- * ID: 2388
- * MalFamily: "Obfsobjdat"
- * MalScore: 10.0
- * File Name: "Docs_ae9d8b9040d1ac21ea405a13bfd83bc2.doc"
- * File Size: 7890189
- * File Type: "Rich Text Format data, unknown version"
- * SHA256: "416b8b8c23b794b996e25bf24acd5744a65f81cbe628a70a5c66eb0b61bd0045"
- * MD5: "ae9d8b9040d1ac21ea405a13bfd83bc2"
- * SHA1: "813041f970b688f9f247f07bbef41c81b5e95091"
- * SHA512: "9fa2217c2e852469c334510bfb13aa3f97481bbeafd587ca78fca9f7ed2af56c301e51fdd2b1efb4452495a6c8e4d08e45837a2040b959ad519b17401b8da54c"
- * CRC32: "5FF12E27"
- * SSDEEP: "24576:4NxnW5KAo62cu95lqPhadif3DG2dkQRJQpqkJHK9Y46oOO8uMm2YwZF9stld1Y0a:0"
- * Process Execution:
- "WINWORD.EXE",
- "svchost.exe",
- "EQNEDT32.EXE",
- "WmiPrvSE.exe",
- "svchost.exe"
- * Executed Commands:
- "\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE\" -Embedding"
- * Signatures Detected:
- "Description": "SetUnhandledExceptionFilter detected (possible anti-debug)",
- "Details":
- "Description": "Possible date expiration check, exits too soon after checking local time",
- "Details":
- "process": "EQNEDT32.EXE, PID 2200"
- "Description": "Guard pages use detected - possible anti-debugging.",
- "Details":
- "Description": "The RTF file has an unknown version",
- "Details":
- "Description": "The EQNEDT32 equation process created a child process likely indicative of CVE-2017-11882 Office exploit",
- "Details":
- "created_process": ""
- "Description": "Stack pivoting was detected when using a critical API",
- "Details":
- "process": "svchost.exe:2424"
- "Description": "Creates a hidden or system file",
- "Details":
- "file": "C:\\Users\\user\\AppData\\Local\\Temp\\~$TazTkDE.doc"
- "Description": "File has been identified by 22 Antiviruses on VirusTotal as malicious",
- "Details":
- "MicroWorld-eScan": "Exploit.RTF-ObfsObjDat.Gen"
- "FireEye": "Exploit.RTF-ObfsObjDat.Gen"
- "CAT-QuickHeal": "Exp.RTF.Obfus.Gen"
- "ALYac": "Exploit.RTF-ObfsObjDat.Gen"
- "Arcabit": "Exploit.RTF-ObfsObjDat.Gen"
- "ESET-NOD32": "probably a variant of Win32/Exploit.CVE-2017-11882.E"
- "Kaspersky": "HEUR:Exploit.MSOffice.Generic"
- "BitDefender": "Exploit.RTF-ObfsObjDat.Gen"
- "Tencent": "Win32.Trojan.Multiple.Lqfd"
- "Ad-Aware": "Exploit.RTF-ObfsObjDat.Gen"
- "TrendMicro": "HEUR_RTFMALFORM"
- "McAfee-GW-Edition": "Exploit-cve2017-11882.cl"
- "Emsisoft": "Exploit.RTF-ObfsObjDat.Gen (B)"
- "MAX": "malware (ai score=83)"
- "Antiy-AVL": "TrojanExploit/RTF.CVE-2017-11882"
- "Microsoft": "Trojan:Script/Oneeva.A!ml"
- "ZoneAlarm": "HEUR:Exploit.MSOffice.Generic"
- "GData": "Exploit.RTF-ObfsObjDat.Gen"
- "McAfee": "Exploit-cve2017-11882.cl"
- "TACHYON": "Trojan-Exploit/RTF.CVE-2017-11882"
- "Zoner": "Probably RTFObfuscationD"
- "Ikarus": "Exploit.CVE-2017-11882"
- * Started Service:
- * Mutexes:
- "CicLoadWinStaWinSta0",
- "Local\\MSCTF.CtfMonitorInstMutexDefault1"
- * Modified Files:
- "C:\\Users\\user\\AppData\\Local\\Temp\\MKTazTkDE.doc",
- "C:\\Users\\user\\AppData\\Local\\Temp\\~$TazTkDE.doc",
- "C:\\Users\\user\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.Word\\~WRF7251B4F8-DA5B-4E58-823F-505AADF71DBF.tmp",
- "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2PROVIDERSUBSYSTEM",
- "\\??\\PIPE\\samr",
- "C:\\Windows\\sysnative\\wbem\\repository\\WRITABLE.TST",
- "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING1.MAP",
- "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING2.MAP",
- "C:\\Windows\\sysnative\\wbem\\repository\\MAPPING3.MAP",
- "C:\\Windows\\sysnative\\wbem\\repository\\OBJECTS.DATA",
- "C:\\Windows\\sysnative\\wbem\\repository\\INDEX.BTR",
- "\\??\\pipe\\PIPE_EVENTROOT\\CIMV2WMI SELF-INSTRUMENTATION EVENT PROVIDER"
- * Deleted Files:
- * Modified Registry Keys:
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Resiliency\\StartupItems\\5(u",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Word\\Security\\Trusted Documents\\LastPurgeTime",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Roaming\\RoamingConfigurableSettings",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Roaming\\RoamingLastSyncTime",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\15.0\\Common\\Roaming\\RoamingLastWriteTime",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products\\00005109E60090400000000000F01FEC\\Usage\\ProductNonBootFilesIntl_1033",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products\\00005119110000000000000000F01FEC\\Usage\\OUTLOOKFiles",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Installer\\UserData\\S-1-5-18\\Products\\00005109E60090400000000000F01FEC\\Usage\\EquationEditorFilesIntl_1033",
- "HKEY_CURRENT_USER\\Software\\Microsoft\\Equation Editor\\3.0\\Options",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\LastServiceStart",
- "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Wbem\\Transports\\Decoupled\\Server",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\CreationTime",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\MarshaledProxy",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\Transports\\Decoupled\\Server\\ProcessIdentifier",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\ConfigValueEssNeedsLoading",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\CIMOM\\List of event-active namespaces",
- "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\WBEM\\ESS\\//./root/CIMV2\\SCM Event Provider"
- * Deleted Registry Keys:
- * DNS Communications:
- "type": "A",
- "request": "steeleassociates.com.au",
- "answers":
- * Domains:
- "ip": "69.195.124.141",
- "domain": "steeleassociates.com.au"
- * Network Communication - ICMP:
- * Network Communication - HTTP:
- * Network Communication - SMTP:
- * Network Communication - Hosts:
- * Network Communication - IRC: