From f0c7967bd7990c2a62afbcca60cf8ed1d96c518c Mon Sep 17 00:00:00 2001 From: StrangerealIntel <54320855+StrangerealIntel@users.noreply.github.com> Date: Fri, 11 Oct 2019 15:55:39 +0200 Subject: [PATCH] Create Analysis.md --- Indian/APT/SideWinder/11-10-2019/Analysis.md | 42 ++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 Indian/APT/SideWinder/11-10-2019/Analysis.md diff --git a/Indian/APT/SideWinder/11-10-2019/Analysis.md b/Indian/APT/SideWinder/11-10-2019/Analysis.md new file mode 100644 index 0000000..8a74407 --- /dev/null +++ b/Indian/APT/SideWinder/11-10-2019/Analysis.md 
@@ -0,0 +1,42 @@ +# Analysis of the new TA505 campaign +## Table of Contents +* [Malware analysis](#Malware-analysis) +* [Cyber Threat Intel](#Cyber-Threat-Intel) +* [Cyber kill chain](#Cyber-kill-chain) +* [Indicators Of Compromise (IOC)](#IOC) +* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK) +* [Links](#Links) + + [Original Tweet](#Original-Tweet) + + [Link Anyrun](#Links-Anyrun) + +## Malware analysis +###### The initial vector is a malicious excel file which used an XLM macro (macro v4). This uses a function for launch the payload when the excel windows is active (selected as primary window). As first action, this executes the module 1. +![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/cybercriminal%20groups/TA505/04-10-2019/Images/Autoopen.PNG) + +## Cyber Threat Intel +###### +## Cyber kill chain +###### The process graphs resume all the cyber kill chains used by the attacker. +![alt text]() +## References MITRE ATT&CK Matrix +###### List of all the references with MITRE ATT&CK Matrix + +|Enterprise tactics|Technics used|Ref URL| +| :---------------: |:-------------| :------------- | +|||| + +## Indicators Of Compromise (IOC) +###### List of all the Indicators Of Compromise (IOC) +|Indicator|Description| +| ------------- |:-------------:| +||| + +###### This can be exported as JSON format [Export in JSON]() + +## Links +###### Original tweet: +* [https://twitter.com/Timele9527/status/1182587382626996224](https://twitter.com/Timele9527/status/1182587382626996224) +###### Links Anyrun: +* [Letter 7711.xls](https://app.any.run/tasks/7cdd1bfc-f0a3-4dd6-a29c-5ed70a77e76c) +###### Ressources: +* [DotNetToJScript](https://github.com/tyranid/DotNetToJScript)
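Review bot: The new file lands under Indian/APT/SideWinder/11-10-2019/ but its title reads `# Analysis of the new TA505 campaign` and its only image points at `cybercriminal%20groups/TA505/04-10-2019/Images/Autoopen.PNG`, so the heading and the screenshot look copied from the earlier TA505 write-up; retitle it to the SideWinder campaign and point the image at this directory's own Images folder (or drop it until the analysis exists). Several placeholders ship as-is in the same hunk: the Cyber Threat Intel section is an empty `######`, the kill-chain image `![alt text]()` and the `[Export in JSON]()` link have no target, and both the ATT&CK and IOC tables contain only an empty row (`||||`, `|||`), which renders as a blank table; either fill them in or leave them out of this commit so readers do not take the page for a finished analysis. The table-of-contents anchors `#IOC` and `#Ref-MITRE-ATTACK` do not match the headings "Indicators Of Compromise (IOC)" and "References MITRE ATT&CK Matrix" (Markdown renderers derive the anchor from the heading text, so these two entries will not jump anywhere), and the TOC orders the sections differently from the body, where the IOC section follows the ATT&CK one. Minor wording: "Ressources" should be "Resources", "excel" should be "Excel", and "a function for launch the payload when the excel windows is active" reads better as "a function to launch the payload when the Excel window is active (selected as the primary window)".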