Overview

overview

10

task1

 

10

task2

 

10

task3

 

10

task4

 

10

Resubmissions

02-12-2019 09:09

191202-3peefk1fgj 10

25-11-2019 09:33

191125-mlb76vzzln 0

13-11-2019 08:52

191113-bdf8dc3pq6 0

13-11-2019 07:11

191113-f1dft78f6s 0

13-11-2019 07:10

191113-591nb65hbx 0

30-10-2019 14:27

191030-9pe7klare6 0

Analysis

  • max time kernel
    142s
  • max time network
    149s
  • resource
    win10v191014

Sharing

Copy URL
Twitter E-mail

General

  • Target

    test.zip

  • Sample

    191030-9pe7klare6

  • SHA256

    72b228f51cf5a1b7600f0e0848145e4e54e54838977a5a5b1c85f69b64b92cf5

Score
N/A

Malware Config

Signatures

  • Drops file in system dir 7 IoCs
  • Modifies Internet Explorer settings 1 TTPs 33 IoCs
    adwarespyware
  • Launches SC.exe 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • flawedammy family
    familyflawedammy
  • Adds Run entry to start application 2 TTPs 1 IoCs
    persistence
  • Executes dropped EXE 3 IoCs
  • Windows firewall usage 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Loads dropped DLL 1 IoCs
  • Creates new service 1 TTPs 1 IoCs
    persistence
  • Modifies Windows Firewall 1 TTPs 2 IoCs
    evasion
  • Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
    "C:\Users\Admin\AppData\Local\Temp\fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe"
    1⤵
    • Drops file in system dir
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    • Adds Run entry to start application
    • Loads dropped DLL
    PID:4812
  • C:\Program Files (x86)\SinTech\TextEdit.exe
    "C:\Program Files (x86)\SinTech\TextEdit.exe"
    1⤵
    • Executes dropped EXE
    PID:4888
  • C:\Windows\SysWOW64\cmd.exe
    cmd /c sc create Wlanspeed binpath= "C:\ProgramData\Wlanspeed\wlanspeed.exe -service" start= auto displayname= "Wlanspeed" & sc description Wlanspeed "Wlanspeed service" && netsh advfirewall firewall add rule name="Wlanspeed" dir=in action=allow profile=any description="Wlanspeed service" program="C:\programdata\Wlanspeed\wlanspeed.exe" && netsh advfirewall firewall add rule name="Wlanspeed" dir=out action=allow profile=any description="Wlanspeed service" program="C:\programdata\Wlanspeed\wlanspeed.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4908
  • C:\Windows\SysWOW64\sc.exe
    sc create Wlanspeed binpath= "C:\ProgramData\Wlanspeed\wlanspeed.exe -service" start= auto displayname= "Wlanspeed"
    1⤵
    • Creates new service
    PID:4972
  • C:\Windows\SysWOW64\sc.exe
    sc description Wlanspeed "Wlanspeed service"
    1⤵
    • Launches SC.exe
    PID:4996
  • C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Wlanspeed" dir=in action=allow profile=any description="Wlanspeed service" program="C:\programdata\Wlanspeed\wlanspeed.exe"
    1⤵
    • Windows firewall usage
    • Modifies Windows Firewall
    PID:5016
  • C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall add rule name="Wlanspeed" dir=out action=allow profile=any description="Wlanspeed service" program="C:\programdata\Wlanspeed\wlanspeed.exe"
    1⤵
    • Windows firewall usage
    • Modifies Windows Firewall
    PID:1540
  • C:\ProgramData\Wlanspeed\wlanspeed.exe
    "C:\ProgramData\Wlanspeed\wlanspeed.exe" -getid -nogui
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Executes dropped EXE
    • Suspicious use of SetWindowsHookEx
    PID:2012
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:4040
  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4040 CREDAT:82945 /prefetch:2
    1⤵
    • Modifies system certificate store
    • Suspicious use of SetWindowsHookEx
    PID:3652
  • C:\Windows\system32\SppExtComObj.exe
    C:\Windows\system32\SppExtComObj.exe -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4508
  • C:\Windows\System32\SLUI.exe
    "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
    1⤵
      PID:4480
    • C:\ProgramData\Wlanspeed\outst.exe
      "C:\ProgramData\Wlanspeed\outst.exe" -outid
      1⤵
      • Executes dropped EXE
      PID:4596
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4040 CREDAT:82948 /prefetch:2
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:1984
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
      1⤵
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:4900
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4900 CREDAT:82945 /prefetch:2
      1⤵
      • Suspicious use of SetWindowsHookEx
      PID:4780
    • \??\c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k netsvcs -s BITS
      1⤵
      • Drops file in system dir
      PID:2036
    • \??\c:\windows\system32\svchost.exe
      c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
      1⤵
        PID:3464
      • \??\c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
        1⤵
        • Checks system information in the registry (likely anti-VM)
        PID:300
      • \??\c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
        1⤵
        • Windows security modification
        PID:1900
      • \??\c:\windows\system32\svchost.exe
        c:\windows\system32\svchost.exe -k unistacksvcgroup
        1⤵
          PID:2172

        Network

        MITRE ATT&CK Enterprise v15

        MITRE ATT&CK Additional techniques

        • T1130
        • T1060
        • T1089
        • T1050
        • T1031

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/2012-9-0x0000000004140000-0x0000000004141000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2012-8-0x0000000003F40000-0x0000000003F41000-memory.dmp

          Filesize

          4KB

          Download