Analysis

  • max time kernel
    35s
  • max time network
    48s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-ja-20220112
  • submitted
    19-01-2022 15:40

General

  • Target

    test/fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe

  • Size

    3.6MB

  • MD5

    743a6891999db5d7179091aba5f98fdb

  • SHA1

    eeca4b8f88fcae9db6f54304270699d459fb5722

  • SHA256

    fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f

  • SHA512

    9edef033663c828536190332ec87ac0096ffddae934d17c51b255a55ecb05774211a0edb1915c19384641befa291cfdfd2e3f878bf3b827f8b203ec1bee9dd96

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

  • Creates new service(s) 1 TTPs
  • Executes dropped EXE 2 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer Automatic Crash Recovery 1 TTPs 1 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 21 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\test\fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
    "C:\Users\Admin\AppData\Local\Temp\test\fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Modifies Internet Explorer Automatic Crash Recovery
    • Modifies Internet Explorer Protected Mode Banner
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:3188
    • C:\Program Files (x86)\SinTech\TextEdit.exe
      "C:\Program Files (x86)\SinTech\TextEdit.exe"
      2⤵
      • Executes dropped EXE
      PID:4084
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c sc create Wlanspeed binpath= "C:\ProgramData\Wlanspeed\wlanspeed.exe -service" start= auto displayname= "Wlanspeed" & sc description Wlanspeed "Wlanspeed service" && netsh advfirewall firewall add rule name="Wlanspeed" dir=in action=allow profile=any description="Wlanspeed service" program="C:\programdata\Wlanspeed\wlanspeed.exe" && netsh advfirewall firewall add rule name="Wlanspeed" dir=out action=allow profile=any description="Wlanspeed service" program="C:\programdata\Wlanspeed\wlanspeed.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3016
      • C:\Windows\SysWOW64\sc.exe
        sc create Wlanspeed binpath= "C:\ProgramData\Wlanspeed\wlanspeed.exe -service" start= auto displayname= "Wlanspeed"
        3⤵
          PID:3824
        • C:\Windows\SysWOW64\sc.exe
          sc description Wlanspeed "Wlanspeed service"
          3⤵
            PID:3196
          • C:\Windows\SysWOW64\netsh.exe
            netsh advfirewall firewall add rule name="Wlanspeed" dir=in action=allow profile=any description="Wlanspeed service" program="C:\programdata\Wlanspeed\wlanspeed.exe"
            3⤵
              PID:1892
            • C:\Windows\SysWOW64\netsh.exe
              netsh advfirewall firewall add rule name="Wlanspeed" dir=out action=allow profile=any description="Wlanspeed service" program="C:\programdata\Wlanspeed\wlanspeed.exe"
              3⤵
                PID:924
            • C:\ProgramData\Wlanspeed\wlanspeed.exe
              "C:\ProgramData\Wlanspeed\wlanspeed.exe" -getid -nogui
              2⤵
              • Executes dropped EXE
              • Checks computer location settings
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of SetWindowsHookEx
              PID:968
          • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
            "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
            1⤵
              PID:1004
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
              1⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1772
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1772 CREDAT:17410 /prefetch:2
                2⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:3524

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/968-140-0x000000007FA70000-0x000000007FE41000-memory.dmp

              Filesize

              3.8MB

            • memory/4084-136-0x00000000007E0000-0x00000000007FC000-memory.dmp

              Filesize

              112KB

            • memory/4084-137-0x000000001B420000-0x000000001B422000-memory.dmp

              Filesize

              8KB