flawedammyy | 43834f452190b6f36ce8bb603b76e44feb45761eb70eae5dee2ac8db17d560ee

Analysis

max time kernel
205s
max time network
215s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
28/11/2022, 23:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1813cdbea071efd7e0b261e0b1f47635.exe
Size

7.6MB
MD5

1813cdbea071efd7e0b261e0b1f47635
SHA1

cb7bfedfa84c2de310fdf36b6fac39c6d8a6c971
SHA256

43834f452190b6f36ce8bb603b76e44feb45761eb70eae5dee2ac8db17d560ee
SHA512

a5ac24cff7a276acc8d629dcb170c51ee8c1d65960f0fbf105a775264a63264bfb126008e5ea4daba812ef1d79881bda3e077bb1349166d474a609dd06e65b77
SSDEEP

196608:4AId0+vNSQpice0XxZcTjfKYQGj8jFDO/3V1hoGv:4zm+v9eeQjCBnjNO/FTXv

Score

10^/10

flawedammyy discovery evasion trojan upx

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Executes dropped EXE 2 IoCs

pid	Process
456	1813cdbea071efd7e0b261e0b1f47635.tmp
4648	SuporteZeus.exe

Modifies Windows Firewall 1 TTPs 2 IoCs

evasion

Modify Existing Service

T1031

pid	Process
4500	NETSH.exe
3728	NETSH.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000001e7a7-140.dat	upx
behavioral2/files/0x000700000001e7a7-141.dat	upx
behavioral2/memory/4648-142-0x0000000000990000-0x0000000000AEE000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/4648-142-0x0000000000990000-0x0000000000AEE000-memory.dmp	autoit_exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Zeus Tecnologia STI\is-GMOAR.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\is-865TC.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\curl\is-MS7S1.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\curl\is-21QDT.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\VncZeusTecnologia.exe	1813cdbea071efd7e0b261e0b1f47635.tmp
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\SuporteZeus.exe	1813cdbea071efd7e0b261e0b1f47635.tmp
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\curl\libcurl.dll	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\is-VCDCD.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\is-445FP.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\curl\is-0NAML.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\unins000.dat	1813cdbea071efd7e0b261e0b1f47635.tmp
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\AtualizadorZeus.exe	1813cdbea071efd7e0b261e0b1f47635.tmp
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\curl\curl.exe	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\unins000.dat	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\is-DO9JS.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\is-AOET0.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\curl\is-9T4FP.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\debugZT_SuporteZeus.exe.log	SuporteZeus.exe
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\AnyDesk.exe	1813cdbea071efd7e0b261e0b1f47635.tmp
File opened for modification	C:\Program Files (x86)\Zeus Tecnologia STI\GerenciadorZeus.exe	1813cdbea071efd7e0b261e0b1f47635.tmp
File created	C:\Program Files (x86)\Zeus Tecnologia STI\is-LT8IK.tmp	1813cdbea071efd7e0b261e0b1f47635.tmp

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3032	SC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
4248	taskkill.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
456	1813cdbea071efd7e0b261e0b1f47635.tmp
456	1813cdbea071efd7e0b261e0b1f47635.tmp
4648	SuporteZeus.exe
4648	SuporteZeus.exe
4648	SuporteZeus.exe
4648	SuporteZeus.exe
4648	SuporteZeus.exe
4648	SuporteZeus.exe
4648	SuporteZeus.exe
4648	SuporteZeus.exe
4648	SuporteZeus.exe
4648	SuporteZeus.exe
4648	SuporteZeus.exe
4648	SuporteZeus.exe
4648	SuporteZeus.exe
4648	SuporteZeus.exe
4648	SuporteZeus.exe
4648	SuporteZeus.exe
4648	SuporteZeus.exe
4648	SuporteZeus.exe
4648	SuporteZeus.exe
4648	SuporteZeus.exe
4648	SuporteZeus.exe
4648	SuporteZeus.exe
4648	SuporteZeus.exe
4648	SuporteZeus.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4248	taskkill.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
456	1813cdbea071efd7e0b261e0b1f47635.tmp
456	1813cdbea071efd7e0b261e0b1f47635.tmp

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
456	1813cdbea071efd7e0b261e0b1f47635.tmp

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3108 wrote to memory of 456	3108	1813cdbea071efd7e0b261e0b1f47635.exe	81
PID 3108 wrote to memory of 456	3108	1813cdbea071efd7e0b261e0b1f47635.exe	81
PID 3108 wrote to memory of 456	3108	1813cdbea071efd7e0b261e0b1f47635.exe	81
PID 456 wrote to memory of 4648	456	1813cdbea071efd7e0b261e0b1f47635.tmp	86
PID 456 wrote to memory of 4648	456	1813cdbea071efd7e0b261e0b1f47635.tmp	86
PID 456 wrote to memory of 4648	456	1813cdbea071efd7e0b261e0b1f47635.tmp	86
PID 4648 wrote to memory of 3032	4648	SuporteZeus.exe	92
PID 4648 wrote to memory of 3032	4648	SuporteZeus.exe	92
PID 4648 wrote to memory of 3032	4648	SuporteZeus.exe	92
PID 4648 wrote to memory of 1880	4648	SuporteZeus.exe	94
PID 4648 wrote to memory of 1880	4648	SuporteZeus.exe	94
PID 4648 wrote to memory of 1880	4648	SuporteZeus.exe	94
PID 4648 wrote to memory of 1196	4648	SuporteZeus.exe	97
PID 4648 wrote to memory of 1196	4648	SuporteZeus.exe	97
PID 4648 wrote to memory of 1196	4648	SuporteZeus.exe	97
PID 4648 wrote to memory of 3604	4648	SuporteZeus.exe	99
PID 4648 wrote to memory of 3604	4648	SuporteZeus.exe	99
PID 4648 wrote to memory of 3604	4648	SuporteZeus.exe	99
PID 4648 wrote to memory of 2704	4648	SuporteZeus.exe	101
PID 4648 wrote to memory of 2704	4648	SuporteZeus.exe	101
PID 4648 wrote to memory of 2704	4648	SuporteZeus.exe	101
PID 4648 wrote to memory of 3900	4648	SuporteZeus.exe	103
PID 4648 wrote to memory of 3900	4648	SuporteZeus.exe	103
PID 4648 wrote to memory of 3900	4648	SuporteZeus.exe	103
PID 4648 wrote to memory of 4692	4648	SuporteZeus.exe	105
PID 4648 wrote to memory of 4692	4648	SuporteZeus.exe	105
PID 4648 wrote to memory of 4692	4648	SuporteZeus.exe	105
PID 4648 wrote to memory of 4544	4648	SuporteZeus.exe	107
PID 4648 wrote to memory of 4544	4648	SuporteZeus.exe	107
PID 4648 wrote to memory of 4544	4648	SuporteZeus.exe	107
PID 4648 wrote to memory of 4924	4648	SuporteZeus.exe	109
PID 4648 wrote to memory of 4924	4648	SuporteZeus.exe	109
PID 4648 wrote to memory of 4924	4648	SuporteZeus.exe	109
PID 4648 wrote to memory of 4500	4648	SuporteZeus.exe	111
PID 4648 wrote to memory of 4500	4648	SuporteZeus.exe	111
PID 4648 wrote to memory of 4500	4648	SuporteZeus.exe	111
PID 4648 wrote to memory of 3728	4648	SuporteZeus.exe	117
PID 4648 wrote to memory of 3728	4648	SuporteZeus.exe	117
PID 4648 wrote to memory of 3728	4648	SuporteZeus.exe	117
PID 4648 wrote to memory of 4248	4648	SuporteZeus.exe	121
PID 4648 wrote to memory of 4248	4648	SuporteZeus.exe	121
PID 4648 wrote to memory of 4248	4648	SuporteZeus.exe	121

