Overview

overview

10

task1

 

10

task2

 

10

task3

 

10

task4

 

10

Resubmissions

02-12-2019 09:09

191202-3peefk1fgj 10

25-11-2019 09:33

191125-mlb76vzzln 0

13-11-2019 08:52

191113-bdf8dc3pq6 0

13-11-2019 07:11

191113-f1dft78f6s 0

13-11-2019 07:10

191113-591nb65hbx 0

30-10-2019 14:27

191030-9pe7klare6 0

Analysis

  • max time kernel
    146s
  • max time network
    144s
  • resource
    win7v191014

Sharing

Copy URL
Twitter E-mail

General

  • Target

    test.zip

  • Sample

    191030-9pe7klare6

  • SHA256

    72b228f51cf5a1b7600f0e0848145e4e54e54838977a5a5b1c85f69b64b92cf5

Score
N/A

Malware Config

Signatures

  • Suspicious use of WriteProcessMemory 12 IoCs
  • Creates new service 1 TTPs 1 IoCs
    persistence
  • Modifies Windows Firewall 1 TTPs 2 IoCs
    evasion
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 27 IoCs
    adwarespyware
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Launches SC.exe 1 IoCs
  • Windows firewall usage 2 IoCs
  • flawedammy family
    familyflawedammy
  • Drops file in system dir 2 IoCs
  • Adds Run entry to start application 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
    "C:\Users\Admin\AppData\Local\Temp\fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    • Modifies Internet Explorer settings
    • Loads dropped DLL
    • Drops file in system dir
    • Adds Run entry to start application
    PID:1136
  • C:\Program Files (x86)\SinTech\TextEdit.exe
    "C:\Program Files (x86)\SinTech\TextEdit.exe"
    1⤵
    • Executes dropped EXE
    PID:844
  • C:\Windows\SysWOW64\cmd.exe
    cmd /c sc create Wlanspeed binpath= "C:\ProgramData\Wlanspeed\wlanspeed.exe -service" start= auto displayname= "Wlanspeed" & sc description Wlanspeed "Wlanspeed service" && netsh advfirewall firewall add rule name="Wlanspeed" dir=in action=allow profile=any description="Wlanspeed service" program="C:\programdata\Wlanspeed\wlanspeed.exe" && netsh advfirewall firewall add rule name="Wlanspeed" dir=out action=allow profile=any description="Wlanspeed service" program="C:\programdata\Wlanspeed\wlanspeed.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1288
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "1102977607461903157-123113329-7779327265908737251670542360-14339442551971359344"
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1264
  • C:\Windows\SysWOW64\sc.exe
    sc create Wlanspeed binpath= "C:\ProgramData\Wlanspeed\wlanspeed.exe -service" start= auto displayname= "Wlanspeed"
    1⤵
    • Creates new service
    PID:1332
  • C:\Windows\SysWOW64\sc.exe
    sc description Wlanspeed "Wlanspeed service"
    1⤵
    • Launches SC.exe
    PID:1740
  • C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Wlanspeed" dir=in action=allow profile=any description="Wlanspeed service" program="C:\programdata\Wlanspeed\wlanspeed.exe"
    1⤵
    • Modifies Windows Firewall
    • Windows firewall usage
    PID:1472
  • C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Wlanspeed" dir=out action=allow profile=any description="Wlanspeed service" program="C:\programdata\Wlanspeed\wlanspeed.exe"
    1⤵
    • Modifies Windows Firewall
    • Windows firewall usage
    PID:1036
  • C:\ProgramData\Wlanspeed\wlanspeed.exe
    "C:\ProgramData\Wlanspeed\wlanspeed.exe" -getid -nogui
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetWindowsHookEx
    • Executes dropped EXE
    PID:1976
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of FindShellTrayWindow
    PID:1740
  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1740 CREDAT:275457 /prefetch:2
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:1472
  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1740 CREDAT:865286 /prefetch:2
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:2176
  • C:\ProgramData\Wlanspeed\outst.exe
    "C:\ProgramData\Wlanspeed\outst.exe" -outid
    1⤵
    • Executes dropped EXE
    PID:2224
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of FindShellTrayWindow
    PID:2412
  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2412 CREDAT:275457 /prefetch:2
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:2468
  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2412 CREDAT:275462 /prefetch:2
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:2616

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Additional techniques

  • T1050
  • T1031
  • T1060

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1976-10-0x00000000037E0000-0x00000000037F1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/1976-11-0x00000000039E0000-0x00000000039F1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2176-41-0x0000000004B90000-0x0000000004B92000-memory.dmp

    Filesize

    8KB

    Download