flawedammyy | 85841700199bb0762518be8266169250ed6a0b4e48e6dfb4e47b8da5c78d12c8

Analysis

max time kernel
150s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2024 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DATA/tv/aa_v3.exe
Size

726KB
MD5

d22d719495f23e38805bbea5df434abb
SHA1

3cfeeb974e65c0ba671d81459d2c6b694d5d4eaf
SHA256

b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20
SHA512

d87670775d222b25b329377c8d26c2a4c88ce6b1aa1d6fc004b95ad93f377fd56fb03e709b4b61b26c4fcf06fe477e42afe9f9715884ea91699548b1e4d4a4c7
SSDEEP

12288:ozJUxbtiiTHRJuEkQO7EwC2ZwFRtAdRXRryd+sq1zsgp:o9oNTHRz/O7rT6FRteRXR2IsqXp

Score

10^/10

flawedammyy discovery trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	aa_v3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	aa_v3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	aa_v3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	aa_v3.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aa_v3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aa_v3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aa_v3.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	aa_v3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	aa_v3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	aa_v3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	aa_v3.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d567366087c6658524c175253f295d27b065eb36b	aa_v3.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 7f632bd7ff2284b15c7b7cdf8f7e3e5064d6c05a4b84c2d06437709b5aea625db01c449eac4bd6ba611f6dc9dba8d2ca0beef4748941da912f9afb1999e877146f3d87082f48465d58dcb9	aa_v3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	aa_v3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	aa_v3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	aa_v3.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1712	aa_v3.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1712	aa_v3.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4284 wrote to memory of 1712	4284	aa_v3.exe	84
PID 4284 wrote to memory of 1712	4284	aa_v3.exe	84
PID 4284 wrote to memory of 1712	4284	aa_v3.exe	84

C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe
"C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:424

C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe
"C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe" -service -lunch
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe
  "C:\Users\Admin\AppData\Local\Temp\DATA\tv\aa_v3.exe"
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
c7a35d29edc326686359b243b14c6ea5

SHA1
74f7d0b8abc3f9846f5c0571541b3101082086fc

SHA256
38a05824da3755ce608d5d34011f4abf3ffcee47c24e65a03bb098140dd2d554

SHA512
a3ea2dfe007cd579ffde3cf08c06d086cf6ca6d5555580eeef14467f7b89e31637eb2c4f4e7b08067f0a9e1cb983750661090380b74a20b53e1e6cdd1e1990a3

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
75B

MD5
72333e9466ce79ee0a19bb917502144a

SHA1
fb88da5ced9fc17ae18d8485f1187d9b6b26a399

SHA256
5e0d9dcda81d108522e9659b2733eb4a8ef5de388e22774e604964e691ee951b

SHA512
495085d6ebc241f63e6dc9617caa40a7b6986faeee2e50d6e4cc248ef6c36f0fc12a9915e2736036f78ff80422588116d886af0ff558ec088b58930287f96cfe

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
271B

MD5
e4f7224ed356915816bebb715326d18a

SHA1
8b441bb4276212b9e774cba75fdbb723cb68af93

SHA256
74378574282fceda54a869e384dffdf9d7d202d5a1937d781fcc501d6115e93c

SHA512
5a7fc84ea39311ef5277aaf3fa0e207b6e095ec236ea877756da7849d38678b8e73a7bd5ea49ae51ae730adc2a56cd79dd0fc3be63bcbb58ae50f9f030140ba2

Download Submit