C:\Users\Admin\AppData\Local\Temp\1813cdbea071efd7e0b261e0b1f47635.exe
"C:\Users\Admin\AppData\Local\Temp\1813cdbea071efd7e0b261e0b1f47635.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Users\Admin\AppData\Local\Temp\is-A6C04.tmp\1813cdbea071efd7e0b261e0b1f47635.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-A6C04.tmp\1813cdbea071efd7e0b261e0b1f47635.tmp" /SL5="$701CC,7763926,67584,C:\Users\Admin\AppData\Local\Temp\1813cdbea071efd7e0b261e0b1f47635.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:456
- - C:\Program Files (x86)\Zeus Tecnologia STI\SuporteZeus.exe
    "C:\Program Files (x86)\Zeus Tecnologia STI\SuporteZeus.exe" -STIconfig
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4648
  - - C:\Windows\SysWOW64\SC.exe
      SC stop "AmmyyAdmin"
      4⤵
      Launches sc.exe
      PID:3032
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /End /TN ZeusTecSTI
      4⤵
      PID:1880
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /End /TN ZeusTecSTI
      4⤵
      PID:1196
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /End /TN ZeusTecnologia\ZeusTecSTI
      4⤵
      PID:3604
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /End /TN ZeusTecnologia\ZeusTecINV
      4⤵
      PID:2704
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /delete /F /TN "Zeus Tecnologia STI"
      4⤵
      PID:3900
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /delete /F /TN ZeusTecSTI
      4⤵
      PID:4692
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /delete /F /TN ZeusTecnologia\ZeusTecINV
      4⤵
      PID:4544
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      SCHTASKS /delete /F /TN ZeusTecnologia\ZeusTecSTI
      4⤵
      PID:4924
  - - C:\Windows\SysWOW64\NETSH.exe
      NETSH advfirewall firewall delete rule name="ZeusAtualiza"
      4⤵
      Modifies Windows Firewall
      PID:4500
  - - C:\Windows\SysWOW64\NETSH.exe
      NETSH advfirewall firewall delete rule name="ZeusAmmyyAdm"
      4⤵
      Modifies Windows Firewall
      PID:3728
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill -f -im AmmyyAdmin.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Zeus Tecnologia STI\SuporteZeus.exe

Filesize
610KB

MD5
f07db1e2a512171311f40d080034ba01

SHA1
2296ad3bc8807dfa775d43d58c8d3b52d19dd7e2

SHA256
f3e997e126aaec0734a6f2a5d68e3d3ec58cc863705cc3991989cc8183af283e

SHA512
a8e4e28ff8332bc84471f1dfd02a9c519eda796196d4ce143bd3a7f94d91c2dab1a591996ece81de3f0e2fff2491efc66be611bd802857bb56b024240ad4026b

Download Submit
C:\Program Files (x86)\Zeus Tecnologia STI\SuporteZeus.exe

Filesize
610KB

MD5
f07db1e2a512171311f40d080034ba01

SHA1
2296ad3bc8807dfa775d43d58c8d3b52d19dd7e2

SHA256
f3e997e126aaec0734a6f2a5d68e3d3ec58cc863705cc3991989cc8183af283e

SHA512
a8e4e28ff8332bc84471f1dfd02a9c519eda796196d4ce143bd3a7f94d91c2dab1a591996ece81de3f0e2fff2491efc66be611bd802857bb56b024240ad4026b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-A6C04.tmp\1813cdbea071efd7e0b261e0b1f47635.tmp

Filesize
711KB

MD5
478fbeed5ddcc14317065fafc3c19928

SHA1
8a680ce343453e2407444894055e9630f0c36017

SHA256
20d3b66b3d08b16204a6471c1eba6e682765a5397f33a1f4607725db3ea6cd2d

SHA512
6165a7f11184fc8cc52dbe4ed1f412895f5abc308c1b1f9c793d465ddbae4406a656127b40a15591b26fa737e5d7015c9e927fbfadb095e462d2a1cba1fa417d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-A6C04.tmp\1813cdbea071efd7e0b261e0b1f47635.tmp

Filesize
711KB

MD5
478fbeed5ddcc14317065fafc3c19928

SHA1
8a680ce343453e2407444894055e9630f0c36017

SHA256
20d3b66b3d08b16204a6471c1eba6e682765a5397f33a1f4607725db3ea6cd2d

SHA512
6165a7f11184fc8cc52dbe4ed1f412895f5abc308c1b1f9c793d465ddbae4406a656127b40a15591b26fa737e5d7015c9e927fbfadb095e462d2a1cba1fa417d

Download Submit
memory/3108-138-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3108-132-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3108-136-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4648-142-0x0000000000990000-0x0000000000AEE000-memory.dmp

Filesize
1.4MB

Download