flawedammyy | bc483e6acdf276b57bb87317962c0091bb1421e61fa3306490b5858eabc61320

General

Target

AA_v31.exe
Size

776KB
MD5

4d4c220362f24e0ba72797572e447795
SHA1

9f902124218892aa5d61594fe7a9d524a7e7cc08
SHA256

bc483e6acdf276b57bb87317962c0091bb1421e61fa3306490b5858eabc61320
SHA512

b4eb3a17efc6626c92446387fc41a1f0c616832a8ea9fe5532fb9869590b8b188c97404de6aba566fd25f126238fe6d45f874659bcc003d2092436142008b9ee
SSDEEP

24576:B3YRddOnSok4fx2j2z5kMNbsRtrxc130jvs:+RenlHx2j2zxlkpj0

Score

10^/10

flawedammyy discovery trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Flawedammyy family
flawedammyy
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

65 2316 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2316 rundll32.exe

flow	pid	process
65	2316	rundll32.exe

Drops file in System32 directory 12 IoCs

Processes:

AA_v31.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	AA_v31.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	AA_v31.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	AA_v31.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	AA_v31.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	AA_v31.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	AA_v31.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\34B6AF881B9D738561FC099B83DF3A01	AA_v31.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	AA_v31.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\34B6AF881B9D738561FC099B83DF3A01	AA_v31.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	AA_v31.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	AA_v31.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	AA_v31.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

AA_v31.exeAA_v31.exeAA_v31.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AA_v31.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AA_v31.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AA_v31.exe

Modifies data under HKEY_USERS 14 IoCs

Processes:

AA_v31.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	AA_v31.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	AA_v31.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	AA_v31.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	AA_v31.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	AA_v31.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	AA_v31.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	AA_v31.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = bb368cafc0de77133ddad64846e91d9c1c5413af9dfb40a0baf0a39cc95d3dd18ec7a60d2105c90c86986661bdd75978641107f8d95d895787afcf65771cbef6338f238c267ad5f9ac20c7	AA_v31.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	AA_v31.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	AA_v31.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe
2316	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeLockMemoryPrivilege 2316 rundll32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AA_v31.exe

pid process

4460 AA_v31.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

AA_v31.exe

pid process

4460 AA_v31.exe

description	pid	process
Token: SeLockMemoryPrivilege	2316	rundll32.exe

pid	process
4460	AA_v31.exe

pid	process
4460	AA_v31.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

AA_v31.exeAA_v31.exe

description	pid	process	target process
PID 2772 wrote to memory of 4460	2772	AA_v31.exe	AA_v31.exe
PID 2772 wrote to memory of 4460	2772	AA_v31.exe	AA_v31.exe
PID 2772 wrote to memory of 4460	2772	AA_v31.exe	AA_v31.exe
PID 4460 wrote to memory of 2316	4460	AA_v31.exe	rundll32.exe
PID 4460 wrote to memory of 2316	4460	AA_v31.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\AA_v31.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v31.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2176

C:\Users\Admin\AppData\Local\Temp\AA_v31.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v31.exe" -service -lunch
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Users\Admin\AppData\Local\Temp\AA_v31.exe
  "C:\Users\Admin\AppData\Local\Temp\AA_v31.exe"
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4460
- - C:\Windows\SYSTEM32\rundll32.exe
    rundll32.exe "C:\ProgramData\AMMYY\aa_nts.dll",run
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\aa_nts.dll

Filesize
902KB

MD5
480a66902e6e7cdafaa6711e8697ff8c

SHA1
6ac730962e7c1dba9e2ecc5733a506544f3c8d11

SHA256
7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

SHA512
7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

Download Submit
C:\ProgramData\AMMYY\aa_nts.log

Filesize
4KB

MD5
80fb0f61659b228ad79b8fa5d4820271

SHA1
267101ee388af0dbfebe799884744749e4c64621

SHA256
e730e2ea1813e92157103a16288cb8b875c627a49ff885fa93f007632cd21d83

SHA512
b2e1486f3d9e550c3389a643c40986a426329f28926a51061879d111aea432f66da5aa6beffcb6564e26212dde5a686a32dfb1478fa9603cfbaa62eb8aebaa96

Download Submit
C:\ProgramData\AMMYY\aa_nts.msg

Filesize
45B

MD5
8e9f5e53ed616f9a6b0e9cd63ddf213b

SHA1
d6a4591cc6ba8e7825cc8e46fc084d59871c72f3

SHA256
bf832bfa5968ca3ffde3343f5f665d031761fad828e72f5e774e0d50cfd52cbc

SHA512
91d834b30719902987ae060e700db0ded85ea6a84c26b57ba81660c7b262771b664f7ef227782f57a9d0fb23f41a832a9a66f4291db197239e34b2d3217a78cc

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
318B

MD5
2b78fbedf64da79335b653dbaff8e0cc

SHA1
88452575315a3124204974bc2b814b675cf8aed9

SHA256
9e5ee2a16ea006220f675a2c3aa215296a1ed6a044dbd6839b20a81f7e915311

SHA512
311bd30acc883e0898fa4c26a5c22e9a9ce0ca1c15d03a97f4b82c04671ec36cc2d8fda7e86aecb3080abda064e9749d5af58ed8926237ba2ee74c7e7170dab3

Download Submit
memory/2316-18-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/2316-39-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/2316-58-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/2316-75-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/2316-92-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/2316-109-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/2316-126-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/2316-142-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads