Overview

overview

10

Static

static

8

test/91B5D...9D.msi

windows7_x64

8

test/91B5D...9D.msi

windows10-2004_x64

1

test/ed01e...aa.exe

windows7_x64

10

test/ed01e...aa.exe

windows10-2004_x64

10

test/fe9d7...8f.exe

windows7_x64

10

test/fe9d7...8f.exe

windows10-2004_x64

10

test/main.exe

windows7_x64

1

test/main.exe

windows10-2004_x64

10

test/main_temp.exe

windows7_x64

1

test/main_temp.exe

windows10-2004_x64

1

Analysis

  • max time kernel
    27s
  • max time network
    41s
  • platform
    windows7_x64
  • resource
    win7-ja-20211208
  • submitted
    19-01-2022 15:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    test/fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe

  • Size

    3.6MB

  • MD5

    743a6891999db5d7179091aba5f98fdb

  • SHA1

    eeca4b8f88fcae9db6f54304270699d459fb5722

  • SHA256

    fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f

  • SHA512

    9edef033663c828536190332ec87ac0096ffddae934d17c51b255a55ecb05774211a0edb1915c19384641befa291cfdfd2e3f878bf3b827f8b203ec1bee9dd96

Score
10/10
flawedammyyevasionpersistencetrojan

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

    trojanflawedammyy
  • Creates new service(s) 1 TTPs
    persistence
  • Executes dropped EXE 2 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer Automatic Crash Recovery 1 TTPs 1 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 26 IoCs
    adwarespyware
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\test\fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
    "C:\Users\Admin\AppData\Local\Temp\test\fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Modifies Internet Explorer Automatic Crash Recovery
    • Modifies Internet Explorer Protected Mode Banner
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:516
    • C:\Program Files (x86)\SinTech\TextEdit.exe
      "C:\Program Files (x86)\SinTech\TextEdit.exe"
      2⤵
      • Executes dropped EXE
      PID:800
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c sc create Wlanspeed binpath= "C:\ProgramData\Wlanspeed\wlanspeed.exe -service" start= auto displayname= "Wlanspeed" & sc description Wlanspeed "Wlanspeed service" && netsh advfirewall firewall add rule name="Wlanspeed" dir=in action=allow profile=any description="Wlanspeed service" program="C:\programdata\Wlanspeed\wlanspeed.exe" && netsh advfirewall firewall add rule name="Wlanspeed" dir=out action=allow profile=any description="Wlanspeed service" program="C:\programdata\Wlanspeed\wlanspeed.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1520
      • C:\Windows\SysWOW64\sc.exe
        sc create Wlanspeed binpath= "C:\ProgramData\Wlanspeed\wlanspeed.exe -service" start= auto displayname= "Wlanspeed"
        3⤵
          PID:1944
        • C:\Windows\SysWOW64\sc.exe
          sc description Wlanspeed "Wlanspeed service"
          3⤵
            PID:632
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Wlanspeed" dir=in action=allow profile=any description="Wlanspeed service" program="C:\programdata\Wlanspeed\wlanspeed.exe"
            3⤵
              PID:1316
          • C:\ProgramData\Wlanspeed\wlanspeed.exe
            "C:\ProgramData\Wlanspeed\wlanspeed.exe" -getid -nogui
            2⤵
            • Executes dropped EXE
            • Checks computer location settings
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetWindowsHookEx
            PID:1104
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
          1⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1824
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1824 CREDAT:275457 /prefetch:2
            2⤵
              PID:1544

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/516-54-0x0000000074EB1000-0x0000000074EB3000-memory.dmp

            Filesize

            8KB

            Download

          • memory/800-63-0x0000000000240000-0x0000000000246000-memory.dmp

            Filesize

            24KB

            Download

          • memory/800-64-0x000000001AF70000-0x000000001AF72000-memory.dmp

            Filesize

            8KB

            Download

          • memory/800-65-0x000000001B460000-0x000000001B742000-memory.dmp

            Filesize

            2.9MB

            Download

          • memory/800-61-0x0000000000940000-0x000000000095C000-memory.dmp

            Filesize

            112KB

            Download

          • memory/1104-71-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

            Filesize

            3.8MB

            Download