flawedammyy | 2a7646bb36e0dde61f701dc12445d281bd4600dd64de349d25b8b86f62dd32cc

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-11-2024 23:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AA_v3.exe
Size

774KB
MD5

79910ca3e3418acca4fa2f2e16bac1a3
SHA1

e2619c3d2580aa37c579835fdd3c5efee3f22412
SHA256

7aeab9459e2a833d56e474a23ab56bc66645a89ff8ef175050d8b0bed74d090e
SHA512

0e5ae373f2c1f9c8ba03338c2b5c520c6c1b1fa6ad38bcfa52f926634e1f65fac1cbd50af96c6e4d873424c38a1dd4c985d5fdc5de12a5827c76852340bffb5a
SSDEEP

12288:/Xe1Z2fJipMHEgSeA6M7kmchJGvRuORtcE9qTpy+Yg0HkV+QgM:ftkmHEgSewkmchJGsORtn9qT8+Yg03FM

Score

10^/10

flawedammyy discovery trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Flawedammyy family
flawedammyy

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow	pid	Process
51	1316	rundll32.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid	Process
1316	rundll32.exe

Drops file in System32 directory 12 IoCs

Processes:

AA_v3.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	AA_v3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	AA_v3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	AA_v3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	AA_v3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	AA_v3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	AA_v3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	AA_v3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\34B6AF881B9D738561FC099B83DF3A01	AA_v3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\34B6AF881B9D738561FC099B83DF3A01	AA_v3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	AA_v3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	AA_v3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	AA_v3.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

AA_v3.exeAA_v3.exeAA_v3.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AA_v3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AA_v3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AA_v3.exe

Modifies data under HKEY_USERS 14 IoCs

Processes:

AA_v3.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	AA_v3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	AA_v3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	AA_v3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	AA_v3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	AA_v3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	AA_v3.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	AA_v3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	AA_v3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	AA_v3.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 1e9dc1324ca18b66717584b144f65679d920ac9015f1d85018265def1e3d9c20362d21916ddea322cda8eed0cbb6d3b53b66e4549eacc49bf930118f59566bc2483edd60b9df973d3c1c54	AA_v3.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	AA_v3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	AA_v3.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	AA_v3.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	AA_v3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	Process
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe
1316	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description	pid	Process
Token: SeLockMemoryPrivilege	1316	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AA_v3.exe

pid	Process
1740	AA_v3.exe

Suspicious use of SendNotifyMessage 1 IoCs

Processes:

AA_v3.exe

pid	Process
1740	AA_v3.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

AA_v3.exeAA_v3.exe

description	pid	Process	procid_target
PID 1924 wrote to memory of 1740	1924	AA_v3.exe	84
PID 1924 wrote to memory of 1740	1924	AA_v3.exe	84
PID 1924 wrote to memory of 1740	1924	AA_v3.exe	84
PID 1740 wrote to memory of 1316	1740	AA_v3.exe	100
PID 1740 wrote to memory of 1316	1740	AA_v3.exe	100

C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3532

C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe" -service -lunch
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
  "C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\SYSTEM32\rundll32.exe
    rundll32.exe "C:\ProgramData\AMMYY\aa_nts.dll",run
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\aa_nts.dll

Filesize
902KB

MD5
480a66902e6e7cdafaa6711e8697ff8c

SHA1
6ac730962e7c1dba9e2ecc5733a506544f3c8d11

SHA256
7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

SHA512
7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

Download Submit
C:\ProgramData\AMMYY\aa_nts.log

Filesize
4KB

MD5
2da4924a9de09419b9fb666b22a3607d

SHA1
9d09e763cc05fc9a98abab30a54d45372a1fa981

SHA256
64119f1587d1a0d62ef12923f76a37b59aa8d97c70a2e5e75107d95f6e30aca0

SHA512
763c4038339b40c0bc5533d36c5c23c74a3ac7a4d30c6c7dd021ea22e9ff491c101f30ba1322897a29167c334810a668f05ac9c5fa2e9f09cef0587ef8f702c1

Download Submit
C:\ProgramData\AMMYY\aa_nts.msg

Filesize
45B

MD5
f5d867c23b8cac17baecc8cd2ac118b9

SHA1
ab0da5d10496611ae18f28822c32507aa531dfc4

SHA256
52ebeac5f05e8e12afb680e5e291b41a440cc7dbb812fddd075b6f7586c4fd2b

SHA512
1a067037fb1a8f6782681902e6dc391e399c5caf3e430bdacc30d2cd36985d4eff72359d676e7799dbac3f2f58f697181934a67af18a366cb58a69e6f56e837d

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
280B

MD5
542835956a0ff5490c297efa14b3c1d3

SHA1
433d62823acc56546a2389b814067cc0771ac8dc

SHA256
06d265cab42ce567749866bfbc9378f018101196cbea28cddc1ecd2e0b42fa87

SHA512
34384f243c7c04a761fa24288f65ff5ea6b9115a53ddecaf9707b11b700cdd3113a06eb9c11b7c7f69771352ca81d0a014825b2b515ae88557f6dfef94bb8414

Download Submit
memory/1316-17-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/1316-33-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/1316-44-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/1316-56-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/1316-73-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/1316-88-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/1316-102-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/1316-117-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download