flawedammyy | 04df4d095a36105942be8be5c147948a99581b6f09c4d17c3e69345a4f2905f7

Analysis

max time kernel
152s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08-03-2024 13:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dll/UzakYardim.exe
Size

740KB
MD5

10a524d7ac94678ae286b065421647db
SHA1

b538e3f113817c8237419310ef47817d1d961fa9
SHA256

55daa062650d42e0feabc5ae1c3e4a7f68d4f8a3c69be375a0abc7bf3e1efad4
SHA512

928b0e712e604a5ba9580ff6ecadbdf77e2fda6847b11366ce929281ae8e5e3a633073ff07176989ddcb5f8387c6f7c061729af99b61a23a319ddeb7d63ace1b
SSDEEP

12288:pUYpJqMH2OwlaUPcWWw5XZV8f64RteVpN5ETMasTjmgvPi:ZpJJWOwlaUPcWWwRZb4Rt+N5WMasHDy

Score

10^/10

flawedammyy trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

UzakYardim.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Control Panel\International\Geo\Nation	UzakYardim.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

UzakYardim.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	UzakYardim.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	UzakYardim.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy	UzakYardim.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c105953d7e4cb50152eb26b	UzakYardim.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 1cb1ded293430ab46e6fbbee0189cf4e06dcf2137dbf1f75892187eaa2ce6fc91a791a2b698f1ad118be6025ea56908c1daffe996c9cee4224ef1ef2143217a8e24f38b7	UzakYardim.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	UzakYardim.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

UzakYardim.exe

pid	Process
3060	UzakYardim.exe

Suspicious use of SendNotifyMessage 1 IoCs

Processes:

UzakYardim.exe

pid	Process
3060	UzakYardim.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

UzakYardim.exe

description	pid	Process	procid_target
PID 1408 wrote to memory of 3060	1408	UzakYardim.exe	29
PID 1408 wrote to memory of 3060	1408	UzakYardim.exe	29
PID 1408 wrote to memory of 3060	1408	UzakYardim.exe	29
PID 1408 wrote to memory of 3060	1408	UzakYardim.exe	29

C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe
"C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe"
1⤵
PID:2088

C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe
"C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe
  "C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe"
  2⤵
  - Checks computer location settings
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
095e0c48b147f8500d8947666b692832

SHA1
eaed6f78e9e1be9b5427d52f5de17e1dcfa1203d

SHA256
962bc7d1465ec9c751ccde5e29142e135482642d14356a0172f95b2efc4d9547

SHA512
a77b279db7cb537c5e5f18ac77f843f3e6122efae52dd62d63f6183f2f93de8fab9f020f4203e4267f664f88b3ff02b9f2d3373206a6f9fc6461b46497f5cf50

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
9278c9af59703ac4e7c5a8bcdd06eab0

SHA1
1911ee5f6edf793e62b163fb51e45d5fb93755cd

SHA256
768aca91ecff7ed0ad4fe89b4ff7562bc03794aade06054a7fd568ad13fc39a4

SHA512
81a4e891bfbfe0d65e8ce9532043d565def713408693b3d251787041704753e014a12e5a7185b681a318bfe569a2e72d1d37908c23f88e88562d51afb99f4cdb

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
331B

MD5
c5b80443bc31f2f5c1d2e384c3b82961

SHA1
445a99fa06484d216276b9284eedf25483780216

SHA256
cc8225e7412000f34a92f118af842d585d575498f36fe772dedad9f88c1fe5ad

SHA512
eae9247b9a1abbf8822ce65dbfd2db9b59a57367c7885614b89b8608688753e0c71fc8c955eb1493ef4dd7ba952760ff3476e05d9c177fb40661765a9e408d97

Download Submit