flawedammyy | 32818a2dc7457ccc4f37444ccefc1cf1435657480c152b0ebb1c50833ed56eee

Resubmissions

24/03/2023, 20:48

230324-zlhhgabd8x 10

24/03/2023, 20:47

230324-zkt5wahc59 10

23/01/2023, 22:26

230123-2crqwsfg87 10

21/01/2023, 00:40

230121-a1a99sca71 10

Analysis

max time kernel
49s
max time network
63s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
23/01/2023, 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sys09.exe
Size

751KB
MD5

4d853025b8cd8c725bf78e3df6cce967
SHA1

c6bff7857fdf33cbd8f052ef5d669675e5cf06f8
SHA256

4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8
SHA512

977e43eaa763cc66114e00a615818c66a84a5a47bac1cdf21eff9f8f1dcebf138d8ede823265a2f30807d648c57bf036818254964358691d3f9a013f930705cf
SSDEEP

12288:Tc0dZib4t9uOroAgUHvCUt4RtlTc+YNKpQsNvVd1gF:Tc/UtwOrZgUHv54Rt6+YNkQsNmF

Score

10^/10

flawedammyy trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	sys09.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	sys09.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	sys09.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	sys09.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	sys09.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	taskmgr.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	sys09.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	sys09.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	sys09.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e155253a97a4bfc3170b16b	sys09.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 0bef9fc738989fbc568db04570b4e442152ae3570797f4e87185bdb90bfc9859771f348b2bfa0cefe04680430ccd0d8e29ed1464859645f0e8d2d6b2bb6b9bfd6dcb4a8a	sys09.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	sys09.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	sys09.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	sys09.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	sys09.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4400	taskmgr.exe
Token: SeSystemProfilePrivilege	4400	taskmgr.exe
Token: SeCreateGlobalPrivilege	4400	taskmgr.exe
Token: 33	4400	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4400	taskmgr.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
1548	sys09.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
1548	sys09.exe
1548	sys09.exe

Suspicious use of SendNotifyMessage 45 IoCs

pid	Process
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
1548	sys09.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
4400	taskmgr.exe
1548	sys09.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4444 wrote to memory of 1548	4444	sys09.exe	67
PID 4444 wrote to memory of 1548	4444	sys09.exe	67
PID 4444 wrote to memory of 1548	4444	sys09.exe	67

C:\Users\Admin\AppData\Local\Temp\sys09.exe
"C:\Users\Admin\AppData\Local\Temp\sys09.exe"
1⤵
PID:3048

C:\Users\Admin\AppData\Local\Temp\sys09.exe
"C:\Users\Admin\AppData\Local\Temp\sys09.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Users\Admin\AppData\Local\Temp\sys09.exe
  "C:\Users\Admin\AppData\Local\Temp\sys09.exe"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1548

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
49d1388d9b8ad1551acaf1ba92ad1bd4

SHA1
2b93daf40298f66df977dbbf55f808213d90a47b

SHA256
9d47f18446c40002ead5bdf1d234fa09f0ea7b5d2e64c82d2000546965a59d66

SHA512
06742e61d4fd36e9fd97b28820e872404d382d14cf7751c167ba554b1e27aa3da407cfa42c6d41e8eecffaa7f4f32798837fd0d908b8db11e31a6d767999dc3f

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
271B

MD5
714f2508d4227f74b6adacfef73815d8

SHA1
a35c8a796e4453c0c09d011284b806d25bdad04c

SHA256
a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480

SHA512
1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

Download Submit
memory/3048-117-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-118-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-119-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-120-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-121-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-122-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-123-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-124-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-125-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-126-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-128-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-127-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-129-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-130-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-131-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-132-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-133-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-134-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-135-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-136-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-137-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-138-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-140-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-141-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-139-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-142-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-143-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-144-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-145-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-147-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-146-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-148-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-150-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-149-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-151-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-152-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-153-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-155-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-154-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-156-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-157-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-158-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-159-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-160-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-161-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-162-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-163-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/3048-164-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/4444-165-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/4444-166-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/4444-167-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/4444-168-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/4444-169-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/4444-170-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/4444-171-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/4444-172-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/4444-173-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/4444-174-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/4444-176-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/4444-177-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/4444-175-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/4444-178-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/4444-179-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download
memory/4444-180-0x0000000077470000-0x00000000775FE000-memory.dmp

Filesize
1.6MB

Download