flawedammyy | cbfa0f481fd6ba911deb771cc7b9d4ac3596bfc28675061dda70a9239b10d442

General

Target

0498fcaffbcc80f86c8a6cb1ef655b9713bd96e2d08af2468570d087caa53ff7.exe
Size

792KB
MD5

69a8ed0b8edc940968f8535c20b4bbe4
SHA1

3557d87e895d994b7099c428b20f9088475194b5
SHA256

0498fcaffbcc80f86c8a6cb1ef655b9713bd96e2d08af2468570d087caa53ff7
SHA512

2e9f95743410ed2b98a022bd40f3a3bc126312a298cac7ef3dca5ce26126d4cc70c706798cabf11f1389da2605d584755872a0ad6f1ed6f210ed178b846c65da
SSDEEP

24576:uGFJJ/K/F/kpt3X8je6GrHtzRtO7GvmDgezU:uGTJ/o/u8jefyl3A

Score

10^/10

flawedammyy bootkit discovery persistence trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\Geo\Nation	0498fcaffbcc80f86c8a6cb1ef655b9713bd96e2d08af2468570d087caa53ff7.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	0498fcaffbcc80f86c8a6cb1ef655b9713bd96e2d08af2468570d087caa53ff7.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0498fcaffbcc80f86c8a6cb1ef655b9713bd96e2d08af2468570d087caa53ff7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0498fcaffbcc80f86c8a6cb1ef655b9713bd96e2d08af2468570d087caa53ff7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0498fcaffbcc80f86c8a6cb1ef655b9713bd96e2d08af2468570d087caa53ff7.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	0498fcaffbcc80f86c8a6cb1ef655b9713bd96e2d08af2468570d087caa53ff7.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	0498fcaffbcc80f86c8a6cb1ef655b9713bd96e2d08af2468570d087caa53ff7.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	0498fcaffbcc80f86c8a6cb1ef655b9713bd96e2d08af2468570d087caa53ff7.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 901cc6743f1e2d361bc9418c40e98bda247db0a2a75d5e385e80331d92d7311927bf2cec4e01ab45d01375a590986c20f1a5436acbcb58c18e2dd26d248c6e7a9eb5d0bb5e245c83b4506d1f	0498fcaffbcc80f86c8a6cb1ef655b9713bd96e2d08af2468570d087caa53ff7.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	0498fcaffbcc80f86c8a6cb1ef655b9713bd96e2d08af2468570d087caa53ff7.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	0498fcaffbcc80f86c8a6cb1ef655b9713bd96e2d08af2468570d087caa53ff7.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1476	0498fcaffbcc80f86c8a6cb1ef655b9713bd96e2d08af2468570d087caa53ff7.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1476	0498fcaffbcc80f86c8a6cb1ef655b9713bd96e2d08af2468570d087caa53ff7.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 1476	2536	0498fcaffbcc80f86c8a6cb1ef655b9713bd96e2d08af2468570d087caa53ff7.exe	31
PID 2536 wrote to memory of 1476	2536	0498fcaffbcc80f86c8a6cb1ef655b9713bd96e2d08af2468570d087caa53ff7.exe	31
PID 2536 wrote to memory of 1476	2536	0498fcaffbcc80f86c8a6cb1ef655b9713bd96e2d08af2468570d087caa53ff7.exe	31
PID 2536 wrote to memory of 1476	2536	0498fcaffbcc80f86c8a6cb1ef655b9713bd96e2d08af2468570d087caa53ff7.exe	31

C:\Users\Admin\AppData\Local\Temp\0498fcaffbcc80f86c8a6cb1ef655b9713bd96e2d08af2468570d087caa53ff7.exe
"C:\Users\Admin\AppData\Local\Temp\0498fcaffbcc80f86c8a6cb1ef655b9713bd96e2d08af2468570d087caa53ff7.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
PID:1464

C:\Users\Admin\AppData\Local\Temp\0498fcaffbcc80f86c8a6cb1ef655b9713bd96e2d08af2468570d087caa53ff7.exe
"C:\Users\Admin\AppData\Local\Temp\0498fcaffbcc80f86c8a6cb1ef655b9713bd96e2d08af2468570d087caa53ff7.exe" -service -lunch
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Users\Admin\AppData\Local\Temp\0498fcaffbcc80f86c8a6cb1ef655b9713bd96e2d08af2468570d087caa53ff7.exe
  "C:\Users\Admin\AppData\Local\Temp\0498fcaffbcc80f86c8a6cb1ef655b9713bd96e2d08af2468570d087caa53ff7.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\settings3.bin

Filesize
502B

MD5
f838d1578bc4d82548905dace1b90da5

SHA1
b8af4026c5929865ec38d625a36255c75e9275e3

SHA256
095180d4e0c40b34a0f837f7f053b6a8daaf1f710eda6a38c4ec17598e5df8d3

SHA512
ebd35ccb3167b4ee0dc015f8314c506035d8590722244833d199669264de0429983ff778d85a5b7e797c683d6b87c27f8a5fb710e21b5372df623ed826eaa89b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads