flawedammyy | 6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20

Analysis

max time kernel
150s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2023 12:29

Target

03920799.exe
Size

746KB
MD5

f8cd52b70a11a1fb3f29c6f89ff971ec
SHA1

6a0c46818a6a10c2c5a98a0cce65fbaf95caa344
SHA256

6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20
SHA512

987b6b288a454b6198d4e7f94b7bba67cafe37f9654cd3cd72134a85958efd2125596ae48e66a8ee49ee3f4199dac7f136e1831f2bf4015f25d2980f0b866abe
SSDEEP

12288:PUYpJqMH2OwlaUPcWWw5XZV8f64RteVpN5ETMasTjcP6gX:zpJJWOwlaUPcWWwRZb4Rt+N5WMasHoX

Score

10^/10

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Drops file in System32 directory 4 IoCs

Processes:

03920799.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	03920799.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	03920799.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	03920799.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	03920799.exe

Modifies data under HKEY_USERS 9 IoCs

Processes:

03920799.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	03920799.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	03920799.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	03920799.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	03920799.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 42698c23db3f538207b65f120737f12cf3a30566a57d7537e97e2cdfb4e925ac447106316002c90a2fc8163a0a8e9d559d4a7020c746e0e1b92186e0f5d5074346dad197	03920799.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	03920799.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	03920799.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	03920799.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e155253cc9b9c32cdc0b16b	03920799.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

03920799.exe

pid	Process
4768	03920799.exe

Suspicious use of SendNotifyMessage 1 IoCs

Processes:

03920799.exe

pid	Process
4768	03920799.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

03920799.exe

description	pid	Process	procid_target
PID 556 wrote to memory of 4768	556	03920799.exe	85
PID 556 wrote to memory of 4768	556	03920799.exe	85
PID 556 wrote to memory of 4768	556	03920799.exe	85

C:\Users\Admin\AppData\Local\Temp\03920799.exe
"C:\Users\Admin\AppData\Local\Temp\03920799.exe"
1⤵
PID:628

C:\Users\Admin\AppData\Local\Temp\03920799.exe
"C:\Users\Admin\AppData\Local\Temp\03920799.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:556
- C:\Users\Admin\AppData\Local\Temp\03920799.exe
  "C:\Users\Admin\AppData\Local\Temp\03920799.exe"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4768

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
42b10a86aa904b33e2925e35f349360f

SHA1
e568a206b97f7956b4bb97bd6063b6d5a7362d8e

SHA256
d8b0cdcedaabfd418fd18bfcff14113a1e05c17c818e92f6ae42980ed3b4100b

SHA512
f2f89da9e612a132da3a18b651f25680d26a63c98f517360d25b6f1e6bdd7ff159b93b360d157738e7f782029d1ccd9a6641308c75c6888cbc7a4dd32004bddc

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
2a1889442ba91fc1362b1167f9a140fc

SHA1
ec5edd167f528acc1a98bd19a764aef57bb5017c

SHA256
a246bfc5fe0072dd0a59c499cd10287e2e4ece532193a96d4c9d5fd02aae243d

SHA512
36481e00afc7c4c48d0dc7a3eba2dab2a4519afeb62ce89c691ae977db95efd7d758e74eabeb8a3be5af8386048118058c6cebc3a9bcc81f3b0b35f75dc0a1d2

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
271B

MD5
714f2508d4227f74b6adacfef73815d8

SHA1
a35c8a796e4453c0c09d011284b806d25bdad04c

SHA256
a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480

SHA512
1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

Download Submit