ammyyadmin | 56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0

General

Target

56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
Size

755KB
MD5

206a9c8f94cc386e8828a667e1b57950
SHA1

3c9731cd31ec8b75962502aaa042bb1f8e51ed2e
SHA256

56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0
SHA512

5172219a65f6e8dbbadf9c833e3aebe498c6b2ed3b90f419b051f6ad47f0ab40a4b67681759caa531669cb774f34cfee993a660e65576233f1db01f3b11b4766
SSDEEP

12288:XVFUEuNmwvGrw9i0aTGRGicBckyyFRtWY1i3FTsvOVV0gz:3UEUUw9RaTNicBrPFRtJ1iVTsC5z

Score

10^/10

ammyyadmin flawedammyy discovery rat trojan

Malware Config

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1744-0-0x0000000000400000-0x00000000004D3000-memory.dmp	family_ammyyadmin
behavioral1/memory/2152-5-0x0000000000400000-0x00000000004D3000-memory.dmp	family_ammyyadmin
behavioral1/memory/1080-7-0x0000000000400000-0x00000000004D3000-memory.dmp	family_ammyyadmin
behavioral1/memory/1744-8-0x0000000000400000-0x00000000004D3000-memory.dmp	family_ammyyadmin
behavioral1/memory/2152-13-0x0000000000400000-0x00000000004D3000-memory.dmp	family_ammyyadmin

Ammyyadmin family
ammyyadmin
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Flawedammyy family
flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\Geo\Nation	56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe

Modifies data under HKEY_USERS 7 IoCs

Processes:

56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d567366087c6658524c175253b77202700b72b36b	56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = c60ac101f372f2142d875b9e0e51d85e50a5fcc63d64eb3091927e5273018fedf5382fb2ce57d1ed67aa0da12573964ee6cb83ec33940c7adca4a0b835708f42cb7f265d509a204f8265a7	56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe

pid process

2152 56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe

pid process

2152 56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe

pid	process
2152	56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe

pid	process
2152	56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe

description	pid	process	target process
PID 1080 wrote to memory of 2152	1080	56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe	56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
PID 1080 wrote to memory of 2152	1080	56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe	56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
PID 1080 wrote to memory of 2152	1080	56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe	56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
PID 1080 wrote to memory of 2152	1080	56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe	56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe

C:\Users\Admin\AppData\Local\Temp\56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
"C:\Users\Admin\AppData\Local\Temp\56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1744

C:\Users\Admin\AppData\Local\Temp\56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
"C:\Users\Admin\AppData\Local\Temp\56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe" -service -lunch
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Users\Admin\AppData\Local\Temp\56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
  "C:\Users\Admin\AppData\Local\Temp\56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
d34addee709930558d2fe3e58df57469

SHA1
b47d58ef9752d2a35c871f076f49dc5fe6851b22

SHA256
ee6ecf37491e8219713ced02bc16f99491c509000a570c26cae66feed42561d7

SHA512
3d253d31a959c54f33fb0fbdc091c2285a5398bf14e1347ff2270603d8880080dcde0d882cadb6ca7c5acced13d817d7eb8fbb22fadbefb8196ac9b231fd6df6

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
75B

MD5
f8aded0a64a25fc0204b48212a89861e

SHA1
3b3ef3b26afd73e8f1024237c6db552fd7b84682

SHA256
b5bf3c1bac8ad27995474029437d5e7bb0b4f6d518f85c01bc4283900ff85ad2

SHA512
f9ce2b93badc61f348e277e47b7234484d37eee571ed6c72e2b7877f90a8b3e95ee07494e2a674c59e331dd36e25317f362fc193e45cff70144a9b40d3bd6df5

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
271B

MD5
714f2508d4227f74b6adacfef73815d8

SHA1
a35c8a796e4453c0c09d011284b806d25bdad04c

SHA256
a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480

SHA512
1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

Download Submit
memory/1080-4-0x00000000012F0000-0x00000000013C3000-memory.dmp

Filesize
844KB

Download
memory/1080-7-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/1744-0-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/1744-8-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/2152-5-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/2152-13-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads