flawedammyy | fc88110016788b8ee65c2c29c6e9fe77132719c0c4d5e0a9a4e2f97bc5f2c0f2

Analysis

max time kernel
94s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-08-2024 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4d11e1d59d067e850a910d0100fa0f0N.exe
Size

772KB
MD5

f4d11e1d59d067e850a910d0100fa0f0
SHA1

d75243d473ef0aea05d1d49d9fe0679f16ccf218
SHA256

fc88110016788b8ee65c2c29c6e9fe77132719c0c4d5e0a9a4e2f97bc5f2c0f2
SHA512

a688af0d16856ce4e030af714fb61d60fa4f893df97895cd0807e29050d5fb128beb6e7b3a66a83f0405800435c31dfe3023da695ea487c4b82b022ddb2b20fe
SSDEEP

12288:LSX+EvrCA3FNIs34Zk1L1ZSNlm3Spsal6lbRtMuStGKcsCSqcl90VasgWP:kFNN4Zk1LTclm3e1kbRtyGKcpHcl5hWP

Score

10^/10

flawedammyy discovery trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

f4d11e1d59d067e850a910d0100fa0f0N.exef4d11e1d59d067e850a910d0100fa0f0N.exef4d11e1d59d067e850a910d0100fa0f0N.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4d11e1d59d067e850a910d0100fa0f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4d11e1d59d067e850a910d0100fa0f0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4d11e1d59d067e850a910d0100fa0f0N.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

f4d11e1d59d067e850a910d0100fa0f0N.exe

description	pid	process	target process
PID 2052 wrote to memory of 2224	2052	f4d11e1d59d067e850a910d0100fa0f0N.exe	f4d11e1d59d067e850a910d0100fa0f0N.exe
PID 2052 wrote to memory of 2224	2052	f4d11e1d59d067e850a910d0100fa0f0N.exe	f4d11e1d59d067e850a910d0100fa0f0N.exe
PID 2052 wrote to memory of 2224	2052	f4d11e1d59d067e850a910d0100fa0f0N.exe	f4d11e1d59d067e850a910d0100fa0f0N.exe

C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe
"C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2872

C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe
"C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe" -service -lunch
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2052

C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe
"C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe"
2⤵
- System Location Discovery: System Language Discovery
PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\settings3.bin

Filesize
342B

MD5
1aac7af5fbaf2605446a73cdd2b760f3

SHA1
e6951d61057eaeafb6a45ee4d0f12671da429669

SHA256
ffa108caefd070fd6a4afc9a30eeb754a671df5a2e7b0285fc511a2ce824ba1e

SHA512
f83414633a3032dc6929f0c5dee1cd7c2f5a9c32f5669eaed8788cc7cee5ab25aeb18d366d21f09544beaedcb8ab26690dc6dd2904a42ec15608c79401c77e19

Download Submit