flawedammyy | 6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
15/06/2023, 11:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AA_v3.5.exe
Size

746KB
MD5

f8cd52b70a11a1fb3f29c6f89ff971ec
SHA1

6a0c46818a6a10c2c5a98a0cce65fbaf95caa344
SHA256

6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20
SHA512

987b6b288a454b6198d4e7f94b7bba67cafe37f9654cd3cd72134a85958efd2125596ae48e66a8ee49ee3f4199dac7f136e1831f2bf4015f25d2980f0b866abe
SSDEEP

12288:PUYpJqMH2OwlaUPcWWw5XZV8f64RteVpN5ETMasTjcP6gX:zpJJWOwlaUPcWWwRZb4Rt+N5WMasHoX

Score

10^/10

flawedammyy trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Control Panel\International\Geo\Nation	AA_v3.5.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	AA_v3.5.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	AA_v3.5.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy	AA_v3.5.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c10595347c87e2536c0b16b	AA_v3.5.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 050c02851c7c86fcdf0c09424d7f47ba8dc27186aac9f0f2e8238c8e9e3bc071df37c422fe46efc2cc2a8b0686b01ac5390deb68f78534aab349f8aeba7a6723b6ce95aa	AA_v3.5.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	AA_v3.5.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1344	AA_v3.5.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1344	AA_v3.5.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 920 wrote to memory of 1344	920	AA_v3.5.exe	29
PID 920 wrote to memory of 1344	920	AA_v3.5.exe	29
PID 920 wrote to memory of 1344	920	AA_v3.5.exe	29
PID 920 wrote to memory of 1344	920	AA_v3.5.exe	29

C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe"
1⤵
PID:1320

C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:920
- C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe
  "C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe"
  2⤵
  - Checks computer location settings
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
adf0d90734ede0cba8e5f7581c088c62

SHA1
dc581e6eac6b2d1b4924e8b69279427a1db8a38a

SHA256
28b1aaa5528b50237cf8e022e188fded30a954ea04ddafc36ec62ab3407bdc95

SHA512
34a820168c674c421a630b7b0307dc33d5b22059f22c45e6ee37a9e03fa654c943a6f26b16111777902e3db3337410b259105c7b9f8f5eca9dc20c1648841ced

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
5b965065ad727ed4d2033672dd1a35bb

SHA1
fa53dc584ac476fbd044b2cd5504c5db8e0b8bd0

SHA256
472912da18ecc8fd1ed1d8ed716b0fd26dd9ddfbcfa225423856df73060ef159

SHA512
12ddabf3138fb704d60f3ee5e967e1243c395f18d3db2e08ead8447c2cf3077efebf03e098f00e3b3656dd0ab59bb33f78c533be383523865eff147bb4371ad4

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
271B

MD5
714f2508d4227f74b6adacfef73815d8

SHA1
a35c8a796e4453c0c09d011284b806d25bdad04c

SHA256
a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480

SHA512
1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

Download Submit