flawedammyy | 3e9debda74d9cfcc7f4a610405f77081bfda97a0c433c2813d2e21bd76a4ac86

General

Target

4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe
Size

751KB
MD5

4d853025b8cd8c725bf78e3df6cce967
SHA1

c6bff7857fdf33cbd8f052ef5d669675e5cf06f8
SHA256

4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8
SHA512

977e43eaa763cc66114e00a615818c66a84a5a47bac1cdf21eff9f8f1dcebf138d8ede823265a2f30807d648c57bf036818254964358691d3f9a013f930705cf
SSDEEP

12288:Tc0dZib4t9uOroAgUHvCUt4RtlTc+YNKpQsNvVd1gF:Tc/UtwOrZgUHv54Rt6+YNkQsNmF

Score

10^/10

flawedammyy trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Control Panel\International\Geo\Nation	4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c10595317f6c36dc064b26b	4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 4f15cae673578e0e0ee068856c953809662b4bde662f321e9ffcbf58fa13175c3a8a7fe07650d150d35f1812f51db6dae4f786b0c118a23236d707e7bd0482e71de747d9	4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy	4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe

pid process

2752 4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe

pid process

2752 4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe

pid	process
2752	4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe

pid	process
2752	4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe

description	pid	process	target process
PID 3040 wrote to memory of 2752	3040	4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe	4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe
PID 3040 wrote to memory of 2752	3040	4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe	4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe
PID 3040 wrote to memory of 2752	3040	4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe	4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe
PID 3040 wrote to memory of 2752	3040	4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe	4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe

C:\Users\Admin\AppData\Local\Temp\4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe
"C:\Users\Admin\AppData\Local\Temp\4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe"
1⤵
PID:2952

C:\Users\Admin\AppData\Local\Temp\4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe
"C:\Users\Admin\AppData\Local\Temp\4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:3040

C:\Users\Admin\AppData\Local\Temp\4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe
"C:\Users\Admin\AppData\Local\Temp\4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe"
2⤵
- Checks computer location settings
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
cd98df7a847f3c0581989b38de204ef5

SHA1
d4971f2303795f61323f4c24b9839234de2a45ac

SHA256
cdc2f156f9de4b325cfec6dbaad7a2d23078c7be1bea5d45880ba6a8e794f4dc

SHA512
7cf67edf3a233714b75fff91033eb5688ed6e817ce4846c659df0dd5ccf1e9374238f402dd8b73a3406fe2383e73e471acd538b8dad243803d476a58a0b6866e

Download Submit
C:\ProgramData\AMMYY\hr3

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
271B

MD5
714f2508d4227f74b6adacfef73815d8

SHA1
a35c8a796e4453c0c09d011284b806d25bdad04c

SHA256
a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480

SHA512
1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads