Technical Information
Malicious functions
Downloads
- http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/office/data/v32.cab as %temp%\over464115\v32.cab
- http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/office/data/v32.cab as %temp%\over887166\v32.cab
- http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/office/data/v32.cab as %temp%\over455812\v32.cab
- http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/office/data/v32.cab as %temp%\over756734\v32.cab
- http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/office/data/v32.cab as %temp%\over160907\v32.cab
- http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/office/data/v32.cab as %temp%\over917358\v32.cab
- http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/office/data/v32.cab as %temp%\over174909\v32.cab
- http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/office/data/v32.cab as %temp%\over169860\v32.cab
- http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/office/data/v32.cab as %temp%\over263210\v32.cab
Modifies file system
Creates the following files
- <Current directory>\files\setup.exe
- %TEMP%\over174909\v32.cab
- %TEMP%\over917358\v32.txt
- %TEMP%\over917358\$dpx$.tmp\a0c3283e8877c047a873deffdabe6fca.tmp
- %TEMP%\over917358\v32.cab
- %TEMP%\over160907\v32.txt
- %TEMP%\over160907\$dpx$.tmp\4681c0353f705647b27da7f5394192e1.tmp
- %TEMP%\over160907\v32.cab
- %TEMP%\over756734\v32.txt
- %TEMP%\over756734\$dpx$.tmp\e439ff995980134faa1066a82ec26361.tmp
- %TEMP%\over756734\v32.cab
- %TEMP%\over455812\v32.txt
- %TEMP%\over455812\$dpx$.tmp\ef952c9f467ce64d88d7a836b14c8467.tmp
- %TEMP%\over174909\$dpx$.tmp\04b0502e8a971048b70f594fa9ccef4f.tmp
- %TEMP%\over455812\v32.cab
- %TEMP%\over887166\$dpx$.tmp\800702202adc13479b06daeb3c10ba71.tmp
- %TEMP%\over887166\v32.cab
- %TEMP%\over464115\v32.txt
- %TEMP%\over464115\$dpx$.tmp\7f2c7b30c77d394aab551ddc4014db52.tmp
- %TEMP%\over464115\v32.cab
- <Current directory>\files\configure.xml
- <Current directory>\files\x86\msvcr100.dll
- <Current directory>\files\x86\cleanospp.exe
- <Current directory>\files\x64\msvcr100.dll
- <Current directory>\files\x64\cleanospp.exe
- <Current directory>\files\uninstall.xml
- <Current directory>\files\files.dat
- %TEMP%\over887166\v32.txt
- %TEMP%\over174909\v32.txt
Deletes the following files
- <Current directory>\files\files.dat
- %TEMP%\over174909\v32.cab
- %TEMP%\over917358\versiondescriptor.xml
- %TEMP%\over917358\v32.txt
- %TEMP%\over917358\v32.cab
- %TEMP%\over160907\versiondescriptor.xml
- %TEMP%\over160907\v32.txt
- %TEMP%\over160907\v32.cab
- %TEMP%\over756734\versiondescriptor.xml
- %TEMP%\over756734\v32.txt
- %TEMP%\over756734\v32.cab
- %TEMP%\over455812\versiondescriptor.xml
- %TEMP%\over455812\v32.txt
- %TEMP%\over455812\v32.cab
- %TEMP%\over887166\versiondescriptor.xml
- %TEMP%\over887166\v32.txt
- %TEMP%\over887166\v32.cab
- %TEMP%\over464115\versiondescriptor.xml
- %TEMP%\over464115\v32.txt
- %TEMP%\over464115\v32.cab
- %TEMP%\over174909\v32.txt
- %TEMP%\over174909\versiondescriptor.xml
Moves the following files
- from %TEMP%\over464115\$dpx$.tmp\7f2c7b30c77d394aab551ddc4014db52.tmp to %TEMP%\over464115\versiondescriptor.xml
- from %TEMP%\over887166\$dpx$.tmp\800702202adc13479b06daeb3c10ba71.tmp to %TEMP%\over887166\versiondescriptor.xml
- from %TEMP%\over455812\$dpx$.tmp\ef952c9f467ce64d88d7a836b14c8467.tmp to %TEMP%\over455812\versiondescriptor.xml
- from %TEMP%\over756734\$dpx$.tmp\e439ff995980134faa1066a82ec26361.tmp to %TEMP%\over756734\versiondescriptor.xml
- from %TEMP%\over160907\$dpx$.tmp\4681c0353f705647b27da7f5394192e1.tmp to %TEMP%\over160907\versiondescriptor.xml
- from %TEMP%\over917358\$dpx$.tmp\a0c3283e8877c047a873deffdabe6fca.tmp to %TEMP%\over917358\versiondescriptor.xml
- from %TEMP%\over174909\$dpx$.tmp\04b0502e8a971048b70f594fa9ccef4f.tmp to %TEMP%\over174909\versiondescriptor.xml
Network activity
Connects to
- 'officecdn.microsoft.com':80
- 'of#######.#icrosoft.com.edgesuite.net':80
TCP
HTTP GET requests
- http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab
- http://of#######.#icrosoft.com.edgesuite.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab
UDP
- DNS ASK officecdn.microsoft.com
- DNS ASK of#######.#icrosoft.com.edgesuite.net
Miscellaneous
Creates and executes the following
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over756734\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over160907\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over455812\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over917358\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over174909\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over887166\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
- '<Current directory>\files\files.dat' -y -pkmsauto
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over464115\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over756734\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over160907\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', '%TEMP%\over917358\v32.cab') }"' (with hidden window)
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over917358' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', '%TEMP%\over169860\v32.cab') }"' (with hidden window)
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over174909' (with hidden window)
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over160907' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', '%TEMP%\over174909\v32.cab') }"' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', '%TEMP%\over160907\v32.cab') }"' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over174909\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over917358\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }' (with hidden window)
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 1 /f' (with hidden window)
- '<SYSTEM32>\cmd.exe' /D /c files.dat -y -pkmsauto' (with hidden window)
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over756734' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', '%TEMP%\over887166\v32.cab') }"' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over169860\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', '%TEMP%\over756734\v32.cab') }"' (with hidden window)
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over464115' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over464115\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', '%TEMP%\over464115\v32.cab') }"' (with hidden window)
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over887166' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over887166\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', '%TEMP%\over455812\v32.cab') }"' (with hidden window)
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over455812' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over455812\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }' (with hidden window)
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over169860' (with hidden window)
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', '%TEMP%\over263210\v32.cab') }"' (with hidden window)
Executes the following
- '<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 1 /f
- '<SYSTEM32>\cmd.exe' /D /c files.dat -y -pkmsauto
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over464115
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over887166
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over455812
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over756734
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over160907
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over917358
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over174909
- '%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over169860
- '%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over169860\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
