Analysis of a malicious DOC used by Turla APT group; hunting persistence via PowerShell
Tags
| maec-delivery-vectors: | Watering Hole |
| attack-pattern: | Data Malicious File - T1204.002 Malware - T1587.001 Malware - T1588.001 Phishing - T1660 Phishing - T1566 Powershell - T1059.001 Tool - T1588.002 Powershell - T1086 Scripting - T1064 Scripting |
Common Information
| Type | Value |
|---|---|
| UUID | 3d5f1ce6-3590-4123-90f6-43810147d75c |
| Fingerprint | 809098b17a61130b |
| Analysis status | DONE |
| Considered CTI value | 0 |
| Text language | |
| Published | Oct. 5, 2017, midnight |
| Added to db | Jan. 18, 2023, 7:32 p.m. |
| Last updated | Nov. 18, 2024, 1:38 a.m. |
| Headline | Some stuff about security.. |
| Title | Analysis of a malicious DOC used by Turla APT group; hunting persistence via PowerShell |
| Detected Hints/Tags/Attributes | 48/2/38 |
Source URLs
URL Provider
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | Domain | 2 | blog.angelalonso.es |
|
| Details | Domain | 372 | wscript.shell |
|
| Details | Domain | 1 | r66bpjmgxxbo2h.run |
|
| Details | Domain | 9 | activedocument.save |
|
| Details | Domain | 74 | adodb.stream |
|
| Details | Domain | 1 | m3mh.open |
|
| Details | Domain | 15 | wscript.network |
|
| Details | Domain | 1 | kpxo.open |
|
| Details | Domain | 1 | we86.run |
|
| Details | Domain | 1 | wk2f.author |
|
| Details | Domain | 1 | r9ec.id |
|
| Details | Domain | 1 | www.saipadiesel124.com |
|
| Details | File | 323 | winword.exe |
|
| Details | File | 376 | wscript.exe |
|
| Details | File | 2127 | cmd.exe |
|
| Details | File | 1209 | powershell.exe |
|
| Details | File | 1 | malspam-campaign-exploiting-cve-2017.html |
|
| Details | File | 5 | vbscript.reg |
|
| Details | File | 2 | vuy5oj112flw51h6s.exe |
|
| Details | File | 3 | maintools.js |
|
| Details | File | 1 | c:\users\user1\appdata\roaming\microsoft\windows\maintools.js |
|
| Details | File | 3 | tmp.php |
|
| Details | File | 1 | gallery_create_page_field.php |
|
| Details | File | 17 | wow64.dll |
|
| Details | File | 41 | msxml2.xml |
|
| Details | File | 2 | dat.tmp |
|
| Details | File | 1 | principal.log |
|
| Details | File | 1 | xsm3.reg |
|
| Details | File | 1 | xsm3.settings |
|
| Details | File | 1 | w2cq.reg |
|
| Details | File | 1 | gk1h.mov |
|
| Details | File | 1 | c:\users\user1\appdata\local\microsoft\windows\maintools.js |
|
| Details | File | 7 | output.csv |
|
| Details | md5 | 2 | 2f532d6baec3d0ec7b1f98aed4774843 |
|
| Details | Url | 1 | http://blog.angelalonso.es/2017/08/malspam-campaign-exploiting-cve-2017.html |
|
| Details | Url | 1 | http://www.saipadiesel124.com/wp-content/plugins/imsanity/tmp.php","http://www.folk-cantabria.com/wp-content/plugins/wp-statistics/includes/classes/gallery_create_page_field.php |
|
| Details | Url | 1 | http://www.saipadiesel124.com/wp-content/plugins/imsanity/tmp.php |
|
| Details | Url | 1 | http://www.folk-cantabria.com/wp-content/plugins/wp-statistics/includes/classes/gallery_create_page_field.php |