flawedammyy | 847a62b88f8e17d9face6fac84037a125f66c4db0f1cdbf464305f053578d37b

Analysis

max time kernel
185s
max time network
198s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 10:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18966a28fba7a616962f90694009a466.exe
Size

708KB
MD5

18966a28fba7a616962f90694009a466
SHA1

4f7ac1f55f093bf3c7dc0fb6971a6da701793a56
SHA256

847a62b88f8e17d9face6fac84037a125f66c4db0f1cdbf464305f053578d37b
SHA512

3a0073e82cdf16bb3accb1512f2bfb5da15ab9f12eeb0616fedfbed2a877fcf52be91017523ab121549e3b0a2501974137c0d88c2c56472f6adf45f0a021b8bd
SSDEEP

12288:yVr29UGEg6VUM5oAL1jq3E2jj0NOjAqHKtCessZWjya7VM1en9Nm1RtNeCVao2Vy:oUbj4qwCessA41Rt0CVMVZtxI

Score

10^/10

flawedammyy trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation	18966a28fba7a616962f90694009a466.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	18966a28fba7a616962f90694009a466.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	18966a28fba7a616962f90694009a466.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	18966a28fba7a616962f90694009a466.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	18966a28fba7a616962f90694009a466.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e1552537021ffb8d268b26b	18966a28fba7a616962f90694009a466.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = b3c23cc51b421695674ac80a960415f2e42febdc3cd30d2b196fef60b391126eb5750a677864ce8f6fea7a6849bc0a22faa60d43db5d897428269ca67c36f4695445c5dc	18966a28fba7a616962f90694009a466.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4516	18966a28fba7a616962f90694009a466.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4516	18966a28fba7a616962f90694009a466.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 716 wrote to memory of 4516	716	18966a28fba7a616962f90694009a466.exe	94
PID 716 wrote to memory of 4516	716	18966a28fba7a616962f90694009a466.exe	94
PID 716 wrote to memory of 4516	716	18966a28fba7a616962f90694009a466.exe	94

C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe
"C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe"
1⤵
PID:3948

C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe
"C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:716
- C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe
  "C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe"
  2⤵
  - Checks computer location settings
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
ff481a88f7d2b1517ada54ed48103c2a

SHA1
8b0c8efac9b299952b1ea734a2de5a9780b1e932

SHA256
8e208f0b4fa3e33e568cca185f9aa37435beb188400ded747d32a21fc2e29b5c

SHA512
a339f1ac4d6fa6bc6bb9b8198b4a2b6336452be83d2c79edd2d9bbd01717a25b14882f7084e857b08c6229f7ce298c318d3630a5e690226ca4dd1babc3a455ef

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
30a3c0cfccca6d7f3b81811d7bcbdeb8

SHA1
3eb32684624b111eb08e57c4bae0614ec1614f75

SHA256
942a815d457c8fd527c9138f7e80c8844f0711f1d09a645391c208f23efaa2e6

SHA512
494a398283527391339a82485cb6d63bcc17a391fd43b78472a7dfd6fb288c5f716498d0d76541352111f8f852f56dfcc2b91693600835db8f5d5209ead0edce

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
281B

MD5
0ab37e79601368085b4631f7a9c5597f

SHA1
7144ec339f1a518775a4719f3c1b5b2572775c1f

SHA256
142eee7e8791e4bd6f1e6bddacab55563c33069db8a977ea4416479ea5c1b565

SHA512
7cec54972600f22f4024a90b145114fb5b6f2f1e20882495d36b0dd1a4f4174a11eacb4dda66d457b7193bdc328f8bf909b6e73cd9e0c3bfd46cb8018b926a55

Download Submit