72b228f51cf5a1b7600f0e0848145e4e54e54838977a5a5b1c85f69b64b92cf5

General

Target

test.zip
Sample

190813-bzccs8gxyn
SHA256

72b228f51cf5a1b7600f0e0848145e4e54e54838977a5a5b1c85f69b64b92cf5

Score

N/A

Malware Config

Signatures

Loads dropped DLL 1 TTPs

Shared Modules
T1129

Drops file in system dir 2 IoCs

description
C:\Program Files (x86)\SinTech\TextEdit.exe
C:\Program Files (x86)\SinTech\TextEdit.exe.config

Adds Run entry to start application 2 TTPs 1 IoCs

Modify Registry

T1112

description
\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (CreateKeyEx)

Modifies Internet Explorer settings 1 TTPs 12 IoCs

Modify Registry

T1112

description
\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\main (CreateKeyEx)
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "no"
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"
\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Recovery (CreateKeyEx)
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Recovery\AutoRecover = "2"
\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main (CreateKeyEx)
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\IE10RunOnceLastShown = "1"
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\IE10RunOnceLastShown_TIMESTAMP = 232ab69ccc22d401
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\IE10TourShown = "1"
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\IE10TourShownTime = f84268cb0c09d401
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\IE10RunOncePerInstallCompleted = "1"
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\IE10RunOnceCompletionTime = f84268cb0c09d401

Suspicious use of WriteProcessMemory 1 TTPs 4 IoCs

Process Injection

T1055

description	pid	Process
PID 4060 wrote to memory of 4032	4032	Process not Found
PID 4060 wrote to memory of 3996	3996	Process not Found
PID 4060 wrote to memory of 2520	2520	Process not Found
PID 4060 wrote to memory of 3184	3184	Process not Found

Executes dropped EXE 1 TTPs

Native API
T1106
Creates new service 1 TTPs

Suspicious use of WriteProcessMemory 1 TTPs 4 IoCs

Process Injection

T1055

description	pid	Process
PID 3996 wrote to memory of 1564	1564	Process not Found
PID 3996 wrote to memory of 3496	3496	Process not Found
PID 3996 wrote to memory of 2560	2560	Process not Found
PID 3996 wrote to memory of 3236	3236	Process not Found

Launches SC.exe
Modifies Windows Firewall 1 TTPs
Modifies Windows Firewall 1 TTPs
Executes dropped EXE 1 TTPs

Native API
T1106
Suspicious use of SetWindowsHookEx 1 TTPs
Suspicious use of NtSetInformationThreadHideFromDebugger 1 TTPs

Modifies Internet Explorer settings 1 TTPs 24 IoCs

Modify Registry

T1112

description
\REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Internet Explorer\Main (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9"
\REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Internet Explorer\Main\Isolation (DeleteValueKey)
\REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1"
\REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Internet Explorer\BrowserEmulation (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\UnattendLoaded = "1"
\REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13"
\REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Internet Explorer\VersionManager (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "3559602431"
\REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "30757390"
\REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"
\REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1"
\REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Internet Explorer\Recovery (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{754E5191-BDE9-11E9-A42E-5EB1F457467D} = "0"
\REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"
\REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"
\REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"
\REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{00000000-0000-0000-0000-000000000000} (DeleteValueKey)
\REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\SearchScopesUpgradeVersion = "1"

Suspicious registry modification 3 IoCs

description
\REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
\REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
\REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"

Suspicious use of WriteProcessMemory 1 TTPs 1 IoCs

Process Injection

T1055

description	pid	Process
PID 1580 wrote to memory of 2100	2100	Process not Found

Suspicious use of SetWindowsHookEx 1 TTPs

Malicious domain 2 IoCs

description
rl.ammyy.com
www.kitai.jp

Modifies Internet Explorer settings 1 TTPs 2 IoCs

Modify Registry

T1112

description
\REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Internet Explorer\Main (CreateKeyEx)
\REGISTRY\USER\S-1-5-21-2105198082-3159795503-3637859200-1000\Software\Microsoft\Internet Explorer\Toolbar (CreateKeyEx)

Suspicious use of SetWindowsHookEx 1 TTPs
Suspicious use of FindShellTrayWindow 1 TTPs

Process Injection
T1055
Uses Task Scheduler COM API 1 TTPs

Query Registry
T1012
Executes dropped EXE 1 TTPs

Native API
T1106
flawedammy family
family

Analysis

Sharing

General

Malware Config

Signatures

Processes