- * ID: 1668
- * MalFamily: "Obfsobjdat"
- * MalScore: 10.0
- * File Name: "Docs_b8f612d289b9dc44404dfd6e06ef511e.doc"
- * File Size: 7172339
- * File Type: "Rich Text Format data, unknown version"
- * SHA256: "f138baa6bbf1d8a6b489bca3aa0308e08b1003e2f4a3be664b16e9dc8255bb1d"
- * MD5: "b8f612d289b9dc44404dfd6e06ef511e"
- * SHA1: "13b7c17fa90b4ad2f86e9aab28f29602018755dc"
- * SHA512: "47b7b226445d1fcfb5ce70465b00cf0b84163f85cd80e0011f6564799d932589d802d405bac67d405d4d15a234e4d82735ad45ffa0b00698765261ed2a696094"
- * CRC32: "A5F80AEC"
- * SSDEEP: "24576:DetDcFUeXpsNWPxNv4VGSYtgyRYcsAW97BOoDSKwIlVtV79Qck7M8iNV6qanqaIx:S"
- * Process Execution:
- "WINWORD.EXE",
- "svchost.exe",
- "EQNEDT32.EXE",
- "WmiPrvSE.exe",
- "svchost.exe",
- "WMIADAP.exe"
- * Executed Commands:
- "\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE\" -Embedding",
- "C:\\Users\\user\\AppData\\Roaming\\bab.exe"
- * Signatures Detected:
- "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
- "Details":
- "Description": "Possible date expiration check, exits too soon after checking local time",
- "Details":
- "process": "EQNEDT32.EXE, PID 2416"
- "Description": "Guard pages use detected - possible anti-debugging.",
- "Details":
- "Description": "The RTF file has an unknown version",
- "Details":
- "Description": "The EQNEDT32 equation process created a child process likely indicative of CVE-2017-11882 Office exploit",
- "Details":
- "created_process": "C:\\Users\\user\\AppData\\Roaming\\bab.exe"
- "Description": "Stack pivoting was detected when using a critical API",
- "Details":
- "process": "svchost.exe:1608"
- "Description": "Creates a hidden or system file",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\~$ywXIq0nkUgGf.doc"
- "Description": "File has been identified by 20 Antiviruses on VirusTotal as malicious",
- "Details":
- "MicroWorld-eScan": "Exploit.RTF-ObfsObjDat.Gen"
- "CAT-QuickHeal": "Exp.RTF.Obfus.Gen"
- "ALYac": "Exploit.RTF-ObfsObjDat.Gen"
- "ESET-NOD32": "probably a variant of Win32/Exploit.CVE-2017-11882.E"
- "GData": "Exploit.RTF-ObfsObjDat.Gen"
- "Kaspersky": "HEUR:Exploit.MSOffice.Generic"
- "BitDefender": "Exploit.RTF-ObfsObjDat.Gen"
- "Ad-Aware": "Exploit.RTF-ObfsObjDat.Gen"
- "TrendMicro": "HEUR_RTFMALFORM"
- "FireEye": "Exploit.RTF-ObfsObjDat.Gen"
- "Emsisoft": "Exploit.RTF-ObfsObjDat.Gen (B)"
- "MAX": "malware (ai score=81)"
- "Antiy-AVL": "TrojanExploit/RTF.Obscure.Gen"
- "Arcabit": "Exploit.RTF-ObfsObjDat.Gen"
- "ZoneAlarm": "HEUR:Exploit.MSOffice.Generic"
- "McAfee": "Exploit-cve2017-11882.cl"
- "TACHYON": "Trojan-Exploit/RTF.CVE-2017-11882"
- "Zoner": "Probably RTFObfuscationD"
- "Ikarus": "Exploit.CVE-2017-11882"
- "Qihoo-360": "susp.rtf.objupdate.c"
- * Started Service:
- * Mutexes:
- "CicLoadWinStaWinSta0",
- "Local\\MSCTF.CtfMonitorInstMutexDefault1",
- "Global\\ADAP_WMI_ENTRY",
- "Global\\RefreshRA_Mutex",
- "Global\\RefreshRA_Mutex_Lib",
- "Global\\RefreshRA_Mutex_Flag"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\mWywXIq0nkUgGf.doc",
- "C:\\Users\\user\\AppData\\Local\\Temp\\~$ywXIq0nkUgGf.doc",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.Word\\~WRFFC4CF83D-B61F-4D92-98A9-D5A830366FA7.tmp",
- "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
- "\\??\\PIPE\\samr",
- "C:\\Windows\\sysnative\\wbem\\repository\\WRITABLE.TST",
- "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING1.MAP",
- "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING2.MAP",
- "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING3.MAP",
- "C:\\Windows\\sysnative\\wbem\\repository\\OBJECTS.DATA",
- "C:\\Windows\\sysnative\\wbem\\repository\\INDEX.BTR",
- "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER"
- * Deleted Files:
- * Modified Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Resiliency\\StartupItems\\'<g",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Security\\Trusted Documents\\LastPurgeTime",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Roaming\\RoamingConfigurableSettings",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Roaming\\RoamingLastSyncTime",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Roaming\\RoamingLastWriteTime",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products\\00005109E60090400000000000F01FEC\\Usage\\ProductNonBootFilesIntl_1033",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products\\00005119110000000000000000F01FEC\\Usage\\OUTLOOKFiles",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products\\00005109E60090400000000000F01FEC\\Usage\\EquationEditorFilesIntl_1033",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart",
- "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Wbem\\Transports\\Decoupled\\Server",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\CreationTime",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\MarshaledProxy",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\ProcessIdentifier",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ConfigValueEssNeedsLoading",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\List of event-active namespaces",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\ESS\\//./root/CIMV2\\SCM Event Provider"
- * Deleted Registry Keys:
- * DNS Communications:
- "type": "A",
- "request": "plantorelaunch.com",
- "answers":
- * Domains:
- "ip": "192.185.54.30",
- "domain": "plantorelaunch.com"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- * Network Communication - IRC: