flawedammyy | 4731517b198414342891553881913565819509086b8154214462788c740b34c9

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
18-07-2023 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GWPEx64_10_07_2018.7z.exe
Size

726KB
MD5

190785b2bb664324334c1b5231b5c4b0
SHA1

07539abb2623fe24b9a05e240f675fa2d15268cb
SHA256

4731517b198414342891553881913565819509086b8154214462788c740b34c9
SHA512

ab40f182fb52e5281f0761cf064a7f4b82ea04a2c9c00fe6faa4e61f8e632b8c7a64820e226b2ab668c99ada195c1ca117b702474bd023d84991a16dd10ba85c
SSDEEP

12288:8YdNctvsfu2LVBfKf057C9lRt3i5olGJsxhzagH:HdNikfu2hBfK8ilRty5olGJsxNH

Score

10^/10

flawedammyy trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Drops file in System32 directory 7 IoCs

Processes:

GWPEx64_10_07_2018.7z.exesvchost.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	GWPEx64_10_07_2018.7z.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	GWPEx64_10_07_2018.7z.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{29359432-75F5-4B9E-9388-724894F15077}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat	svchost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	GWPEx64_10_07_2018.7z.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	GWPEx64_10_07_2018.7z.exe

Modifies data under HKEY_USERS 9 IoCs

Processes:

GWPEx64_10_07_2018.7z.exe

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 61e47c32e428be59817a0f4b9e97cb4e16139895a75d7f134a82f569c155d8016d8f9873f44de1f5a6ae94aa462170447a9d058f4caa35aa7c7069f9e53e17c3e5444f98	GWPEx64_10_07_2018.7z.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	GWPEx64_10_07_2018.7z.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	GWPEx64_10_07_2018.7z.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	GWPEx64_10_07_2018.7z.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e1552538768f676e6e6b16b	GWPEx64_10_07_2018.7z.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	GWPEx64_10_07_2018.7z.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	GWPEx64_10_07_2018.7z.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	GWPEx64_10_07_2018.7z.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	GWPEx64_10_07_2018.7z.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

GWPEx64_10_07_2018.7z.exe

pid	Process
1360	GWPEx64_10_07_2018.7z.exe

Suspicious use of SendNotifyMessage 1 IoCs

Processes:

GWPEx64_10_07_2018.7z.exe

pid	Process
1360	GWPEx64_10_07_2018.7z.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

GWPEx64_10_07_2018.7z.exe

description	pid	Process	procid_target
PID 3016 wrote to memory of 1360	3016	GWPEx64_10_07_2018.7z.exe	82
PID 3016 wrote to memory of 1360	3016	GWPEx64_10_07_2018.7z.exe	82
PID 3016 wrote to memory of 1360	3016	GWPEx64_10_07_2018.7z.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\GWPEx64_10_07_2018.7z.exe
"C:\Users\Admin\AppData\Local\Temp\GWPEx64_10_07_2018.7z.exe"
1⤵
PID:2924

C:\Users\Admin\AppData\Local\Temp\GWPEx64_10_07_2018.7z.exe
"C:\Users\Admin\AppData\Local\Temp\GWPEx64_10_07_2018.7z.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\GWPEx64_10_07_2018.7z.exe
  "C:\Users\Admin\AppData\Local\Temp\GWPEx64_10_07_2018.7z.exe"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1360

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
PID:3956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
9c5e84c904016803721a521f2069e80c

SHA1
1da4191f318e96c4251a2479425f06b62c7e2db2

SHA256
2e0cdd4a85edda68dc07f1b9a97bb462ceb810300aaf9f8dd76ab968641e1d1d

SHA512
a7dbfa5f036ae5c05db6769892c2a5726704b5271fa8ad7c5a2fc9997b1fff68aad2566ac5e6e99cbdc66999279b80d9c26d59ad3aebfb930f7fea64f9389160

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
771692c363906529907654418bbb76e6

SHA1
85f551f531e4d612f1197f55db3c9a61db61e4b6

SHA256
66ca56240b9a166302c0df3894407a56566379eb294d3056072b746cdb004ac5

SHA512
b373cbb9a264dbbce65d8a8785b4b00fad85abc8b7cd1d15d230061df24ae64f0d90107ca89b15e6dbf3a879c105031251cbbf35fd482081dbaaafe2e7e564c4

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
271B

MD5
4cb889e527b0d0781a17f6c2dd968129

SHA1
6a6a55cd5604370660f1c1ad1025195169be8978

SHA256
2658cd46dd49335e739cafa31ff2ec63f3315b65ecc171a0f7612713d3ac702b

SHA512
297d2c05d2ac950faeb519d3e7bc56ea9d9fcab65b5dfdbba2720be8eddc8b2d5ead3dc7c122b82d6937be6c2d7bb88872dd7b80961138571245fba381daac3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsuDB9B.tmp

Filesize
14KB

MD5
c01eaa0bdcd7c30a42bbb35a9acbf574

SHA1
0aee3e1b873e41d040f1991819d0027b6cc68f54

SHA256
32297224427103aa1834dba276bf5d49cd5dd6bda0291422e47ad0d0706c6d40

SHA512
d26ff775ad39425933cd3df92209faa53ec5b701e65bfbcccc64ce8dd3e79f619a9bad7cc975a98a95f2006ae89e50551877fc315a3050e48d5ab89e0802e2b7

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
88d3af1adae545fb3c8757d19885dffd

SHA1
b1c17b89318649e0ecac25c4603e1c1469a83004

SHA256
83341241e368156d18eed84675380e02b85859b7d60410c40ec97673b4a43587

SHA512
f960123f77f8c1fdf587b50800821f984b749a5f55f3bf779ddf58f8262b64b0a3635eca8e9008b06c144a66855c1832ddef916b4bb6ab6e91763bbb758a4875

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
b3f2c80c1d8ed4ad569091790949d82e

SHA1
d178cd6445cd375e38b2f1edab6a86b112479292

SHA256
5f0dea507d1095e527383c5fc20c82629ae18500b78f808a485663aac08dd647

SHA512
d36db28748e2e4040866bfc86d7dab8a4cf5be6457ee36658c2bbf92436f9e18250c2ff4734a5a7a194b595652c9c08bee9e817f45584fac0b3c7d9290bd8451

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
856668ebe387d219c7760029318ce50c

SHA1
5121731b236138a20efa3455202939551ef1ed83

SHA256
30670ba4234ec9a98d9ad8d15554e5cec2bc452d5b7d8886e95fa2d4d58d4af0

SHA512
b85bf1af21ead35dc7c98de1fe15e80fa633e66544ab249c85335d0f25806162b2bdc9321e559780796f90afe796ba350b74e5307a6ca02fd70a9056a35931f4

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
9ff12dafd95ee6f1c9333818eec4785e

SHA1
8e82e7572af8816f9c19253c5f0670b74961155b

SHA256
91d0004438c11a77a3a92168c116e4e8f3cb1d7ffdafed86209dd5c8c8d54c69

SHA512
bc289e6f6660be3e3a3fe27e074377bd047fd732baa91f0796f53796186ff5f6d0e14ceeb591c5d4d1c1a136fde4ba01a756f2f6fee65a0cd3dbc247cc816146

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
864ddad765afa4dcc8f763240f5c74a7

SHA1
c48d4f5af90490841fb390187886033cdeb8bbfe

SHA256
06344bf8c756c7b2c2ca8c803298c616ac31c50721bb41d9fb1cab0c8f5f3664

SHA512
a6dcf5b056962d889db7c1c80d0b367faa557b1a974d38d448ae054b0680aae79b326df1d6f773ca209aef889a775bccb730edf3d41ed5d6d14b65cab9834375

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
f9e75881ec7dd401b969c4548e684d7c

SHA1
5d7343eb5d20d34d41ca90f307baa57564621d66

SHA256
23f2bfb72e38bb8ff9b4385bdfe2d49539c6a17bc736e5fde6fae13bd3989678

SHA512
f2efdb682d4e8cf5b4b915c2305ed48a8122f4b0019570954656b098b77138c6baf25d796366148ce670b3994d297d4eb6738827ed93ef12a14a7e8f325d0286

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
04c4feb68ca170703d083a595160376e

