flawedammy | 6cd246cd910e33eaee00e3d138bc49fcf85562b5f8c394d4b092372d25cc0eac

General

Target

Supergevaarlijkk.zip
Sample

191029-7v9yqqxm3n
SHA256

6cd246cd910e33eaee00e3d138bc49fcf85562b5f8c394d4b092372d25cc0eac

Score

N/A

Malware Config

Signatures

flawedammy family
family flawedammy

Loads dropped DLL 1 IoCs

pid	Process
4820	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe

Modifies Internet Explorer settings 1 TTPs 23 IoCs

adware spyware

Modify Registry

T1112

description	ioc	pid	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "no"	4820	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	4820	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Recovery\AutoRecover = "2"	4820	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\IE10RunOnceLastShown = "1"	4820	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\IE10RunOnceLastShown_TIMESTAMP = 232ab69ccc22d401	4820	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\IE10TourShown = "1"	4820	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\IE10TourShownTime = f84268cb0c09d401	4820	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\IE10RunOncePerInstallCompleted = "1"	4820	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\IE10RunOnceCompletionTime = f84268cb0c09d401	4820	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	3172	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{049CB4B1-FA7C-11E9-BD7F-56A412148FD8} = "0"	3172	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	3172	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	3172	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	3172	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	3172	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	3172	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	3172	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3665596363"	3172	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30772872"	3172	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	3172	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	3172	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3665596363"	3172	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30772872"	3172	iexplore.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 4984	4820	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe	73
PID 4820 wrote to memory of 5024	4820	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe	74
PID 5024 wrote to memory of 5064	5024	cmd.exe	76
PID 5024 wrote to memory of 5080	5024	cmd.exe	77
PID 5024 wrote to memory of 5096	5024	cmd.exe	78
PID 5024 wrote to memory of 1988	5024	cmd.exe	79
PID 4820 wrote to memory of 992	4820	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe	80
PID 3172 wrote to memory of 3656	3172	iexplore.exe	82
PID 4484 wrote to memory of 4456	4484	SppExtComObj.exe	84
PID 4820 wrote to memory of 4596	4820	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe	86
PID 3172 wrote to memory of 4140	3172	iexplore.exe	87
PID 3172 wrote to memory of 4432	3172	iexplore.exe	88

Creates new service 1 TTPs 1 IoCs

persistence

pid	Process
5064	sc.exe

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

pid	Process
5096	netsh.exe
1988	netsh.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
992	wlanspeed.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Modify Registry

T1112

description	ioc	pid	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0"	1796	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1"	1796	svchost.exe

Drops file in system dir 7 IoCs

description	ioc	pid	Process
File created	C:\Program Files (x86)\SinTech\TextEdit.exe	4820	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
File created	C:\Program Files (x86)\SinTech\TextEdit.exe.config	4820	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	2904	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	2904	svchost.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp	2904	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp	2904	svchost.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp	2904	svchost.exe

Launches SC.exe 1 IoCs

pid	Process
5080	sc.exe

Windows firewall usage 2 IoCs

pid	Process
5096	netsh.exe
1988	netsh.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
992	wlanspeed.exe
3172	iexplore.exe
3656	IEXPLORE.EXE
4140	IEXPLORE.EXE
4432	IEXPLORE.EXE

Modifies system certificate store 2 TTPs 1 IoCs

evasion spyware trojan

Modify Registry

T1112

description	ioc	pid	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\75E0ABB6138512271C04F85FDDDE38E4B7242EFE\Blob = 5c000000010000000400000000080000090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020b000000010000005c00000047006f006f0067006c00650020005400720075007300740020005300650072007600690063006500730020002d00200047006c006f00620061006c005300690067006e00200052006f006f0074002000430041002d005200320000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0620000000100000020000000ca42dd41745fd0b81eb902362cf9d8bf719da1bd1b1efc946f5b4c99f42c1b9e1400000001000000140000009be20757671c1ec06a06de59b49a2ddfdc19862e1d000000010000001000000073621e116224668780b2d2bee454e52e03000000010000001400000075e0abb6138512271c04f85fddde38e4b7242efe2000000001000000be030000308203ba308202a2a003020102020b0400000000010f8626e60d300d06092a864886f70d0101050500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3036313231353038303030305a170d3231313231353038303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100a6cf240ebe2e6f28994542c4ab3e21549b0bd37f8470fa12b3cbbf875fc67f86d3b2305cd6fdadf17bdce5f86096099210f5d053defb7b7e7388ac52887b4aa6ca49a65ea8a78c5a11bc7a82ebbe8ce9b3ac962507974a992a072fb41e77bf8a0fb5027c1b96b8c5b93a2cbcd612b9eb597de2d006865f5e496ab5395e8834ecbc780c0898846ca8cd4bb4a07d0c794df0b82dcb21cad56c5b7de1a02984a1f9d39449cb24629120bcdd0bd5d9ccf9ea270a2b7391c69d1bacc8cbe8e0a0f42f908b4dfbb0361bf6197a85e06df26113885c9fe0930a51978a5aceafabd5f7aa09aa60bddcd95fdf72a960135e0001c94afa3fa4ea070321028e82ca03c29b8f0203010001a3819c308199300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604149be20757671c1ec06a06de59b49a2ddfdc19862e30360603551d1f042f302d302ba029a0278625687474703a2f2f63726c2e676c6f62616c7369676e2e6e65742f726f6f742d72322e63726c301f0603551d230418301680149be20757671c1ec06a06de59b49a2ddfdc19862e300d06092a864886f70d01010505000382010100998153871c68978691ece04ab8440bab81ac274fd6c1b81c4378b30c9afcea2c3c6e611b4d4b29f59f051d26c1b8e983006245b6a90893b9a9334b189ac2f887884edbdd71341ac154da463fe0d32aab6d5422f53a62cd206fba2989d7dd91eed35ca23ea15b41f5dfe564432de9d539abd2a2dfb78bd0c080191c45c02d8ce8f82da4745649c505b54f15de6e44783987a87ebbf3791891bbf46f9dc1f08c358c5d01fbc36db9ef446d7946317e0afea982c1ffefab6e20c450c95f9d4d9b178c0ce501c9a0416a7353faa550b46e250ffb4c18f4fd52d98e69b1e8110fde88d8fb1d49f7aade95cf2078c26012db25408c6afc7e4238406412f79e81e1932e	3656	IEXPLORE.EXE

Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	pid	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	984	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	984	svchost.exe

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

description	ioc	pid	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SinTech client = "C:\\Program Files (x86)\\SinTech\\TextEdit.exe"	4820	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe

Executes dropped EXE 3 IoCs

pid	Process
4984	TextEdit.exe
992	wlanspeed.exe
4596	outst.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3172	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
"C:\Users\Admin\AppData\Local\Temp\fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe"
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
- Drops file in system dir
- Adds Run entry to start application
PID:4820

C:\Program Files (x86)\SinTech\TextEdit.exe
"C:\Program Files (x86)\SinTech\TextEdit.exe"
1⤵
- Executes dropped EXE
PID:4984

C:\Windows\SysWOW64\cmd.exe
cmd /c sc create Wlanspeed binpath= "C:\ProgramData\Wlanspeed\wlanspeed.exe -service" start= auto displayname= "Wlanspeed" & sc description Wlanspeed "Wlanspeed service" && netsh advfirewall firewall add rule name="Wlanspeed" dir=in action=allow profile=any description="Wlanspeed service" program="C:\programdata\Wlanspeed\wlanspeed.exe" && netsh advfirewall firewall add rule name="Wlanspeed" dir=out action=allow profile=any description="Wlanspeed service" program="C:\programdata\Wlanspeed\wlanspeed.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5024

C:\Windows\SysWOW64\sc.exe
sc create Wlanspeed binpath= "C:\ProgramData\Wlanspeed\wlanspeed.exe -service" start= auto displayname= "Wlanspeed"
1⤵
- Creates new service
PID:5064

C:\Windows\SysWOW64\sc.exe
sc description Wlanspeed "Wlanspeed service"
1⤵
- Launches SC.exe
PID:5080

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Wlanspeed" dir=in action=allow profile=any description="Wlanspeed service" program="C:\programdata\Wlanspeed\wlanspeed.exe"
1⤵
- Modifies Windows Firewall
- Windows firewall usage
PID:5096

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Wlanspeed" dir=out action=allow profile=any description="Wlanspeed service" program="C:\programdata\Wlanspeed\wlanspeed.exe"
1⤵
- Modifies Windows Firewall
- Windows firewall usage
PID:1988

C:\ProgramData\Wlanspeed\wlanspeed.exe
"C:\ProgramData\Wlanspeed\wlanspeed.exe" -getid -nogui
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
PID:992

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
- Suspicious use of FindShellTrayWindow
PID:3172

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3172 CREDAT:82945 /prefetch:2
1⤵
- Suspicious use of SetWindowsHookEx
- Modifies system certificate store
PID:3656

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:4484

C:\Windows\System32\SLUI.exe
"C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
1⤵
PID:4456

C:\ProgramData\Wlanspeed\outst.exe
"C:\ProgramData\Wlanspeed\outst.exe" -outid
1⤵
- Executes dropped EXE
PID:4596

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3172 CREDAT:82948 /prefetch:2
1⤵
- Suspicious use of SetWindowsHookEx
PID:4140

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3172 CREDAT:148483 /prefetch:2
1⤵
- Suspicious use of SetWindowsHookEx
PID:4432

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
- Drops file in system dir
PID:2904

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:356

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
1⤵
- Checks system information in the registry (likely anti-VM)
PID:984

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
1⤵
- Windows security modification
PID:1796

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup
1⤵
PID:1400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

4

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

MITRE ATT&CK Additional techniques

T1050
T1031
T1089
T1130
T1060

Replay Monitor

Loading Replay Monitor...

Downloads

memory/992-9-0x0000000004200000-0x0000000004201000-memory.dmp

Filesize
4KB

Download
memory/992-8-0x0000000004000000-0x0000000004001000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Additional techniques

Replay Monitor

Loading Replay Monitor...

Downloads