flawedammyy | 2295b2dd1806bd36a6e392cd7147368c817cf2a03d04ffa2d0577d18fd465204

General

Target

7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe
Size

750KB
MD5

26c5005b85c01d3d38213a1f91e4f37f
SHA1

8612bbad1bdb8e8ee4d2d09d49794e5e90eb74e1
SHA256

7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404
SHA512

e18284fdd4701225d23236e723e5cc7d03aa8642852a76907441ff63a00d8141b4ef999f0fba2ca2d4caae1e865c98b803e3efcb36139b3667fe4a5149c2f83a
SSDEEP

12288:4eZpoosVoyMZ19L4t1/TdEv4Rt1AD6x64+6dsavVUWgJ:4etSwZ190t1/Tm4Rts6wlAshTJ

Score

10^/10

flawedammyy trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Drops file in System32 directory 4 IoCs

Processes:

7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe

Modifies data under HKEY_USERS 9 IoCs

Processes:

7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e155253a333f8be217bb26b	7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 938ec398ecb9988ab4cd9fbcfeb1ff1cd80dc7c9f8d1ee7154ccba6b5911d3c0a4e100d7d4c6fa72f45577b2dde3c831bfa247faf176b0cb43390433a586d4abc280518c	7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe

pid process

2596 7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe

pid process

2596 7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe

pid	process
2596	7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe

pid	process
2596	7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe

description	pid	process	target process
PID 4132 wrote to memory of 2596	4132	7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe	7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe
PID 4132 wrote to memory of 2596	4132	7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe	7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe
PID 4132 wrote to memory of 2596	4132	7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe	7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe

C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe
"C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe"
1⤵
PID:560

C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe
"C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:4132

C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe
"C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2596

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
2dcaf8ecadccbeabce8cf6ee57252313

SHA1
d54a37df9b89c83e3f1436020d0322bc803b3cf1

SHA256
5f27342a029bcede51ef9379a9d5e7629ae2332d8a4f00d14c24138d3b7daee5

SHA512
7434d7d11a7d0e707d140c545cbe61ae5a3352b8ebd7cd7dcce7399493fdfa46e512f4f4d98b59c5f4ad79fa013fd352152e7487b39f525406a447b1ddc67267

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
203ebf56c8490149d7f38c02e426df87

SHA1
a1f35e4ee06d7274ce80b436a655a624158a7492

SHA256
6add4d284950778861d3b96b884cf0814fa1b3945fadfa017ea773652d8c3143

SHA512
a98722f9c3e1e2e7a25e7b6a28c5408180e22d29a21de33b0cff8dbe6a4a59fcbeeb014fab181012d95ac51e8f68f4a462493bae3a8bee24d31e7688c95c48df

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
271B

MD5
714f2508d4227f74b6adacfef73815d8

SHA1
a35c8a796e4453c0c09d011284b806d25bdad04c

SHA256
a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480

SHA512
1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads