flawedammyy | 74656a65e96590a2734384bf89cb9ff677dcedff5f6e937d350b9f46ec52cd0a

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31-10-2024 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ammyy.exe
Size

748KB
MD5

3b4ed97de29af222837095a7c411b8a1
SHA1

ea003f86db4cf74e4348e7e43e4732597e04db96
SHA256

74656a65e96590a2734384bf89cb9ff677dcedff5f6e937d350b9f46ec52cd0a
SHA512

2e1d1365163b08310e5112063be8ebd0ec1aa8c20a0872eef021978d6eb04a7b3d50af0a6472c246443585e665df2daa1e1a44a166780a8bf01de098a016e572
SSDEEP

12288:3VFUEuNmwvGrw9i0aTGRGicBckyyFRtWY1i3FTsvOVVUg0:XUEUUw9RaTNicBrPFRtJ1iVTsCZ0

Score

10^/10

flawedammyy discovery trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Flawedammyy family
flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Control Panel\International\Geo\Nation	Ammyy.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ammyy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ammyy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ammyy.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy	Ammyy.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d567366087c6658524c175253c7f6b721e774b36b	Ammyy.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 07fae5669b6c715109dad64846e91d9c1c5413af9dfb40a0baf0a39cc95d3dd18ec7a60d2105c90c86986661bdd75978641107f8f157c6295edb7fed81e746a71004a61ac84aef302f7de6	Ammyy.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Ammyy.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	Ammyy.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	Ammyy.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2316	Ammyy.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2316	Ammyy.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2316	2272	Ammyy.exe	31
PID 2272 wrote to memory of 2316	2272	Ammyy.exe	31
PID 2272 wrote to memory of 2316	2272	Ammyy.exe	31
PID 2272 wrote to memory of 2316	2272	Ammyy.exe	31

C:\Users\Admin\AppData\Local\Temp\Ammyy.exe
"C:\Users\Admin\AppData\Local\Temp\Ammyy.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2516

C:\Users\Admin\AppData\Local\Temp\Ammyy.exe
"C:\Users\Admin\AppData\Local\Temp\Ammyy.exe" -service -lunch
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Users\Admin\AppData\Local\Temp\Ammyy.exe
  "C:\Users\Admin\AppData\Local\Temp\Ammyy.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
41e3dc19e5771c93f359bebfcb5ecaa3

SHA1
d4f9ff60d7d1628cfc6462a7c064c6c0ae6fea9f

SHA256
42e05e89949ee50fe963c54b57cb84b4b421805ebe1bcae44e7e802d6ce2b79f

SHA512
6ce984d5ae0f53ee27832ce14caa295f56770e9f0e807f1fbc585963cca209a980c929098a3f59a78f677971f2cec30a49bad7555bf2b3aa758e8bb4f88c2590

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
75B

MD5
b0d5434c9cfe5177d1c10ec3e64728bc

SHA1
ed1d4391a584083b97cffc33342f5ba001b6a36c

SHA256
87386d7d3d05c27b3357e5a93fbc53a59327a97f2e95ab187efed2119e203f50

SHA512
ef0c8851a3bb8587c3f6cc688bd6a1a94b946cf55bc09a577c2e2adcf802770afa0e36d563c1afedfccde388231404f5f209c5ff99f61d2cce36551b18948eaf

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
307B

MD5
f795d65e68db37483dc74e692495e0b5

SHA1
e021c93cc3604b1b8fe1b0fe9de76bc68fa529ae

SHA256
812d72aab775a459c3a30e847c5a6dec7eb6772e81ea65e09e4ca08b89e08787

SHA512
4573e027414e4c25b4e7419bdad607f93c642f4acec6a66db05bc54fcc6593dba9c34059ab6d5b1bec71b4a3fe5b369513656302776a6f3b2691c3ef61ab3e68

Download Submit