flawedammyy | 74656a65e96590a2734384bf89cb9ff677dcedff5f6e937d350b9f46ec52cd0a

Analysis

max time kernel
150s
max time network
141s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/02/2025, 08:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ammyy.exe
Size

748KB
MD5

3b4ed97de29af222837095a7c411b8a1
SHA1

ea003f86db4cf74e4348e7e43e4732597e04db96
SHA256

74656a65e96590a2734384bf89cb9ff677dcedff5f6e937d350b9f46ec52cd0a
SHA512

2e1d1365163b08310e5112063be8ebd0ec1aa8c20a0872eef021978d6eb04a7b3d50af0a6472c246443585e665df2daa1e1a44a166780a8bf01de098a016e572
SSDEEP

12288:3VFUEuNmwvGrw9i0aTGRGicBckyyFRtWY1i3FTsvOVVUg0:XUEUUw9RaTNicBrPFRtJ1iVTsCZ0

Score

10^/10

flawedammyy discovery trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Flawedammyy family
flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Control Panel\International\Geo\Nation	Ammyy.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ammyy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ammyy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ammyy.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	Ammyy.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	Ammyy.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	Ammyy.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy	Ammyy.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d567366087c6658524c175253a76e1d464adab36b	Ammyy.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = ca837bc636637828846b1bd1d2e29913af0619c8af55a2fd9c2fccf836ee9b47ab42adbb4eb9c079885632953b6aac2cc42ae9c60a637d49cbcd29ad6ab4e3dc0af1f9d870e219131312a8	Ammyy.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1988	Ammyy.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1988	Ammyy.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 1988	2420	Ammyy.exe	31
PID 2420 wrote to memory of 1988	2420	Ammyy.exe	31
PID 2420 wrote to memory of 1988	2420	Ammyy.exe	31
PID 2420 wrote to memory of 1988	2420	Ammyy.exe	31

C:\Users\Admin\AppData\Local\Temp\Ammyy.exe
"C:\Users\Admin\AppData\Local\Temp\Ammyy.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1940

C:\Users\Admin\AppData\Local\Temp\Ammyy.exe
"C:\Users\Admin\AppData\Local\Temp\Ammyy.exe" -service -lunch
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\Ammyy.exe
  "C:\Users\Admin\AppData\Local\Temp\Ammyy.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
544657f19ce07f5e9764a341b2ffef05

SHA1
5dab63f2a10c7b8b40f7bd9b96e7a143f59422b0

SHA256
7515a84b39e1f254fb39279b2bd68e6ff93cb6e1205390d66f23693dd40dd0bb

SHA512
5739a8529e96ae2580098bf18cceb90a432d2d7052ceb85e18d4864926f79b35aa94b177a09d906f68a4cf53cba6459e78f4591e5f27dac6d0b60c511b0fb63b

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
75B

MD5
945beaaa3877b1a077591e10cc6098c7

SHA1
a4a037e87066096df6ad784d7bee3a08fc3e86ee

SHA256
6e4dca2dfc8149faa276873a51d011e3a7c1a9d8cf4d6c0393b89b535489904e

SHA512
1aa60be5bf44e93555683002612cce5a0aed0862fb3b05b965c2f5f64ea3bac907286775404b0d59dc54f2c2727aac5609bc64dae65624cffb48e86e0303cc13

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
307B

MD5
f795d65e68db37483dc74e692495e0b5

SHA1
e021c93cc3604b1b8fe1b0fe9de76bc68fa529ae

SHA256
812d72aab775a459c3a30e847c5a6dec7eb6772e81ea65e09e4ca08b89e08787

SHA512
4573e027414e4c25b4e7419bdad607f93c642f4acec6a66db05bc54fcc6593dba9c34059ab6d5b1bec71b4a3fe5b369513656302776a6f3b2691c3ef61ab3e68

Download Submit