flawedammyy | 74656a65e96590a2734384bf89cb9ff677dcedff5f6e937d350b9f46ec52cd0a

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2024 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ammyy.exe
Size

748KB
MD5

3b4ed97de29af222837095a7c411b8a1
SHA1

ea003f86db4cf74e4348e7e43e4732597e04db96
SHA256

74656a65e96590a2734384bf89cb9ff677dcedff5f6e937d350b9f46ec52cd0a
SHA512

2e1d1365163b08310e5112063be8ebd0ec1aa8c20a0872eef021978d6eb04a7b3d50af0a6472c246443585e665df2daa1e1a44a166780a8bf01de098a016e572
SSDEEP

12288:3VFUEuNmwvGrw9i0aTGRGicBckyyFRtWY1i3FTsvOVVUg0:XUEUUw9RaTNicBrPFRtJ1iVTsCZ0

Score

10^/10

flawedammyy discovery trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Flawedammyy family
flawedammyy

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	Ammyy.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	Ammyy.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	Ammyy.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	Ammyy.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ammyy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ammyy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ammyy.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	Ammyy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	Ammyy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	Ammyy.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d567366087c6658524c175253dd12f584e674b36b	Ammyy.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = ec055d63620b88921cc6d109315a218f2632657ace360027a179d18824ed1df67250b97ce75d654abb4b46ca55d945c0931debff7e30955132993778c9fe61974c45f62dbe1369283635fb	Ammyy.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	Ammyy.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	Ammyy.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	Ammyy.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	Ammyy.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4012	Ammyy.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4012	Ammyy.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4640 wrote to memory of 4012	4640	Ammyy.exe	87
PID 4640 wrote to memory of 4012	4640	Ammyy.exe	87
PID 4640 wrote to memory of 4012	4640	Ammyy.exe	87

C:\Users\Admin\AppData\Local\Temp\Ammyy.exe
"C:\Users\Admin\AppData\Local\Temp\Ammyy.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:832

C:\Users\Admin\AppData\Local\Temp\Ammyy.exe
"C:\Users\Admin\AppData\Local\Temp\Ammyy.exe" -service -lunch
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4640
- C:\Users\Admin\AppData\Local\Temp\Ammyy.exe
  "C:\Users\Admin\AppData\Local\Temp\Ammyy.exe"
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
7ef116c734602ee471aeb0a2cd32b929

SHA1
b4140cb74f4813a7be6b7d7c3f6f22551846033b

SHA256
f28b4aa8f43ef9fb1552d7ef86164a59c3bb60168c3091dc90d96e3720e81d2b

SHA512
c5cceb852d17f1ec908cfc5c341fb2a56ca5b9121cc1c7d1ef78ffc0969e6f2f5a9ab01af1935fd10fc78294b7bd151b50505c103c6ca700567b12d97d01df0f

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
75B

MD5
650c3d2535689882537df00c39395090

SHA1
c90bba351ad42ca5f270a3d43d4439ca7851a38b

SHA256
305bfb615be5135d5079ebd756739c9e4507033fa70f30108f45cba369ffb629

SHA512
7a8a0fc0d113707f41e0e3f62eccc0a605c634888f95a0be0f21e1325573246e50930dcafd0debb40fc22460000812034668632e9b76f8ab9e32aceba6874df6

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
307B

MD5
f795d65e68db37483dc74e692495e0b5

SHA1
e021c93cc3604b1b8fe1b0fe9de76bc68fa529ae

SHA256
812d72aab775a459c3a30e847c5a6dec7eb6772e81ea65e09e4ca08b89e08787

SHA512
4573e027414e4c25b4e7419bdad607f93c642f4acec6a66db05bc54fcc6593dba9c34059ab6d5b1bec71b4a3fe5b369513656302776a6f3b2691c3ef61ab3e68

Download Submit