flawedammyy | 7a836e718b70f586695d1bced9eacfb1aa1b67387b051d0536669754b391fe81

General

Target

7a836e718b70f586695d1bced9eacfb1aa1b67387b051d0536669754b391fe81.exe
Size

751KB
MD5

1fc7c230d6db0d7a0da6f415da271159
SHA1

e0bd10d83bc7b3f1eb628974a8f690ffda6e9351
SHA256

7a836e718b70f586695d1bced9eacfb1aa1b67387b051d0536669754b391fe81
SHA512

96d64cba5bf650066e54bcb84f13aabd1992811963ae2dd3530431e86bbc3230d673545953d35767fbf85f61d86b44170d61200d1ffb4f4945268bfc3a7b1403
SSDEEP

12288:Tc1dZibTD9uOroAgeHvCUt4RtlTc+YNKpQsNvVd1gF:Tcc/DwOrZgeHv54Rt6+YNkQsNmF

Score

10^/10

flawedammyy trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Drops file in System32 directory 4 IoCs

Processes:

7a836e718b70f586695d1bced9eacfb1aa1b67387b051d0536669754b391fe81.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	7a836e718b70f586695d1bced9eacfb1aa1b67387b051d0536669754b391fe81.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	7a836e718b70f586695d1bced9eacfb1aa1b67387b051d0536669754b391fe81.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	7a836e718b70f586695d1bced9eacfb1aa1b67387b051d0536669754b391fe81.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	7a836e718b70f586695d1bced9eacfb1aa1b67387b051d0536669754b391fe81.exe

Modifies data under HKEY_USERS 9 IoCs

Processes:

7a836e718b70f586695d1bced9eacfb1aa1b67387b051d0536669754b391fe81.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	7a836e718b70f586695d1bced9eacfb1aa1b67387b051d0536669754b391fe81.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	7a836e718b70f586695d1bced9eacfb1aa1b67387b051d0536669754b391fe81.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	7a836e718b70f586695d1bced9eacfb1aa1b67387b051d0536669754b391fe81.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	7a836e718b70f586695d1bced9eacfb1aa1b67387b051d0536669754b391fe81.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 43339c2ec504359a96f2cededed541fea8167f23b89e860e6fb8cdafa68b324155d9f7e6851dcbd012fde89493327dfe3a20a2853cf048ba1b98cc7b898350dd6ddb3909	7a836e718b70f586695d1bced9eacfb1aa1b67387b051d0536669754b391fe81.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	7a836e718b70f586695d1bced9eacfb1aa1b67387b051d0536669754b391fe81.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	7a836e718b70f586695d1bced9eacfb1aa1b67387b051d0536669754b391fe81.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	7a836e718b70f586695d1bced9eacfb1aa1b67387b051d0536669754b391fe81.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e15525302dd74d74453b16b	7a836e718b70f586695d1bced9eacfb1aa1b67387b051d0536669754b391fe81.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7a836e718b70f586695d1bced9eacfb1aa1b67387b051d0536669754b391fe81.exe

pid	Process
1272	7a836e718b70f586695d1bced9eacfb1aa1b67387b051d0536669754b391fe81.exe

Suspicious use of SendNotifyMessage 1 IoCs

Processes:

7a836e718b70f586695d1bced9eacfb1aa1b67387b051d0536669754b391fe81.exe

pid	Process
1272	7a836e718b70f586695d1bced9eacfb1aa1b67387b051d0536669754b391fe81.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

7a836e718b70f586695d1bced9eacfb1aa1b67387b051d0536669754b391fe81.exe

description	pid	Process	procid_target
PID 5112 wrote to memory of 1272	5112	7a836e718b70f586695d1bced9eacfb1aa1b67387b051d0536669754b391fe81.exe	83
PID 5112 wrote to memory of 1272	5112	7a836e718b70f586695d1bced9eacfb1aa1b67387b051d0536669754b391fe81.exe	83
PID 5112 wrote to memory of 1272	5112	7a836e718b70f586695d1bced9eacfb1aa1b67387b051d0536669754b391fe81.exe	83

C:\Users\Admin\AppData\Local\Temp\7a836e718b70f586695d1bced9eacfb1aa1b67387b051d0536669754b391fe81.exe
"C:\Users\Admin\AppData\Local\Temp\7a836e718b70f586695d1bced9eacfb1aa1b67387b051d0536669754b391fe81.exe"
1⤵
PID:1964

C:\Users\Admin\AppData\Local\Temp\7a836e718b70f586695d1bced9eacfb1aa1b67387b051d0536669754b391fe81.exe
"C:\Users\Admin\AppData\Local\Temp\7a836e718b70f586695d1bced9eacfb1aa1b67387b051d0536669754b391fe81.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Users\Admin\AppData\Local\Temp\7a836e718b70f586695d1bced9eacfb1aa1b67387b051d0536669754b391fe81.exe
  "C:\Users\Admin\AppData\Local\Temp\7a836e718b70f586695d1bced9eacfb1aa1b67387b051d0536669754b391fe81.exe"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1272

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
9ef92edc09df8b1cff4c1f38c8dbcc8f

SHA1
49d918de1658ea4dc81bd56884387f741368c448

SHA256
dbef6055dbd5d1d87f830a830921390a9d42870042c07896adb1bc8c5b7d361e

SHA512
79454d7f312ae42bddb58327b70a083a1d3f88244f734fe8812a63c41a34fac7959352da2bdcc583393ca56037cb91335f6b9904b2b186a4b7830583e77516e7

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
dd9c7c138184103fb0ec7a133177c99c

SHA1
599dc3e3ff31441c695c5b9f9e35ae9beb8ea5e8

SHA256
41f04bd44255d50a50f9a9560cdc99866cb38d4019c6dd76a2c2a8ed4c765c3a

SHA512
a0d2d2736385093e6a4cf35f7ef8a0375401c9b8a1f332a8d2aabdc10d232a83eca439502740ccbb379dee9ac51445139396d75825cf63689b053f4229bbd6e9

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
271B

MD5
714f2508d4227f74b6adacfef73815d8

SHA1
a35c8a796e4453c0c09d011284b806d25bdad04c

SHA256
a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480

SHA512
1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

Download Submit
memory/1272-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads