flawedammyy | d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605

General

Target

d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe
Size

762KB
MD5

e9b569f7cbf23d91df065c18f4c43840
SHA1

5d7cb1a2ca7db04edf23dd3ed41125c8c867b0ad
SHA256

d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605
SHA512

a9f01663b0c0ce9d30bd6760847bf3c18318801634145ec75e047019a8e8a9b13ea8122449b8f45ad40b63d4551cb85230df1b41a41ddc33a39cfcf2ec237ccb
SSDEEP

12288:kX5PFc+E0SlpOvcC1KL/q/IZVURtCdshX5x8jR31QEY0VEoge:2P++ZSlpOUC1KT4+URtYshX5aRlQEYte

Score

10^/10

flawedammyy discovery trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\Geo\Nation	d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exed67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exed67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy	d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = bb148b3a224e1a9695d92e5261aef73160acf9137dbf1f75892187eaa2ce6fc91a791a2b1b799a33c55161323ef8407e83a51ba90f3dece3e8e5422d313a2fede531db0da95d66845e4718	d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe

pid process

2344 d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe

pid process

2344 d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe

pid	process
2344	d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe

pid	process
2344	d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe

description	pid	process	target process
PID 2080 wrote to memory of 2344	2080	d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe	d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe
PID 2080 wrote to memory of 2344	2080	d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe	d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe
PID 2080 wrote to memory of 2344	2080	d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe	d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe
PID 2080 wrote to memory of 2344	2080	d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe	d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe

C:\Users\Admin\AppData\Local\Temp\d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe
"C:\Users\Admin\AppData\Local\Temp\d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1852

C:\Users\Admin\AppData\Local\Temp\d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe
"C:\Users\Admin\AppData\Local\Temp\d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe" -service -lunch
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\AppData\Local\Temp\d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe
  "C:\Users\Admin\AppData\Local\Temp\d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\settings3.bin

Filesize
274B

MD5
bcc40b676c5b0f5a176be92cc8f4199f

SHA1
5415364e6ab90151eb1272268cb75ef6c4306a2f

SHA256
d3df407118bd28d28e7d3c8afc497c5e478e5d078f7792501ddecb45f3b51826

SHA512
467c473be5b9f6e0b8302620b6fbd9ad84f90da2bae3247d8326a22bfdd902fd79e55a2160493903eb747db6ef38fc9decb3db372afa26667f374ca2d0ceb36d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads