flawedammyy | 4731517b198414342891553881913565819509086b8154214462788c740b34c9

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
18/07/2023, 19:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GWPEx64_10_07_2018.7z.exe
Size

726KB
MD5

190785b2bb664324334c1b5231b5c4b0
SHA1

07539abb2623fe24b9a05e240f675fa2d15268cb
SHA256

4731517b198414342891553881913565819509086b8154214462788c740b34c9
SHA512

ab40f182fb52e5281f0761cf064a7f4b82ea04a2c9c00fe6faa4e61f8e632b8c7a64820e226b2ab668c99ada195c1ca117b702474bd023d84991a16dd10ba85c
SSDEEP

12288:8YdNctvsfu2LVBfKf057C9lRt3i5olGJsxhzagH:HdNikfu2hBfK8ilRty5olGJsxNH

Score

10^/10

flawedammyy trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Control Panel\International\Geo\Nation	GWPEx64_10_07_2018.7z.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy	GWPEx64_10_07_2018.7z.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c10595317506774e6e6b16b	GWPEx64_10_07_2018.7z.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 4fb5938403bc6e76f1d82b8bd834f1ec766787074dba5046a00d74625364fd22ce0b1b2ebeec0febf7dbcdc45e9271be6508e39a63e88f8549e09adfd305a6d652087109	GWPEx64_10_07_2018.7z.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	GWPEx64_10_07_2018.7z.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	GWPEx64_10_07_2018.7z.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	GWPEx64_10_07_2018.7z.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1692	GWPEx64_10_07_2018.7z.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1692	GWPEx64_10_07_2018.7z.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2620 wrote to memory of 1692	2620	GWPEx64_10_07_2018.7z.exe	29
PID 2620 wrote to memory of 1692	2620	GWPEx64_10_07_2018.7z.exe	29
PID 2620 wrote to memory of 1692	2620	GWPEx64_10_07_2018.7z.exe	29
PID 2620 wrote to memory of 1692	2620	GWPEx64_10_07_2018.7z.exe	29

C:\Users\Admin\AppData\Local\Temp\GWPEx64_10_07_2018.7z.exe
"C:\Users\Admin\AppData\Local\Temp\GWPEx64_10_07_2018.7z.exe"
1⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\GWPEx64_10_07_2018.7z.exe
"C:\Users\Admin\AppData\Local\Temp\GWPEx64_10_07_2018.7z.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:2620
- C:\Users\Admin\AppData\Local\Temp\GWPEx64_10_07_2018.7z.exe
  "C:\Users\Admin\AppData\Local\Temp\GWPEx64_10_07_2018.7z.exe"
  2⤵
  - Checks computer location settings
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
93a5e49b797ae6c0cfd5bd70b236900a

SHA1
007cd94111ba4d5c2f25063024df842ff471713a

SHA256
fffa954f1d49f95e6b1ef50a70782e73714e6705ee97b73976e3291091573adf

SHA512
6829e685d57a06ce8425c6fe8089ab043e9f9181b7251c389a15ff6ac9734730a6078044117b55dffdf0895095c873b0b3238b3a4dad990639db9eb4f4d637e1

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
7475de667a764c40ea276c4f19599aef

SHA1
fab2077f05da7e2b059921bf0710602b85bd3c21

SHA256
ccb6c95ab84c6a80a7bd4512f282a216b564a0b6d94096102726cf9378f82c0a

SHA512
6423241b89e2a55eb1956c1640897553037a6f41a35ad3b629448e0aaf97c701f48e623259c32fc69f58e6761286b390eda0bd41e0af9d3e88dd0d3d4c4f43ad

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
271B

MD5
4cb889e527b0d0781a17f6c2dd968129

SHA1
6a6a55cd5604370660f1c1ad1025195169be8978

SHA256
2658cd46dd49335e739cafa31ff2ec63f3315b65ecc171a0f7612713d3ac702b

SHA512
297d2c05d2ac950faeb519d3e7bc56ea9d9fcab65b5dfdbba2720be8eddc8b2d5ead3dc7c122b82d6937be6c2d7bb88872dd7b80961138571245fba381daac3f

Download Submit