flawedammyy | 60797554cc5556d0a2e631d34a599a110b620cfdd2438a049ebe355699f510fa

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 12:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18e6fbf3a7799ead04694742028458de.exe
Size

701KB
MD5

18e6fbf3a7799ead04694742028458de
SHA1

cc42326f7cd7d68bb4a5f78e6b9807bb1c92d6d5
SHA256

60797554cc5556d0a2e631d34a599a110b620cfdd2438a049ebe355699f510fa
SHA512

48ad9211e79b1e3f35b191a06d1f19f4c32291c598b21f117c8d6f90bd1ca18ab134d35c726405ab63a233c180e708ea23db2a436f052d763457aed476fb2a87
SSDEEP

12288:hqpX2zPf0bvoLsU+FKN0fCskD1RtcnzepMqBCz3gI:cOPMrGL+FKNAe1RtkzepMqBCkI

Score

10^/10

flawedammyy trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

18e6fbf3a7799ead04694742028458de.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	18e6fbf3a7799ead04694742028458de.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

18e6fbf3a7799ead04694742028458de.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e1552536d20dc627a63b26b	18e6fbf3a7799ead04694742028458de.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 84837a3830a17b89428db04570b4e442152ae3570797f4e87185bdb90bfc9859771f348b2bfa0cefe04680430ccd0d8e29ed1464859645f0e8d2d6b2bb6b2191ac619f55	18e6fbf3a7799ead04694742028458de.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	18e6fbf3a7799ead04694742028458de.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	18e6fbf3a7799ead04694742028458de.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	18e6fbf3a7799ead04694742028458de.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	18e6fbf3a7799ead04694742028458de.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

18e6fbf3a7799ead04694742028458de.exe

pid process

1500 18e6fbf3a7799ead04694742028458de.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

18e6fbf3a7799ead04694742028458de.exe

pid process

1500 18e6fbf3a7799ead04694742028458de.exe

pid	process
1500	18e6fbf3a7799ead04694742028458de.exe

pid	process
1500	18e6fbf3a7799ead04694742028458de.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

18e6fbf3a7799ead04694742028458de.exe

description	pid	process	target process
PID 3264 wrote to memory of 1500	3264	18e6fbf3a7799ead04694742028458de.exe	18e6fbf3a7799ead04694742028458de.exe
PID 3264 wrote to memory of 1500	3264	18e6fbf3a7799ead04694742028458de.exe	18e6fbf3a7799ead04694742028458de.exe
PID 3264 wrote to memory of 1500	3264	18e6fbf3a7799ead04694742028458de.exe	18e6fbf3a7799ead04694742028458de.exe

C:\Users\Admin\AppData\Local\Temp\18e6fbf3a7799ead04694742028458de.exe
"C:\Users\Admin\AppData\Local\Temp\18e6fbf3a7799ead04694742028458de.exe"
1⤵
PID:4292

C:\Users\Admin\AppData\Local\Temp\18e6fbf3a7799ead04694742028458de.exe
"C:\Users\Admin\AppData\Local\Temp\18e6fbf3a7799ead04694742028458de.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:3264
- C:\Users\Admin\AppData\Local\Temp\18e6fbf3a7799ead04694742028458de.exe
  "C:\Users\Admin\AppData\Local\Temp\18e6fbf3a7799ead04694742028458de.exe"
  2⤵
  - Checks computer location settings
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
143ea9af11f4c0c947c221e5241ba8f5

SHA1
abe9803a9b1414fac91818ebad5c769bd24d5dd0

SHA256
2b5555be34beaf8aef2724a79a67ae7382f78efcd97fb8ca0aa9485e2b278d75

SHA512
9340c5f8a5c2a409304c3dba905f2045412bb3dc15d44d73b3e2366946d54617f088a6f9d6c30cba25bcdb4a5dec6585d4afb99f40cff40319c2dbe34299e0ea

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
d543cdfe9d55fd439af8287a77ee6899

SHA1
f8c3240041a8689c3a09edbb413adda9681c2d72

SHA256
514eb4c9e0221b241afc2ebd22ad6eb82e21fc5b46b0fb254b74675bc38cce41

SHA512
90662f0f2741c52c685cfcf4c7dd175843901a7b6b6c3ed533579654846e3564b90f73245194e4c88641c711572a7df45a5d1149473149471dea593f2530945c

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
269B

MD5
097a18ed7b31114c7ef39ef06eff02f0

SHA1
276bb5fc8ab72ed3a447dd57be668ace8f75a7c1

SHA256
985b458559939244b777d09d71d6192a13f693b88b046ca904012603a5582812

SHA512
168ef05ddb434dd4003748c7cd6ea9ed5c8280506de4473c3b193fffc314b469e85e2474f919f189c9b7ffb16aa741d75900341a9802dae175ad185e1fea3e96

Download Submit