flawedammyy | 6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
15-06-2023 12:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03920799.exe
Size

746KB
MD5

f8cd52b70a11a1fb3f29c6f89ff971ec
SHA1

6a0c46818a6a10c2c5a98a0cce65fbaf95caa344
SHA256

6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20
SHA512

987b6b288a454b6198d4e7f94b7bba67cafe37f9654cd3cd72134a85958efd2125596ae48e66a8ee49ee3f4199dac7f136e1831f2bf4015f25d2980f0b866abe
SSDEEP

12288:PUYpJqMH2OwlaUPcWWw5XZV8f64RteVpN5ETMasTjcP6gX:zpJJWOwlaUPcWWwRZb4Rt+N5WMasHoX

Score

10^/10

flawedammyy trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

03920799.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\International\Geo\Nation	03920799.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

03920799.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy	03920799.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c1059532775e432cdc0b16b	03920799.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 331e5a25c9b7a2343eb05738993014f4b822e1f734eaa944abbb81098eacca0442f5a060c2f7c1a79929996463b343a36db920f1f45f288f21271414419f112fc28a5864	03920799.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	03920799.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	03920799.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	03920799.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

03920799.exe

pid	Process
1424	03920799.exe

Suspicious use of SendNotifyMessage 1 IoCs

Processes:

03920799.exe

pid	Process
1424	03920799.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

03920799.exe

description	pid	Process	procid_target
PID 1992 wrote to memory of 1424	1992	03920799.exe	27
PID 1992 wrote to memory of 1424	1992	03920799.exe	27
PID 1992 wrote to memory of 1424	1992	03920799.exe	27
PID 1992 wrote to memory of 1424	1992	03920799.exe	27

C:\Users\Admin\AppData\Local\Temp\03920799.exe
"C:\Users\Admin\AppData\Local\Temp\03920799.exe"
1⤵
PID:324

C:\Users\Admin\AppData\Local\Temp\03920799.exe
"C:\Users\Admin\AppData\Local\Temp\03920799.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Local\Temp\03920799.exe
  "C:\Users\Admin\AppData\Local\Temp\03920799.exe"
  2⤵
  - Checks computer location settings
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1424

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
ab4704336751783ee23024e9c66297a3

SHA1
4e1ebbd27fcd5d3fad83d81e9829ba303b5eced5

SHA256
83bf5940f6f00b4f1b8bffea2ce12c178f39f10376a507d152e4009392025171

SHA512
0b6d55175f9d298278ebbdbca5f151453e306c67c212b0f4d9e1c17ddd4390322935e21b7dfcca4cef6fdf7829388c426809aa25a9ca6ba32fa9fd79fe34b4cc

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
1c8878490a89e54c9f76fe825df1871e

SHA1
8195988e9538cccf50dbae9f68178bcdeb1a92f7

SHA256
28b5f435e5d01dbbd9052f0cf9312b89d5fe77a7cef5d3d594c028e67cbb67fc

SHA512
f7e35532729c6406e60d7f46b9f5592deb9578abfe6266317bbbafca05ca4038b9f700e147f5c7300cdb7e6861329e7c73bb289084f692820db8c8e1e0f8e0dc

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
271B

MD5
714f2508d4227f74b6adacfef73815d8

SHA1
a35c8a796e4453c0c09d011284b806d25bdad04c

SHA256
a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480

SHA512
1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

Download Submit