flawedammyy | 42b1ae153366264dc556bcf909ade649caeb796151458e1096a3087b1c956c7e

Analysis

max time kernel
31s
max time network
143s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
01-01-2024 09:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ammyy Admin Corporate v3.5.exe
Size

746KB
MD5

2fcbad97d4443200c6d103b7474466f0
SHA1

a94db856006bbf526d57217ff4d4b2f73ee53f7c
SHA256

4ce31888140938c0409b7bd9bd46914232fc2d490181eb8ceb74941056a2b765
SHA512

56c093e09ecab1e9a99b99638591fdd4824ce84e68e7daddc228d1e479a8d51304ed8d72b511cdb4ec74292d0a0bb42ff02761001f0296503aca7c0e66565516
SSDEEP

12288:PUYiJqMH2OwlaUPcWWwTXZV8f64RteVpN5ETMasTjcP6gX:ziJJWOwlaUPcWWwDZb4Rt+N5WMasHoX

Score

10^/10

flawedammyy trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Ammyy Admin Corporate v3.5.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\International\Geo\Nation	Ammyy Admin Corporate v3.5.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

Ammyy Admin Corporate v3.5.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	Ammyy Admin Corporate v3.5.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy	Ammyy Admin Corporate v3.5.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c10595377278419141fb26b	Ammyy Admin Corporate v3.5.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = bbf5158798f45477d9530eeb722708e7dc605d8348f36aca1aacde0e22945b371ec1dfa7a1d6afba9a9040d6623eaba642c3a75124ee162356548876b8781d0b2ddb611e	Ammyy Admin Corporate v3.5.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Ammyy Admin Corporate v3.5.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	Ammyy Admin Corporate v3.5.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Ammyy Admin Corporate v3.5.exe

pid	Process
2400	Ammyy Admin Corporate v3.5.exe

Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Ammyy Admin Corporate v3.5.exe

pid	Process
2400	Ammyy Admin Corporate v3.5.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Ammyy Admin Corporate v3.5.exe

description	pid	Process	procid_target
PID 2212 wrote to memory of 2400	2212	Ammyy Admin Corporate v3.5.exe	17
PID 2212 wrote to memory of 2400	2212	Ammyy Admin Corporate v3.5.exe	17
PID 2212 wrote to memory of 2400	2212	Ammyy Admin Corporate v3.5.exe	17
PID 2212 wrote to memory of 2400	2212	Ammyy Admin Corporate v3.5.exe	17

C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe
"C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe"
1⤵
PID:3028

C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe
"C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe"
1⤵
- Checks computer location settings
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2400

C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe
"C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
c4364061067ea5a9d191be44d304d233

SHA1
11ee662e02e9cec88acbce425535231685cfe87a

SHA256
b964a55d1270ed858886e8cae9b4e4ebbf75645c5c19e036f683152fd3254a13

SHA512
18dacc37a09d47311182a7c7c7df6ac9b8bfb9b146564a07b1de2149f8bfab7dffe521e02611bac7871b7e45167eab615e373268abeb392da12c9f221775192b

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
7e8e2cf7bc727f1b9c28824fe8a60efe

SHA1
bf968acc15f308b00b418e18efa20c80abf5bc6c

SHA256
558e42e66710aead62c3c71889eea312c208a47d28190435696245dc9a6a99bd

SHA512
e8905dd8ed1521b67e29fab6ec12fb691652669074d0c16541f4284739b8d97b320910a7b1a847c8b4c4f2582f002f4d45b99db9cb04f8826d7aa1f9107554d5

Download Submit
C:\ProgramData\AMMYY\settings3.bin

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit