#xml_wsh_280319

VRad Mar 29th, 2019 (edited)
#IOC #OptiData #VR #APT #XML_RELS #WSH #EXE_Less #Recon

https://pastebin.com/kiSbFi36

attack_vector
--------------
email attach .ZIP > .PPSX > XML_RELS > GET > WSH > %temp%\tmp4E07.tmp > %userprofile%\NTUSR.DAT

email_headers
--------------
Received: from o1.31pqt.s2shared.stmpendgrid.net ([167.89.100.227])
Received: by filter0029p3iad2.sendgrid.net
Received: from OTQ2MjY1Mw (host-94-103-82-136.hosted-by-vdsina.ru [94.103.82.136]) by ismtpd0007p1lon1.sendgrid.net
Date: Thu, 28 Mar 2019 12:46:31 +0000 (UTC)
From: socis@socis.kiev.ua
To: user00@victim01
Subject: ПРЕС-РЕЛІЗ ЗА РЕЗУЛЬТАТАМИ СОЦІОЛОГІЧНОГО ДОСЛІДЖЕННЯ «ПРЕЗИДЕНТСЬКІ ВИБОРИ 2019-БЕРЕЗЕНЬ»

files
--------------
SHA-256     30f568a18bb7f3ce2419cb3f7b4b8f7619072b211b24a9c462a6c312707d0a72
File name   Prezent_UA_2k_berezen_PRESS.ppsx        [Microsoft PowerPoint 2007+]
File size   391.03 KB (400418 bytes)

SHA-256     360c967784e869cc5851b66b873f78341fbfee5fc8da367e58ba85882639c91f
File name   wj5yuxmp.hmf                    [XML document, ASCII text, with very long lines, with CRLF]
File size   272.7 KB (279242 bytes)

SHA-256     09c4c4df7657c89ae55529c916b19d6acdbb7ccc2112df03f99eb09e66d3ee5b
File name   tmp4E07.tmp                 [ASCII text, with very long lines, with no line terminators]
File size   270.93 KB (277430 bytes)

SHA-256     85b8d699f0bc521a11a5e58e81cc6a39937adc341073177added1547ba39e0d3
File name   NTUSR.DAT                   [ASCII text, with very long lines, with no line terminators]
File size   203.19 KB (208070 bytes)

activity
**************

PL_SCR = C2 = 185.176.43.94

netwrk
--------------
185.176.43.94   socis.cf    GET /wj5yuxmp.hmf   HTTP/1.1    Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64;)
185.176.43.94   tk99.gq     GET /           HTTP/1.1    Mozilla/5.0 (Windows NT 6.1; WOW64)
185.176.43.94   tk99.gq     POST /          HTTP/1.1    Mozilla/5.0 (Windows NT 6.1; WOW64)
185.176.43.94   tk99.gq     GET /           HTTP/1.1    Mozilla/5.0 (Windows NT 6.1; WOW64)
185.176.43.94   tk99.gq     POST /          HTTP/1.1    Mozilla/5.0 (Windows NT 6.1; WOW64)
185.176.43.94   tk99.gq     GET /           HTTP/1.1    Mozilla/5.0 (Windows NT 6.1; WOW64)

comp
--------------
POWERPNT.EXE    2844    TCP localhost   49232   185.176.43.94   80  ESTABLISHED
wscript.exe     1104    TCP localhost   49224   185.176.43.94   80  ESTABLISHED

proc
--------------
C:\Program Files (x86)\Microsoft Office\Office12\POWERPNT.EXE /s C:\Users\operator\Desktop\Prezent_UA_2k_berezen_PRESS.ppsx

C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
C:\Windows\system32\cmd.exe /c certutil -decode C:\tmp\tmp4E07.tmp C:\tmp\NTUSR.DAT && timeout 10 && wscript.exe //B //E:vbs C:\tmp\NTUSR.DAT

C:\Windows\system32\certutil  -decode C:\tmp\tmp4E07.tmp C:\tmp\NTUSR.DAT
C:\Windows\system32\timeout  10

C:\Windows\system32\wscript.exe  //B //E:vbs C:\tmp\NTUSR.DAT
"C:\Windows\System32\wscript.exe" //B //E:vbs "C:\Users\operator\NTUSR.DAT"
"C:\Windows\System32\cmd.exe" /c mode con cp select=65001 | systeminfo > C:\tmp\radB50A0.tmp
C:\Windows\system32\mode.com con cp select=65001
C:\Windows\system32\systeminfo.exe

persist
--------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run              29.03.2019 12:23
(Default)           c:\users\operator\ntusr.dat         29.03.2019 12:23
wscript.exe //B //E:vbs "C:\Users\operator\NTUSR.DAT"

drop
--------------
%temp%\tmp4E07.tmp
%userprofile%\NTUSR.DAT

# # #
https://www.virustotal.com/gui/file/30f568a18bb7f3ce2419cb3f7b4b8f7619072b211b24a9c462a6c312707d0a72/details
https://www.virustotal.com/gui/file/360c967784e869cc5851b66b873f78341fbfee5fc8da367e58ba85882639c91f/details
https://www.virustotal.com/gui/file/09c4c4df7657c89ae55529c916b19d6acdbb7ccc2112df03f99eb09e66d3ee5b/details
https://www.virustotal.com/gui/file/85b8d699f0bc521a11a5e58e81cc6a39937adc341073177added1547ba39e0d3/details
https://urlscan.io/result/83a3366e-12ee-4a6c-a326-a8eb19bc77c7

VR