Technical Information
Malicious functions
Creates and loads libraries (exploit)
- %APPDATA%\microsoft\windows\templates\scheduler_b.dll
Modifies file system
Creates the following files
- %HOMEPATH%\application data\microsoft\forms\winword.box
- %TEMP%\~wrd0000.tmp
- %TEMP%\videmem.docx.zip
- %TEMP%\~wrd0001.tmp
- %TEMP%\videmem.docx
- %TEMP%\oleobject1.bin
- %APPDATA%\microsoft\windows\templates\scheduler_b.dll
Moves the following files
- from %TEMP%\~wrd0000.tmp to %TEMP%\videmem.docx.zip
- from %TEMP%\~wrd0001.tmp to %TEMP%\videmem.docx
Network activity
TCP
- 'mi#####ft-hub-us.com':443
UDP
- DNS ASK mi#####ft-hub-us.com
Miscellaneous
Searches for the following windows
- ClassName: '' WindowName: 'Microsoft Office Components'
