Analysis

  • max time kernel
    51s
  • max time network
    56s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-02-2024 12:50

General

  • Target

    flawedammyy.exe

  • Size

    3.6MB

  • MD5

    743a6891999db5d7179091aba5f98fdb

  • SHA1

    eeca4b8f88fcae9db6f54304270699d459fb5722

  • SHA256

    fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f

  • SHA512

    9edef033663c828536190332ec87ac0096ffddae934d17c51b255a55ecb05774211a0edb1915c19384641befa291cfdfd2e3f878bf3b827f8b203ec1bee9dd96

  • SSDEEP

    98304:NX8jXTWmbAJDaFoKLxycZ2gzJXvXdfxs2g1ypKLC1z:NX8Dsm9ycUcv82Qy06

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

  • Creates new service(s) 1 TTPs
  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer Automatic Crash Recovery 1 TTPs 1 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 20 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\flawedammyy.exe
    "C:\Users\Admin\AppData\Local\Temp\flawedammyy.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Modifies Internet Explorer Automatic Crash Recovery
    • Modifies Internet Explorer Protected Mode Banner
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:208
    • C:\Program Files (x86)\SinTech\TextEdit.exe
      "C:\Program Files (x86)\SinTech\TextEdit.exe"
      2⤵
      • Executes dropped EXE
      PID:5096
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c sc create Wlanspeed binpath= "C:\ProgramData\Wlanspeed\wlanspeed.exe -service" start= auto displayname= "Wlanspeed" & sc description Wlanspeed "Wlanspeed service" && netsh advfirewall firewall add rule name="Wlanspeed" dir=in action=allow profile=any description="Wlanspeed service" program="C:\programdata\Wlanspeed\wlanspeed.exe" && netsh advfirewall firewall add rule name="Wlanspeed" dir=out action=allow profile=any description="Wlanspeed service" program="C:\programdata\Wlanspeed\wlanspeed.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:916
      • C:\Windows\SysWOW64\sc.exe
        sc create Wlanspeed binpath= "C:\ProgramData\Wlanspeed\wlanspeed.exe -service" start= auto displayname= "Wlanspeed"
        3⤵
        • Launches sc.exe
        PID:2568
      • C:\Windows\SysWOW64\sc.exe
        sc description Wlanspeed "Wlanspeed service"
        3⤵
        • Launches sc.exe
        PID:3692
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall firewall add rule name="Wlanspeed" dir=in action=allow profile=any description="Wlanspeed service" program="C:\programdata\Wlanspeed\wlanspeed.exe"
        3⤵
        • Modifies Windows Firewall
        PID:1884
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall firewall add rule name="Wlanspeed" dir=out action=allow profile=any description="Wlanspeed service" program="C:\programdata\Wlanspeed\wlanspeed.exe"
        3⤵
        • Modifies Windows Firewall
        PID:2196
    • C:\ProgramData\Wlanspeed\wlanspeed.exe
      "C:\ProgramData\Wlanspeed\wlanspeed.exe" -getid -nogui
      2⤵
      PID:3384
    • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
      "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
      1⤵
      PID:1720
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4412
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4412 CREDAT:17410 /prefetch:2
          2⤵
          PID:3580

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\SinTech\TextEdit.exe

    Filesize

    72KB

    MD5

    00a6b8a6d0ad367a46961177f058d7a1

    SHA1

    1278c7e9243e1949d1b5b560c8a04397011e95d2

    SHA256

    49db59a95c30aa978362ca589699775932816a3a34732e398986e88fe2b779cb

    SHA512

    3aa77567476668df800fdae6bb36b75394e64a60e8d467ac0d3cb91de1738dda45fb817d913fdb6902c8c48a313b3ae2b68bb1449993c99f718bea2ae45af4ec

  • C:\Program Files (x86)\SinTech\TextEdit.exe.config

    Filesize

    178B

    MD5

    7818adbecb0e6c84d976415f661a031c

    SHA1

    7cd6f603c2e5a187525fb08b2e3c941d2395ec7b

    SHA256

    6185dbac8db6eea6e1c1a01782b1deaf3ae26d1cecc7614f02ee47907e346766

    SHA512

    a37602e09b24bb517768028d0721458bf345750bcef0e139326941b10b1fe298d3b59f423b16429e9755456850a0035f555d5d1ce45dfb57ff336f65b2d89b1b

  • C:\ProgramData\Wlanspeed\wlanspeed.exe

    Filesize

    3.2MB

    MD5

    7e055ac00553ce6dd611f15399b19b14

    SHA1

    e36a515e369f085ef731212d10b6d98ea506cff9

    SHA256

    ccb3eb4def241106ba92b6f476e18b529b8cd8253f25cae7cf4cfa2bb293156e

    SHA512

    7003c6ccad23d6c55edd31bf2550a0b1d6510f1b6e3ee59af8cea3e6abbfa91447ec5972c5337c4758051176b31cb58142b3393203f12dbe66ac0f1be5be3068

  • C:\Users\Admin\AppData\Local\Temp\nspF8C8.tmp\System.dll

    Filesize

    11KB

    MD5

    2ae993a2ffec0c137eb51c8832691bcb

    SHA1

    98e0b37b7c14890f8a599f35678af5e9435906e1

    SHA256

    681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

    SHA512

    2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

  • C:\Users\Admin\AppData\Local\Temp\nspF8C8.tmp\nsExec.dll

    Filesize

    6KB

    MD5

    b648c78981c02c434d6a04d4422a6198

    SHA1

    74d99eed1eae76c7f43454c01cdb7030e5772fc2

    SHA256

    3e3d516d4f28948a474704d5dc9907dbe39e3b3f98e7299f536337278c59c5c9

    SHA512

    219c88c0ef9fd6e3be34c56d8458443e695badd27861d74c486143306a94b8318e6593bf4da81421e88e4539b238557dd4fe1f5bedf3ecec59727917099e90d2

  • memory/3384-30-0x0000000000400000-0x0000000001115000-memory.dmp

    Filesize

    13.1MB

  • memory/5096-18-0x00000000007E0000-0x00000000007FC000-memory.dmp

    Filesize

    112KB

  • memory/5096-19-0x0000000000FB0000-0x0000000000FB6000-memory.dmp

    Filesize

    24KB

  • memory/5096-20-0x00007FF99A420000-0x00007FF99AEE1000-memory.dmp

    Filesize

    10.8MB

  • memory/5096-22-0x000000001B380000-0x000000001B390000-memory.dmp

    Filesize

    64KB

  • memory/5096-29-0x000000001B880000-0x000000001BA29000-memory.dmp

    Filesize

    1.7MB