# The campaign of the FIN7 group continues

## Table of Contents

* [Malware analysis](#Malware-analysis)
* [Cyber kill chain](#Cyber-kill-chain)
* [Indicators Of Compromise (IOC)](#IOC)
* [References MITRE ATT&CK Matrix](#Ref-MITRE-ATTACK)
* [Links](#Links)
  + [Original Tweets](#Original-Tweet)
  + [Links Anyrun](#Links-Anyrun)
  + [Documents](#Documents)

## Malware analysis

## Cyber kill chain

###### The process graph summarizes all the cyber kill chains used by the attacker.

![alt text](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/Cybercriminal%20group/FIN7/16-10-19/Pictures/CyberKill.png)

## Indicators Of Compromise (IOC)

###### List of all the Indicators Of Compromise (IOC)

|Indicator|Description (SHA256 hash for files)|
| ------------- |:-------------|
|order.xlsb|2ba6709be053eb456c7fbe0c7e19196fefc7fe93afaea1e008c417aa6faeeeb3|
|umyhpakixg.txt|980b6ec3e3fc3d25af8273e8c85142c551875a472cc900e427b9c4cb87e59d39|
|e5ac4108d02499fbdb8e04aa8c42c3dd40cc6be02b4ceb12145075c8bd32b790.xls|e5ac4108d02499fbdb8e04aa8c42c3dd40cc6be02b4ceb12145075c8bd32b790|
|moviedvdpower.com|Domain requested|
|31.3.232.105|IP requested|
|185.231.153.21|IP C2|

###### This can be exported in JSON format

[Export in JSON](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Russia/Cybercriminal%20group/FIN7/16-10-19/IOC-FIN7-16-10-19.json)

## References MITRE ATT&CK Matrix

###### List of all the references to the MITRE ATT&CK Matrix

|Enterprise tactics|Techniques used|Ref URL|
| :---------------: |:-------------| :------------- |
|Defense Evasion|Scripting|https://attack.mitre.org/techniques/T1064/|
|Execution|Scripting|https://attack.mitre.org/techniques/T1064/|
|Defense Evasion|Install Root Certificate|https://attack.mitre.org/techniques/T1130/|
|Discovery|Query Registry|https://attack.mitre.org/techniques/T1012/|

## Links

###### Original tweet:

* [https://twitter.com/Rmy_Reserve/status/1184142117284667393](https://twitter.com/Rmy_Reserve/status/1184142117284667393)

###### Links Anyrun:

* [e5ac4108d02499fbdb8e04aa8c42c3dd40cc6be02b4ceb12145075c8bd32b790.xls](https://app.any.run/tasks/f2454e33-3d31-48a4-b49a-1b5c50eb7182)
* [order.xlsb](https://app.any.run/tasks/43371f0f-35d0-4d1d-a0f3-4c8e41cd31c8)

###### Documents:

* [FIN7.5: the infamous cybercrime rig "FIN7" continues its activities](https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/)
* [Mahalo FIN7: Responding to the Criminal Operators' New Tools and Techniques](https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html)