flawedammyy | d8b31596ab62c0d031fb6565c893a401556fe00287c936c3400221e31c171cbe

General

Target

924314d642591e2c6fcfee28a0d69ec1621643c13a5ab1c5cbef973b8b57fb54.exe
Size

713KB
MD5

c59be0a84718d97a82cfa59860bdab3a
SHA1

2a0df9bf173e167f90331d4ba4b05720ba6d37e4
SHA256

924314d642591e2c6fcfee28a0d69ec1621643c13a5ab1c5cbef973b8b57fb54
SHA512

245e9b6d513ca17ba8561e40b3c3a5cccc5b2256358fbf30383a72050f0c817d2272284a92a8b22f75908f86474f6367beb16ebc143c9b96ad64d7e5bff3862b
SSDEEP

12288:dVr29UGEg6VUM5oAL1jq3E2jj0NOjAqHKtCessZWjya7VM1en9Nm1RtNeCVao2Vp:vUbj4qwCessA41Rt0CVMVZtxP

Score

10^/10

flawedammyy trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

924314d642591e2c6fcfee28a0d69ec1621643c13a5ab1c5cbef973b8b57fb54.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Control Panel\International\Geo\Nation	924314d642591e2c6fcfee28a0d69ec1621643c13a5ab1c5cbef973b8b57fb54.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

924314d642591e2c6fcfee28a0d69ec1621643c13a5ab1c5cbef973b8b57fb54.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	924314d642591e2c6fcfee28a0d69ec1621643c13a5ab1c5cbef973b8b57fb54.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	924314d642591e2c6fcfee28a0d69ec1621643c13a5ab1c5cbef973b8b57fb54.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	924314d642591e2c6fcfee28a0d69ec1621643c13a5ab1c5cbef973b8b57fb54.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy	924314d642591e2c6fcfee28a0d69ec1621643c13a5ab1c5cbef973b8b57fb54.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c1059539703c72b317bb26b	924314d642591e2c6fcfee28a0d69ec1621643c13a5ab1c5cbef973b8b57fb54.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 4d987aae9121fdf42ab05738993014f4b822e1f734eaa944abbb81098eacca0442f5a060c2f7c1a79929996463b343a36db920f1f45f288f21271414419f467f1e6f8c57	924314d642591e2c6fcfee28a0d69ec1621643c13a5ab1c5cbef973b8b57fb54.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

924314d642591e2c6fcfee28a0d69ec1621643c13a5ab1c5cbef973b8b57fb54.exe

pid process

2272 924314d642591e2c6fcfee28a0d69ec1621643c13a5ab1c5cbef973b8b57fb54.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

924314d642591e2c6fcfee28a0d69ec1621643c13a5ab1c5cbef973b8b57fb54.exe

pid process

2272 924314d642591e2c6fcfee28a0d69ec1621643c13a5ab1c5cbef973b8b57fb54.exe

pid	process
2272	924314d642591e2c6fcfee28a0d69ec1621643c13a5ab1c5cbef973b8b57fb54.exe

pid	process
2272	924314d642591e2c6fcfee28a0d69ec1621643c13a5ab1c5cbef973b8b57fb54.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

924314d642591e2c6fcfee28a0d69ec1621643c13a5ab1c5cbef973b8b57fb54.exe

description	pid	process	target process
PID 2208 wrote to memory of 2272	2208	924314d642591e2c6fcfee28a0d69ec1621643c13a5ab1c5cbef973b8b57fb54.exe	924314d642591e2c6fcfee28a0d69ec1621643c13a5ab1c5cbef973b8b57fb54.exe
PID 2208 wrote to memory of 2272	2208	924314d642591e2c6fcfee28a0d69ec1621643c13a5ab1c5cbef973b8b57fb54.exe	924314d642591e2c6fcfee28a0d69ec1621643c13a5ab1c5cbef973b8b57fb54.exe
PID 2208 wrote to memory of 2272	2208	924314d642591e2c6fcfee28a0d69ec1621643c13a5ab1c5cbef973b8b57fb54.exe	924314d642591e2c6fcfee28a0d69ec1621643c13a5ab1c5cbef973b8b57fb54.exe
PID 2208 wrote to memory of 2272	2208	924314d642591e2c6fcfee28a0d69ec1621643c13a5ab1c5cbef973b8b57fb54.exe	924314d642591e2c6fcfee28a0d69ec1621643c13a5ab1c5cbef973b8b57fb54.exe

C:\Users\Admin\AppData\Local\Temp\924314d642591e2c6fcfee28a0d69ec1621643c13a5ab1c5cbef973b8b57fb54.exe
"C:\Users\Admin\AppData\Local\Temp\924314d642591e2c6fcfee28a0d69ec1621643c13a5ab1c5cbef973b8b57fb54.exe"
1⤵
PID:1168

C:\Users\Admin\AppData\Local\Temp\924314d642591e2c6fcfee28a0d69ec1621643c13a5ab1c5cbef973b8b57fb54.exe
"C:\Users\Admin\AppData\Local\Temp\924314d642591e2c6fcfee28a0d69ec1621643c13a5ab1c5cbef973b8b57fb54.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\924314d642591e2c6fcfee28a0d69ec1621643c13a5ab1c5cbef973b8b57fb54.exe
  "C:\Users\Admin\AppData\Local\Temp\924314d642591e2c6fcfee28a0d69ec1621643c13a5ab1c5cbef973b8b57fb54.exe"
  2⤵
  - Checks computer location settings
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
375a8390212ccb650be4fcb6550a1b6b

SHA1
c9690dc2ec50dd7aea8b14ca88c1c1fd2865c5a7

SHA256
efacb255c29172fccecd0c9bbfd3f0f5a685e2e7e711d000dabac5691b5efbf6

SHA512
63be84af87f63083bf45b9e5a85ce9ae1b6186229cbceedf06cbbf92676ef682c4368a4d57c2869e10b63482b1ddb458b85b549def002f49c8e64c1681d2df73

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
3bfc9a06afc0c547af1f7fded1ae9c91

SHA1
a584b9f0fc51b1dbc46ea99fad33ff0fe82ac82f

SHA256
dde6e563a4d70b47638d741401bf00cb2b0556f04db928273ec120b4f282a8fa

SHA512
fd985f65a755ba2cc9b79e83acfcfbbcb806d79be1d4b80a8448bad2d42d02700a6d594f5f216f45bb5c8f77f9759cef9bf9570a3e9dca344479f5ed532cce01

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
269B

MD5
097a18ed7b31114c7ef39ef06eff02f0

SHA1
276bb5fc8ab72ed3a447dd57be668ace8f75a7c1

SHA256
985b458559939244b777d09d71d6192a13f693b88b046ca904012603a5582812

SHA512
168ef05ddb434dd4003748c7cd6ea9ed5c8280506de4473c3b193fffc314b469e85e2474f919f189c9b7ffb16aa741d75900341a9802dae175ad185e1fea3e96

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads