flawedammyy | 7b800d430002dc67514cf719db65691e95e1a42ab82efb4633ea2be93a0c3cc7

General

Target

4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe
Size

726KB
MD5

190785b2bb664324334c1b5231b5c4b0
SHA1

07539abb2623fe24b9a05e240f675fa2d15268cb
SHA256

4731517b198414342891553881913565819509086b8154214462788c740b34c9
SHA512

ab40f182fb52e5281f0761cf064a7f4b82ea04a2c9c00fe6faa4e61f8e632b8c7a64820e226b2ab668c99ada195c1ca117b702474bd023d84991a16dd10ba85c
SSDEEP

12288:8YdNctvsfu2LVBfKf057C9lRt3i5olGJsxhzagH:HdNikfu2hBfK8ilRty5olGJsxNH

Score

10^/10

flawedammyy trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Drops file in System32 directory 4 IoCs

Processes:

4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe

Modifies data under HKEY_USERS 9 IoCs

Processes:

4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e155253ac13f82a257bb26b	4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = b681a4d2cbd09ebfa20aea6b899c2416402927ed79491d67b694f14440a439d7cd74164206bec0d224f8e5340211dcefdd24f6565b1a5645c9f59b377f525c8594080707	4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe

pid process

1608 4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe

pid process

1608 4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe

pid	process
1608	4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe

pid	process
1608	4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe

description	pid	process	target process
PID 1620 wrote to memory of 1608	1620	4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe	4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe
PID 1620 wrote to memory of 1608	1620	4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe	4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe
PID 1620 wrote to memory of 1608	1620	4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe	4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe

C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe
"C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe"
1⤵
PID:1652

C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe
"C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:1620

C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe
"C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe"
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1608

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
0b2120b7698920ed6589cf26cf1e2b86

SHA1
a90ae37993adf7e350550eb9016f5ac32934a50c

SHA256
ec4ace26b69cd181627363077491c2fb3da4ded91182869927d0ba36f47a6f6f

SHA512
95d2ec4476a8fbdc614aad7bd24de248f956b8ea3b88229fdbeafe398d50ebbba0a3df2e2c95a590ef6dc0189b2b70fa89ba75d164dee114a66a3c1068c3dbbd

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
f0074908c2152dabb33e0b343c794f3c

SHA1
b559b800e90ac03c5619943d05da11c1840e6b07

SHA256
6df286c14619dde1c6dc00e088b93d45117eba39074d62aafacdd17a05ab4c1b

SHA512
8c8ca915137d1ee03b54ca9ad0e9c7ba6bffaaff3663c476169a84fda7db63d3f5f2e34fc278792d600635f3457cbb734f5cfd2c8a4830817a92d9b2525ea8c0

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
271B

MD5
4cb889e527b0d0781a17f6c2dd968129

SHA1
6a6a55cd5604370660f1c1ad1025195169be8978

SHA256
2658cd46dd49335e739cafa31ff2ec63f3315b65ecc171a0f7612713d3ac702b

SHA512
297d2c05d2ac950faeb519d3e7bc56ea9d9fcab65b5dfdbba2720be8eddc8b2d5ead3dc7c122b82d6937be6c2d7bb88872dd7b80961138571245fba381daac3f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads