VRad

#OfflRouter_080221

Feb 9th, 2021 (edited)
#IOC #OptiData #VR #OfflRouter #W97M #AutoOpen #macroworm #spreadbyanydoc

https://pastebin.com/NLMQ6W1b

previous_contact:
21/10/19 https://pastebin.com/mwt1seDE
14/03/18 https://radetskiy.wordpress.com/2018/03/23/ioc_vba_d0c_worm_140318/

FAQ:
https://mobile.twitter.com/malwrhunterteam/status/999722052029501440
https://twitter.com/malwrhunterteam/status/999730366561865728/
https://www.csirt.gov.sk/aktualne-7d7.html?id=151

attack_vector
--------------
email attach .DOC > macro > Users\Public\ctrlpanel.exe

email_headers
--------------
n/a

files
--------------
SHA-256 -NDA-
File name -NDA-.doc (initial infected doc) [Microsoft Word 2007+]
File size 199.34 KB (204122 bytes)

SHA-256 10e720fbcf797a2f40fbaa214b3402df14b7637404e5e91d7651bd13d28a69d8
File name ctrlpanel.exe [PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly]
File size 34.50 KB (35328 bytes)

activity
**************
PL_SCR - inside infected docm file

C2 - no ntwrk activity

netwrk
--------------
n/a - no ntwrk activity

comp
--------------
n/a - no ntwrk activity

proc
--------------
"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\operator\Desktop\-NDA-.doc" /o "u"
c:\Users\Public\ctrlpanel.exe

[another thread]

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding

-cycle-
search all .doc files
copy .doc to %temp%
inject macros and ctrlpanel.exe in %temp%
overwrite original files

persist
--------------
under_user - no persist

under_admin - broken persist by reg:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 08.02.2021 17:43
Ctrlpanel File not found: c:\Users\Public.exe
c:\Users\Public

drop
--------------
c:\Users\Public\ctrlpanel.exe
%temp%\*.doc - all DOCs are injected

# # #
https://www.virustotal.com/gui/file/10e720fbcf797a2f40fbaa214b3402df14b7637404e5e91d7651bd13d28a69d8/details
https://analyze.intezer.com/analyses/5ba1fd1c-2e33-46d8-8aa7-af4c819b3962

VR
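Triage helper for the cycle, persist and drop sections above. This is an added example, not the author's tooling: it takes the ctrlpanel.exe hash, the c:\Users\Public drop path and the "Ctrlpanel" Run-key value name from this note, and assumes (the note does not say so explicitly) that the re-injected documents are Word 2007+ OOXML zip containers, so a file named *.doc that is really a zip holding word/vbaProject.bin or a zip member starting with an MZ header is flagged. Function names and the constructed sample container are the example's own.

```python
"""Offline triage for the OfflRouter indicators in this note (added example)."""
import hashlib
import io
import sys
import zipfile
from pathlib import Path

# Indicators copied from the note: ctrlpanel.exe hash, drop path, Run-key value name.
CTRLPANEL_SHA256 = "10e720fbcf797a2f40fbaa214b3402df14b7637404e5e91d7651bd13d28a69d8"
CTRLPANEL_PATH = Path(r"C:\Users\Public\ctrlpanel.exe")
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Ctrlpanel"


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches_ctrlpanel_hash(data: bytes) -> bool:
    """True when the bytes hash to the ctrlpanel.exe indicator above."""
    return sha256_of_bytes(data) == CTRLPANEL_SHA256


def inspect_doc_bytes(data: bytes) -> dict:
    """Classify the content of a file carrying a .doc extension.

    Assumption: injected files are OOXML (zip) containers. A zip with
    word/vbaProject.bin, or with any member starting with an MZ header, is
    reported; legacy OLE .doc files are returned as not-OOXML and not inspected.
    """
    result = {"is_ooxml": False, "has_vba_project": False, "embeds_pe": False}
    if not data.startswith(b"PK\x03\x04"):
        return result
    result["is_ooxml"] = True
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if name.lower() == "word/vbaproject.bin":
                    result["has_vba_project"] = True
                # Any member beginning with a DOS/PE header is an embedded executable.
                if zf.read(name).startswith(b"MZ"):
                    result["embeds_pe"] = True
    except zipfile.BadZipFile:
        pass  # truncated container: report what was seen so far
    return result


def is_suspicious_doc(data: bytes) -> bool:
    r = inspect_doc_bytes(data)
    return r["is_ooxml"] and (r["has_vba_project"] or r["embeds_pe"])


def scan_tree(root) -> list:
    """Return *.doc paths under root whose content looks injected."""
    hits = []
    for path in Path(root).rglob("*.doc"):
        try:
            if is_suspicious_doc(path.read_bytes()):
                hits.append(str(path))
        except OSError:
            continue  # unreadable file; skip rather than abort the scan
    return hits


def check_host() -> dict:
    """Check for the dropped binary and for the Run-key entry the note recorded."""
    findings = {"ctrlpanel_present": False, "ctrlpanel_hash_match": False, "run_value": None}
    if CTRLPANEL_PATH.is_file():
        findings["ctrlpanel_present"] = True
        findings["ctrlpanel_hash_match"] = matches_ctrlpanel_hash(CTRLPANEL_PATH.read_bytes())
    if sys.platform == "win32":
        import winreg  # registry read only; the value is reported, never changed
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
                findings["run_value"] = winreg.QueryValueEx(key, RUN_VALUE)[0]
        except OSError:
            pass  # value absent
    return findings


def build_sample_doc(with_macro: bool, with_pe: bool) -> bytes:
    """Constructed zip container for offline testing; not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed vba storage")
        if with_pe:
            zf.writestr("word/embeddings/oleObject1.bin", b"MZ\x90\x00 constructed stub")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("suspicious .doc:", hit)
    print(check_host())
```

Run it with the user's %temp% (and any document share the host touched) as the argument; the note shows the worm stages copies there before overwriting originals, so hits in %temp% are the earliest place to confirm the cycle ran. The Run-key value is read only when the script runs on Windows, and it returns whatever string is stored, which in the case recorded above was the broken "c:\Users\Public.exe" path.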