Managed XDR

uniqsvr.exe (FlawedAmmyy) — malware analysis report

File info

Filename
uniqsvr.exe
File type
PE32 executable (GUI) Intel 80386, for MS Windows
File size
756.5 KB
First seen
Last seen

Environment

win7/x86 en

Hashes

SHA1
83e59f58028dcf89c668003d2fb680468ac83db6
SHA256
00dfe3981c5da24e4d0ce0585735e3be0f8eccffd0b371c2b21786af4955e6b9
MD5
4a512f1bc89d731949631f44a3546ac0

Malwares

  • FlawedAmmyy

Signatures

Execution

T1047 has_wmi: Executes one or several WMI requests

Persistence

T1574.011 persistence_services: Modifies Services registry key
T1543.003 persistence_services: Modifies Services registry key

Privilege Escalation

T1574.011 persistence_services: Modifies Services registry key
T1543.003 persistence_services: Modifies Services registry key
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1574.011 persistence_services: Modifies Services registry key
T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1497.001 antivm_queries_computername: Retrieves the computer name

Discovery

T1497.003 antisandbox_sleep: The process attempted to slow down analysis
T1497.001 antivm_queries_computername: Retrieves the computer name

Other

yara_rules: Static rules
dead_host: Connects to IP addresses that do not respond to requests
no_graphical_activity: No graphic activity
origin_langid: Unconventional language of the executable file

Related reports

Managed XDR