wword.exe — Malware Analysis Report (Part 2)

Andrew Petrus
6 min read · Mar 24, 2024


In Part 1 of this post, I analyzed a suspicious Word document named “China Navy First Training 2024(CN).docx” and extracted base64-encoded data that had been planted in a presentation slide. I then converted it back to an executable, which left us with a file named ‘wword.exe’.
Let’s examine this executable and try to get an idea of what it does.

Malware Overview

This malware is known by a few different names, according to VirusTotal.

wword.exe
download.exe
MWPAK
6e4a4d25c2e8f5bacc7e0f1c8b538b8ad61571266f271cfdfc14725b3be02613.exe
6e4a4d25c2e8f5bacc7e0f1c8b538b8ad61571266f271cfdfc14725b3be02613.exe.vir

VirusTotal states this malware has capabilities such as detecting debugging environments, long sleeps, calling WMI queries, etc.

File type

The malware is a Windows 64-bit PE.

andrew@ubuntu-desktop:~/Downloads/samples$ file wword.exe 
wword.exe: PE32+ executable (console) x86-64, for MS Windows

PEStudio

Opening the executable in PEStudio, we see some interesting information.

Compiler-stamp: Mon Jan 08 08:17:02 2024 | UTC
Architecture: 64-bit
SHA256: 6E4A4D25C2E8F5BACC7E0F1C8B538B8AD61571266F271CFDFC14725B3BE02613
Imphash: e38fdd24a557560b44064de789e643b1
Debug file: C:\Users\user\Documents\Project-M\Visual Studio\MW-PAK\x64\Release\MW-PAK.pdb

Looking at the sections, mainly the raw size versus the virtual size, there are no indications of a packed executable, and Detect It Easy does not detect any packers either.
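
The raw-size versus virtual-size comparison is quick to script, and pairing it with per-section entropy also catches packers that Detect It Easy has no signature for. The following is an added example, not code from the original post: a stdlib-only parser of the PE section table that reports both measures, exercised against a constructed synthetic PE image rather than the wword.exe sample. The 4:1 size ratio and the 7.0 bits/byte entropy threshold are assumptions chosen for the example, not published rules.

```python
import math
import struct
from collections import Counter

SECTION_HEADER = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER: 40 bytes, little-endian


def shannon_entropy(buf):
    """Entropy in bits per byte: 0.0 for one repeated value, 8.0 for uniformly random data."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def parse_sections(pe):
    """Walk DOS header -> PE signature -> COFF header -> section table using only struct."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]   # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]      # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                               # section table follows the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, _va, rsize, rptr, *_ = struct.unpack_from(SECTION_HEADER, pe, table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": rsize,
            "entropy": shannon_entropy(pe[rptr:rptr + rsize]),
        })
    return sections


def assess_packing(sections, ratio_limit=4.0, entropy_limit=7.0):
    """Flag sections whose size ratio or entropy suggests a packer. Thresholds are assumptions."""
    findings = []
    for s in sections:
        flags = []
        if s["raw_size"] == 0:
            if s["virtual_size"] > 0:
                flags.append("no raw data: section is filled at runtime")
        elif s["virtual_size"] / s["raw_size"] > ratio_limit:
            flags.append("virtual size far larger than raw size")
        if s["entropy"] >= entropy_limit:
            flags.append("high entropy: compressed or encrypted content")
        findings.append({**s, "flags": flags, "suspicious": bool(flags)})
    return findings


def _align(n, a):
    return (n + a - 1) // a * a


def build_synthetic_pe(sections):
    """Constructed test input: a minimal, non-runnable PE32+ image from (name, virtual_size, raw_bytes) tuples."""
    e_lfanew, opt_size = 0x40, 240
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B).ljust(opt_size, b"\0")  # PE32+ magic, remaining fields zeroed
    headers_end = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr, va = _align(headers_end, 0x200), 0x1000
    table, bodies = b"", b""
    for name, vsize, data in sections:
        raw_size = _align(len(data), 0x200)
        table += struct.pack(SECTION_HEADER, name, vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        bodies += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += _align(max(vsize, raw_size, 1), 0x1000)
    image = (dos + b"PE\0\0" + coff + opt + table).ljust(_align(headers_end, 0x200), b"\0")
    return image + bodies


if __name__ == "__main__":
    # Two constructed images: a plain one and one shaped like a packed binary.
    plain = build_synthetic_pe([(b".text", 4096, b"\x90" * 4000 + b"\xc3" * 96), (b".data", 512, b"A" * 512)])
    packed = build_synthetic_pe([(b".stub0", 0x20000, b""), (b".stub1", 0x5000, bytes(range(256)) * 16)])
    for label, image in (("plain", plain), ("packed-looking", packed)):
        for f in assess_packing(parse_sections(image)):
            print(f"{label:15} {f['name']:8} raw={f['raw_size']:#8x} virt={f['virtual_size']:#8x} "
                  f"entropy={f['entropy']:.2f} {'; '.join(f['flags']) or 'ok'}")
```

On a real sample, replace the synthetic image with `open("wword.exe", "rb").read()`; a section with no raw data but a large virtual size, or an executable section with near-8.0 entropy, is the pattern PEStudio's raw/virtual columns would have shown if the file were packed.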

Strings

The total number of strings reported by PEStudio is 3948, too many to look at without some help.
A lot of the strings look like junk, so for this task I ran FLOSS; the useful strings it extracted are below.

As we can see below, FLOSS successfully extracted a URL for us.
We also discover the executable’s capability to load other libraries at runtime using ‘LdrLoadDll’.
We can also see other libraries below that weren’t listed in PEStudio, such as ‘ntdll.dll’ and ‘Wininet.dll’.
We also see the use of the VirtualProtect function, confirming the capability to modify memory protection, most likely for process injection.

───────────────────── 
FLOSS TIGHT STRINGS
─────────────────────

syncscheduler[.]com
/r3diRecT/redirector/proxy.php
LdrLoadDll
ntdll.dll
Wininet.dll
InternetOpenA
InternetConnectA
HttpOpenRequestA
HttpAddRequestHeadersA
Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.521.0 Safari/534.8
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.53 Safari/534.3
HttpSendRequestW
InternetReadFile
InternetCloseHandle
InternetSetOptionA
VirtualProtect

I also wanted to include the following WMI query that I found as a string. This query is known to be used for the purpose of detecting if the executable is being run inside a VM (see T1047).

SELECT * FROM Win32_ComputerSystemProduct

In a VirtualBox VM, this query outputs the following:
IdentifyingNumber : 0
Name : VirtualBox
Vendor : innotek GmbH
Version : 1.2
Caption : Computer System Product

Libraries

PEStudio lists 16 total libraries imported.

Capa

Capa confirms anti-static analysis capability. Having a closer look, I found the ‘IsDebuggerPresent’ API being used.

Capa also confirms the malware’s ability to execute shellcode via indirect call and read and write files, among other things.

Debug

In PEStudio, this executable displays some information in the debug tab. These could possibly be used as an IOC, as the debug file name appears to be unique.

SHA256: 7F76FA26DF36307D40EF926839B37C2BEA6A92B8DBB8B8BA2CC389B41627E45C
File: C:\Users\user\Documents\Project-M\Visual Studio\MW-PAK\x64\Release\MW-PAK.pdb

VirusTotal

VirusTotal shows us 18 detections. In the community tab, we can see that someone else has confirmed that this file is also named wword.exe, and we can see a couple of sandboxes flagging this file as malicious.

Dynamic Analysis

Online Sandboxes

I decided to run this sample through two sandbox providers as I wasn’t getting the full picture.

Both sandboxes reported the file as malicious, but neither of them listed any network activity. That was strange, because we extracted a URL during static analysis and have shown that this executable can open new internet connections: it loads Wininet.dll dynamically at runtime.

Manual Blackboxing

I decided I’d try blackboxing the malware in my malware analysis lab.
While running Procmon and Wireshark, I executed the malware and monitored the output.

Wireshark

The first thing I discovered was a POST request to the URL we found earlier.

The POST request contained two form items:

Form Item: "uD" = "80F87EF3-97F4-49B3-B689-4AE1DB3F4DA1"
Form Item: "xifangtaiyang" = ""

  • The first form item, ‘uD’, is equal to a GUID found inside the HardwareConfig key in the registry of my malware analysis box. This key contains information such as the make, model, and BIOS of the PC.
  • The second form item has only a key, with no value set. The key, ‘xifangtaiyang’, translates to ‘western sun’ from Chinese.

As the Wireshark screenshot shows, the server returned a 200 status, but that is only because I had FakeNet set up. I wanted to see what would happen if I actually sent this exact POST request to the website.

After sending the POST request, I received a 200 status again and nothing else. To be honest, I was expecting some sort of payload in the response, but maybe this isn’t part of the C2’s function, or maybe I did something wrong.

If you visit hxxp[://]syncscheduler[.]com/r3diRecT/redirector/proxy.php in your browser (please be safe), you will be redirected to the China Government homepage.

Procmon

After seeing what the malware was doing in Procmon, I think I’ve drawn a conclusion about the type of malware we’re dealing with here.

Most of the activity of this malware involves querying, opening, and then closing either registry keys or directories.

I also noticed that the malware dropped a text file, ‘index.txt’, in the directory ‘AppData\Roaming’. This text file is empty.

You can see our 3-way handshake with the C2 at the top of the screenshot, followed by a bunch of QueryDirectory operations. It seems like the malware is looking through all the directories in common folders such as OneDrive, Downloads, Desktop, Documents, etc.

Once the malware finishes reading through the directories, it closes the network connection to the C2 and issues a thread exit and a process exit.
I should note, though, that the process still remained running in Process Explorer (Procexp) and had to be closed manually.

IOCs

URL/IP

hxxp[://]syncscheduler[.]com/r3diRecT/redirector/proxy.php
146.70.80[.]58
146.70.157[.]120

Files

C:\Users\*USER*\AppData\Roaming\index.txt
C:\Users\user\Documents\Project-M\Visual Studio\MW-PAK\x64\Release\MW-PAK.pdb

Hashes

SHA256: 6e4a4d25c2e8f5bacc7e0f1c8b538b8ad61571266f271cfdfc14725b3be02613
Imphash: e38fdd24a557560b44064de789e643b1
SSDEEP: 3072:qzpAwgKHghdPfnirlU38P7TLQN5W3XkTWMydTKt09/2RcJbbqkoHGT9EaRPVfiso:mpHghdPm28P7INoI099vvTeUBAj

Registry keys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-1713707619-2082378315-3023862978-1001\\Device\HarddiskVolume2\Users\*USER*\Desktop\wword.exe

Possible IPS/IDS IOCs

User Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.521.0 Safari/534.8
User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.53 Safari/534.3
Form Item: key: 'uD' & value: '*LastConfig GUID*'
Form Item: key: 'xifangtaiyang' & value: ''
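
The POST request captured in the Wireshark section and the IPS/IDS indicators listed here combine into a small matcher. The following is an added example, not code from the original post: it parses a raw HTTP request, checks the C2 host and path, the two spoofed User-Agent strings and the ‘uD’/‘xifangtaiyang’ form keys, and is run over a constructed beacon and a constructed benign request. The GUID in the sample request is made up, and only its format is checked, not whether it matches a HardwareConfig value; the domain is kept defanged in the indicator table and refanged only for comparison.

```python
import re
from urllib.parse import parse_qs

# Indicators from the report above; the domain stays defanged and is refanged only here.
C2_HOST = "syncscheduler[.]com".replace("[.]", ".")
C2_PATH = "/r3diRecT/redirector/proxy.php"
USER_AGENTS = {
    "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.521.0 Safari/534.8",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.53 Safari/534.3",
}
GUID_RE = re.compile(r"^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into method, path, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def match_indicators(raw):
    """Return the names of every report indicator the request matches, in a fixed order."""
    req = parse_http_request(raw)
    hits = []
    if req["headers"].get("host", "").lower() == C2_HOST:
        hits.append("c2_host")
    if req["path"] == C2_PATH:
        hits.append("c2_path")
    if req["headers"].get("user-agent") in USER_AGENTS:
        hits.append("known_user_agent")
    if req["method"] == "POST":
        # keep_blank_values keeps "xifangtaiyang=" (empty value) as a key
        form = parse_qs(req["body"], keep_blank_values=True)
        if GUID_RE.match(form.get("uD", [""])[0]):
            hits.append("form_uD_guid")
        if "xifangtaiyang" in form:
            hits.append("form_xifangtaiyang")
    return hits


def is_wword_beacon(raw):
    """Either the full form signature or the exact C2 endpoint is enough to alert on."""
    hits = set(match_indicators(raw))
    return {"form_uD_guid", "form_xifangtaiyang"} <= hits or {"c2_host", "c2_path"} <= hits


# Constructed sample requests (the GUID is made up, not the one from the author's lab box).
_BODY = "uD=11111111-2222-3333-4444-555555555555&xifangtaiyang="
SAMPLE_BEACON = (
    f"POST {C2_PATH} HTTP/1.1\r\n"
    f"Host: {C2_HOST}\r\n"
    f"User-Agent: {sorted(USER_AGENTS)[0]}\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"Content-Length: {len(_BODY)}\r\n\r\n"
    f"{_BODY}"
)
SAMPLE_BENIGN = "GET /index.html HTTP/1.1\r\nHost: example.com\r\nUser-Agent: curl/8.0\r\n\r\n"

if __name__ == "__main__":
    for label, raw in (("beacon", SAMPLE_BEACON), ("benign", SAMPLE_BENIGN)):
        print(f"{label}: {match_indicators(raw)} -> alert={is_wword_beacon(raw)}")
```

Run over a stream of reassembled requests (for example, exported from Wireshark's HTTP dissector), this gives the same two-form-key signature an IDS rule would carry, while the separate `match_indicators` list makes it clear which part of a partial match fired.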

Conclusion

Judging from all the information we’ve gathered so far, I believe we are dealing with some sort of information or file stealer. Feel free to reach out to me on Twitter (@AndrewPetrus) for any questions or comments.
