flawedammyy | ebc69b5bde229922bf3067e8943a476a38c6914f727323bef5908fc46ae29168

Analysis

max time kernel
152s
max time network
160s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-12-2022 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebc69b5bde229922bf3067e8943a476a38c6914f727323bef5908fc46ae29168.exe
Size

684KB
MD5

a0a4d0bd41b9c117569f8a1e46a00a3a
SHA1

add33562f3ddedf3c5fb89814f26eb46f90d8d34
SHA256

ebc69b5bde229922bf3067e8943a476a38c6914f727323bef5908fc46ae29168
SHA512

63be9ad4ee7859c1b900d8568f8acdfa52dccf1a1576e9d66a50e9da73d19e8225dc1ceb43b8e659081b7cf85c9122ee3aa75caa98aec4519d12abe728fe6618
SSDEEP

12288:dqpX2zPf0bvoLsU+FKN0fCskD1RtcnzepMqBCzzgf:wOPMrGL+FKNAe1RtkzepMqBCIf

Score

10^/10

flawedammyy trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\International\Geo\Nation	ebc69b5bde229922bf3067e8943a476a38c6914f727323bef5908fc46ae29168.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	ebc69b5bde229922bf3067e8943a476a38c6914f727323bef5908fc46ae29168.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	ebc69b5bde229922bf3067e8943a476a38c6914f727323bef5908fc46ae29168.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	ebc69b5bde229922bf3067e8943a476a38c6914f727323bef5908fc46ae29168.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy	ebc69b5bde229922bf3067e8943a476a38c6914f727323bef5908fc46ae29168.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c1059530730a0a4e253b16b	ebc69b5bde229922bf3067e8943a476a38c6914f727323bef5908fc46ae29168.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = c3f9b94debc3cf8f4b5c8892055463c47daec48c81cabe1b67fb6a1ec5a076b04708b3feffd4bc470abb20da99db9432afcea4c6d0dbe84b7718a4613f766ccf5e57c083	ebc69b5bde229922bf3067e8943a476a38c6914f727323bef5908fc46ae29168.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1344	ebc69b5bde229922bf3067e8943a476a38c6914f727323bef5908fc46ae29168.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1344	ebc69b5bde229922bf3067e8943a476a38c6914f727323bef5908fc46ae29168.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 1344	2008	ebc69b5bde229922bf3067e8943a476a38c6914f727323bef5908fc46ae29168.exe	27
PID 2008 wrote to memory of 1344	2008	ebc69b5bde229922bf3067e8943a476a38c6914f727323bef5908fc46ae29168.exe	27
PID 2008 wrote to memory of 1344	2008	ebc69b5bde229922bf3067e8943a476a38c6914f727323bef5908fc46ae29168.exe	27
PID 2008 wrote to memory of 1344	2008	ebc69b5bde229922bf3067e8943a476a38c6914f727323bef5908fc46ae29168.exe	27

C:\Users\Admin\AppData\Local\Temp\ebc69b5bde229922bf3067e8943a476a38c6914f727323bef5908fc46ae29168.exe
"C:\Users\Admin\AppData\Local\Temp\ebc69b5bde229922bf3067e8943a476a38c6914f727323bef5908fc46ae29168.exe"
1⤵
PID:2036

C:\Users\Admin\AppData\Local\Temp\ebc69b5bde229922bf3067e8943a476a38c6914f727323bef5908fc46ae29168.exe
"C:\Users\Admin\AppData\Local\Temp\ebc69b5bde229922bf3067e8943a476a38c6914f727323bef5908fc46ae29168.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Users\Admin\AppData\Local\Temp\ebc69b5bde229922bf3067e8943a476a38c6914f727323bef5908fc46ae29168.exe
  "C:\Users\Admin\AppData\Local\Temp\ebc69b5bde229922bf3067e8943a476a38c6914f727323bef5908fc46ae29168.exe"
  2⤵
  - Checks computer location settings
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
abdccc1ba8f44b46d09d0722bf7f0a6f

SHA1
2a60be4dfcde78cdfa55a3a5ad92fcfb191eb209

SHA256
e5e010b01c79ee0bdecda9d07354a93ceeff96f361a460beca8d3f89bbe2e3e2

SHA512
2090ef2340895377de2791cf25a22e20e2af1933de0f92fbe4abd9dc9cc42cce45544eb65c61dfa85e0adb98d182cbca8e98eb078d4a5d58bafba9d454c60eb0

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
3be06e1331bd8e37480a6c2847e3de2b

SHA1
fad35f3cbd19dd17d471078365b762bc07a12d8d

SHA256
9ecbe2a99eb61a9679fdcad032a866ace54ca476fcfe2724ac942dd271f45ec3

SHA512
bc7aa8d533a1c5f9179872146a1b1bf9df1a53f46ccc758295464e34978d1e77be6478cea6c9566f889cbf356bcca085efcec2246a471885ee9f88f560b1c8e8

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
353B

MD5
f8c4c4c5c7319a68e08a5deab9f4747b

SHA1
5d254e10e2dc743ed090cf50596b8171d08114a4

SHA256
1236d3ece02c9d7ddae10e77775549f25a6f767b13bd116684c84c2e88a90de2

SHA512
1f5dca6908ab2a6dc8ba8f355f999d3a6d9c6cb322d7e1f067069be8de2a3300c8a48c23c627de2aedac45e694821936e081c9109c927ac2e3f30997a33e8398

Download Submit
memory/2036-54-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download