flawedammyy | b34545c6faf06eab1ca4db9d5378a0ca775d4d45e5b2fb6ee88e07180d240c70

Analysis

max time kernel
17s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2023 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AmmyyAdmin_v3.exe
Size

701KB
MD5

61e9063d98bd8ceb0eb78332996e1fe5
SHA1

95c0575928ed459928d70ab4d82199a092cf7d90
SHA256

5cf1cc749208121e38b2984edca4583997ba72e8225ef94512debf9794c9192a
SHA512

238d302f03b83906184b5d1cd6afaa8b2429f8d16a18ac759fe65eb0aa86de29a8b59f5fea53fa61803519837c6715b8d283877f27a1e34a4c4a2d8425e3c8cd
SSDEEP

12288:lA4uNgU63ohsfC0acs34Br2z1Rt9adJ75+z8BNzbgc:bFUCMs9a5II1RtwdJt28BNAc

Score

10^/10

flawedammyy trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	AmmyyAdmin_v3.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	AmmyyAdmin_v3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	AmmyyAdmin_v3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	AmmyyAdmin_v3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	AmmyyAdmin_v3.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e155253d39e600d6b69b26b	AmmyyAdmin_v3.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 95134326047501267ce156cb224673bf8d0419c8af55a2fd9c2fccf836ee9b47ab42adbb9a564acfdddc17b061532586a1295e2d291b680e0752736c0b5b79de4bf1643f	AmmyyAdmin_v3.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
452	AmmyyAdmin_v3.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
452	AmmyyAdmin_v3.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 348 wrote to memory of 452	348	AmmyyAdmin_v3.exe	21
PID 348 wrote to memory of 452	348	AmmyyAdmin_v3.exe	21
PID 348 wrote to memory of 452	348	AmmyyAdmin_v3.exe	21

C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe
"C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe"
1⤵
PID:4640

C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe
"C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:348
- C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe
  "C:\Users\Admin\AppData\Local\Temp\AmmyyAdmin_v3.exe"
  2⤵
  - Checks computer location settings
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
4ef1b181641e1cc03ad6066c08f87387

SHA1
81ec33e66223bde297bf3f092fe5ec5d96f6b69b

SHA256
35ca50a2d46f0229caf5d11ea6dae8bea80131f5cf0b4057271c23c06bf26bed

SHA512
eca848a737d1a007e39e9cf5af11cb5c6200c15c24286980201c43b274aa0f15bc6ce03b780aaa5a87a77e3bbe8283c779d3648a7a47e1e7dd41f38f5d9f42f0

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
07b07bdd9dc68cb2bd6a98238c80d041

SHA1
a58a8d71c55898f3f1dac7a121f953d4eb0b4445

SHA256
cbb9d0b5f9cbe7ba23946dec1287622bcc241d2cdfb2e677fd926c5446041779

SHA512
ce1281414551b659bcf2bdb5f23261d3bfb01a00d1e6e9d4a358dd0157dcd5e7c8b489a735a129fd79f4a0c5deb52a25e003b304f9f7e450a3349957b058f77c

Download Submit