flawedammyy | 8b381baebf88af5144c87426fcc206d4d292f7aa801baa80c0304d15ab07a3c9

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
11/02/2025, 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AA_v3.exe
Size

798KB
MD5

90aadf2247149996ae443e2c82af3730
SHA1

050b7eba825412b24e3f02d76d7da5ae97e10502
SHA256

ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
SHA512

eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be
SSDEEP

24576:Uj0JJ4p/A4npt3XojeQG5EtzRtO7GvmDguXd:UjoJ4u4zojegylDN

Score

10^/10

flawedammyy bootkit discovery persistence trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Flawedammyy family
flawedammyy

Blocklisted process makes network request 1 IoCs

flow	pid	Process
58	4348	rundll32.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
31	1944	Process not Found

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-895555807-3853795127-2958627047-1000\Control Panel\International\Geo\Nation	AA_v3.exe

Loads dropped DLL 1 IoCs

pid	Process
4348	rundll32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	AA_v3.exe
File opened for modification	\??\PhysicalDrive0	AA_v3.exe

Drops file in System32 directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	AA_v3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751	AA_v3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751	AA_v3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	AA_v3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	AA_v3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	AA_v3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	AA_v3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	AA_v3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CCEC92414B6E1024FB3D94B5519ECEC5	AA_v3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	AA_v3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	AA_v3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	AA_v3.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CCEC92414B6E1024FB3D94B5519ECEC5	AA_v3.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AA_v3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AA_v3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AA_v3.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2136	MicrosoftEdgeUpdate.exe

Modifies data under HKEY_USERS 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	AA_v3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	AA_v3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	AA_v3.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	AA_v3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	AA_v3.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	AA_v3.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 7b943dafe9458ff9a89ddd17d6ed25c5cffe176aa28c71a87cdc5942c832e8deaa2749cbcb8516760e20a588ebc9beebccdf06af44837cd8434d44a3c884f6ff7afc05da383788bea28411	AA_v3.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	AA_v3.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	AA_v3.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	AA_v3.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	AA_v3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe
4348	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4348	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4948	AA_v3.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
4948	AA_v3.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 4948	2372	AA_v3.exe	87
PID 2372 wrote to memory of 4948	2372	AA_v3.exe	87
PID 2372 wrote to memory of 4948	2372	AA_v3.exe	87
PID 4948 wrote to memory of 4348	4948	AA_v3.exe	100
PID 4948 wrote to memory of 4348	4948	AA_v3.exe	100

C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
PID:4196

C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe" -service -lunch
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
  "C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
  2⤵
  - Checks computer location settings
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4948
- - C:\Windows\SYSTEM32\rundll32.exe
    rundll32.exe "C:\ProgramData\AMMYY\aa_nts.dll",run
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4348

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RjQwMzRGQTUtRTU2NC00Qzg3LUI4RkEtMTg3NEMyMkM4QzkxfSIgdXNlcmlkPSJ7OTMzREFCOTEtMENCMi00M0M1LUI5QjctRUMxNDdDRDlEOTFGfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7ODRGRDgzMkEtMUZGQy00OTMyLTk2NTAtNThEMEIyNzc3NTZEfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIzIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY4MzAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTE0Njg3NjAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0NzYyMDA1ODkwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\aa_nts.dll

Filesize
902KB

MD5
480a66902e6e7cdafaa6711e8697ff8c

SHA1
6ac730962e7c1dba9e2ecc5733a506544f3c8d11

SHA256
7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

SHA512
7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

Download Submit
C:\ProgramData\AMMYY\aa_nts.log

Filesize
4KB

MD5
093a85a04d393378455c39f3bf80ea36

SHA1
5c892c2da7882c482a2a72a21c5caefc1ea7c488

SHA256
b1a8284743b1721c17ea2f4cee0cdddfd9477fecc2fd5d4cab06fe129c263ffe

SHA512
1f074af5bc1e71c25c6c7633d85a97e188bfb65e32133f263597bd8925a4171f875a566101030718dd96907d31c38967c7273fa92d7525db73e12b2ab861cf1f

Download Submit
C:\ProgramData\AMMYY\aa_nts.msg

Filesize
46B

MD5
76038623e270f399769df67a3ed15c16

SHA1
ebf7d7537f45738be48e6f64d59c846b13fb4334

SHA256
4dbdf4f709d50f9521e92ce5f7d4f305e2384bcda387fb2b325ff17d205bb687

SHA512
a5316694d844e5b10c589f58fdf65645568b3909b2914f85c99195f9625e4124f787bc0980cff98f1e8289ff84824620a03f32cdab18e5bbcb2e59b33f397aec

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
334B

MD5
d29eba8fab04b6c3c698ba81773e82e9

SHA1
a1e58ef697b043a73b0df50a6e5652d427c2b6b1

SHA256
4eb939d4ed4a4a9adb07da535cfd17676d82d41f5c80f8c6105652d8394ac993

SHA512
5bbf90187e2e2a4acc7966c15addcadaa42d0d8f6cf0fd0996cb2bbd53c381b45ba18546c6e29c671833dd3cb65230e4b1ff5746e9163e8980eb5ffb6c4ee678

Download Submit
memory/4348-20-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/4348-43-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/4348-61-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/4348-78-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/4348-90-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/4348-105-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download
memory/4348-122-0x0000000064200000-0x00000000642EE000-memory.dmp

Filesize
952KB

Download