flawedammyy | ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

Resubmissions

17-10-2023 14:16

231017-rk8n9scd4t 10

17-10-2023 14:14

231017-rj57racd3y 10

18-01-2023 09:10

230118-k42xhadg39 10

Analysis

max time kernel
120s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2023 09:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

798KB
MD5

90aadf2247149996ae443e2c82af3730
SHA1

050b7eba825412b24e3f02d76d7da5ae97e10502
SHA256

ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
SHA512

eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be
SSDEEP

24576:Uj0JJ4p/A4npt3XojeQG5EtzRtO7GvmDguXd:UjoJ4u4zojegylDN

Score

10^/10

flawedammyy bootkit persistence trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	tmp.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4128 wrote to memory of 4916	4128	tmp.exe	81
PID 4128 wrote to memory of 4916	4128	tmp.exe	81
PID 4128 wrote to memory of 4916	4128	tmp.exe	81

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Writes to the Master Boot Record (MBR)
PID:4504

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:4128
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  PID:4916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\settings3.bin

Filesize
327B

MD5
9d72cafb4d5e32f891be28c18e7cd142

SHA1
22d773ef5de91fef33752b4ce666d24d9aa37340

SHA256
de8fcd4ebed6f464b6bc75125c49b79fd78eb125efa22072abfc6cf591159865

SHA512
3fbdcd3997b8c9b7b5cd8cf1db5691b8050ca26bcc5d7d139dd3bded617971f523e0effbc88d357b0eddef4f4951a322346a6c12d14a2cfbf98b2b2f3a3dce2d

Download Submit