flawedammy | 6cd246cd910e33eaee00e3d138bc49fcf85562b5f8c394d4b092372d25cc0eac

General

Target

Supergevaarlijkk.zip
Sample

191029-7v9yqqxm3n
SHA256

6cd246cd910e33eaee00e3d138bc49fcf85562b5f8c394d4b092372d25cc0eac

Score

N/A

Malware Config

Signatures

Launches SC.exe 1 IoCs

pid	Process
1404	sc.exe

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

pid	Process
1480	netsh.exe
2004	netsh.exe

Modifies Internet Explorer settings 1 TTPs 21 IoCs

adware spyware

Modify Registry

T1112

description	ioc	pid	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\Check_Associations = "no"	1040	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\NoProtectedModeBanner = "1"	1040	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\IE8RunOnceLastShown = "1"	1040	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\IE8RunOnceLastShown_TIMESTAMP = 8afe20f63237d401	1040	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\IE8TourShown = "1"	1040	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\IE8TourShownTime = 0c8ab1fc3237d401	1040	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Recovery\AutoRecover = "2"	1040	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	1444	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{066E7E01-FA7C-11E9-889F-4E5481F35921} = "0"	1444	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	1444	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	1444	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	1444	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	1444	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	1444	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	1444	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	1444	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009aa4f4faf1a8e341b8de4356d522d0ee00000000020000000000106600000001000020000000ac2144f5a887bdc9602950dfb8d3012efe9080e3729c48252c05ee2d21168b9e000000000e80000000020000200000005dd45fc61414e747da91731b7c766f0bd08da48468c404abf85df39ffdd0322a20000000f0a8cdfc67b26efbcedef71d45a1923f64b692e05e87ea96655f7a63f8286d01400000009bfdea8cd8d8d1d4a3f83d2a122c7ab7fc3572a7a0970b2d4f7527a9ef517ed6db90d24a0c6042a6d3801d0ee30506b6d77adb91173cd404371ab547ba0ffc31	1444	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a026ded5888ed501	1444	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009aa4f4faf1a8e341b8de4356d522d0ee00000000020000000000106600000001000020000000a4ca0a658b1f0c0765855b7e0b3c7a2dc619ac748eac0ffba6c7e5c3db12c52c000000000e800000000200002000000069cfa77827a5f284c3cf175cf770adb01244ef26353d1ff55f65f8682c75ea2190000000515c9791b85aae45f8aa72aff66f624a94428ce90327cb435cce500f8984ad2a010e23997722e5f4e4e96f3c2ee925c887d45cec1c9e0ea63e63a34174909b4e77e3fdb0e1da6f0f16059fd105ba2ab56595055a044c14249cf8a242e92ef712f7efbf37c00406f709390d2b1783b92f7a982ba8754bc2504046564c55e425b9c84660f8f5eb625d624131c538e985c8400000001678dafe609f63c4eabad64a420d342b2224b0fd213e38dff97ff63ea2924e42ec93f7fec5c9e58aa4ee3182abd96e51f3cfe58d034c2e34300c2bee61bb1189	1444	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	1444	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "279139601"	1444	iexplore.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1040 wrote to memory of 824	1040	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe	26
PID 1040 wrote to memory of 1348	1040	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe	27
PID 1348 wrote to memory of 768	1348	cmd.exe	29
PID 1348 wrote to memory of 1404	1348	cmd.exe	30
PID 1348 wrote to memory of 1480	1348	cmd.exe	31
PID 1348 wrote to memory of 2004	1348	cmd.exe	32
PID 1040 wrote to memory of 1424	1040	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe	33
PID 1444 wrote to memory of 2004	1444	iexplore.exe	36
PID 1040 wrote to memory of 2156	1040	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe	38
PID 1444 wrote to memory of 2188	1444	iexplore.exe	39

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1444	iexplore.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
836	conhost.exe
1424	wlanspeed.exe
1444	iexplore.exe
2004	IEXPLORE.EXE
2188	IEXPLORE.EXE

