flawedammyy | 9e80a1754fad2561154d9b12b9302c1455b1bc5b16ee72e99c401af98d7af327

Analysis

max time kernel
181s
max time network
198s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2023, 14:15

Target

Ammyy Admin .exe
Size

746KB
MD5

2cbf5657ffd8858a9597f296a60270c2
SHA1

b130611c92788337c4f6bb9e9454ff06eb409166
SHA256

9b3f4d6a9bae4d7f9cfe45e706db8fe4baef51ae12353941e8b1532b231e6eac
SHA512

06339a299c8c9ce55e9b96582e54e0bf9e04f894ceb47c07486adf8b0140c2a01fd0932207aca8112ee0b16ba8711fee9435e37339aafb94f167b5a736ee7d0b
SSDEEP

12288:6NgEvTkYGzXUMA7PTgM0YOg26y4RtcxcUwhqb3omaY80NP6gL:6XTszE7PTgM0YOgA4RtcbwhsSYFVL

Score

10^/10

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	Ammyy Admin .exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	Ammyy Admin .exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	Ammyy Admin .exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	Ammyy Admin .exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	Ammyy Admin .exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	Ammyy Admin .exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e1552530a640e8bb34eb26b	Ammyy Admin .exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	Ammyy Admin .exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	Ammyy Admin .exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	Ammyy Admin .exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 8fc8c60767824261e73ce7bde28acf907541e0761d015f385e8033b5e0576a5546977bf7a8ebbe6058f586d29bcc79848be3e890f8dae8ebbd2df2418c17779a9ff5c4fa	Ammyy Admin .exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	Ammyy Admin .exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	Ammyy Admin .exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4572	Ammyy Admin .exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4572	Ammyy Admin .exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4216 wrote to memory of 4572	4216	Ammyy Admin .exe	99
PID 4216 wrote to memory of 4572	4216	Ammyy Admin .exe	99
PID 4216 wrote to memory of 4572	4216	Ammyy Admin .exe	99

C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe
"C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe"
1⤵
PID:4944

C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe
"C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe
  "C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4572

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
b3c6ac51a0ac121c7cd287f40463bfea

SHA1
ea6066934025a818e034d41fc52290cbdacdc83b

SHA256
1cf2204c92660857da48eb60e3bfbf3773ca9466b0ee94fe91abe841cf106e43

SHA512
f9ce3b68104eff1af511d584cf4d143944e752e4f4456f019f56d8b3a16478cc7288650a89760f6fa880b9b063843499f366513bf3bf5c163b56be4f4986d69f

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
a6cab32e9c569a48eef8d12da6a1251d

SHA1
84b02e5ad0c666082b77a98057f33f0b73c5541a

SHA256
b44f4fb288ce995d8d9f63576815f10a0514e6a10a3127dd30420bc1b1b8074f

SHA512
d60bde7095c7ec7ab4fee8751811ac002c088051ee7a4fe2da63731ed2158a27d3f032b757c01f63f5c2c36f2482227c59f1d4cef64aa08df35e719ac92894f8

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
271B

MD5
714f2508d4227f74b6adacfef73815d8

SHA1
a35c8a796e4453c0c09d011284b806d25bdad04c

SHA256
a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480

SHA512
1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

Download Submit