flawedammyy | 43bba98a64dd96cf0571f3d6dceafdc549cc3767a1beab6fe4a6e1fd3ddd3153

Analysis

max time kernel
155s
max time network
161s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
19-07-2023 11:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AA_v3.5.exe
Size

751KB
MD5

5686a7032e37087f0fd082a04f727aad
SHA1

341fee5256dcc259a3a566ca8f0260eb1e60d730
SHA256

43bba98a64dd96cf0571f3d6dceafdc549cc3767a1beab6fe4a6e1fd3ddd3153
SHA512

0ebd95b20ef54d047fdaec37cfb10e2c39ea9d63fa28d6a6848ec11b34a4c4ec5f7a8a430d81670461203b9e675ac4a32cac3da4a1c471f16e8d003c6dea3345
SSDEEP

12288:oPO1fNZApVuCN7e/yalnM4RtjLDXcbOAS3snvVgbgJ:om1fN6pkCNa/yaq4RtjXcu3sSEJ

Score

10^/10

flawedammyy trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AA_v3.5.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Control Panel\International\Geo\Nation	AA_v3.5.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

AA_v3.5.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	AA_v3.5.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	AA_v3.5.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy	AA_v3.5.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c1059530750caf271e5b16b	AA_v3.5.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = c3584e9c55d0467df4492d364e6efe75d9202ef37cbc48ddaa10c6631b63e21a75ea3825f370f6d9cbb71b0014c35305fd376e79e489ba24f6d3e1d648314f7aafb4b50d	AA_v3.5.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	AA_v3.5.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AA_v3.5.exe

pid	Process
1952	AA_v3.5.exe

Suspicious use of SendNotifyMessage 1 IoCs

Processes:

AA_v3.5.exe

pid	Process
1952	AA_v3.5.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

AA_v3.5.exe

description	pid	Process	procid_target
PID 1628 wrote to memory of 1952	1628	AA_v3.5.exe	31
PID 1628 wrote to memory of 1952	1628	AA_v3.5.exe	31
PID 1628 wrote to memory of 1952	1628	AA_v3.5.exe	31
PID 1628 wrote to memory of 1952	1628	AA_v3.5.exe	31

C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe"
1⤵
PID:3068

C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe
  "C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe"
  2⤵
  - Checks computer location settings
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1952

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
9040e8bf10b895574f71a1b5b456463b

SHA1
dacc87b09a42bfc6a8d59bf76ea7dc76d0353d00

SHA256
c38bf5c3488a1d3d7d3a8605d8803060d3846574acafa1a8a72f1bcae39b6292

SHA512
ffb004c2e1788ddc7a76bfa12379bb9b37172d54ef1c203f829285e8448bd8d4bf3a9d51665cfe226a0d27b0def6d563a9f1451fed32352f0c5a5b5a5c4107bd

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
e0b525748cd8a465097fe51cee75b775

SHA1
3028da90bb60dfe7899fd40f9d6d5b5af0fd1d82

SHA256
2a2a3a728e7908077cdbf7001fbe122fee6c1f4c84e445317feffab1998343af

SHA512
8eb4110e6dd9d88d170eec244d9fa883e4c1e5587e56e6e3ca29b054668e19c67b90ed373d304d9d6a558ab6cab1b70fd39c2e2fb694253b6a44720691b3013c

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
271B

MD5
714f2508d4227f74b6adacfef73815d8

SHA1
a35c8a796e4453c0c09d011284b806d25bdad04c

SHA256
a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480

SHA512
1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

Download Submit