flawedammyy | b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
26-02-2024 14:14

Target

ammyy.exe
Size

726KB
MD5

d22d719495f23e38805bbea5df434abb
SHA1

3cfeeb974e65c0ba671d81459d2c6b694d5d4eaf
SHA256

b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20
SHA512

d87670775d222b25b329377c8d26c2a4c88ce6b1aa1d6fc004b95ad93f377fd56fb03e709b4b61b26c4fcf06fe477e42afe9f9715884ea91699548b1e4d4a4c7
SSDEEP

12288:ozJUxbtiiTHRJuEkQO7EwC2ZwFRtAdRXRryd+sq1zsgp:o9oNTHRz/O7rT6FRteRXR2IsqXp

Score

10^/10

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Drops file in System32 directory 4 IoCs

Processes:

ammyy.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	ammyy.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	ammyy.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	ammyy.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	ammyy.exe

Modifies data under HKEY_USERS 9 IoCs

Processes:

ammyy.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	ammyy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	ammyy.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e1552538a86482bf637b26b	ammyy.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = db291f8964a17b89426e109ff94cfa7514e415d8fa319e63575a8d17c35a2de3c2e024f6280e32a57b0307ddceec8a9e5c8e40c40a6cabcca70e221a96436ff5a4bbd0e6	ammyy.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	ammyy.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	ammyy.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	ammyy.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	ammyy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	ammyy.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

ammyy.exe

pid	Process
388	ammyy.exe

Suspicious use of SendNotifyMessage 1 IoCs

Processes:

ammyy.exe

pid	Process
388	ammyy.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

ammyy.exe

description	pid	Process	procid_target
PID 1860 wrote to memory of 388	1860	ammyy.exe	88
PID 1860 wrote to memory of 388	1860	ammyy.exe	88
PID 1860 wrote to memory of 388	1860	ammyy.exe	88

C:\Users\Admin\AppData\Local\Temp\ammyy.exe
"C:\Users\Admin\AppData\Local\Temp\ammyy.exe"
1⤵
PID:3648

C:\Users\Admin\AppData\Local\Temp\ammyy.exe
"C:\Users\Admin\AppData\Local\Temp\ammyy.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Users\Admin\AppData\Local\Temp\ammyy.exe
  "C:\Users\Admin\AppData\Local\Temp\ammyy.exe"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:388

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
ff811b9d71241b4a18884fbbb91f0a28

SHA1
3b6c0f9865110fd8e3db908d7008ebbcdcdd1ff4

SHA256
5edcf2d34dfc7a2bbc4092b88d8f2108660c478f9f1085e7d42372df2ca2ac5b

SHA512
336222eaa521e1208a452a09c39e8dd044aa04d8d6b40c064031e577c3656a90bc616f87e88d7e04040bc9efa824e2ca56bb9d77f1e583d0eb9fb2a9c02c029b

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
27586576b9be4a01a2c57f00bbc85054

SHA1
cc8f48dc3998cae1776b0e5defd15d2a2197eed7

SHA256
49e073a6469bbe59dc27a4783e0d0934f19f5e5a3181f0974f6d7d03c0b85226

SHA512
c5d5ff98917542a1b3b9f3e2ee19888932b61bb2abe126b8c7f74c5bfaf756d9aefd3a2debc8ee9f86f43ebf41e0d376ca03f6588a8510ef91e508311f3860f7

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
271B

MD5
e4f7224ed356915816bebb715326d18a

SHA1
8b441bb4276212b9e774cba75fdbb723cb68af93

SHA256
74378574282fceda54a869e384dffdf9d7d202d5a1937d781fcc501d6115e93c

SHA512
5a7fc84ea39311ef5277aaf3fa0e207b6e095ec236ea877756da7849d38678b8e73a7bd5ea49ae51ae730adc2a56cd79dd0fc3be63bcbb58ae50f9f030140ba2

Download Submit