Letter 7711.xls | E7379BB7A4B46E2378D5722FD2C8F4AE31A2AE15D5A900660 |
| office365-update-eu.com | Domain C2 |
| Receipt 0787.xls | 564CF47E84589D5E130E0502B403DF4E9648B9AFEA47372D0F |
| Receipt 4685 YJLJ.xls | 564CF47E84589D5E130E0502B403DF4E9648B9AFEA47372D0F |
| sample1.xls | 6118EC7C0F06B45368DBD85B8F83958FC1F02F85E743F9CD82 |
| sample4.XLS | 566745CE483F3DC1744C757DD7348CE0844BAF5DB8CDF28F2 |
| windows-wsus-en.com | Domain C2 |
| Xerox Scan_84676113847687.XLS | 8741346FB8D6C2F4CA80FA2B176F162AF620F86C5FFC895C84 |
| Xerox.csv | 566745CE483F3DC1744C757DD7348CE0844BAF5DB8CDF28F2 |
| 162.125.66.1 | IP Requested |
| 172.217.16.141 | IP Requested |
| 45.63.11.216 | IP Requested |
| 54.83.52.76 | IP Requested |
| 96.44.166.189 | IP Requested |
| a78e87d350c8cf3f6d7db126c5fadd7d837aef23df01194fc0973561cd20818e.xls | A78E87D350C8CF3F6D7DB126C5FADD7D837AEF23DF01194F |
| `C:\Users\admin\AppData\Roaming\libMongo1.dll` | 4414195087F01719270AE41F45953139CAF2F24A10C96D56EB2 |
| `C:\Users\admin\Downloads\request.xls` | 34242C2D4A3EF625A6DA375B85B34A3FD3CAFB04442A43837 |
| dropbox-download.com | Domain Requested |
| hxxps://dropbox-download[.]com | HTTP/HTTPS requests |
| hxxps://dropbox-download[.]com/?05041770570340 | HTTP/HTTPS requests |
| hxxps://dropbox-download[.]com/?05610068412737 | HTTP/HTTPS requests |
| hxxps://dropbox-download[.]com/?35277620367160 | HTTP/HTTPS requests |
| hxxps://dropbox-download[.]com/download.php | HTTP/HTTPS requests |
| request.xls | A78E87D350C8CF3F6D7DB126C5FADD7D837AEF23DF01194F |
| windows-msd-update.com | Domain C2 |

This list can be exported in JSON format.

## Links

### Original tweet

* https://twitter.com/James_inthe_box/status/1179077549302829056
* https://twitter.com/KorbenD_Intel/status/1179858006584037377
* https://twitter.com/58_158_177_102/status/1177498806016823296
* https://twitter.com/killamjr/status/1181294324061003777

### Link Anyrun

* Letter 7711.xls
* REP 7072.xls

Source: https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/cybercriminal%20groups/TA505/04-10-2019/Malware%20Analysis%2004-10-2019.md
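The IOC table above mixes defanged URLs, domains, IPs, file names, file paths and (truncated) hashes in the same two columns, and the page notes that the list can be exported as JSON. The following added example, which is not the repository's own exporter, shows how to classify each indicator by its shape, refang the `hxxp`/`[.]` notation for machine use, and emit JSON records while flagging hashes that are too short to be full SHA-256 values. The sample rows are copied from the table; the type labels and the record layout are this script's own choices.

```python
"""Classify the IOC rows above and export them as JSON.

Added example, not the StrangerealIntel repository's exporter. The
sample rows are copied from the table; type labels are this script's own.
"""
import ipaddress
import json
import re

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
FILE_EXTENSIONS = (".xls", ".xlsx", ".csv", ".dll", ".doc", ".exe")

# Sample rows copied from the IOC table (indicator, description).
SAMPLE_ROWS = [
    ("147.135.204.64", "IP C2"),
    ("3ee37a570cc968ca2ad5a99f920c9332",
     "D8EA1BAE84345D1A432E872811E9ECBCF84DE0BA6CB36053"),
    ("hxxps://chogoon[.]com/srt/gedp4", "HTTP/HTTPS requests"),
    ("chogoon.com", "Domain Requested"),
    ("Letter 7711.xls", "E7379BB7A4B46E2378D5722FD2C8F4AE31A2AE15D5A900660"),
    ("C:\\Users\\admin\\AppData\\Roaming\\module_p1.dll",
     "57D29E8BA4D1C0ECAD75F2B9EEBEF757D872169C3270DABA"),
    ("89c3a79864a0f0fa5a6cd3f87e8bd3271d1265b4d632bb32bb6be02425b4fe78",
     "89C3A79864A0F0FA5A6CD3F87E8BD3271D1265B4D632BB32B"),
    ("J_280586", "D8EA1BAE84345D1A432E872811E9ECBCF84DE0BA6CB36053"),
]


def refang(value: str) -> str:
    """Undo the hxxp / [.] defanging used in the table."""
    return value.replace("hxxp", "http").replace("[.]", ".")


def classify(indicator: str) -> str:
    """Label an indicator by its shape. Order matters: a hex-looking file
    name such as 'a78e...e.xls' must be tested for an extension before
    the domain regex sees it."""
    v = refang(indicator)
    if v.lower().startswith(("http://", "https://")):
        return "url"
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        pass
    if HEX_RE.match(v):
        return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(v), "hash-truncated")
    if DRIVE_PATH_RE.match(v):
        return "file-path"
    if v.lower().endswith(FILE_EXTENSIONS):
        return "file-name"
    if DOMAIN_RE.match(v):
        return "domain"
    return "other"


def to_record(indicator: str, description: str) -> dict:
    """Build one JSON-ready record; hex descriptions are file hashes."""
    rec = {"indicator": indicator, "type": classify(indicator),
           "description": description}
    if rec["type"] in ("url", "domain"):
        rec["refanged"] = refang(indicator)
    if HEX_RE.match(description):
        rec["hash"] = description.lower()
        rec["hash_type"] = classify(description)   # sha256 or hash-truncated
    return rec


def export_records(rows) -> list:
    return [to_record(i, d) for i, d in rows]


def export_json(rows) -> str:
    return json.dumps(export_records(rows), indent=2)


if __name__ == "__main__":
    print(export_json(SAMPLE_ROWS))
```

Keeping the original defanged string alongside the refanged one lets the JSON feed a blocklist without the indicator becoming clickable in a report, and the `hash-truncated` label stops a 48-character value from being loaded into a tool as if it were a complete SHA-256.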