2020-03-12 - WORD DOC MACRO CAUSES A MALWARE INFECTION

ASSOCIATED FILES:

  • 2020-03-12-infection-IOCs.txt   (3,670 bytes)
  • 2020-03-12-infection-traffic.pcap   (10,574,029 bytes)
  • 020-03-12-HTTPS-traffic-to-105711.com.saz   (5,486,009 bytes)
  • Invoice.doc   (427,476 bytes)
  • MyImages/Louu6hbte.exe   (621,568 bytes)
  • MyImages/presskey.cmd   (22,213 bytes)
  • MyImages/presskey.jse   (160 bytes)
  • MyImages/presskey.jse4   (160 bytes)
  • MyImages/presskey.jse5   (338,244 bytes)
  • MyImages/presskey2.cmd   (160 bytes)
  • MyImages/tlofgkkjl15g5k.vbs   (0 bytes)
  • Roaming/Avex/ozkaar.zu   (0 bytes)
  • Roaming/Faaxho/pofiagq.biu   (956,907 bytes)
  • Roaming/Gabo/agcoxyob.yfzu   (268,800 bytes)
  • Roaming/Ifud/iwgoa.cea   (3,365,559 bytes)
  • Roaming/Ipdoud/fudoixaf.ono   (490,292 bytes)
  • Roaming/Reoxpi/ufko.wyudn   (318,882 bytes)
  • Roaming/Riov/koba.ru   (303,224 bytes)
  • Roaming/Ruyp/
  • Roaming/Tytiw/ozutpoow.exe   (1,267,712 bytes)
  • Roaming/Ycuvi/anzoa.zo   (1,968,439 bytes)
  • Roaming/Ykimxo/
  • Roaming/Ykyz/icgur.ugig   (130,560 bytes)

NOTES:

 

IMAGES


Shown above:  Word doc with macros to kick off this infection.

 


Shown above:  Artifacts created immediately after enabling macros.

 


Shown above:  Folders created in the infected user's AppData\Roaming directory.

 


Shown above:  Malware persistent on the infected Windows 10 host.

 


Shown above:  Traffic from the infection filtere din Wireshark.

 


Shown above:  HTTP request for a malware EXE.

 


Shown above:  DNS query to a UK domain followed by ICMP traffic to the address for that domain.

 


Shown above:  DNS query to an XYZ domain followed by attempted TCP connections.

 


Shown above:  Certificate issuer data for traffic to 105711[.]com.

 


Shown above:  Fiddler capture showing HTTPS traffic to 105711[.]com.

 

Click here to return to the main page.