flawedammyy | d40612998412aab4203e0fcb372a77110d851f4dd05ed19714187c518c6983ab

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
03-07-2023 06:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Device/HarddiskVolume2/Rahman/Shared_Document/Discoverer/Softwares/Remote connection softwares/AA_v3.5.exe
Size

746KB
MD5

2cbf5657ffd8858a9597f296a60270c2
SHA1

b130611c92788337c4f6bb9e9454ff06eb409166
SHA256

9b3f4d6a9bae4d7f9cfe45e706db8fe4baef51ae12353941e8b1532b231e6eac
SHA512

06339a299c8c9ce55e9b96582e54e0bf9e04f894ceb47c07486adf8b0140c2a01fd0932207aca8112ee0b16ba8711fee9435e37339aafb94f167b5a736ee7d0b
SSDEEP

12288:6NgEvTkYGzXUMA7PTgM0YOg26y4RtcxcUwhqb3omaY80NP6gL:6XTszE7PTgM0YOgA4RtcbwhsSYFVL

Score

10^/10

flawedammyy trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Control Panel\International\Geo\Nation	AA_v3.5.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy	AA_v3.5.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c105953f73fc94d3ff2b16b	AA_v3.5.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 9822129f26ba988ab4cd9fbcfeb1b718497b12c8af55a2fd9c2fccf836ee9b47ab42adbb9a564acfdddc17b061532586a1297be2c224accf50a83709423b8e2bbf09b3f5	AA_v3.5.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	AA_v3.5.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	AA_v3.5.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	AA_v3.5.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
872	AA_v3.5.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
872	AA_v3.5.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 872	1984	AA_v3.5.exe	29
PID 1984 wrote to memory of 872	1984	AA_v3.5.exe	29
PID 1984 wrote to memory of 872	1984	AA_v3.5.exe	29
PID 1984 wrote to memory of 872	1984	AA_v3.5.exe	29

C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe
"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe"
1⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe
"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe
  "C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe"
  2⤵
  - Checks computer location settings
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:872

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
edc78883b0c6f8b4067613814ece8c1d

SHA1
7284bf4e565930ec6d04c9bef45fe03a83745219

SHA256
228c1e8840d05f133ed9b49fdd12d5958f78a8af244b3ee6a13daa514505d76a

SHA512
ddd479882fc79eec5685acbda83a4ccd308eada96eb0359741edf442d9af5586511908e907a3795a6d0bea6a9538d46e1901e0b2bdb120f50f46d44f27edac4a

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
6ff74a1430e717a590bff4d881aaa871

SHA1
3b9f1f47b53721482050f54767f539137ce07d5b

SHA256
178b029169300c629d6b5dcb6dd95bff9657d25345f8fc0edfc1006df4ad79fd

SHA512
afc38add0726c14deb8d8dffbca65cc73b291dbbb57d409de686a56d46464b9fa7adcbf01eae8860831830539ad480faef8de6d9cd3d5a2c4983701eada02674

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
271B

MD5
714f2508d4227f74b6adacfef73815d8

SHA1
a35c8a796e4453c0c09d011284b806d25bdad04c

SHA256
a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480

SHA512
1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

Download Submit