flawedammyy | 65d4e85c117014155b266f2785d05bac7530bfd3eff04d2804cc831e464962f6

Analysis

max time kernel
150s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-08-2024 15:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dll/UzakYardim.exe
Size

740KB
MD5

10a524d7ac94678ae286b065421647db
SHA1

b538e3f113817c8237419310ef47817d1d961fa9
SHA256

55daa062650d42e0feabc5ae1c3e4a7f68d4f8a3c69be375a0abc7bf3e1efad4
SHA512

928b0e712e604a5ba9580ff6ecadbdf77e2fda6847b11366ce929281ae8e5e3a633073ff07176989ddcb5f8387c6f7c061729af99b61a23a319ddeb7d63ace1b
SSDEEP

12288:pUYpJqMH2OwlaUPcWWw5XZV8f64RteVpN5ETMasTjmgvPi:ZpJJWOwlaUPcWWwRZb4Rt+N5WMasHDy

Score

10^/10

flawedammyy discovery trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	UzakYardim.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	UzakYardim.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	UzakYardim.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	UzakYardim.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UzakYardim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UzakYardim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UzakYardim.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	UzakYardim.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	UzakYardim.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = d463288fe2b2e978f2f8193129cb260ab14f0b2fa632465a77764165450a1a569e567adc8cce05378ff608c78c52f67d22a345645fc308049f2fc5d1f521af7b74920493ae873654dae6d8	UzakYardim.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	UzakYardim.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	UzakYardim.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	UzakYardim.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	UzakYardim.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	UzakYardim.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d567366087c6658524c1752539c3eafa883a8b26b	UzakYardim.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5088	UzakYardim.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
5088	UzakYardim.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 5088	2828	UzakYardim.exe	93
PID 2828 wrote to memory of 5088	2828	UzakYardim.exe	93
PID 2828 wrote to memory of 5088	2828	UzakYardim.exe	93

C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe
"C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1900

C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe
"C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe" -service -lunch
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe
  "C:\Users\Admin\AppData\Local\Temp\dll\UzakYardim.exe"
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4304,i,8548254608087149642,10333768245962368401,262144 --variations-seed-version --mojo-platform-channel-handle=4036 /prefetch:8
1⤵
PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
71a2f293f1348faf34d576cd618740ab

SHA1
110413d7020e59c59f7b2d800a4cfa64857d86d9

SHA256
88e0734a5294240da4a8a8606bb32a40324ec80e33871d05ddf171e5a9ab01b4

SHA512
a6ab2711e8bff8e99ede2da5e3ee93b75330f5b082eb4a5659b5cacc648b6e05c6045dd36308caa6ffd56a0ec309b5b5081dc65eb36b3bc1f28c94442b8f75f4

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
75B

MD5
b1f44194d86bbc977f1c34a598900e59

SHA1
aca7da67f0a4e24d2faf0693210a8422b29a9bbd

SHA256
b567168244feeda2ff4bacb22668b57bbba3cf51b4c5821ff4934b71960a9bc2

SHA512
8cfd643c2230652b5cb4c2a5e4a42bfec3c8368f21c6df3ad48d48f983920dfae5b3c5a7e662fb170c67465d0d8e6433b629095cd55a6b4d9df5b395dbe9673e

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
331B

MD5
c5b80443bc31f2f5c1d2e384c3b82961

SHA1
445a99fa06484d216276b9284eedf25483780216

SHA256
cc8225e7412000f34a92f118af842d585d575498f36fe772dedad9f88c1fe5ad

SHA512
eae9247b9a1abbf8822ce65dbfd2db9b59a57367c7885614b89b8608688753e0c71fc8c955eb1493ef4dd7ba952760ff3476e05d9c177fb40661765a9e408d97

Download Submit