flawedammyy | 91e4c3aa21da30e0daaf5c918f8e4c9a66ce5aa70bbb8baaf7b9e4ba5faeccaa

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
03-01-2025 13:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AA_v3.5.exe
Size

751KB
MD5

1fc7c230d6db0d7a0da6f415da271159
SHA1

e0bd10d83bc7b3f1eb628974a8f690ffda6e9351
SHA256

7a836e718b70f586695d1bced9eacfb1aa1b67387b051d0536669754b391fe81
SHA512

96d64cba5bf650066e54bcb84f13aabd1992811963ae2dd3530431e86bbc3230d673545953d35767fbf85f61d86b44170d61200d1ffb4f4945268bfc3a7b1403
SSDEEP

12288:Tc1dZibTD9uOroAgeHvCUt4RtlTc+YNKpQsNvVd1gF:Tcc/DwOrZgeHv54Rt6+YNkQsNmF

Score

10^/10

flawedammyy discovery trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Flawedammyy family
flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\International\Geo\Nation	AA_v3.5.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AA_v3.5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AA_v3.5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AA_v3.5.exe

Modifies data under HKEY_USERS 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	AA_v3.5.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d567366087c6658524c17525377fc5879a802b36b	AA_v3.5.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = bbf696be538b264ede458ac41176c1cedd59a6990608cac3a44719c92c44c43391a5ec9c262fb5a4003e361c497a3b66a7759327a168cc8b2d5620f115e49eecf2eb6ceb935a3e498ba4d1	AA_v3.5.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	AA_v3.5.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	AA_v3.5.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	AA_v3.5.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	AA_v3.5.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2720	AA_v3.5.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2720	AA_v3.5.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 2720	2712	AA_v3.5.exe	31
PID 2712 wrote to memory of 2720	2712	AA_v3.5.exe	31
PID 2712 wrote to memory of 2720	2712	AA_v3.5.exe	31
PID 2712 wrote to memory of 2720	2712	AA_v3.5.exe	31

C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2256

C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe" -service -lunch
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe
  "C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
57607a487e36fdb626ff1f99dd100b9f

SHA1
55f16e08ee3fd08a347ef259493f59f9cef40b87

SHA256
1b5a4a7f539c13e34137c58bb4dd380717d5708958e6d121aa01fc95dd90128e

SHA512
466e23a0934f32255f96aec0ac2eda00accdd784f667f3cf500322fc6a1797d8ae34860b14bdcf2682136e7df37f8f3b8e6875529c4ca8a5f8cbeb5e003e1620

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
75B

MD5
a51880f62a8fecaabca39ed33edb9554

SHA1
dd513d6f2740a90f372ee61b92e609b0cc852953

SHA256
deb009d714cc051eb3c715e31708fed4af093c7ed8e69ce6c66842432278bbde

SHA512
19f321311039474d8c9e79363557951ca2ab1d98609835dfbe5f7f37e964cc2fe0e53ab5caf6e015c4059db43673a672e8e36de7e0a6ab00aab907de932d477b

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
271B

MD5
714f2508d4227f74b6adacfef73815d8

SHA1
a35c8a796e4453c0c09d011284b806d25bdad04c

SHA256
a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480

SHA512
1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

Download Submit