Analysis

  • max time kernel
    160s
  • max time network
    167s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-05-2024 02:04

General

  • Target

    dll/UzakYardim.exe

  • Size

    740KB

  • MD5

    10a524d7ac94678ae286b065421647db

  • SHA1

    b538e3f113817c8237419310ef47817d1d961fa9

  • SHA256

    55daa062650d42e0feabc5ae1c3e4a7f68d4f8a3c69be375a0abc7bf3e1efad4

  • SHA512

    928b0e712e604a5ba9580ff6ecadbdf77e2fda6847b11366ce929281ae8e5e3a633073ff07176989ddcb5f8387c6f7c061729af99b61a23a319ddeb7d63ace1b

  • SSDEEP

    12288:pUYpJqMH2OwlaUPcWWw5XZV8f64RteVpN5ETMasTjmgvPi:ZpJJWOwlaUPcWWwRZb4Rt+N5WMasHDy

Score
10/10

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

  • Drops file in System32 directory (4 IoCs)
  • Modifies data under HKEY_USERS (9 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SendNotifyMessage (1 IoC)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe
    "C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe"
    1⤵
    PID:4424
    • C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe
      "C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe" -service -lunch
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1616
      • C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe
        "C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe"
        2⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1052
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
      1⤵
      PID:872

Network

MITRE ATT&CK Matrix

Downloads

  • C:\ProgramData\AMMYY\hr

    Filesize
    22B

    MD5
    53f437f6a449644487197166b978ef92

    SHA1
    4114ef8c4cd50d6cc217f1b501faa3c16a4b4322

    SHA256
    aa1bf51d7e152eb77ef5a29f2fc15db0839889b030c509d24981b4bece24bb82

    SHA512
    c8bae2df7d50985d9918b088e9053f7ba1050e68a843ad84e87ddcd6cecc8ca86e12b1b351b6730cd8319bfd8c3a62883c1183674e2af5d503cf337c043954ad

  • C:\ProgramData\AMMYY\hr3

    Filesize
    68B

    MD5
    06de8f37317bf933f058ac060d267a4a

    SHA1
    e607f94f33a3a3506a5aa0caef9ab797f6fa4edb

    SHA256
    4e83c71bfecc11a9b189a9adc1edf6ceb1d0e203ea4e66b111fa1aaf4c3fc687

    SHA512
    c9305e3bcbe585598bcedf76aa03861c69e861713f2f9c9c60742e7ad42a697453158a66d6bdedf0ee35cd6cc778a6e96b0f278e9d69f33db12c9f96c3850559

  • C:\ProgramData\AMMYY\settings3.bin

    Filesize
    331B

    MD5
    c5b80443bc31f2f5c1d2e384c3b82961

    SHA1
    445a99fa06484d216276b9284eedf25483780216

    SHA256
    cc8225e7412000f34a92f118af842d585d575498f36fe772dedad9f88c1fe5ad

    SHA512
    eae9247b9a1abbf8822ce65dbfd2db9b59a57367c7885614b89b8608688753e0c71fc8c955eb1493ef4dd7ba952760ff3476e05d9c177fb40661765a9e408d97