flawedammyy | 68fc88238de071fbdc5f7e1c9771adec1bca2903752f148e6cdb7ea6e796a966

Analysis

max time kernel
160s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 02:04

Target

dll/UzakYardim.exe
Size

740KB
MD5

10a524d7ac94678ae286b065421647db
SHA1

b538e3f113817c8237419310ef47817d1d961fa9
SHA256

55daa062650d42e0feabc5ae1c3e4a7f68d4f8a3c69be375a0abc7bf3e1efad4
SHA512

928b0e712e604a5ba9580ff6ecadbdf77e2fda6847b11366ce929281ae8e5e3a633073ff07176989ddcb5f8387c6f7c061729af99b61a23a319ddeb7d63ace1b
SSDEEP

12288:pUYpJqMH2OwlaUPcWWw5XZV8f64RteVpN5ETMasTjmgvPi:ZpJJWOwlaUPcWWwRZb4Rt+N5WMasHDy

Score

10^/10

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Drops file in System32 directory 4 IoCs

Processes:

UzakYardim.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	UzakYardim.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	UzakYardim.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	UzakYardim.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	UzakYardim.exe

Modifies data under HKEY_USERS 9 IoCs

Processes:

UzakYardim.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	UzakYardim.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	UzakYardim.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	UzakYardim.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	UzakYardim.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	UzakYardim.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 3c4275956e084c551f51359ac4598ada24323bb371a316aebe0f57d6ac29bdd81f479d0566a7042bd557cb35436cec6843032c713784344f87ba74a3f044e3a40755c0c6	UzakYardim.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	UzakYardim.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e1552534c49e12c00f1b26b	UzakYardim.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	UzakYardim.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

UzakYardim.exe

pid process

1052 UzakYardim.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

UzakYardim.exe

pid process

1052 UzakYardim.exe

pid	process
1052	UzakYardim.exe

pid	process
1052	UzakYardim.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

UzakYardim.exe

description	pid	process	target process
PID 1616 wrote to memory of 1052	1616	UzakYardim.exe	UzakYardim.exe
PID 1616 wrote to memory of 1052	1616	UzakYardim.exe	UzakYardim.exe
PID 1616 wrote to memory of 1052	1616	UzakYardim.exe	UzakYardim.exe

C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe
"C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe"
1⤵
PID:4424

C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe
"C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe
  "C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:872

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
53f437f6a449644487197166b978ef92

SHA1
4114ef8c4cd50d6cc217f1b501faa3c16a4b4322

SHA256
aa1bf51d7e152eb77ef5a29f2fc15db0839889b030c509d24981b4bece24bb82

SHA512
c8bae2df7d50985d9918b088e9053f7ba1050e68a843ad84e87ddcd6cecc8ca86e12b1b351b6730cd8319bfd8c3a62883c1183674e2af5d503cf337c043954ad

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
06de8f37317bf933f058ac060d267a4a

SHA1
e607f94f33a3a3506a5aa0caef9ab797f6fa4edb

SHA256
4e83c71bfecc11a9b189a9adc1edf6ceb1d0e203ea4e66b111fa1aaf4c3fc687

SHA512
c9305e3bcbe585598bcedf76aa03861c69e861713f2f9c9c60742e7ad42a697453158a66d6bdedf0ee35cd6cc778a6e96b0f278e9d69f33db12c9f96c3850559

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
331B

MD5
c5b80443bc31f2f5c1d2e384c3b82961

SHA1
445a99fa06484d216276b9284eedf25483780216

SHA256
cc8225e7412000f34a92f118af842d585d575498f36fe772dedad9f88c1fe5ad

SHA512
eae9247b9a1abbf8822ce65dbfd2db9b59a57367c7885614b89b8608688753e0c71fc8c955eb1493ef4dd7ba952760ff3476e05d9c177fb40661765a9e408d97

Download Submit