flawedammyy | 74656a65e96590a2734384bf89cb9ff677dcedff5f6e937d350b9f46ec52cd0a

Analysis

max time kernel
150s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
22/02/2025, 08:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ammyy.exe
Size

748KB
MD5

3b4ed97de29af222837095a7c411b8a1
SHA1

ea003f86db4cf74e4348e7e43e4732597e04db96
SHA256

74656a65e96590a2734384bf89cb9ff677dcedff5f6e937d350b9f46ec52cd0a
SHA512

2e1d1365163b08310e5112063be8ebd0ec1aa8c20a0872eef021978d6eb04a7b3d50af0a6472c246443585e665df2daa1e1a44a166780a8bf01de098a016e572
SSDEEP

12288:3VFUEuNmwvGrw9i0aTGRGicBckyyFRtWY1i3FTsvOVVUg0:XUEUUw9RaTNicBrPFRtJ1iVTsCZ0

Score

10^/10

flawedammyy discovery trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Flawedammyy family
flawedammyy

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	Ammyy.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	Ammyy.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	Ammyy.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	Ammyy.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ammyy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ammyy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ammyy.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	Ammyy.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	Ammyy.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	Ammyy.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	Ammyy.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d567366087c6658524c1752534eeaf3464adab36b	Ammyy.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 667ee9f5aeeb3fa290018e0eae0903b97f2c4b15dd9172a684afa486824b2f42dba86728b39faa4f53bdbabfe9cf7c06beebf2b60d21d69835ce7b69461d44d20201545eaa89e400e27bbb	Ammyy.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	Ammyy.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	Ammyy.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	Ammyy.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1508	Ammyy.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1508	Ammyy.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 1508	2956	Ammyy.exe	90
PID 2956 wrote to memory of 1508	2956	Ammyy.exe	90
PID 2956 wrote to memory of 1508	2956	Ammyy.exe	90

C:\Users\Admin\AppData\Local\Temp\Ammyy.exe
"C:\Users\Admin\AppData\Local\Temp\Ammyy.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1640

C:\Users\Admin\AppData\Local\Temp\Ammyy.exe
"C:\Users\Admin\AppData\Local\Temp\Ammyy.exe" -service -lunch
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Users\Admin\AppData\Local\Temp\Ammyy.exe
  "C:\Users\Admin\AppData\Local\Temp\Ammyy.exe"
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
22ab6b3473e4479c76c66743c9fc92a9

SHA1
5c7fb522d1824f649fddac49b06fd9f923865235

SHA256
05da2b22a55ea1db15a1de5893bd1a5bdb0133201c5d29d60641e16df2abf121

SHA512
8e124c5b028cf96fe5da3c673e2d24de3cd887e5abfe73b5550c87bdc4524dbed264ff101227b960df507a1959c89631edd2adbab805d0bf160034f95c84a5d9

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
75B

MD5
99f10b93cc43365cc88e526537889894

SHA1
512564f4ae608395a20e36712d70cfa932e2e5e3

SHA256
f17ec630abe0ba1e3ea3625cb34fa91885aae33cf3f6cac8818090b0b8e3a2e3

SHA512
4625ea2f1f2943f78e1ca6ebced794c0ddbe680ea5d4072d688a3b332250fbc528119b2130c4565a6a77bacddbc034f2f80f79681c18c1ba1d66cc7103f949e2

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
307B

MD5
f795d65e68db37483dc74e692495e0b5

SHA1
e021c93cc3604b1b8fe1b0fe9de76bc68fa529ae

SHA256
812d72aab775a459c3a30e847c5a6dec7eb6772e81ea65e09e4ca08b89e08787

SHA512
4573e027414e4c25b4e7419bdad607f93c642f4acec6a66db05bc54fcc6593dba9c34059ab6d5b1bec71b4a3fe5b369513656302776a6f3b2691c3ef61ab3e68

Download Submit