SHA1
b4fa80daf24bf7cea687b23501cb26441f4606e1

SHA256
c31345d07195129d4e83cbe75d7408aeac62ce08ba3c7251a3f3086d8df53b1f

SHA512
1b4b73545713d99ee0e45299ac0d95ba51e53da7dc6180f35ad930874c48a73e1813f97cabd7fcb9c9c5a69ddd1f64b0aba0a10d71d361ccf891f48ff46d133c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
fec4723ab9b22a7236024d3eac9f4b91

SHA1
2a37aa1009fbb3ea71afadbf95170ddbfd6e86c9

SHA256
f93e602770c8724ec7d16aecc3b2ab22491857a832303c16f903c7b3ed9aa7d2

SHA512
99854132360cb1b2fb624d32b12e36909917b28c2676bc138ee29f5527369a530d44d39edc5e2c2ea1766f9d9019758c8618d06ea683eb082f77b37d9e7a02de

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
556f4ac42bb89d63e36a1993580b75c1

SHA1
94b397f2550d0d625bde03e602e32faaaed73a51

SHA256
b2b12fa805cbec209a577daabd4229702d9bdee6c4e8474833ee5275a2e70bd1

SHA512
550f833eddc6217b47603686a653b3a5555300a9e3bfed0c1c796c275813f028357652817d00a345581e6327ca8830142979878d580296d9e16aea860a4e8e4f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
e4922db112b88f6efc17cec4c63ea28d

SHA1
8b52524e2ceb73b33a462d480c79069b6284b07c

SHA256
5769c3bdad41b6a4960b8bd394cbac26810a99009caaae59656fa1f3e59f99ac

SHA512
0ac287aac4c7a87edda674b1cbbd4c3ed3af4becec0d36bf704ada4c0df5efec703effd44b7c5878344438d70d954e3258ac075a1eb16847234f4b85f41d0944

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
c68cd2991992eb845a42f1c52a08b2cc

SHA1
e6920b24453dd4c52793b5f9ce05cd01242d0efd

SHA256
e61a25e75d047f06fa14a03b1f7a295765e197d4623d495835868cb5f4ac914b

SHA512
b46da2c5c7bf3188f9b7cd6470ca85fe40dc818afb6fa47668fd2a5221183a29febc243ddb5f165e37427f95e9f6ed9f4f2686197aa4649fa9926e0e227780bb

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
c4899ef33dca9f7531e600becd9f62f7

SHA1
ee91d574f6aca36104190640b409c77296f0efd8

SHA256
86721ff1ddde5315c521656d3c0fb09a78b4ec8d47d29faa0dc0b2b708e8598f

SHA512
86a7fb8668160028706b97b44493f7a29ce48b955310d51236ee01a2a62ca38e9da92681dfbe24b6c256aa45835e9aa8d17f8a94810dc171304c3a0093d0a578

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
2c3372d4c44c3f81057f6f99fcd39dbe

SHA1
42bc97a098acb25f230a45dd6176dfba99c84d42

SHA256
61fe1c5a3e7798f7a5648b304dfd43e37f3cdb300428a1fe2a8a4fccb61cb2ad

SHA512
ed85c6bb6c13c8b63e258be5d098b58630d107bdb6836246cd976801c6b012375bc0837b9503cef021a6f839db065b659b01a5200059ed19e29b4922f1322113

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
1d9105e6f42abfe79063f1b210f8030f

SHA1
1d8e25813f39e13a2c3b1777f132350a74100641

SHA256
0ead1b5b5989a70e31a9c3d36193dd03307a0c8712bfc37a0a22e6abefc135f5

SHA512
5e3b742c663db22ac94e198512a65e0d871908753c3442fec2433a766795b3f63984552606035e7be8b78dbec11ed623993137e85e5ea7f1c08add3e0df7bdb7

Download Submit
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

Filesize
29KB

MD5
54840c6d64f94bffb2bbc14a591e19d3

SHA1
e3534777782179459795dd31995d4f2035380320

SHA256
5b2b0feba04b56cbe8ba80e588b735b38623f9de861a2e34335e9bfecb696a42

SHA512
cf0765366288890f54c638bf1cf84ff3bc953efd5c5015f6418cb83decb521ebf5feae57db22aa371333f0a11d8fbe4e55760dbf14cfd897f9495d7a835f00de

Download Submit