Analysis

  • max time kernel
    58s
  • max time network
    11651379494s
  • resource
    win7

General

  • Target

    TwoLayer.zip

  • Sample

    190926-jyftrj55ss

  • SHA256

    aa892cf3eb80b918469a8689eabb240b2ad50784e74885d9e277640e252bbbae

Score
N/A

Malware Config

Signatures

  • Loads dropped DLL
  • Drops file in system dir 2 IoCs
  • Adds Run entry to start application 2 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 104 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Executes dropped EXE
  • Suspicious use of SetWindowsHookEx
  • Creates new service 1 TTPs
  • Launches SC.exe
  • Windows firewall usage
  • Modifies Windows Firewall 1 TTPs
  • Modifies service 2 TTPs 14 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger
  • Drops desktop.ini 1 IoCs
  • Suspicious use of FindShellTrayWindow
  • Uses Task Scheduler COM API 1 TTPs 19 IoCs
  • NTFS ADS 3 IoCs
  • flawedammy family

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
    "C:\Users\Admin\AppData\Local\Temp\fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe"
    • Drops file in system dir
    • Adds Run entry to start application
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:1100
  • C:\Program Files (x86)\SinTech\TextEdit.exe
    "C:\Program Files (x86)\SinTech\TextEdit.exe"
    PID:1392
  • C:\Windows\SysWOW64\cmd.exe
    cmd /c sc create Wlanspeed binpath= "C:\ProgramData\Wlanspeed\wlanspeed.exe -service" start= auto displayname= "Wlanspeed" & sc description Wlanspeed "Wlanspeed service" && netsh advfirewall firewall add rule name="Wlanspeed" dir=in action=allow profile=any description="Wlanspeed service" program="C:\programdata\Wlanspeed\wlanspeed.exe" && netsh advfirewall firewall add rule name="Wlanspeed" dir=out action=allow profile=any description="Wlanspeed service" program="C:\programdata\Wlanspeed\wlanspeed.exe"
    • Suspicious use of WriteProcessMemory
    PID:1060
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-91694922911806575351988434580380671195435885121650546703-152938319412651495"
    PID:1072
  • C:\Windows\SysWOW64\sc.exe
    sc create Wlanspeed binpath= "C:\ProgramData\Wlanspeed\wlanspeed.exe -service" start= auto displayname= "Wlanspeed"
    PID:1736
  • C:\Windows\SysWOW64\sc.exe
    sc description Wlanspeed "Wlanspeed service"
    PID:1992
  • C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Wlanspeed" dir=in action=allow profile=any description="Wlanspeed service" program="C:\programdata\Wlanspeed\wlanspeed.exe"
    • Modifies service
    PID:2040
  • C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Wlanspeed" dir=out action=allow profile=any description="Wlanspeed service" program="C:\programdata\Wlanspeed\wlanspeed.exe"
    • Modifies service
    PID:2028
  • C:\ProgramData\Wlanspeed\wlanspeed.exe
    "C:\ProgramData\Wlanspeed\wlanspeed.exe" -getid -nogui
    PID:2004
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    • Uses Task Scheduler COM API
    • NTFS ADS
    PID:1936
  • C:\Windows\System32\ie4uinit.exe
    "C:\Windows\System32\ie4uinit.exe" -ShowQLIcon
    • Modifies Internet Explorer settings
    • Drops desktop.ini
    PID:1776
  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1936 CREDAT:275457 /prefetch:2
    • Modifies Internet Explorer settings
    PID:1984
  • C:\ProgramData\Wlanspeed\outst.exe
    "C:\ProgramData\Wlanspeed\outst.exe" -outid
    PID:2080
  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1936 CREDAT:209928 /prefetch:2
    • Modifies Internet Explorer settings
    PID:2136
  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1936 CREDAT:4011019 /prefetch:2
    PID:2364

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Additional techniques

  • T1060
  • T1050
  • T1031