flawedammyy | 8392bb9829d425f7c8c21155527f8a6b06ae2b2652fb31fd49f5de998c7e2afc

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
09-07-2023 07:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Device/HarddiskVolume8/UB_AHO_AG/krbiju/[email protected]/LTP-484/Data/C/Users/KRBiju/Desktop.exe
Size

746KB
MD5

f8cd52b70a11a1fb3f29c6f89ff971ec
SHA1

6a0c46818a6a10c2c5a98a0cce65fbaf95caa344
SHA256

6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20
SHA512

987b6b288a454b6198d4e7f94b7bba67cafe37f9654cd3cd72134a85958efd2125596ae48e66a8ee49ee3f4199dac7f136e1831f2bf4015f25d2980f0b866abe
SSDEEP

12288:PUYpJqMH2OwlaUPcWWw5XZV8f64RteVpN5ETMasTjcP6gX:zpJJWOwlaUPcWWwRZb4Rt+N5WMasHoX

Score

10^/10

flawedammyy trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Desktop.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2813141852-3076131560-4232376420-1000\Control Panel\International\Geo\Nation	Desktop.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

Desktop.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy	Desktop.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c105953b7a8bb5070edb16b	Desktop.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = c61c3b62107372c67d3b71518cf1a555ea3cecb630aaa79449b04fd707c4b4a3baec3a19c87668b6e93af60c01eabf768126198f4caafa4a70d426a70f189c88d7a4060d	Desktop.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Desktop.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	Desktop.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	Desktop.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Desktop.exe

pid	Process
2952	Desktop.exe

Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Desktop.exe

pid	Process
2952	Desktop.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Desktop.exe

description	pid	Process	procid_target
PID 1212 wrote to memory of 2952	1212	Desktop.exe	29
PID 1212 wrote to memory of 2952	1212	Desktop.exe	29
PID 1212 wrote to memory of 2952	1212	Desktop.exe	29
PID 1212 wrote to memory of 2952	1212	Desktop.exe	29

C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume8\UB_AHO_AG\krbiju\[email protected]\LTP-484\Data\C\Users\KRBiju\Desktop.exe
"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume8\UB_AHO_AG\krbiju\[email protected]\LTP-484\Data\C\Users\KRBiju\Desktop.exe"
1⤵
PID:2344

C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume8\UB_AHO_AG\krbiju\[email protected]\LTP-484\Data\C\Users\KRBiju\Desktop.exe
"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume8\UB_AHO_AG\krbiju\[email protected]\LTP-484\Data\C\Users\KRBiju\Desktop.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume8\UB_AHO_AG\krbiju\[email protected]\LTP-484\Data\C\Users\KRBiju\Desktop.exe
  "C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume8\UB_AHO_AG\krbiju\[email protected]\LTP-484\Data\C\Users\KRBiju\Desktop.exe"
  2⤵
  - Checks computer location settings
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
e25007eb0f790cb10abc9cbb0bb750d3

SHA1
bbc41fbd6921709dcbefcea4b9be3555be91ae61

SHA256
42da5b27f3d8e5c645674c0d4c48206ffe3a945ac447aca0464a6a92ec758623

SHA512
75a108c93524ff01b4f28da730d4d3bd2da6f9af57c65194d671a8a24cbd99860be6eade273d3f29f7c346017334a2dd5a35a4059060e1ccc50e3b005a4a216d

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
289122cb9c0645a921913f2b92b1d793

SHA1
b1b712cf2f828b579f589b186c1b68535e9e0e1b

SHA256
1525fde0c76292d780e98397ec8bd93b7fc35ef5f4d482857a321d61060898c4

SHA512
ae9850c5fb86a973ab751679c43be711987e254fe758c1976cc14a484ae4dd9f33226bc9c13b52b23a3c4708d36eb210962036e40e590574be33c58c035013fb

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
271B

MD5
714f2508d4227f74b6adacfef73815d8

SHA1
a35c8a796e4453c0c09d011284b806d25bdad04c

SHA256
a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480

SHA512
1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

Download Submit