Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: New Tool to Add to Your LOLBAS List: cvtres.exe SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
New Tool to Add to Your LOLBAS List: cvtres.exe

LOLBAS (“Living Off the Land Binaries And Scripts”) is a list of tools[1] that are present on any Windows system because they are provided by Microsoft as useful tools to perform system maintenance, updates, etc. This list is maintained and upgraded regularly. This is a good starting point when you need to investigate suspicious processes activity on a system (proactively or in forensics investigation).

I spotted a piece of malicious script (SHA256:d3a85fbecfc581e1113de2ec8c97e8e15f0c06e9a0f8628269221669f5ca9726) with a VT score of 10/57[2]. It launches a PowerShell script nicely obfuscated. The behavior is classic, it performs code injection but it also compiles some code on the fly. csc.exe is used to build a DLL:

csc.exe /noconfig /fullpaths @"C:\Users\user01\AppData\Local\Temp\8dfrgm9n.cmdline"

The .cmdline file contains:

\xfeff/t:library /utf8output /R:"System.dll" /R:"C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /out:"C:\Users\user01\AppData\Local\Temp\8dfrgm9n.dll" /debug- /optimize+ "C:\Users\user01\AppData\Local\Temp\8dfrgm9n.0.cs"

And the .cs file:

\xfeff using System; using System.Runtime.InteropServices; namespace pikl { public class jip { [Flags] public enum AllocationType { Commit = 14096-10000, Reserve = 8190+2 } [Flags] public enum MemoryProtection { ExecuteReadWrite = 60+4 } [Flags] public enum Time : uint { Infinite = 4294967294+1 } [DllImport("ker"+"nel"+"32.d"+"ll")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect); [DllImport("ke"+"rnel3"+"2.dl"+"l")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId); [DllImport("k"+"ern"+"el32.dl"+"l")] public static extern int WaitForSingleObject(IntPtr hHandle, Time dwMilliseconds); } }

Then the script calls another tool from the .Net framework: cvtres.exe:

cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user01\AppData\Local\Temp\RES4D10.tmp" "c:\Users\user01\AppData\Local\Temp\CSC4D00.tmp"

What’s the purpose of this tool? CvtRes stands for "Convert Resource Files To COFF Objects". It converts ".res" resource files into Common Object File Format (COFF[3]) ".obj" object files that the linker can link into a finished ".exe" PE application file.

The malware tries to connect to certificates[.]updatecenter[.]icu but it does not resolve at this time.

So, cvtres.exe is a new tool to add to your LOLBAS list!

[1] https://lolbas-project.github.io
[2] https://www.virustotal.com/gui/file/d3a85fbecfc581e1113de2ec8c97e8e15f0c06e9a0f8628269221669f5ca9726/details
[3] https://en.wikipedia.org/wiki/COFF

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

I will be teaching next: Reverse-Engineering Malware: Malware Analysis Tools and Techniques - SANS London November 2021 - Live Online

Xme

645 Posts
ISC Handler
Oct 1st 2021

Sign Up for Free or Log In to start participating in the conversation!