flawedammyy | e6df798cbf2e7300cdfae4fe81f08cd56d16aff907ff7e64af41165675f0660c

General

Target

6BB935AA9CF2F6747742FC1F7A539B08.exe
Size

792KB
MD5

6bb935aa9cf2f6747742fc1f7a539b08
SHA1

49dc68bc04baf9a30906cae017df53aad9635f87
SHA256

e6df798cbf2e7300cdfae4fe81f08cd56d16aff907ff7e64af41165675f0660c
SHA512

2b092657d8c4c54969718cc92b529e040c97bb0a8ca12c2e7f5eb15b9a7535f7ad72d981b83596b2125fca9287fbdf3ba9487e981b911dea496b94a34e0d33a6
SSDEEP

24576:Oj0JJ4p/A4npt3XojeQG5EtzRtO7GvmDgucf:OjoJ4u4zojegylDI

Score

10^/10

flawedammyy bootkit persistence trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Blocklisted process makes network request 1 IoCs

flow	pid	Process
53	3880	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	6BB935AA9CF2F6747742FC1F7A539B08.exe

Loads dropped DLL 1 IoCs

pid	Process
3880	rundll32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	6BB935AA9CF2F6747742FC1F7A539B08.exe
File opened for modification	\??\PhysicalDrive0	6BB935AA9CF2F6747742FC1F7A539B08.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7C362838F3034D3337B7127ED9370B33	6BB935AA9CF2F6747742FC1F7A539B08.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	6BB935AA9CF2F6747742FC1F7A539B08.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	6BB935AA9CF2F6747742FC1F7A539B08.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	6BB935AA9CF2F6747742FC1F7A539B08.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7C362838F3034D3337B7127ED9370B33	6BB935AA9CF2F6747742FC1F7A539B08.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	6BB935AA9CF2F6747742FC1F7A539B08.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	6BB935AA9CF2F6747742FC1F7A539B08.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	6BB935AA9CF2F6747742FC1F7A539B08.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	6BB935AA9CF2F6747742FC1F7A539B08.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	6BB935AA9CF2F6747742FC1F7A539B08.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	6BB935AA9CF2F6747742FC1F7A539B08.exe

Modifies data under HKEY_USERS 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	6BB935AA9CF2F6747742FC1F7A539B08.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	6BB935AA9CF2F6747742FC1F7A539B08.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	6BB935AA9CF2F6747742FC1F7A539B08.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	6BB935AA9CF2F6747742FC1F7A539B08.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	6BB935AA9CF2F6747742FC1F7A539B08.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	6BB935AA9CF2F6747742FC1F7A539B08.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = f6fb649b48c65a5b22ff90215c4e358e6deb8fb4e72e5d70fb333a39043c14986cdeb5fdb7655282ef38e9baa0b806ea32bb79948a67dd1e264bbfd411ddb422c8ba5079	6BB935AA9CF2F6747742FC1F7A539B08.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	6BB935AA9CF2F6747742FC1F7A539B08.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	6BB935AA9CF2F6747742FC1F7A539B08.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	6BB935AA9CF2F6747742FC1F7A539B08.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	6BB935AA9CF2F6747742FC1F7A539B08.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3880	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2676	6BB935AA9CF2F6747742FC1F7A539B08.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2676	6BB935AA9CF2F6747742FC1F7A539B08.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 2676	1396	6BB935AA9CF2F6747742FC1F7A539B08.exe	83
PID 1396 wrote to memory of 2676	1396	6BB935AA9CF2F6747742FC1F7A539B08.exe	83
PID 1396 wrote to memory of 2676	1396	6BB935AA9CF2F6747742FC1F7A539B08.exe	83
PID 2676 wrote to memory of 3880	2676	6BB935AA9CF2F6747742FC1F7A539B08.exe	92
PID 2676 wrote to memory of 3880	2676	6BB935AA9CF2F6747742FC1F7A539B08.exe	92

C:\Users\Admin\AppData\Local\Temp\6BB935AA9CF2F6747742FC1F7A539B08.exe
"C:\Users\Admin\AppData\Local\Temp\6BB935AA9CF2F6747742FC1F7A539B08.exe"
1⤵
- Writes to the Master Boot Record (MBR)
PID:3804

C:\Users\Admin\AppData\Local\Temp\6BB935AA9CF2F6747742FC1F7A539B08.exe
"C:\Users\Admin\AppData\Local\Temp\6BB935AA9CF2F6747742FC1F7A539B08.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Users\Admin\AppData\Local\Temp\6BB935AA9CF2F6747742FC1F7A539B08.exe
  "C:\Users\Admin\AppData\Local\Temp\6BB935AA9CF2F6747742FC1F7A539B08.exe"
  2⤵
  - Checks computer location settings
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\SYSTEM32\rundll32.exe
    rundll32.exe "C:\ProgramData\AMMYY\aa_nts.dll",run
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:3880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\aa_nts.dll

Filesize
902KB

MD5
480a66902e6e7cdafaa6711e8697ff8c

SHA1
6ac730962e7c1dba9e2ecc5733a506544f3c8d11

SHA256
7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

SHA512
7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

Download Submit
C:\ProgramData\AMMYY\aa_nts.dll

Filesize
902KB

MD5
480a66902e6e7cdafaa6711e8697ff8c

SHA1
6ac730962e7c1dba9e2ecc5733a506544f3c8d11

SHA256
7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

SHA512
7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

Download Submit
C:\ProgramData\AMMYY\aa_nts.msg

Filesize
46B

MD5
3f05819f995b4dafa1b5d55ce8d1f411

SHA1
404449b79a16bfc4f64f2fd55cd73d5d27a85d71

SHA256
7e0bf0cbd06a087500a9c3b50254df3a8a2c2980921ab6a62ab1121941c80fc0

SHA512
34abb7df8b3a68e1649ff0d2762576a4d4e65da548e74b1aa65c2b82c1b89f90d053ecddac67c614ca6084dc5b2cb552949250fb70f49b536f1bcb0057717026

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
495B

MD5
7ff699766b196eea2910dbf80ec4a141

SHA1
e2271c78274dd21260a94ab11338a055bf36e7de

SHA256
f1415a9e6dee26d716d4fbe01bc1a61d9ec95359277427136ec856b93ffc4f56

SHA512
34533a6e3c3b84a45fbda61453700bae67ccb99c15cddac45ce824e2f61812a8904f4010cc46acffd29636b1ce3f7b42e1cd9059b3e3d386badf525bb45323e0

Download Submit

Analysis

Sharing