Trojan.DownLoader45.48951

Technical Information

Malicious functions

Downloads

http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/office/data/v32.cab as %temp%\over781102\v32.cab
http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/office/data/v32.cab as %temp%\over877666\v32.cab
http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/office/data/v32.cab as %temp%\over236553\v32.cab
http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/office/data/v32.cab as %temp%\over989413\v32.cab
http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/office/data/v32.cab as %temp%\over447649\v32.cab
http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/office/data/v32.cab as %temp%\over209363\v32.cab
http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/office/data/v32.cab as %temp%\over936459\v32.cab
http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/office/data/v32.cab as %temp%\over751710\v32.cab

Modifies file system

Creates the following files

%TEMP%\7zipsfx.000\423down.url
%TEMP%\over236553\v32.txt
%TEMP%\over989413\v32.cab
%TEMP%\over989413\$dpx$.tmp\7b25b819a97f3d43aa585de9fc397ce2.tmp
%TEMP%\over989413\v32.txt
%TEMP%\over447649\v32.cab
%TEMP%\over447649\$dpx$.tmp\87c5e755e38d164392a14fc526e64a06.tmp
%TEMP%\over209363\v32.cab
%TEMP%\7zipsfx.000\files\x86\cleanospp.exe
%TEMP%\over209363\$dpx$.tmp\e98bc1bba7961946bf5b33b5539399cc.tmp
%TEMP%\over209363\v32.txt
%TEMP%\over936459\v32.cab
%TEMP%\over936459\$dpx$.tmp\48f7ff748b7c5e4db10b82688fae7406.tmp
%TEMP%\over936459\v32.txt
%TEMP%\over751710\v32.cab
%TEMP%\over236553\$dpx$.tmp\6cc72421a3d1dd4f96f855b630a04f97.tmp
%TEMP%\over236553\v32.cab
%TEMP%\over877666\v32.txt
%TEMP%\over877666\$dpx$.tmp\80cda8ee9d76064ca102eec9485057d0.tmp
%TEMP%\over877666\v32.cab
%TEMP%\over781102\v32.txt
%TEMP%\over781102\$dpx$.tmp\317bd50593215644bdc16063bc0573e0.tmp
%TEMP%\over781102\v32.cab
%TEMP%\7zipsfx.000\files\x86\msvcr100.dll
%TEMP%\over447649\v32.txt
%TEMP%\7zipsfx.000\files\x64\msvcr100.dll
%TEMP%\7zipsfx.000\files\x64\cleanospp.exe
%TEMP%\7zipsfx.000\files\uninstall.xml
%TEMP%\7zipsfx.000\files\files.dat
%TEMP%\7zipsfx.000\files\setup.exe
%TEMP%\7zipsfx.000\oinstall.exe
%TEMP%\7zipsfx.000\files\configure.xml
%TEMP%\over751710\$dpx$.tmp\3685d5802fdc954abe1f264091dd468a.tmp
%TEMP%\over751710\v32.txt

Deletes the following files

%TEMP%\7zipsfx.000\files\files.dat
%TEMP%\over751710\v32.cab
%TEMP%\over936459\versiondescriptor.xml
%TEMP%\over936459\v32.txt
%TEMP%\over936459\v32.cab
%TEMP%\over209363\versiondescriptor.xml
%TEMP%\over209363\v32.txt
%TEMP%\over209363\v32.cab
%TEMP%\over447649\versiondescriptor.xml
%TEMP%\over447649\v32.txt
%TEMP%\over447649\v32.cab
%TEMP%\over751710\v32.txt
%TEMP%\over989413\versiondescriptor.xml
%TEMP%\over989413\v32.cab
%TEMP%\over236553\versiondescriptor.xml
%TEMP%\over236553\v32.txt
%TEMP%\over236553\v32.cab
%TEMP%\over877666\versiondescriptor.xml
%TEMP%\over877666\v32.txt
%TEMP%\over877666\v32.cab
%TEMP%\over781102\versiondescriptor.xml
%TEMP%\over781102\v32.txt
%TEMP%\over781102\v32.cab
%TEMP%\over989413\v32.txt
%TEMP%\over751710\versiondescriptor.xml

Moves the following files

from %TEMP%\over781102\$dpx$.tmp\317bd50593215644bdc16063bc0573e0.tmp to %TEMP%\over781102\versiondescriptor.xml
from %TEMP%\over877666\$dpx$.tmp\80cda8ee9d76064ca102eec9485057d0.tmp to %TEMP%\over877666\versiondescriptor.xml
from %TEMP%\over236553\$dpx$.tmp\6cc72421a3d1dd4f96f855b630a04f97.tmp to %TEMP%\over236553\versiondescriptor.xml
from %TEMP%\over989413\$dpx$.tmp\7b25b819a97f3d43aa585de9fc397ce2.tmp to %TEMP%\over989413\versiondescriptor.xml
from %TEMP%\over447649\$dpx$.tmp\87c5e755e38d164392a14fc526e64a06.tmp to %TEMP%\over447649\versiondescriptor.xml
from %TEMP%\over209363\$dpx$.tmp\e98bc1bba7961946bf5b33b5539399cc.tmp to %TEMP%\over209363\versiondescriptor.xml
from %TEMP%\over936459\$dpx$.tmp\48f7ff748b7c5e4db10b82688fae7406.tmp to %TEMP%\over936459\versiondescriptor.xml
from %TEMP%\over751710\$dpx$.tmp\3685d5802fdc954abe1f264091dd468a.tmp to %TEMP%\over751710\versiondescriptor.xml

Network activity

Connects to

'officecdn.microsoft.com':80

TCP

HTTP GET requests

http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab

UDP

DNS ASK officecdn.microsoft.com

Miscellaneous

Creates and executes the following

'%TEMP%\7zipsfx.000\oinstall.exe'
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over751710\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over447649\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
'%TEMP%\7zipsfx.000\files\files.dat' -y -pkmsauto
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over936459\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over781102\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over236553\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over989413\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over877666\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over209363\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
'%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over447649' (with hidden window)
'%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over209363' (with hidden window)
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab', '%TEMP%\over447649\v32.cab') }"' (with hidden window)
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab', '%TEMP%\over751710\v32.cab') }"' (with hidden window)
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over936459\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }' (with hidden window)
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over447649\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }' (with hidden window)
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab', '%TEMP%\over936459\v32.cab') }"' (with hidden window)
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over209363\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }' (with hidden window)
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab', '%TEMP%\over209363\v32.cab') }"' (with hidden window)
'%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over989413' (with hidden window)
'%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over936459' (with hidden window)
'%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over751710' (with hidden window)
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab', '%TEMP%\over781102\v32.cab') }"' (with hidden window)
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over781102\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }' (with hidden window)
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over236553\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }' (with hidden window)
'<SYSTEM32>\cmd.exe' /D /c files.dat -y -pkmsauto' (with hidden window)
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over989413\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }' (with hidden window)
'%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over781102' (with hidden window)
'<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 1 /f' (with hidden window)
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab', '%TEMP%\over877666\v32.cab') }"' (with hidden window)
'%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over877666' (with hidden window)
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over877666\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }' (with hidden window)
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab', '%TEMP%\over236553\v32.cab') }"' (with hidden window)
'%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over236553' (with hidden window)
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/v32.cab', '%TEMP%\over989413\v32.cab') }"' (with hidden window)
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -command "& { Get-Content %TEMP%\over751710\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }' (with hidden window)

Executes the following

'<SYSTEM32>\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 1 /f
'<SYSTEM32>\cmd.exe' /D /c files.dat -y -pkmsauto
'%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over781102
'%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over877666
'%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over236553
'%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over989413
'%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over447649
'%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over209363
'%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over936459
'%WINDIR%\syswow64\expand.exe' v32.cab -F:VersionDescriptor.xml %TEMP%\over751710

Технологии

Термины

Обучение и просвещение

Мифы

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней