flawedammyy | 42b1ae153366264dc556bcf909ade649caeb796151458e1096a3087b1c956c7e

Analysis

max time kernel
25s
max time network
144s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-12-2023 16:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ammyy Admin Corporate v3.5.exe
Size

746KB
MD5

2fcbad97d4443200c6d103b7474466f0
SHA1

a94db856006bbf526d57217ff4d4b2f73ee53f7c
SHA256

4ce31888140938c0409b7bd9bd46914232fc2d490181eb8ceb74941056a2b765
SHA512

56c093e09ecab1e9a99b99638591fdd4824ce84e68e7daddc228d1e479a8d51304ed8d72b511cdb4ec74292d0a0bb42ff02761001f0296503aca7c0e66565516
SSDEEP

12288:PUYiJqMH2OwlaUPcWWwTXZV8f64RteVpN5ETMasTjcP6gX:ziJJWOwlaUPcWWwDZb4Rt+N5WMasHoX

Score

10^/10

flawedammyy trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Control Panel\International\Geo\Nation	Ammyy Admin Corporate v3.5.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Ammyy Admin Corporate v3.5.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	Ammyy Admin Corporate v3.5.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	Ammyy Admin Corporate v3.5.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy	Ammyy Admin Corporate v3.5.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c105953e7de0ab60366b26b	Ammyy Admin Corporate v3.5.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 90984e5323a2a1441a2ad981401e8eda461968b904bdea336851a5c0676b69db486b48381b476d0bb14287a7707c27f1188a3c6bda3267a91b98cc7b8983e06f81d78c2c	Ammyy Admin Corporate v3.5.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2012	Ammyy Admin Corporate v3.5.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2012	Ammyy Admin Corporate v3.5.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2012	3048	Ammyy Admin Corporate v3.5.exe	15
PID 3048 wrote to memory of 2012	3048	Ammyy Admin Corporate v3.5.exe	15
PID 3048 wrote to memory of 2012	3048	Ammyy Admin Corporate v3.5.exe	15
PID 3048 wrote to memory of 2012	3048	Ammyy Admin Corporate v3.5.exe	15

C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe
"C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe"
1⤵
PID:2692

C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe
"C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe"
1⤵
- Checks computer location settings
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2012

C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe
"C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\settings3.bin

Filesize
271B

MD5
714f2508d4227f74b6adacfef73815d8

SHA1
a35c8a796e4453c0c09d011284b806d25bdad04c

SHA256
a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480

SHA512
1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

Download Submit