flawedammyy | 51112c067bd5c87a44698ec80bf9873160eee16b2d7c9775786e41724a06ecd7

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2024 19:19

Target

dll/UzakYardim.exe
Size

740KB
MD5

10a524d7ac94678ae286b065421647db
SHA1

b538e3f113817c8237419310ef47817d1d961fa9
SHA256

55daa062650d42e0feabc5ae1c3e4a7f68d4f8a3c69be375a0abc7bf3e1efad4
SHA512

928b0e712e604a5ba9580ff6ecadbdf77e2fda6847b11366ce929281ae8e5e3a633073ff07176989ddcb5f8387c6f7c061729af99b61a23a319ddeb7d63ace1b
SSDEEP

12288:pUYpJqMH2OwlaUPcWWw5XZV8f64RteVpN5ETMasTjmgvPi:ZpJJWOwlaUPcWWwRZb4Rt+N5WMasHDy

Score

10^/10

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Drops file in System32 directory 4 IoCs

Processes:

UzakYardim.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	UzakYardim.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	UzakYardim.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	UzakYardim.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	UzakYardim.exe

Modifies data under HKEY_USERS 9 IoCs

Processes:

UzakYardim.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	UzakYardim.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	UzakYardim.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	UzakYardim.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d567366087c69585c401452538853b0cea389b26b	UzakYardim.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	UzakYardim.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	UzakYardim.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = cc306e585b844bcfdbb376b88472534743c7bda57eaf154a5d5da214d2128e843cbf07ecca0bdd8e26bf59ae004856738eebf48b730490b83e75be467dc76dbdf4b9a4bf	UzakYardim.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	UzakYardim.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	UzakYardim.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

UzakYardim.exe

pid process

1676 UzakYardim.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

UzakYardim.exe

pid process

1676 UzakYardim.exe

pid	process
1676	UzakYardim.exe

pid	process
1676	UzakYardim.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

UzakYardim.exe

description	pid	process	target process
PID 1936 wrote to memory of 1676	1936	UzakYardim.exe	UzakYardim.exe
PID 1936 wrote to memory of 1676	1936	UzakYardim.exe	UzakYardim.exe
PID 1936 wrote to memory of 1676	1936	UzakYardim.exe	UzakYardim.exe

C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe
"C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe"
1⤵
PID:1600

C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe
"C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:1936

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
1a8748a47e5d485c4d33ebb9dce0ee7d

SHA1
39de49c4af986cbb529f21491708f9e12684d803

SHA256
bab606ce099249c2521c112248b87e6e0b805bb1063584f1ff83385bd9e3c0ad

SHA512
2d6e05023ff270a75e1a072d699b1410320516e3c05cd18f6ace296a48cb244f63b749f5904adedee4c8a95eab439e02380ef04cbab8be5a696489be10f89559

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
639cd98241967f2b96f2733aadaf76c8

SHA1
57c139bc0d9da1c573ccee33a97cbd850dcc959e

SHA256
d1cd0baf7353b10ed28c42ebcfd873ed29ee76943730a32a42e93ec197e78ef2

SHA512
0bd1278a6bc3322e4558d189487bba996065502cb3315405826a66085a38b26057f114ed5c4f919bd97a3e2148fb9d2379da65bd1e1a549951cd6a246212bb5d

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
331B

MD5
c5b80443bc31f2f5c1d2e384c3b82961

SHA1
445a99fa06484d216276b9284eedf25483780216

SHA256
cc8225e7412000f34a92f118af842d585d575498f36fe772dedad9f88c1fe5ad

SHA512
eae9247b9a1abbf8822ce65dbfd2db9b59a57367c7885614b89b8608688753e0c71fc8c955eb1493ef4dd7ba952760ff3476e05d9c177fb40661765a9e408d97

Download Submit