flawedammyy | 60797554cc5556d0a2e631d34a599a110b620cfdd2438a049ebe355699f510fa

Analysis

max time kernel
108s
max time network
140s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 12:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18e6fbf3a7799ead04694742028458de.exe
Size

701KB
MD5

18e6fbf3a7799ead04694742028458de
SHA1

cc42326f7cd7d68bb4a5f78e6b9807bb1c92d6d5
SHA256

60797554cc5556d0a2e631d34a599a110b620cfdd2438a049ebe355699f510fa
SHA512

48ad9211e79b1e3f35b191a06d1f19f4c32291c598b21f117c8d6f90bd1ca18ab134d35c726405ab63a233c180e708ea23db2a436f052d763457aed476fb2a87
SSDEEP

12288:hqpX2zPf0bvoLsU+FKN0fCskD1RtcnzepMqBCz3gI:cOPMrGL+FKNAe1RtkzepMqBCkI

Score

10^/10

flawedammyy trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

18e6fbf3a7799ead04694742028458de.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Control Panel\International\Geo\Nation	18e6fbf3a7799ead04694742028458de.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

18e6fbf3a7799ead04694742028458de.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	18e6fbf3a7799ead04694742028458de.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy	18e6fbf3a7799ead04694742028458de.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c10595327a4f9707a63b26b	18e6fbf3a7799ead04694742028458de.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 337a7fdde1f2a8842e77fdf497b989e0caed163d8593e5b953ab167d8442353b5ee870749df6477d14fead6b6ac1b3cadc00aca6fdcab918d6ad28de649ad488a3eec847	18e6fbf3a7799ead04694742028458de.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	18e6fbf3a7799ead04694742028458de.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	18e6fbf3a7799ead04694742028458de.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

18e6fbf3a7799ead04694742028458de.exe

pid process

2520 18e6fbf3a7799ead04694742028458de.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

18e6fbf3a7799ead04694742028458de.exe

pid process

2520 18e6fbf3a7799ead04694742028458de.exe

pid	process
2520	18e6fbf3a7799ead04694742028458de.exe

pid	process
2520	18e6fbf3a7799ead04694742028458de.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

18e6fbf3a7799ead04694742028458de.exe

description	pid	process	target process
PID 2160 wrote to memory of 2520	2160	18e6fbf3a7799ead04694742028458de.exe	18e6fbf3a7799ead04694742028458de.exe
PID 2160 wrote to memory of 2520	2160	18e6fbf3a7799ead04694742028458de.exe	18e6fbf3a7799ead04694742028458de.exe
PID 2160 wrote to memory of 2520	2160	18e6fbf3a7799ead04694742028458de.exe	18e6fbf3a7799ead04694742028458de.exe
PID 2160 wrote to memory of 2520	2160	18e6fbf3a7799ead04694742028458de.exe	18e6fbf3a7799ead04694742028458de.exe

C:\Users\Admin\AppData\Local\Temp\18e6fbf3a7799ead04694742028458de.exe
"C:\Users\Admin\AppData\Local\Temp\18e6fbf3a7799ead04694742028458de.exe"
1⤵
PID:2180

C:\Users\Admin\AppData\Local\Temp\18e6fbf3a7799ead04694742028458de.exe
"C:\Users\Admin\AppData\Local\Temp\18e6fbf3a7799ead04694742028458de.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:2160

C:\Users\Admin\AppData\Local\Temp\18e6fbf3a7799ead04694742028458de.exe
"C:\Users\Admin\AppData\Local\Temp\18e6fbf3a7799ead04694742028458de.exe"
2⤵
- Checks computer location settings
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
199db8e464b3557a53d94727852e9f5c

SHA1
91c12dfd2ac94b0fb5149713ca58d7ae82d6280e

SHA256
352727f7f122d5d950fc3791fbabab35f7da0a9c232bc7a94bb2a7d4db4e1169

SHA512
0edf38f714d578367239526e56957c9717b9249516432575cc5e459b11027e58506a33dbc83a801950a2ad256f62f98ee500e80ee71dccf504176adae09e722b

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
56d59ceac005fc4b6d72659ca2c88ee6

SHA1
f005e89602ec7aa8dde1acdede391c5458716089

SHA256
4bb1c408a74580f00b75bd5b0076f446003ae6c5a02354707c11a9c2332ad4a0

SHA512
7179c6af1762ae39a1499bf6deb1bcd0d00767ab24e483f2fa24d0d394ddfe1a82bc62b85065b0a5760c6797ec1d114336844b1e2a93ee75392ede2f37ddff34

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
269B

MD5
097a18ed7b31114c7ef39ef06eff02f0

SHA1
276bb5fc8ab72ed3a447dd57be668ace8f75a7c1

SHA256
985b458559939244b777d09d71d6192a13f693b88b046ca904012603a5582812

SHA512
168ef05ddb434dd4003748c7cd6ea9ed5c8280506de4473c3b193fffc314b469e85e2474f919f189c9b7ffb16aa741d75900341a9802dae175ad185e1fea3e96

Download Submit