flawedammyy | 1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
21-07-2023 09:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa.exe
Size

755KB
MD5

11bc606269a161555431bacf37f7c1e4
SHA1

63c52b0ac68ab7464e2cd777442a5807db9b5383
SHA256

1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed
SHA512

0be867fce920d493d2a37f996627bceea87621ba4071ae4383dd4a24748eedf7dc5ca6db089217b82ec38870248c6840f785683bf359d1014c7109e7d46dd90f
SSDEEP

12288:XVFUEuNmwvGrw9i0aTGRGicBckyyFRtWY1i3FTsvOVV0gz:3UEUUw9RaTNicBrPFRtJ1iVTsC5z

Score

10^/10

flawedammyy trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

aa.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Control Panel\International\Geo\Nation	aa.exe

Modifies data under HKEY_USERS 7 IoCs

Processes:

aa.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	aa.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	aa.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	aa.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796e5f5e4c105953778fa4e0f0e4b16b	aa.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = bba0456b1ea929a129802462c6c1ac32454e39c12dde3e5eb0edf9ed8d6f44ca43e75b5daa6d4edb778f0ec9f69b583c3d475d66397c9ea853a6b73a1edbb1568010e574	aa.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	aa.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	aa.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

aa.exe

pid	Process
2192	aa.exe

Suspicious use of SendNotifyMessage 1 IoCs

Processes:

aa.exe

pid	Process
2192	aa.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

aa.exe

description	pid	Process	procid_target
PID 2184 wrote to memory of 2192	2184	aa.exe	29
PID 2184 wrote to memory of 2192	2184	aa.exe	29
PID 2184 wrote to memory of 2192	2184	aa.exe	29
PID 2184 wrote to memory of 2192	2184	aa.exe	29

C:\Users\Admin\AppData\Local\Temp\aa.exe
"C:\Users\Admin\AppData\Local\Temp\aa.exe"
1⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\aa.exe
"C:\Users\Admin\AppData\Local\Temp\aa.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Users\Admin\AppData\Local\Temp\aa.exe
  "C:\Users\Admin\AppData\Local\Temp\aa.exe"
  2⤵
  - Checks computer location settings
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
6398fea9db73a724733c36fdde4d3c3b

SHA1
0580e200a704cb47d350d11b08960e648f4fcb88

SHA256
04c5d07711893cac4b5b505387a830f59bf40091ddf3aa3d2430fd3c7de7b58e

SHA512
1380b5694028afcad12222108d615c803be6b3d63880dd962f545d9c65bdfc431f67bfb96390e036b02324f5500959f31740263b66403915533926a278bce8af

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
b8108776359748e1b29f0aefc09feaa6

SHA1
fcdb7daef8e8a2734231686e23af4550450a5d39

SHA256
931a2d220303bcaeec21a5e4e21927e8bed241124c760ebcade14355346754e5

SHA512
5b7b2977cef9792d2e4e27fdd8fd38238328e763565a86095af71da3bc111f5e0455ada24ea14d791a3ce9145b523256e7e6e081a223fbb42dce189ad16dc8b9

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
271B

MD5
714f2508d4227f74b6adacfef73815d8

SHA1
a35c8a796e4453c0c09d011284b806d25bdad04c

SHA256
a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480

SHA512
1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

Download Submit