flawedammyy | 2d068d78cdb398b0804690ba569695a08bf87dc8e91faa56194d6b6309aa9f97

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26-10-2024 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AA_v3.2.exe
Size

722KB
MD5

45c9b54d66cbcc2de89f93e25f368a45
SHA1

2e5265f35f75a50c89e592e127bc80e1e45aa840
SHA256

349f7e00ee29b349b00c32318cb9b829b162167702957295712d37ebbb2a7a9a
SHA512

25c3f1ec6d2e233464090f584777b15f18acfd1cb12124c236680689545ec8208bc364d26d7202e38368dbec34cd824600afb51845df8c9de8c8e83fba8d8b1f
SSDEEP

12288:x2QKNGp2YPjE0d63iVg5Bfi781Rt1hpGqzdpW9eKVQvTPRpsbS5hEgK:xSIp2Ydd6SVcpz1RtXpGadsbShK

Score

10^/10

flawedammyy discovery trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Flawedammyy family
flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AA_v3.2.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\Geo\Nation	AA_v3.2.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

AA_v3.2.exeAA_v3.2.exeAA_v3.2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AA_v3.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AA_v3.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AA_v3.2.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

AA_v3.2.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	AA_v3.2.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	AA_v3.2.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	AA_v3.2.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy	AA_v3.2.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d567366087c695f594c16545357e79d949a78b36b	AA_v3.2.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = a38dd5eb504d4387d6d527259a08a4ccc9fdd39ec54e62397f9323b7ca805adf4fb92e5c4f78a5d55b305cd11dc50c1779e59c8766e5c36237ae89742a894f9a927b3792	AA_v3.2.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AA_v3.2.exe

pid process

1544 AA_v3.2.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

AA_v3.2.exe

pid process

1544 AA_v3.2.exe

pid	process
1544	AA_v3.2.exe

pid	process
1544	AA_v3.2.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

AA_v3.2.exe

description	pid	process	target process
PID 2396 wrote to memory of 1544	2396	AA_v3.2.exe	AA_v3.2.exe
PID 2396 wrote to memory of 1544	2396	AA_v3.2.exe	AA_v3.2.exe
PID 2396 wrote to memory of 1544	2396	AA_v3.2.exe	AA_v3.2.exe
PID 2396 wrote to memory of 1544	2396	AA_v3.2.exe	AA_v3.2.exe

C:\Users\Admin\AppData\Local\Temp\AA_v3.2.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v3.2.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2552

C:\Users\Admin\AppData\Local\Temp\AA_v3.2.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v3.2.exe" -service -lunch
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Local\Temp\AA_v3.2.exe
  "C:\Users\Admin\AppData\Local\Temp\AA_v3.2.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
3b0cc7752410d275357315c8b1976c21

SHA1
f94362169acc2ff2c5021fa86efc973452a12006

SHA256
d1a224f8335e50def11d28e8d2300a7294307b4047433a6b7c5cb4750ac6f718

SHA512
269b6315a3500b67ed8ea117cbd4350e91353db715853f11f26bf8050dd6482fa314f76fe4265996b6bde1466575f875e3a667c560ced657142ae67ce4dd38c9

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
b07a2e2b969c2598f4602d5d3e5ac444

SHA1
a669877546d7d2dbdf5fdb82b1645d4e3c21f8e1

SHA256
d271f1b2d6f4bef0d134edfeebb1a2ff1a701c323df7c66023531ccd3fc99df7

SHA512
e14a0b30056a499e6b289481b7f9dba620ad4d89375e9ab26213293a1758d1493f63529692223420586378007755be742315f8dc83313f6064d3883e64d6896a

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
270B

MD5
6910d9160b66c4395f587a279e80f132

SHA1
54949c04c8c0970aa5e2d3fb2912318daab97b98

SHA256
72d44ac6019d486fc1a58334ff8ed692de0a9ed96de3142638c71376ceade87c

SHA512
82967a8bdbad58f2a81d063c84294153dbdd86322d4b6e3631122530dc7f00fd209ed1d2b0683eb60f726fd3d6f93c7615bd1d0d1fa1f5441119d0e5007582b9

Download Submit