#OfflRouter_211019

#IOC #OptiData #VR #OfflRouter #W97M #AutoOpen #macroworm #spreadbyanydoc

https://pastebin.com/mwt1seDE

previous_contact:
https://radetskiy.wordpress.com/2018/03/23/ioc_vba_d0c_worm_140318/

FAQ:
https://mobile.twitter.com/malwrhunterteam/status/999722052029501440
https://twitter.com/malwrhunterteam/status/999730366561865728/
https://www.csirt.gov.sk/aktualne-7d7.html?id=151

attack_vector
--------------
email attach .DOC > macro > Users\Public\ctrlpanel.exe

email_headers
--------------
n/a

files
--------------
SHA-256		-NDA-
File name	-NDA-.doc (initial infected doc)	[Microsoft Word 2007+]
File size	116.32 KB (119111 bytes)

SHA-256		10e720fbcf797a2f40fbaa214b3402df14b7637404e5e91d7651bd13d28a69d8
File name	ctrlpanel.exe		[PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly]
File size	34.5 KB (35328 bytes)

activity
**************
PL_SCR	- inside infected docm file

C2	- no ntwrk activity

netwrk
--------------
n/a	- no ntwrk activity

comp
--------------
n/a	- no ntwrk activity

proc
--------------
"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\operator\Desktop\-NDA-.doc" /o "u"
c:\Users\Public\ctrlpanel.exe

[another thread]

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding

-cycle-
search all .doc files
copy .doc to %temp%
inject macros and ctrlpanel.exe in %temp%
overwrite original files

persist
--------------
under_user - no persist

under_admin - broken persist by reg:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run              22.10.2019 17:43
Ctrlpanel           File not found: c:\Users\Public.exe
c:\Users\Public

drop
--------------
c:\Users\Public\ctrlpanel.exe
%temp%\*.doc		- all DOC`s are injected

# # #

https://www.virustotal.com/gui/file/10e720fbcf797a2f40fbaa214b3402df14b7637404e5e91d7651bd13d28a69d8/details
https://analyze.intezer.com/#/analyses/509b542f-dd0e-4042-8e29-ea8c9dcddb09

VR

@