flawedammyy | d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605

Analysis

max time kernel
150s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-10-2024 21:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa.exe
Size

762KB
MD5

e9b569f7cbf23d91df065c18f4c43840
SHA1

5d7cb1a2ca7db04edf23dd3ed41125c8c867b0ad
SHA256

d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605
SHA512

a9f01663b0c0ce9d30bd6760847bf3c18318801634145ec75e047019a8e8a9b13ea8122449b8f45ad40b63d4551cb85230df1b41a41ddc33a39cfcf2ec237ccb
SSDEEP

12288:kX5PFc+E0SlpOvcC1KL/q/IZVURtCdshX5x8jR31QEY0VEoge:2P++ZSlpOUC1KT4+URtYshX5aRlQEYte

Score

10^/10

flawedammyy discovery trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\International\Geo\Nation	aa.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aa.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	aa.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy	aa.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = c6324cc1a3d84dcc557f346efbb189da7741ca5d271affd9ea9c013a581f09ce0344e59d6f06abaa4de5f11f6a0ab52bfaab79336886f0753999e498febf6f780bd90f57cdbe8e7db66d6e	aa.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	aa.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	aa.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2412	aa.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2412	aa.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2412	3060	aa.exe	31
PID 3060 wrote to memory of 2412	3060	aa.exe	31
PID 3060 wrote to memory of 2412	3060	aa.exe	31
PID 3060 wrote to memory of 2412	3060	aa.exe	31

C:\Users\Admin\AppData\Local\Temp\aa.exe
"C:\Users\Admin\AppData\Local\Temp\aa.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2640

C:\Users\Admin\AppData\Local\Temp\aa.exe
"C:\Users\Admin\AppData\Local\Temp\aa.exe" -service -lunch
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Users\Admin\AppData\Local\Temp\aa.exe
  "C:\Users\Admin\AppData\Local\Temp\aa.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\settings3.bin

Filesize
274B

MD5
bcc40b676c5b0f5a176be92cc8f4199f

SHA1
5415364e6ab90151eb1272268cb75ef6c4306a2f

SHA256
d3df407118bd28d28e7d3c8afc497c5e478e5d078f7792501ddecb45f3b51826

SHA512
467c473be5b9f6e0b8302620b6fbd9ad84f90da2bae3247d8326a22bfdd902fd79e55a2160493903eb747db6ef38fc9decb3db372afa26667f374ca2d0ceb36d

Download Submit