flawedammyy | 847a62b88f8e17d9face6fac84037a125f66c4db0f1cdbf464305f053578d37b

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2023 23:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18966a28fba7a616962f90694009a466.exe
Size

708KB
MD5

18966a28fba7a616962f90694009a466
SHA1

4f7ac1f55f093bf3c7dc0fb6971a6da701793a56
SHA256

847a62b88f8e17d9face6fac84037a125f66c4db0f1cdbf464305f053578d37b
SHA512

3a0073e82cdf16bb3accb1512f2bfb5da15ab9f12eeb0616fedfbed2a877fcf52be91017523ab121549e3b0a2501974137c0d88c2c56472f6adf45f0a021b8bd
SSDEEP

12288:yVr29UGEg6VUM5oAL1jq3E2jj0NOjAqHKtCessZWjya7VM1en9Nm1RtNeCVao2Vy:oUbj4qwCessA41Rt0CVMVZtxI

Score

10^/10

flawedammyy trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

18966a28fba7a616962f90694009a466.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation	18966a28fba7a616962f90694009a466.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

18966a28fba7a616962f90694009a466.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	18966a28fba7a616962f90694009a466.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	18966a28fba7a616962f90694009a466.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	18966a28fba7a616962f90694009a466.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	18966a28fba7a616962f90694009a466.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e1552532bd9a10be268b26b	18966a28fba7a616962f90694009a466.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = c2da8fc5fcc2c9166331042e917aeeac8b6bab19551b51d4cd11b7bd85277818671584d8cb572c360db3bbe896dded56e5dc03169642f765b6bcb6b045410744a648afcc	18966a28fba7a616962f90694009a466.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

18966a28fba7a616962f90694009a466.exe

pid process

1336 18966a28fba7a616962f90694009a466.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

18966a28fba7a616962f90694009a466.exe

pid process

1336 18966a28fba7a616962f90694009a466.exe

pid	process
1336	18966a28fba7a616962f90694009a466.exe

pid	process
1336	18966a28fba7a616962f90694009a466.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

18966a28fba7a616962f90694009a466.exe

description	pid	process	target process
PID 2280 wrote to memory of 1336	2280	18966a28fba7a616962f90694009a466.exe	18966a28fba7a616962f90694009a466.exe
PID 2280 wrote to memory of 1336	2280	18966a28fba7a616962f90694009a466.exe	18966a28fba7a616962f90694009a466.exe
PID 2280 wrote to memory of 1336	2280	18966a28fba7a616962f90694009a466.exe	18966a28fba7a616962f90694009a466.exe

C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe
"C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe"
1⤵
PID:4560

C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe
"C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:2280

C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe
"C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe"
2⤵
- Checks computer location settings
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
74815f2583a01dd553c3069e2c9ca16b

SHA1
efe5917d4beae084419d0af0e2c92c82ac20b13b

SHA256
9af3723ecc9e7a954c973201a0f056029d62b8318f27ed4eaa10966da354603b

SHA512
40d56c7fcd9c1eaf3c228df9b79a83fb6a5a8e066f48a3c3c11e71f496d32b6f8fc08f9c25e36439c93d891b17911d9cba67e52d1d4d81da0533aa0260fa235d

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
93c105c12c965d01a26c9e0cbd3b2727

SHA1
42f714404d61e52eed232f510efa4474bb13961a

SHA256
87da020507295b9fa549be759a57d911ba56385451452cdf62b42f2e8635a836

SHA512
c686ed128171069460890b7f28a4e26ea2f63a62c1e4f6cde054a4e24dbdaa1c67145ef9606f0eb6484e377d47911f3ba14381ea2377edfc374c0d6663161d26

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
281B

MD5
0ab37e79601368085b4631f7a9c5597f

SHA1
7144ec339f1a518775a4719f3c1b5b2572775c1f

SHA256
142eee7e8791e4bd6f1e6bddacab55563c33069db8a977ea4416479ea5c1b565

SHA512
7cec54972600f22f4024a90b145114fb5b6f2f1e20882495d36b0dd1a4f4174a11eacb4dda66d457b7193bdc328f8bf909b6e73cd9e0c3bfd46cb8018b926a55

Download Submit