#IOC #OptiData #VR #OfflRouter #W97M #AutoOpen #macroworm #spreadbyanydoc
https://pastebin.com/mwt1seDE

previous_contact:
https://radetskiy.wordpress.com/2018/03/23/ioc_vba_d0c_worm_140318/

FAQ:
https://mobile.twitter.com/malwrhunterteam/status/999722052029501440
https://twitter.com/malwrhunterteam/status/999730366561865728/
https://www.csirt.gov.sk/aktualne-7d7.html?id=151

attack_vector
--------------
email attach .DOC > macro > Users\Public\ctrlpanel.exe

email_headers
--------------
n/a

files
--------------
SHA-256   -NDA-
File name -NDA-.doc (initial infected doc) [Microsoft Word 2007+]
File size 116.32 KB (119111 bytes)

SHA-256   10e720fbcf797a2f40fbaa214b3402df14b7637404e5e91d7651bd13d28a69d8
File name ctrlpanel.exe [PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly]
File size 34.5 KB (35328 bytes)

activity
**************
PL_SCR - inside infected docm file
C2     - no ntwrk activity

netwrk
--------------
n/a - no ntwrk activity

comp
--------------
n/a - no ntwrk activity

proc
--------------
"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\operator\Desktop\-NDA-.doc" /o "u"
c:\Users\Public\ctrlpanel.exe

[another thread]
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding

-cycle-
search all .doc files
copy .doc to %temp%
inject macros and ctrlpanel.exe in %temp%
overwrite original files

persist
--------------
under_user  - no persist
under_admin - broken persist by reg:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 22.10.2019 17:43
Ctrlpanel File not found: c:\Users\Public.exe
c:\Users\Public

drop
--------------
c:\Users\Public\ctrlpanel.exe
%temp%\*.doc - all DOCs are injected
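The cycle and drop sections above describe Word 2007+ containers that keep a .doc extension after macros are injected; as an added triage example (not code from the original paste or its author), this Python helper flags .doc files whose zip container carries word/vbaProject.bin and, as a heuristic that is my assumption rather than a finding of the note, any zip part that starts with an MZ header. The sample documents it builds are constructed placeholders, not the real infected files.

```python
import io
import zipfile

OOXML_MAGIC = b"PK\x03\x04"         # Word 2007+ documents are zip containers
MACRO_PART = "word/vbaProject.bin"  # zip part that carries VBA macros
PE_MAGIC = b"MZ"                    # DOS/PE header, used here as a heuristic (assumption)

def inspect_doc(data: bytes) -> dict:
    """Inspect one document's bytes: OOXML container? VBA part present? MZ-headed parts?"""
    findings = {"ooxml": False, "vba_project": False, "embedded_pe": []}
    if not data.startswith(OOXML_MAGIC):
        return findings                  # legacy CFB .doc or other format: out of scope
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    findings["ooxml"] = True
    for name in zf.namelist():
        if name == MACRO_PART:
            findings["vba_project"] = True
        with zf.open(name) as part:      # flag any part that starts like a PE file
            if part.read(2) == PE_MAGIC:
                findings["embedded_pe"].append(name)
    return findings

def scan_files(files: dict) -> list:
    """Return (name, findings) for each '.doc' carrying a VBA part or an MZ-headed part."""
    hits = []
    for name, data in files.items():
        if not name.lower().endswith(".doc"):
            continue
        f = inspect_doc(data)
        if f["vba_project"] or f["embedded_pe"]:
            hits.append((name, f))
    return hits

def build_samples() -> dict:
    """Constructed inputs: a clean OOXML file saved as .doc and a stand-in for an injected
    one (VBA part plus an MZ-headed part). All contents are fabricated placeholders."""
    def ooxml(extra: dict) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("[Content_Types].xml", "<Types/>")
            zf.writestr("word/document.xml", "<w:document/>")
            for part, body in extra.items():
                zf.writestr(part, body)
        return buf.getvalue()
    injected = {MACRO_PART: b"\xd0\xcf\x11\xe0 placeholder", "word/embeddings/ctrlpanel.exe": b"MZ placeholder"}
    return {"clean.doc": ooxml({}), "injected.doc": ooxml(injected), "notes.txt": b"x"}
```

On a host, feed scan_files a mapping built from the user's %temp% and c:\Users\Public, the two locations the note lists, and treat any hit as a document to quarantine and hash-compare against the IOC.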
# # #
https://www.virustotal.com/gui/file/10e720fbcf797a2f40fbaa214b3402df14b7637404e5e91d7651bd13d28a69d8/details
https://analyze.intezer.com/#/analyses/509b542f-dd0e-4042-8e29-ea8c9dcddb09
VR
@