flawedammyy | 847a62b88f8e17d9face6fac84037a125f66c4db0f1cdbf464305f053578d37b

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24-12-2023 23:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18966a28fba7a616962f90694009a466.exe
Size

708KB
MD5

18966a28fba7a616962f90694009a466
SHA1

4f7ac1f55f093bf3c7dc0fb6971a6da701793a56
SHA256

847a62b88f8e17d9face6fac84037a125f66c4db0f1cdbf464305f053578d37b
SHA512

3a0073e82cdf16bb3accb1512f2bfb5da15ab9f12eeb0616fedfbed2a877fcf52be91017523ab121549e3b0a2501974137c0d88c2c56472f6adf45f0a021b8bd
SSDEEP

12288:yVr29UGEg6VUM5oAL1jq3E2jj0NOjAqHKtCessZWjya7VM1en9Nm1RtNeCVao2Vy:oUbj4qwCessA41Rt0CVMVZtxI

Score

10^/10

flawedammyy trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

18966a28fba7a616962f90694009a466.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Control Panel\International\Geo\Nation	18966a28fba7a616962f90694009a466.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

18966a28fba7a616962f90694009a466.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	18966a28fba7a616962f90694009a466.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	18966a28fba7a616962f90694009a466.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy	18966a28fba7a616962f90694009a466.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c105953c79e850fe268b26b	18966a28fba7a616962f90694009a466.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 0708e9edba844bcfdb446a39a122f52cba8169043a817ac60a3bd4b1f7a685f0f4cbb80f885231b268503a37150313c30b66dcb47971cbc783fd9954774ee28ce779cf68	18966a28fba7a616962f90694009a466.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	18966a28fba7a616962f90694009a466.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

18966a28fba7a616962f90694009a466.exe

pid process

2156 18966a28fba7a616962f90694009a466.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

18966a28fba7a616962f90694009a466.exe

pid process

2156 18966a28fba7a616962f90694009a466.exe

pid	process
2156	18966a28fba7a616962f90694009a466.exe

pid	process
2156	18966a28fba7a616962f90694009a466.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

18966a28fba7a616962f90694009a466.exe

description	pid	process	target process
PID 2144 wrote to memory of 2156	2144	18966a28fba7a616962f90694009a466.exe	18966a28fba7a616962f90694009a466.exe
PID 2144 wrote to memory of 2156	2144	18966a28fba7a616962f90694009a466.exe	18966a28fba7a616962f90694009a466.exe
PID 2144 wrote to memory of 2156	2144	18966a28fba7a616962f90694009a466.exe	18966a28fba7a616962f90694009a466.exe
PID 2144 wrote to memory of 2156	2144	18966a28fba7a616962f90694009a466.exe	18966a28fba7a616962f90694009a466.exe

C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe
"C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe"
1⤵
PID:2148

C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe
"C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:2144

C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe
"C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe"
2⤵
- Checks computer location settings
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
a1bbe8de5b26474bae5b00bc35ebfead

SHA1
e7ded2486fbfbc7825b25b7f1e3f6fc5f5d7525b

SHA256
aa5580d4fad6ccc7902f4ed6f71f41468f11d9c798de6ba4f31796cc23646f72

SHA512
ab71c8216cd7f410a91e1c76a5e91640f658639f13deb703099804f8aaa661c40dd22be3cb413a533d9934d405590cf6dd3ff127fb85e6f10cc4e06aead5c21c

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
383fd9d7b9f1cd08006889911228040b

SHA1
dc2bbded0248d8965316d8141cac3495c2d84268

SHA256
1d614a88e7df62cb9b37c0c359a372fecbae500f1296f5af4fb80f5730635d0d

SHA512
dda4f53226eb34a8c0a6184983aec18df333e26c99235807d3762a047755312d0d5cff23cae3471940c4975641df0adc3bf37e8351295a3bc3c251c3efc77ab5

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
281B

MD5
0ab37e79601368085b4631f7a9c5597f

SHA1
7144ec339f1a518775a4719f3c1b5b2572775c1f

SHA256
142eee7e8791e4bd6f1e6bddacab55563c33069db8a977ea4416479ea5c1b565

SHA512
7cec54972600f22f4024a90b145114fb5b6f2f1e20882495d36b0dd1a4f4174a11eacb4dda66d457b7193bdc328f8bf909b6e73cd9e0c3bfd46cb8018b926a55

Download Submit