flawedammyy | 8392bb9829d425f7c8c21155527f8a6b06ae2b2652fb31fd49f5de998c7e2afc

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
09-07-2023 07:38

Target

Device/HarddiskVolume8/UB_AHO_AG/krbiju/[email protected]/LTP-484/Data/C/Users/KRBiju/Desktop.exe
Size

746KB
MD5

f8cd52b70a11a1fb3f29c6f89ff971ec
SHA1

6a0c46818a6a10c2c5a98a0cce65fbaf95caa344
SHA256

6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20
SHA512

987b6b288a454b6198d4e7f94b7bba67cafe37f9654cd3cd72134a85958efd2125596ae48e66a8ee49ee3f4199dac7f136e1831f2bf4015f25d2980f0b866abe
SSDEEP

12288:PUYpJqMH2OwlaUPcWWw5XZV8f64RteVpN5ETMasTjcP6gX:zpJJWOwlaUPcWWwRZb4Rt+N5WMasHoX

Score

10^/10

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Drops file in System32 directory 4 IoCs

Processes:

Desktop.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	Desktop.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	Desktop.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	Desktop.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	Desktop.exe

Modifies data under HKEY_USERS 9 IoCs

Processes:

Desktop.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	Desktop.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	Desktop.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	Desktop.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	Desktop.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e1552534bc0a05270edb16b	Desktop.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 0ebb943cb952cda4626d4532906bfd9fecfa22fef39fc00a2e7f4a9687b4a6a9d513ba69bdd149a0ceb80dabd407b79356483814ecb7407cff48afc9168089bfe5962f46	Desktop.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	Desktop.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	Desktop.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	Desktop.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Desktop.exe

pid	Process
4616	Desktop.exe

Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Desktop.exe

pid	Process
4616	Desktop.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

Desktop.exe

description	pid	Process	procid_target
PID 3336 wrote to memory of 4616	3336	Desktop.exe	85
PID 3336 wrote to memory of 4616	3336	Desktop.exe	85
PID 3336 wrote to memory of 4616	3336	Desktop.exe	85

C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume8\UB_AHO_AG\krbiju\[email protected]\LTP-484\Data\C\Users\KRBiju\Desktop.exe
"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume8\UB_AHO_AG\krbiju\[email protected]\LTP-484\Data\C\Users\KRBiju\Desktop.exe"
1⤵
PID:3152

C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume8\UB_AHO_AG\krbiju\[email protected]\LTP-484\Data\C\Users\KRBiju\Desktop.exe
"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume8\UB_AHO_AG\krbiju\[email protected]\LTP-484\Data\C\Users\KRBiju\Desktop.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:3336
- C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume8\UB_AHO_AG\krbiju\[email protected]\LTP-484\Data\C\Users\KRBiju\Desktop.exe
  "C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume8\UB_AHO_AG\krbiju\[email protected]\LTP-484\Data\C\Users\KRBiju\Desktop.exe"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4616

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
732364c41e5583d517292e8815fab562

SHA1
43f88cc64eb31c384f93b28de123e770432d8be0

SHA256
64fc73dd87a1f168f02f271a8c61039ab6965b384e5af68440be77a8022dc7ac

SHA512
66cd67c0e55050e36d7df3ebdc1d27a91cca61ec427c59356395565eae8f08bb365f80e393c39a0bf3b84ff3d73a43c3792b4e9f05e21a3abd8fd95608463c8c

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
3b4b4daba343e9b87b6528e42f7d9fb8

SHA1
7ed7e2e7989a1011827e0720ab99d2dae10aad57

SHA256
3c596b75b0241d1ee28afe3718c7b967a2d1eab91045c6e8e55ea7ab816f0b3f

SHA512
1338e841bd4862ce32899d917eca748a0a4ba1f76bac94901aecc1b6cac8217a87d9f1be328fa34f1651544c3d767bc0bdf8634ed46e376aa79e0bb29cc21454

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
271B

MD5
714f2508d4227f74b6adacfef73815d8

SHA1
a35c8a796e4453c0c09d011284b806d25bdad04c

SHA256
a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480

SHA512
1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

Download Submit