Analysis

  • max time kernel
    23s
  • max time network
    11651379494s
  • resource
    win10

General

  • Target

    TwoLayer.zip

  • Sample

    190926-jyftrj55ss

  • SHA256

    aa892cf3eb80b918469a8689eabb240b2ad50784e74885d9e277640e252bbbae

Score
N/A

Malware Config

Signatures

  • Loads dropped DLL
  • Drops file in system dir (2 IoCs)
  • Adds Run entry to start application (2 TTPs, 2 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 63 IoCs)
  • Suspicious use of WriteProcessMemory (9 IoCs)
  • Executes dropped EXE
  • Creates new service (1 TTP)
  • Launches SC.exe
  • Windows firewall usage
  • Modifies Windows Firewall (1 TTP)
  • Suspicious use of SetWindowsHookEx
  • Suspicious use of NtSetInformationThreadHideFromDebugger
  • Suspicious use of FindShellTrayWindow
  • Uses Task Scheduler COM API (1 TTP, 6 IoCs)
  • Modifies system certificate store (2 TTPs, 2 IoCs)
  • flawedammy family

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
    "C:\Users\Admin\AppData\Local\Temp\fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe"
    • Drops file in system dir
    • Adds Run entry to start application
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:3616
  • C:\Program Files (x86)\SinTech\TextEdit.exe
    "C:\Program Files (x86)\SinTech\TextEdit.exe"
    PID:3084
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c sc create Wlanspeed binpath= "C:\ProgramData\Wlanspeed\wlanspeed.exe -service" start= auto displayname= "Wlanspeed" & sc description Wlanspeed "Wlanspeed service" && netsh advfirewall firewall add rule name="Wlanspeed" dir=in action=allow profile=any description="Wlanspeed service" program="C:\programdata\Wlanspeed\wlanspeed.exe" && netsh advfirewall firewall add rule name="Wlanspeed" dir=out action=allow profile=any description="Wlanspeed service" program="C:\programdata\Wlanspeed\wlanspeed.exe"
        • Suspicious use of WriteProcessMemory
        PID:3664
          • C:\Windows\SysWOW64\sc.exe
            sc create Wlanspeed binpath= "C:\ProgramData\Wlanspeed\wlanspeed.exe -service" start= auto displayname= "Wlanspeed"
            PID:2436
          • C:\Windows\SysWOW64\sc.exe
            sc description Wlanspeed "Wlanspeed service"
            PID:2432
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Wlanspeed" dir=in action=allow profile=any description="Wlanspeed service" program="C:\programdata\Wlanspeed\wlanspeed.exe"
            PID:2984
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Wlanspeed" dir=out action=allow profile=any description="Wlanspeed service" program="C:\programdata\Wlanspeed\wlanspeed.exe"
            PID:3964
  • C:\ProgramData\Wlanspeed\wlanspeed.exe
    "C:\ProgramData\Wlanspeed\wlanspeed.exe" -getid -nogui
    PID:3908
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    • Uses Task Scheduler COM API
    PID:3864
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3864 CREDAT:82945 /prefetch:2
        • Modifies Internet Explorer settings
        • Modifies system certificate store
        PID:4076
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3864 CREDAT:82948 /prefetch:2
        • Modifies Internet Explorer settings
        PID:3424

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Additional techniques

  • T1060
  • T1050
  • T1031
  • T1130
