flawedammyy | 2295b2dd1806bd36a6e392cd7147368c817cf2a03d04ffa2d0577d18fd465204

General

Target

7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe
Size

750KB
MD5

26c5005b85c01d3d38213a1f91e4f37f
SHA1

8612bbad1bdb8e8ee4d2d09d49794e5e90eb74e1
SHA256

7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404
SHA512

e18284fdd4701225d23236e723e5cc7d03aa8642852a76907441ff63a00d8141b4ef999f0fba2ca2d4caae1e865c98b803e3efcb36139b3667fe4a5149c2f83a
SSDEEP

12288:4eZpoosVoyMZ19L4t1/TdEv4Rt1AD6x64+6dsavVUWgJ:4etSwZ190t1/Tm4Rts6wlAshTJ

Score

10^/10

flawedammyy trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\International\Geo\Nation	7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy	7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c105953779a63a3217bb26b	7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = bb249cff547072c67d3b71518cf1a555ea3cecb630aaa79449b04fd707c4b4a3baec3a19c87668b6e93af60c01eabf768126198f4caafa4a70d426a70f189eb297e199de	7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe

pid	Process
2620	7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe

Suspicious use of SendNotifyMessage 1 IoCs

Processes:

7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe

pid	Process
2620	7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe

description	pid	Process	procid_target
PID 2452 wrote to memory of 2620	2452	7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe	29
PID 2452 wrote to memory of 2620	2452	7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe	29
PID 2452 wrote to memory of 2620	2452	7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe	29
PID 2452 wrote to memory of 2620	2452	7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe	29

C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe
"C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe"
1⤵
PID:1764

C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe
"C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe
  "C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe"
  2⤵
  - Checks computer location settings
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
6a96ee96670ef4bacdb4ec11eb4ac571

SHA1
a93cffb624b317889468c2ed1145eec0bff1e4d9

SHA256
6103a4b5b392766373a83be7eaf1fbf7f2e53b6d2579bce7e7189c10477a0496

SHA512
bffec1abfa5489f837d17a3651b491c01591f3cc21d27672a6e05c872be63ba527e38d44b0da67f50ef89c04f758e5010b43a9cef4ada3f37af9bcacb52ae1c3

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
334b86b448ba57cc53b675725af1e2ae

SHA1
b8592f3ee4a02a9440c482c24aceac152e2283c4

SHA256
b21bdd50799ac82e98c1df7e68d16f3cecd8743464ea017f0648ab38b7e33277

SHA512
892033d019b17580b739359f9363a8de44840dd0a0457e36b498592068c6091bf45a8703002892f12f98b452d00c52c7a3333ae9d7f1f85b17236527bd2484ce

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
271B

MD5
714f2508d4227f74b6adacfef73815d8

SHA1
a35c8a796e4453c0c09d011284b806d25bdad04c

SHA256
a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480

SHA512
1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads