flawedammyy | a85e5dadcd628cd78683aa30dfeb5476e77ae077a8bc27d3f9cee4c314b46dc8

General

Target

a85e5dadcd628cd78683aa30dfeb5476e77ae077a8bc27d3f9cee4c314b46dc8.exe
Size

701KB
MD5

e6eeded729ebd42a03d6d80922893a00
SHA1

5aed3518f75571f8f143f7544c8082d2ae4ac4d5
SHA256

a85e5dadcd628cd78683aa30dfeb5476e77ae077a8bc27d3f9cee4c314b46dc8
SHA512

d87f2a9b17206122725152dccdba3d713dfbed24b5cbed68217cc8ad1ba1ec13e15bb68bfb2c4cd150573cf4b670604f8777a3b9e5df357cd9f5acc01a91316e
SSDEEP

12288:iQCs07y2blQDJy++/l21RtSckhw7hZ+Ehg3:Ys07dlQDJyq1Rtlki7hZ+x3

Score

10^/10

flawedammyy trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	a85e5dadcd628cd78683aa30dfeb5476e77ae077a8bc27d3f9cee4c314b46dc8.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	a85e5dadcd628cd78683aa30dfeb5476e77ae077a8bc27d3f9cee4c314b46dc8.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e15525397535da74453b16b	a85e5dadcd628cd78683aa30dfeb5476e77ae077a8bc27d3f9cee4c314b46dc8.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 4dca1dc019b21eae52995d246e41a95dcdfed32451bb092699a9c56c0da9dae808fdddc3cc39c6430659462611437fba67bd3401efff81da483f6bfa9d06709f733142da	a85e5dadcd628cd78683aa30dfeb5476e77ae077a8bc27d3f9cee4c314b46dc8.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	a85e5dadcd628cd78683aa30dfeb5476e77ae077a8bc27d3f9cee4c314b46dc8.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	a85e5dadcd628cd78683aa30dfeb5476e77ae077a8bc27d3f9cee4c314b46dc8.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	a85e5dadcd628cd78683aa30dfeb5476e77ae077a8bc27d3f9cee4c314b46dc8.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeBackupPrivilege	4376	a85e5dadcd628cd78683aa30dfeb5476e77ae077a8bc27d3f9cee4c314b46dc8.exe
Token: SeRestorePrivilege	4376	a85e5dadcd628cd78683aa30dfeb5476e77ae077a8bc27d3f9cee4c314b46dc8.exe
Token: SeBackupPrivilege	4376	a85e5dadcd628cd78683aa30dfeb5476e77ae077a8bc27d3f9cee4c314b46dc8.exe
Token: SeRestorePrivilege	4376	a85e5dadcd628cd78683aa30dfeb5476e77ae077a8bc27d3f9cee4c314b46dc8.exe
Token: SeBackupPrivilege	4376	a85e5dadcd628cd78683aa30dfeb5476e77ae077a8bc27d3f9cee4c314b46dc8.exe
Token: SeRestorePrivilege	4376	a85e5dadcd628cd78683aa30dfeb5476e77ae077a8bc27d3f9cee4c314b46dc8.exe
Token: SeBackupPrivilege	4376	a85e5dadcd628cd78683aa30dfeb5476e77ae077a8bc27d3f9cee4c314b46dc8.exe
Token: SeRestorePrivilege	4376	a85e5dadcd628cd78683aa30dfeb5476e77ae077a8bc27d3f9cee4c314b46dc8.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4376	a85e5dadcd628cd78683aa30dfeb5476e77ae077a8bc27d3f9cee4c314b46dc8.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4376	a85e5dadcd628cd78683aa30dfeb5476e77ae077a8bc27d3f9cee4c314b46dc8.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4432 wrote to memory of 4376	4432	a85e5dadcd628cd78683aa30dfeb5476e77ae077a8bc27d3f9cee4c314b46dc8.exe	86
PID 4432 wrote to memory of 4376	4432	a85e5dadcd628cd78683aa30dfeb5476e77ae077a8bc27d3f9cee4c314b46dc8.exe	86
PID 4432 wrote to memory of 4376	4432	a85e5dadcd628cd78683aa30dfeb5476e77ae077a8bc27d3f9cee4c314b46dc8.exe	86

C:\Users\Admin\AppData\Local\Temp\a85e5dadcd628cd78683aa30dfeb5476e77ae077a8bc27d3f9cee4c314b46dc8.exe
"C:\Users\Admin\AppData\Local\Temp\a85e5dadcd628cd78683aa30dfeb5476e77ae077a8bc27d3f9cee4c314b46dc8.exe"
1⤵
PID:896

C:\Users\Admin\AppData\Local\Temp\a85e5dadcd628cd78683aa30dfeb5476e77ae077a8bc27d3f9cee4c314b46dc8.exe
"C:\Users\Admin\AppData\Local\Temp\a85e5dadcd628cd78683aa30dfeb5476e77ae077a8bc27d3f9cee4c314b46dc8.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:4432
- C:\Users\Admin\AppData\Local\Temp\a85e5dadcd628cd78683aa30dfeb5476e77ae077a8bc27d3f9cee4c314b46dc8.exe
  "C:\Users\Admin\AppData\Local\Temp\a85e5dadcd628cd78683aa30dfeb5476e77ae077a8bc27d3f9cee4c314b46dc8.exe"
  2⤵
  - Checks computer location settings
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
46f2d47447cd46027ea8bc111462ee71

SHA1
06b1a1ade76182a47dafa60b7ed0ed30e4c9cd57

SHA256
450e8744dc2ba9cb1dd3d84c51d19db04fbb0335f665814298bee1a0fb80480e

SHA512
07511cc1231beadece31c694e8db2a7f517b6ad8aeceba4540ab08d7453f3cf4899e1a100f5ade63e05884fff9da5bf9da6d8b44c9582040681ad210f05aaadd

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
7390d967186b06e168b0bb9124c0981c

SHA1
5644b7a97078cf4dd2c237617a4e25cbd2d33955

SHA256
023e265e6df063ab7d3bce83e2498259cc02aa885abbc55e869687b3289df891

SHA512
f4a70a29583a678fac4e1435013e72cfad0ab45540805810d59b8356df88d9e047d27f922e84328bbfb358a4a906fa9474d8a4e4237bc695671559898f8270db

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
269B

MD5
097a18ed7b31114c7ef39ef06eff02f0

SHA1
276bb5fc8ab72ed3a447dd57be668ace8f75a7c1

SHA256
985b458559939244b777d09d71d6192a13f693b88b046ca904012603a5582812

SHA512
168ef05ddb434dd4003748c7cd6ea9ed5c8280506de4473c3b193fffc314b469e85e2474f919f189c9b7ffb16aa741d75900341a9802dae175ad185e1fea3e96

Download Submit

Analysis

Sharing