flawedammyy | ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
10-02-2024 04:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

798KB
MD5

90aadf2247149996ae443e2c82af3730
SHA1

050b7eba825412b24e3f02d76d7da5ae97e10502
SHA256

ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
SHA512

eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be
SSDEEP

24576:Uj0JJ4p/A4npt3XojeQG5EtzRtO7GvmDguXd:UjoJ4u4zojegylDN

Score

10^/10

flawedammyy bootkit persistence trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

file.exe

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	file.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

file.exe

pid	Process
2372	file.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

file.exe

description	pid	Process	procid_target
PID 2224 wrote to memory of 2372	2224	file.exe	29
PID 2224 wrote to memory of 2372	2224	file.exe	29
PID 2224 wrote to memory of 2372	2224	file.exe	29
PID 2224 wrote to memory of 2372	2224	file.exe	29

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Writes to the Master Boot Record (MBR)
PID:2056

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\settings3.bin

Filesize
327B

MD5
6b551c2bf1f8b0d2f7877568596b2541

SHA1
d75bf70a7f9b9eb8cab9e4652f6323ee46150087

SHA256
d77b2b9d5a87cc8368235eed9904db8cbfb3e0223d2caea628b8480665363c56

SHA512
b1ac4918cdbeb55912c974c31df16def1380432d5f451e4069f49c7c1405b439ca2ab52f4d9f877a88fa450cc6d612c49012d2555218f605c5b744f434277d4f

Download Submit