flawedammyy | 8493db4b27f33d649e8933ef826235515ce798b2b6dbb711b2c4582bba2274f6

Analysis

max time kernel
158s
max time network
154s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
31-10-2023 13:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe
Size

755KB
MD5

11bc606269a161555431bacf37f7c1e4
SHA1

63c52b0ac68ab7464e2cd777442a5807db9b5383
SHA256

1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed
SHA512

0be867fce920d493d2a37f996627bceea87621ba4071ae4383dd4a24748eedf7dc5ca6db089217b82ec38870248c6840f785683bf359d1014c7109e7d46dd90f
SSDEEP

12288:XVFUEuNmwvGrw9i0aTGRGicBckyyFRtWY1i3FTsvOVV0gz:3UEUUw9RaTNicBrPFRtJ1iVTsC5z

Score

10^/10

flawedammyy trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Control Panel\International\Geo\Nation	1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy	1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c105953f7beeffa4953b26b	1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 985b6fcd19b2e978f2f819312982dd6e04da01b1972add1f65df4775bea55fa869c5287f232ff7f1fb87fcee2c9d78ed61e7978ca95ea8db1aa5ff315cef8d5b3f8f4542	1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2104	1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2104	1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 108 wrote to memory of 2104	108	1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe	28
PID 108 wrote to memory of 2104	108	1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe	28
PID 108 wrote to memory of 2104	108	1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe	28
PID 108 wrote to memory of 2104	108	1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe	28

C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe
"C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe"
1⤵
PID:1272

C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe
"C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:108
- C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe
  "C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe"
  2⤵
  - Checks computer location settings
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
e4344a0b2c37f78ee4b2a25b4b3d037b

SHA1
c86ee83dadfb2d3549378d9e01ceb5640cb0be83

SHA256
9b70049a27015c7e935a043196ffec289549262a7dbb15736456cfb21849b0f3

SHA512
4b5553e8de278b4663400db58f48275603abee0d221bb3464e777eb803e5c7c3115906abe9686ee56067a97d1bdafb6c1e2a630f7410d1f6a42629c44e458155

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
813bc0eba5197649a1187c56a3d007a5

SHA1
6bf56c310366eab92ac784e9b5ad0d21ae4b2368

SHA256
fdac8646ab4587b43f46414c40fbc8df50ff937daea01891d6d414fdb9d3ffc9

SHA512
cbf4d26f1689aff5a245d76e748f0dd7d16a50db7dcfc0bf3035925042ec2ff3c98be266187a4ae7ce29fe741e375a2c547b98c332c897d3488a6b54d4b3967d

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
271B

MD5
714f2508d4227f74b6adacfef73815d8

SHA1
a35c8a796e4453c0c09d011284b806d25bdad04c

SHA256
a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480

SHA512
1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

Download Submit