Creates new service 1 TTPs 1 IoCs

persistence

pid	Process
768	sc.exe

Windows firewall usage 2 IoCs

pid	Process
1480	netsh.exe
2004	netsh.exe

flawedammy family
family flawedammy

Loads dropped DLL 1 IoCs

pid	Process
1040	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe

Drops file in system dir 2 IoCs

description	ioc	pid	Process
File created	C:\Program Files (x86)\SinTech\TextEdit.exe	1040	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
File created	C:\Program Files (x86)\SinTech\TextEdit.exe.config	1040	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

description	ioc	pid	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SinTech client = "C:\\Program Files (x86)\\SinTech\\TextEdit.exe"	1040	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe

Executes dropped EXE 3 IoCs

pid	Process
824	TextEdit.exe
1424	wlanspeed.exe
2156	outst.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1424	wlanspeed.exe

C:\Users\Admin\AppData\Local\Temp\fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
"C:\Users\Admin\AppData\Local\Temp\fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
- Drops file in system dir
- Adds Run entry to start application
PID:1040

C:\Program Files (x86)\SinTech\TextEdit.exe
"C:\Program Files (x86)\SinTech\TextEdit.exe"
1⤵
- Executes dropped EXE
PID:824

C:\Windows\SysWOW64\cmd.exe
cmd /c sc create Wlanspeed binpath= "C:\ProgramData\Wlanspeed\wlanspeed.exe -service" start= auto displayname= "Wlanspeed" & sc description Wlanspeed "Wlanspeed service" && netsh advfirewall firewall add rule name="Wlanspeed" dir=in action=allow profile=any description="Wlanspeed service" program="C:\programdata\Wlanspeed\wlanspeed.exe" && netsh advfirewall firewall add rule name="Wlanspeed" dir=out action=allow profile=any description="Wlanspeed service" program="C:\programdata\Wlanspeed\wlanspeed.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "322372338-141076211-1503080421-146637913-1448740906-34692126-16420535131527021419"
1⤵
- Suspicious use of SetWindowsHookEx
PID:836

C:\Windows\SysWOW64\sc.exe
sc create Wlanspeed binpath= "C:\ProgramData\Wlanspeed\wlanspeed.exe -service" start= auto displayname= "Wlanspeed"
1⤵
- Creates new service
PID:768

C:\Windows\SysWOW64\sc.exe
sc description Wlanspeed "Wlanspeed service"
1⤵
- Launches SC.exe
PID:1404

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Wlanspeed" dir=in action=allow profile=any description="Wlanspeed service" program="C:\programdata\Wlanspeed\wlanspeed.exe"
1⤵
- Modifies Windows Firewall
- Windows firewall usage
PID:1480

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Wlanspeed" dir=out action=allow profile=any description="Wlanspeed service" program="C:\programdata\Wlanspeed\wlanspeed.exe"
1⤵
- Modifies Windows Firewall
- Windows firewall usage
PID:2004

C:\ProgramData\Wlanspeed\wlanspeed.exe
"C:\ProgramData\Wlanspeed\wlanspeed.exe" -getid -nogui
1⤵
- Suspicious use of SetWindowsHookEx
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1424

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1444

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1444 CREDAT:275457 /prefetch:2
1⤵
- Suspicious use of SetWindowsHookEx
PID:2004

C:\ProgramData\Wlanspeed\outst.exe
"C:\ProgramData\Wlanspeed\outst.exe" -outid
1⤵
- Executes dropped EXE
PID:2156

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1444 CREDAT:930819 /prefetch:2
1⤵
- Suspicious use of SetWindowsHookEx
PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

MITRE ATT&CK Additional techniques

T1031
T1050
T1060

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1424-10-0x0000000003820000-0x0000000003831000-memory.dmp

Filesize
68KB

Download
memory/1424-11-0x0000000003A20000-0x0000000003A31000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Additional techniques

Replay Monitor

Loading Replay Monitor...

Downloads