flawedammyy | 480db250da8cbb3234c64ce8d30e119addb3f2e515332a1da113d9e7b12142fd

Analysis

max time kernel
158s
max time network
182s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
01-12-2023 15:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe
Size

762KB
MD5

e9b569f7cbf23d91df065c18f4c43840
SHA1

5d7cb1a2ca7db04edf23dd3ed41125c8c867b0ad
SHA256

d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605
SHA512

a9f01663b0c0ce9d30bd6760847bf3c18318801634145ec75e047019a8e8a9b13ea8122449b8f45ad40b63d4551cb85230df1b41a41ddc33a39cfcf2ec237ccb
SSDEEP

12288:kX5PFc+E0SlpOvcC1KL/q/IZVURtCdshX5x8jR31QEY0VEoge:2P++ZSlpOUC1KT4+URtYshX5aRlQEYte

Score

10^/10

flawedammyy trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\International\Geo\Nation	d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy	d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 146bf89741ddcbc532b05738993014f4b822e1f734eaa944abbb81098eacca0442f5a060c2f7c1a79929996463b343a36db920f1f45f288f21271414419ff73c25243d24	d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe

pid process

2928 d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe

pid process

2928 d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe

pid	process
2928	d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe

pid	process
2928	d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe

description	pid	process	target process
PID 1016 wrote to memory of 2928	1016	d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe	d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe
PID 1016 wrote to memory of 2928	1016	d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe	d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe
PID 1016 wrote to memory of 2928	1016	d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe	d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe
PID 1016 wrote to memory of 2928	1016	d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe	d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe

C:\Users\Admin\AppData\Local\Temp\d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe
"C:\Users\Admin\AppData\Local\Temp\d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe"
1⤵
PID:1920

C:\Users\Admin\AppData\Local\Temp\d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe
"C:\Users\Admin\AppData\Local\Temp\d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Users\Admin\AppData\Local\Temp\d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe
  "C:\Users\Admin\AppData\Local\Temp\d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe"
  2⤵
  - Checks computer location settings
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\settings3.bin

Filesize
274B

MD5
bcc40b676c5b0f5a176be92cc8f4199f

SHA1
5415364e6ab90151eb1272268cb75ef6c4306a2f

SHA256
d3df407118bd28d28e7d3c8afc497c5e478e5d078f7792501ddecb45f3b51826

SHA512
467c473be5b9f6e0b8302620b6fbd9ad84f90da2bae3247d8326a22bfdd902fd79e55a2160493903eb747db6ef38fc9decb3db372afa26667f374ca2d0ceb36d

Download Submit