flawedammyy | 847a62b88f8e17d9face6fac84037a125f66c4db0f1cdbf464305f053578d37b

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18966a28fba7a616962f90694009a466.exe
Size

708KB
MD5

18966a28fba7a616962f90694009a466
SHA1

4f7ac1f55f093bf3c7dc0fb6971a6da701793a56
SHA256

847a62b88f8e17d9face6fac84037a125f66c4db0f1cdbf464305f053578d37b
SHA512

3a0073e82cdf16bb3accb1512f2bfb5da15ab9f12eeb0616fedfbed2a877fcf52be91017523ab121549e3b0a2501974137c0d88c2c56472f6adf45f0a021b8bd
SSDEEP

12288:yVr29UGEg6VUM5oAL1jq3E2jj0NOjAqHKtCessZWjya7VM1en9Nm1RtNeCVao2Vy:oUbj4qwCessA41Rt0CVMVZtxI

Score

10^/10

flawedammyy trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-928733405-3780110381-2966456290-1000\Control Panel\International\Geo\Nation	18966a28fba7a616962f90694009a466.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	18966a28fba7a616962f90694009a466.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	18966a28fba7a616962f90694009a466.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	18966a28fba7a616962f90694009a466.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy	18966a28fba7a616962f90694009a466.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c105953575e50a77161b26b	18966a28fba7a616962f90694009a466.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = a3880b30f5c2c9166331042e917a7921f03d313e5fc1f372df02e04521feb22d9be97785e332a8edcac6432e8e4698c9933b8d9ea356511b2ed6acabf334384eeb8fecd7	18966a28fba7a616962f90694009a466.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2172	18966a28fba7a616962f90694009a466.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2172	18966a28fba7a616962f90694009a466.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 2172	2864	18966a28fba7a616962f90694009a466.exe	29
PID 2864 wrote to memory of 2172	2864	18966a28fba7a616962f90694009a466.exe	29
PID 2864 wrote to memory of 2172	2864	18966a28fba7a616962f90694009a466.exe	29
PID 2864 wrote to memory of 2172	2864	18966a28fba7a616962f90694009a466.exe	29

C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe
"C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe"
1⤵
PID:2392

C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe
"C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe
  "C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe"
  2⤵
  - Checks computer location settings
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
81965d4b4ca0739d9b79075036f505e5

SHA1
f8cf76854b1a307566fa734282621440507bff27

SHA256
880dd9f5237d0f41e808c895651e647736edee7ae1b231ca12e5f0073e3b3d81

SHA512
bdab5e8622471e98cb79fa22ef9470224b70dac516126a2f926b54cc386bdfe11b85ebe6e873964f690f2d4ce08c9d620e0a35d413ece436e2e65297b10ab749

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
206f96229cbc195dba2d14fda26a9a6f

SHA1
2c899f88ae462db944f3efc33e5e1e50f3aedeb3

SHA256
a2e165db76e0e76584885729ecfd1413c83753866f975d966a0837a39cf78c29

SHA512
aaa5b749b9d9e957dff0f658e0115f9a97eb439b7557eb50f2e14c24447c96920341949782c57c733dc34b458cbc5f21c3d7d35dde6b04527f59902aafee72a6

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
281B

MD5
0ab37e79601368085b4631f7a9c5597f

SHA1
7144ec339f1a518775a4719f3c1b5b2572775c1f

SHA256
142eee7e8791e4bd6f1e6bddacab55563c33069db8a977ea4416479ea5c1b565

SHA512
7cec54972600f22f4024a90b145114fb5b6f2f1e20882495d36b0dd1a4f4174a11eacb4dda66d457b7193bdc328f8bf909b6e73cd9e0c3bfd46cb8018b926a55

Download Submit