flawedammyy | 1bac901d570725c59941c9164ca32fde855608e99f6d1819bc40bcd7ae9183cc

General

Target

6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe
Size

746KB
MD5

f8cd52b70a11a1fb3f29c6f89ff971ec
SHA1

6a0c46818a6a10c2c5a98a0cce65fbaf95caa344
SHA256

6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20
SHA512

987b6b288a454b6198d4e7f94b7bba67cafe37f9654cd3cd72134a85958efd2125596ae48e66a8ee49ee3f4199dac7f136e1831f2bf4015f25d2980f0b866abe
SSDEEP

12288:PUYpJqMH2OwlaUPcWWw5XZV8f64RteVpN5ETMasTjcP6gX:zpJJWOwlaUPcWWwRZb4Rt+N5WMasHoX

Score

10^/10

flawedammyy trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Control Panel\International\Geo\Nation	6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe

Modifies data under HKEY_USERS 7 IoCs

Processes:

6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796e5f5e4c105953977284813e7bb26b	6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 4d8753afb210d883acc3aebafd730c08c40f8beb5920abf001ec0e18a4a1744ddd5478da770961e07406d640bb571d06ed577744a0a22f0a675af9d7eaee69dc6cd91075	6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe

pid process

2808 6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe

pid process

2808 6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe

pid	process
2808	6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe

pid	process
2808	6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe

description	pid	process	target process
PID 2716 wrote to memory of 2808	2716	6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe	6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe
PID 2716 wrote to memory of 2808	2716	6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe	6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe
PID 2716 wrote to memory of 2808	2716	6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe	6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe
PID 2716 wrote to memory of 2808	2716	6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe	6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe

C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe
"C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe"
1⤵
PID:2888

C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe
"C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe
  "C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe"
  2⤵
  - Checks computer location settings
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
2cbb8be561d9c16a3ed0c912d65f2a1a

SHA1
6e42d690cedf002197263a9ca32064d97eb9127b

SHA256
d1f696145c72a0ba3d12302210e73215df6f77918e06e7b8d85675301648c190

SHA512
488b6f006253c0c246979c72bfce0b00fb6a622dfeaf4aa3ec43c0ceefaa4119558953f473109153324f7f2994239ecbd85298dcf810d47db8e5029a69f69eea

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
c406ccab2cb70d086e24454b7a5fb83c

SHA1
db1acc08b9767518bbf7de2ab3ab4750be094097

SHA256
801724a6639045a4cf12a2cca17db4008284a5b9d45963c38cf307c4babbd69d

SHA512
c7f29f1ab313bab9b4b617cfea5d15c1be5651ae5ad718b91cc4cab58727fb8b950c0a1d7748287b6ee81f7bcf6b5b4406e5ff278d9eef8c8a9f6a32222b3ca2

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
271B

MD5
714f2508d4227f74b6adacfef73815d8

SHA1
a35c8a796e4453c0c09d011284b806d25bdad04c

SHA256
a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480

SHA512
1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads