flawedammy | 6cd246cd910e33eaee00e3d138bc49fcf85562b5f8c394d4b092372d25cc0eac

General

Target

Supergevaarlijkk.zip
Sample

191029-p1j1431a9n
SHA256

6cd246cd910e33eaee00e3d138bc49fcf85562b5f8c394d4b092372d25cc0eac

Score

N/A

Malware Config

Signatures

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

T1112

description	ioc	pid	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\Check_Associations = "no"	1084	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\NoProtectedModeBanner = "1"	1084	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\IE8RunOnceLastShown = "1"	1084	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\IE8RunOnceLastShown_TIMESTAMP = 8afe20f63237d401	1084	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\IE8TourShown = "1"	1084	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\IE8TourShownTime = 0c8ab1fc3237d401	1084	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Recovery\AutoRecover = "2"	1084	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	2028	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{814F3521-FA7B-11E9-888E-DEE1C6FEB5EE} = "0"	2028	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	2028	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	2028	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	2028	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	2028	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	2028	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	2028	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009aa4f4faf1a8e341b8de4356d522d0ee0000000002000000000010660000000100002000000019b9d2a3daa9d1ba052826ff03b6b91d363ac6adaf48f3b3e1002d4bf9020e97000000000e80000000020000200000002c61c390ff71659547637b75e563cb64ce4d095926b3cd2bfd1f6c10cd633da6200000007d2072b030b751c7ec3a87ae4b8bdf1e420d6275518461b4974e999816b131ce400000005e123da031352ba3e417e1800dffcd34666f12952446ebf0819a460c4e8c914d76add045f4ce7c7c329c444bb30b154d470e909240b632cf2322cc4e5a489f0d	2028	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70dfb165888ed501	2028	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1774239815-1814403401-2200974991-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009aa4f4faf1a8e341b8de4356d522d0ee0000000002000000000010660000000100002000000005ba0a3d6f0b7a960214461bac23125640c82b084757548a8ddf45c8d99489ce000000000e8000000002000020000000746fcea4874bfeea990a0a85c452a757aea4fbbc80ac7f98cba8e1a54de78b26900000007264593deb76242b175a2c0ca4329eaa7ddc0cb0f2cbc2e4cd2e8d15bfeb568ef7e9cd888e1e262c0fffc59fd8e745d644e5c56187bc347c432be07cce9d413b6c24ca76835494fd8b1a3341d111b24ef6a3e567afd3643c036a1d916883078af3e7e180044af3eb10603586346812deff291c1b668097f02e7071e886605a14f43cc7334d2a732aa66558a7e66816174000000020160aa7cc435a3e83a17da4a30602a5b019b58598307b0ae8410b0e84ec3851fb6604976e032fc5647950d2dd143f817acaee34ce45cf143a8c36cb0337e74c	2028	iexplore.exe

Launches SC.exe 1 IoCs

pid	Process
1408	sc.exe

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

description	ioc	pid	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SinTech client = "C:\\Program Files (x86)\\SinTech\\TextEdit.exe"	1084	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1332	wlanspeed.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2028	iexplore.exe

Executes dropped EXE 3 IoCs

pid	Process
2016	TextEdit.exe
1332	wlanspeed.exe
2120	outst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 2016	1084	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe	26
PID 1084 wrote to memory of 1224	1084	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe	27
PID 1224 wrote to memory of 856	1224	cmd.exe	29
PID 1224 wrote to memory of 1408	1224	cmd.exe	30
PID 1224 wrote to memory of 1420	1224	cmd.exe	31
PID 1224 wrote to memory of 2032	1224	cmd.exe	32
PID 1084 wrote to memory of 1332	1084	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe	33
PID 2028 wrote to memory of 1980	2028	iexplore.exe	36
PID 1084 wrote to memory of 2120	1084	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe	38
PID 2028 wrote to memory of 2160	2028	iexplore.exe	39
PID 2028 wrote to memory of 2376	2028	iexplore.exe	40
PID 2028 wrote to memory of 2568	2028	iexplore.exe	41

Windows firewall usage 2 IoCs

pid	Process
1420	netsh.exe
2032	netsh.exe

flawedammy family
family flawedammy

Loads dropped DLL 1 IoCs

pid	Process
1084	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
112	conhost.exe
1332	wlanspeed.exe
2028	iexplore.exe
1980	IEXPLORE.EXE
2160	IEXPLORE.EXE
2376	IEXPLORE.EXE

Creates new service 1 TTPs 1 IoCs

persistence

pid	Process
856	sc.exe

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

pid	Process
1420	netsh.exe
2032	netsh.exe

Drops file in system dir 2 IoCs

description	ioc	pid	Process
File created	C:\Program Files (x86)\SinTech\TextEdit.exe	1084	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
File created	C:\Program Files (x86)\SinTech\TextEdit.exe.config	1084	fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe

C:\Users\Admin\AppData\Local\Temp\fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
"C:\Users\Admin\AppData\Local\Temp\fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe"
1⤵
- Modifies Internet Explorer settings
- Adds Run entry to start application
- Suspicious use of WriteProcessMemory
- Loads dropped DLL
- Drops file in system dir
PID:1084

C:\Program Files (x86)\SinTech\TextEdit.exe
"C:\Program Files (x86)\SinTech\TextEdit.exe"
1⤵
- Executes dropped EXE
PID:2016

C:\Windows\SysWOW64\cmd.exe
cmd /c sc create Wlanspeed binpath= "C:\ProgramData\Wlanspeed\wlanspeed.exe -service" start= auto displayname= "Wlanspeed" & sc description Wlanspeed "Wlanspeed service" && netsh advfirewall firewall add rule name="Wlanspeed" dir=in action=allow profile=any description="Wlanspeed service" program="C:\programdata\Wlanspeed\wlanspeed.exe" && netsh advfirewall firewall add rule name="Wlanspeed" dir=out action=allow profile=any description="Wlanspeed service" program="C:\programdata\Wlanspeed\wlanspeed.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1138862790176837176690911350724443424918102909263872890522038853367-812709330"
1⤵
- Suspicious use of SetWindowsHookEx
PID:112

C:\Windows\SysWOW64\sc.exe
sc create Wlanspeed binpath= "C:\ProgramData\Wlanspeed\wlanspeed.exe -service" start= auto displayname= "Wlanspeed"
1⤵
- Creates new service
PID:856

C:\Windows\SysWOW64\sc.exe
sc description Wlanspeed "Wlanspeed service"
1⤵
- Launches SC.exe
PID:1408

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Wlanspeed" dir=in action=allow profile=any description="Wlanspeed service" program="C:\programdata\Wlanspeed\wlanspeed.exe"
1⤵
- Windows firewall usage
- Modifies Windows Firewall
PID:1420

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="Wlanspeed" dir=out action=allow profile=any description="Wlanspeed service" program="C:\programdata\Wlanspeed\wlanspeed.exe"
1⤵
- Windows firewall usage
- Modifies Windows Firewall
PID:2032

C:\ProgramData\Wlanspeed\wlanspeed.exe
"C:\ProgramData\Wlanspeed\wlanspeed.exe" -getid -nogui
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1332

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- Suspicious use of SetWindowsHookEx
PID:2028

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:275457 /prefetch:2
1⤵
- Suspicious use of SetWindowsHookEx
PID:1980

C:\ProgramData\Wlanspeed\outst.exe
"C:\ProgramData\Wlanspeed\outst.exe" -outid
1⤵
- Executes dropped EXE
PID:2120

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:209927 /prefetch:2
1⤵
- Suspicious use of SetWindowsHookEx
PID:2160

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:734220 /prefetch:2
1⤵
- Suspicious use of SetWindowsHookEx
PID:2376

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:341013 /prefetch:2
1⤵
PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

MITRE ATT&CK Additional techniques

T1060
T1050
T1031

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1332-10-0x00000000038F0000-0x0000000003901000-memory.dmp

Filesize
68KB

Download
memory/1332-11-0x0000000003AF0000-0x0000000003B01000-memory.dmp

Filesize
68KB

Download
memory/2160-42-0x00000000041A0000-0x00000000041A2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

MITRE ATT&CK Additional techniques

Replay Monitor

Loading Replay Monitor...

Downloads