flawedammyy | b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-02-2024 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ammyy.exe
Size

726KB
MD5

d22d719495f23e38805bbea5df434abb
SHA1

3cfeeb974e65c0ba671d81459d2c6b694d5d4eaf
SHA256

b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20
SHA512

d87670775d222b25b329377c8d26c2a4c88ce6b1aa1d6fc004b95ad93f377fd56fb03e709b4b61b26c4fcf06fe477e42afe9f9715884ea91699548b1e4d4a4c7
SSDEEP

12288:ozJUxbtiiTHRJuEkQO7EwC2ZwFRtAdRXRryd+sq1zsgp:o9oNTHRz/O7rT6FRteRXR2IsqXp

Score

10^/10

flawedammyy trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ammyy.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\International\Geo\Nation	ammyy.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

ammyy.exe

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c105953f757cd16f637b26b	ammyy.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 9810b6584be139e9b6a7a67c0b513d113d1856aaad5ab22052cfe2bb7672c1bd45bd6fff51d9a334eecbd0c81e0afb7b1140873a5ed2c0251e7ffdd10946a127602e3956	ammyy.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	ammyy.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	ammyy.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	ammyy.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy	ammyy.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

ammyy.exe

pid	Process
2736	ammyy.exe

Suspicious use of SendNotifyMessage 1 IoCs

Processes:

ammyy.exe

pid	Process
2736	ammyy.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

ammyy.exe

description	pid	Process	procid_target
PID 1084 wrote to memory of 2736	1084	ammyy.exe	29
PID 1084 wrote to memory of 2736	1084	ammyy.exe	29
PID 1084 wrote to memory of 2736	1084	ammyy.exe	29
PID 1084 wrote to memory of 2736	1084	ammyy.exe	29

C:\Users\Admin\AppData\Local\Temp\ammyy.exe
"C:\Users\Admin\AppData\Local\Temp\ammyy.exe"
1⤵
PID:2972

C:\Users\Admin\AppData\Local\Temp\ammyy.exe
"C:\Users\Admin\AppData\Local\Temp\ammyy.exe" -service -lunch
1⤵
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Users\Admin\AppData\Local\Temp\ammyy.exe
  "C:\Users\Admin\AppData\Local\Temp\ammyy.exe"
  2⤵
  - Checks computer location settings
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
cf74b47ee1b7165a2cecf927cd66ff82

SHA1
0f6f1deb28e5df7830c87dec0c7d1f5a2a4fe778

SHA256
b5dcc903b011996f7693518b777323023cd804a5e7d9f3699fa9f584ef1f4373

SHA512
d5df6141910caed04fa670a84db72a8237e2057ca3856710b8f0dbba638ffae8ddc644034761abb4e17aeb4169b79cbe9712fdbc286e975285e58a47362d2850

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
24889d4883d4756c2d4e90fb76a52cea

SHA1
254df222ae6a0111ce2b4ccbca74f5e51e3dcea0

SHA256
260c0ede8f6058fe49a3c8413e633fb6fac530dd1b7b0059ee37cad85097f3b6

SHA512
075ae48a4d3acc445fd63c98c8a2df8018dfef73777756568be35d193c2fcdb3cad8a68f7ff38f13ce249183694c839950c02f28ec54bf97a8fa54e2e7879c54

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
271B

MD5
e4f7224ed356915816bebb715326d18a

SHA1
8b441bb4276212b9e774cba75fdbb723cb68af93

SHA256
74378574282fceda54a869e384dffdf9d7d202d5a1937d781fcc501d6115e93c

SHA512
5a7fc84ea39311ef5277aaf3fa0e207b6e095ec236ea877756da7849d38678b8e73a7bd5ea49ae51ae730adc2a56cd79dd0fc3be63bcbb58ae50f9f030140ba2

Download Submit