flawedammyy | b50982f889255af6558b6ee07be5837049bb94297ff0c0db6d4670a9001916dc

Resubmissions

06-02-2024 19:04

240206-xq7xtafdfn 10

02-04-2023 09:53

230402-lw48bsha6t 10

Analysis

max time kernel
75s
max time network
78s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2023 09:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AlphaZackCosmos.exe
Size

751KB
MD5

4d853025b8cd8c725bf78e3df6cce967
SHA1

c6bff7857fdf33cbd8f052ef5d669675e5cf06f8
SHA256

4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8
SHA512

977e43eaa763cc66114e00a615818c66a84a5a47bac1cdf21eff9f8f1dcebf138d8ede823265a2f30807d648c57bf036818254964358691d3f9a013f930705cf
SSDEEP

12288:Tc0dZib4t9uOroAgUHvCUt4RtlTc+YNKpQsNvVd1gF:Tc/UtwOrZgUHv54Rt6+YNkQsNmF

Score

10^/10

flawedammyy trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	AlphaZackCosmos.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	AlphaZackCosmos.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	AlphaZackCosmos.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	AlphaZackCosmos.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	AlphaZackCosmos.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	AlphaZackCosmos.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	AlphaZackCosmos.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e155253ca5ec9eb113ab16b	AlphaZackCosmos.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	AlphaZackCosmos.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	AlphaZackCosmos.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	AlphaZackCosmos.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	AlphaZackCosmos.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 4bb6c53ff90d2fce5a6e109ff94cfa7514e415d8fa319e63575a8d17c35a2de3c2e024f6280e32a57b0307ddceec8a9e5c8e40c40a6cabcca70e221a9643413d918cac78	AlphaZackCosmos.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1660	AlphaZackCosmos.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1660	AlphaZackCosmos.exe
1660	AlphaZackCosmos.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1660	AlphaZackCosmos.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3728 wrote to memory of 1660	3728	AlphaZackCosmos.exe	83
PID 3728 wrote to memory of 1660	3728	AlphaZackCosmos.exe	83
PID 3728 wrote to memory of 1660	3728	AlphaZackCosmos.exe	83

C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe
"C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe"
1⤵
PID:5084

C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe
"C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:3728
- C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe
  "C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1660

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
70552ed892cbbc4fa0e597143bcd8b64

SHA1
138be0a48abcca4cf8467f728c0a1d0aa4b67a28

SHA256
ad285adc6573a78dc7887617676ba47be5f50e1227551fb1439a34aa255353ef

SHA512
e4a01ce4240f93f6aba0466f5d336d93e10d1bbc2c9b46e7c6d261e328e44e42358bda05be4d15e1081f089055e68be45c2fbb1220fc9e5c7bf55bb2c4403537

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
f1789982e79b3fe149b501889a50e521

SHA1
381bb7dfe4cdfaec28e93d5f810734b4f77dbc6c

SHA256
de9517ed720b42717b7bcd124ea29ad0d06f6bf421d7fd74ca24193adb97f1bf

SHA512
3a84610a60f0a47dea474ce9ce11f07ea961715beebe507d26e6185b2dcc40a467b6cb6dd049ddfddb23d54085515baa8899422f0660c2d16e04988399336320

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
271B

MD5
714f2508d4227f74b6adacfef73815d8

SHA1
a35c8a796e4453c0c09d011284b806d25bdad04c

SHA256
a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480

SHA512
1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

Download Submit