flawedammyy | ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

Resubmissions

17/10/2023, 14:16

231017-rk8n9scd4t 10

17/10/2023, 14:14

231017-rj57racd3y 10

18/01/2023, 09:10

230118-k42xhadg39 10

Analysis

max time kernel
121s
max time network
29s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
18/01/2023, 09:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

798KB
MD5

90aadf2247149996ae443e2c82af3730
SHA1

050b7eba825412b24e3f02d76d7da5ae97e10502
SHA256

ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
SHA512

eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be
SSDEEP

24576:Uj0JJ4p/A4npt3XojeQG5EtzRtO7GvmDguXd:UjoJ4u4zojegylDN

Score

10^/10

flawedammyy bootkit persistence trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	tmp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2036	tmp.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 2036	1272	tmp.exe	29
PID 1272 wrote to memory of 2036	1272	tmp.exe	29
PID 1272 wrote to memory of 2036	1272	tmp.exe	29
PID 1272 wrote to memory of 2036	1272	tmp.exe	29

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Writes to the Master Boot Record (MBR)
PID:1204

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\settings3.bin

Filesize
327B

MD5
2b01cf22aa01a589a15509128d590117

SHA1
5811b21161dec9e0c36e1d2205b6b9a30a98bb5a

SHA256
07111154c7331970c9214da54a53c9675844cc400f419ae8ee3b8dc4dc7ce798

SHA512
64604fbea7ce3be25acca4bba253bd204e35eb522b977ce20cceb0ff651e276c5492e148c17d416a4f531ae89a598da119e32a946c9e1876abfed17d40b08c7d

Download Submit
memory/1204-54-0x0000000075C41000-0x0000000075C43000-memory.dmp

Filesize
8KB

Download