flawedammyy | 32818a2dc7457ccc4f37444ccefc1cf1435657480c152b0ebb1c50833ed56eee

Resubmissions

24/03/2023, 20:48

230324-zlhhgabd8x 10

24/03/2023, 20:47

230324-zkt5wahc59 10

23/01/2023, 22:26

230123-2crqwsfg87 10

21/01/2023, 00:40

230121-a1a99sca71 10

Analysis

max time kernel
53s
max time network
56s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
24/03/2023, 20:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sys09.exe
Size

751KB
MD5

4d853025b8cd8c725bf78e3df6cce967
SHA1

c6bff7857fdf33cbd8f052ef5d669675e5cf06f8
SHA256

4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8
SHA512

977e43eaa763cc66114e00a615818c66a84a5a47bac1cdf21eff9f8f1dcebf138d8ede823265a2f30807d648c57bf036818254964358691d3f9a013f930705cf
SSDEEP

12288:Tc0dZib4t9uOroAgUHvCUt4RtlTc+YNKpQsNvVd1gF:Tc/UtwOrZgUHv54Rt6+YNkQsNmF

Score

10^/10

flawedammyy trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	sys09.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	sys09.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	sys09.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	sys09.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	sys09.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	sys09.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	sys09.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = fc439c603bdd70ff541e03acc1eece1d499979d93548908ab1847129e8dc1c1e3b6aeac05ae8f023fe7ddf8a2801e49a9a963cf1f45fa85acb3371c80a9ef40bee7e35b9	sys09.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e1552534347046cd201b16b	sys09.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	sys09.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	sys09.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	sys09.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	sys09.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	sys09.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3476	sys09.exe
3476	sys09.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3476	sys09.exe
3476	sys09.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 988 wrote to memory of 3476	988	sys09.exe	67
PID 988 wrote to memory of 3476	988	sys09.exe	67
PID 988 wrote to memory of 3476	988	sys09.exe	67

C:\Users\Admin\AppData\Local\Temp\sys09.exe
"C:\Users\Admin\AppData\Local\Temp\sys09.exe"
1⤵
PID:3668

C:\Users\Admin\AppData\Local\Temp\sys09.exe
"C:\Users\Admin\AppData\Local\Temp\sys09.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:988
- C:\Users\Admin\AppData\Local\Temp\sys09.exe
  "C:\Users\Admin\AppData\Local\Temp\sys09.exe"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3476

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
d0ba7e45104fbf50e66ed7586d7be37c

SHA1
a5a9d17152949350f5c05d25af5aa0b67fde28c8

SHA256
55f23cf1e01e68d6d4c42fe88650ad37c770f1919b6bd25299bd9715fedb47c6

SHA512
1c0eb3faec30a690c1dfa59939dd8dcd47c9a9b821c2f3a87e647bcf2f54c5cac19dda5a5e90715a021c4bc463a7946bd1bf7a34eb798cfe25893df8fd000cb3

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
bd69efbcdb0bc62c4216f469ef8e4a61

SHA1
abfe13948379ad4723e1812d1c41cd38379d08b3

SHA256
2aaf219c1c5d0d15cf2745a7c16565460be8d1272fc97383e0f2746c15688b2c

SHA512
0609ffab6ef16e81843c45159aed4df1919aa55904f0203aec49da1cb18a7ec327a900f3acefe4d6b805e8fff34fe38c1e5b52c8363aaf46a1fecf7b1f916fe5

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
271B

MD5
714f2508d4227f74b6adacfef73815d8

SHA1
a35c8a796e4453c0c09d011284b806d25bdad04c

SHA256
a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480

SHA512
1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

Download Submit