flawedammyy | 74656a65e96590a2734384bf89cb9ff677dcedff5f6e937d350b9f46ec52cd0a

General

Target

74656a65e96590a2734384bf89cb9ff677dcedff5f6e937d350b9f46ec52cd0a.exe
Size

748KB
MD5

3b4ed97de29af222837095a7c411b8a1
SHA1

ea003f86db4cf74e4348e7e43e4732597e04db96
SHA256

74656a65e96590a2734384bf89cb9ff677dcedff5f6e937d350b9f46ec52cd0a
SHA512

2e1d1365163b08310e5112063be8ebd0ec1aa8c20a0872eef021978d6eb04a7b3d50af0a6472c246443585e665df2daa1e1a44a166780a8bf01de098a016e572
SSDEEP

12288:3VFUEuNmwvGrw9i0aTGRGicBckyyFRtWY1i3FTsvOVVUg0:XUEUUw9RaTNicBrPFRtJ1iVTsCZ0

Score

10^/10

flawedammyy discovery trojan

Malware Config

Signatures

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy
Flawedammyy family
flawedammyy

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Control Panel\International\Geo\Nation	74656a65e96590a2734384bf89cb9ff677dcedff5f6e937d350b9f46ec52cd0a.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	74656a65e96590a2734384bf89cb9ff677dcedff5f6e937d350b9f46ec52cd0a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	74656a65e96590a2734384bf89cb9ff677dcedff5f6e937d350b9f46ec52cd0a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	74656a65e96590a2734384bf89cb9ff677dcedff5f6e937d350b9f46ec52cd0a.exe

Modifies data under HKEY_USERS 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	74656a65e96590a2734384bf89cb9ff677dcedff5f6e937d350b9f46ec52cd0a.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	74656a65e96590a2734384bf89cb9ff677dcedff5f6e937d350b9f46ec52cd0a.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy	74656a65e96590a2734384bf89cb9ff677dcedff5f6e937d350b9f46ec52cd0a.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d567366087c6658524c175253b776c3c7d2dab36b	74656a65e96590a2734384bf89cb9ff677dcedff5f6e937d350b9f46ec52cd0a.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = c6065181143e3e9165e39140b08f328e6f6d5a115d59a5e2044a9916030ea7882ffa80bc29c4926b3d3cce6bb9d1791645c0aa5c4d09c79bb1be4dd804f7a04e5b0f51a5990a8992cf65ed	74656a65e96590a2734384bf89cb9ff677dcedff5f6e937d350b9f46ec52cd0a.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	74656a65e96590a2734384bf89cb9ff677dcedff5f6e937d350b9f46ec52cd0a.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1680	74656a65e96590a2734384bf89cb9ff677dcedff5f6e937d350b9f46ec52cd0a.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1680	74656a65e96590a2734384bf89cb9ff677dcedff5f6e937d350b9f46ec52cd0a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 1680	2392	74656a65e96590a2734384bf89cb9ff677dcedff5f6e937d350b9f46ec52cd0a.exe	31
PID 2392 wrote to memory of 1680	2392	74656a65e96590a2734384bf89cb9ff677dcedff5f6e937d350b9f46ec52cd0a.exe	31
PID 2392 wrote to memory of 1680	2392	74656a65e96590a2734384bf89cb9ff677dcedff5f6e937d350b9f46ec52cd0a.exe	31
PID 2392 wrote to memory of 1680	2392	74656a65e96590a2734384bf89cb9ff677dcedff5f6e937d350b9f46ec52cd0a.exe	31

C:\Users\Admin\AppData\Local\Temp\74656a65e96590a2734384bf89cb9ff677dcedff5f6e937d350b9f46ec52cd0a.exe
"C:\Users\Admin\AppData\Local\Temp\74656a65e96590a2734384bf89cb9ff677dcedff5f6e937d350b9f46ec52cd0a.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1740

C:\Users\Admin\AppData\Local\Temp\74656a65e96590a2734384bf89cb9ff677dcedff5f6e937d350b9f46ec52cd0a.exe
"C:\Users\Admin\AppData\Local\Temp\74656a65e96590a2734384bf89cb9ff677dcedff5f6e937d350b9f46ec52cd0a.exe" -service -lunch
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\AppData\Local\Temp\74656a65e96590a2734384bf89cb9ff677dcedff5f6e937d350b9f46ec52cd0a.exe
  "C:\Users\Admin\AppData\Local\Temp\74656a65e96590a2734384bf89cb9ff677dcedff5f6e937d350b9f46ec52cd0a.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
c3a6cf1714a8354972715cd076190cb2

SHA1
1925610b302eb46c25d1c93859bc1708cc737e94

SHA256
af29e2d02446108cdc4950d1999f65d5a8619461f2899907744046c294dbbde4

SHA512
690627e30f7e188e9616dc33275326ec62fbb91cc0ad4c005e382e9f1739ad025d31384b1d7595fd5c3d41ee9178c4bb5b087f990b0b0886d60b59f798ffbffc

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
75B

MD5
a6e6e3c6ab812a1af0f4d6367ea2ee47

SHA1
a202b10f17c6e9d22ec70eaaaba48bda7d3caf67

SHA256
140adefdce7642c6e48a79582f087e9c0f1b9f78a5b67d5de704e14d806c1a68

SHA512
7b75ffbec69b48c484fd072d45bb8e3335cae36816f7d635e78fed39cf2a5f3550534ac4280b981c0bc72f2068da81b629e724a1075da7d4f8d4ccdcc0f2553d

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
307B

MD5
f795d65e68db37483dc74e692495e0b5

SHA1
e021c93cc3604b1b8fe1b0fe9de76bc68fa529ae

SHA256
812d72aab775a459c3a30e847c5a6dec7eb6772e81ea65e09e4ca08b89e08787

SHA512
4573e027414e4c25b4e7419bdad607f93c642f4acec6a66db05bc54fcc6593dba9c34059ab6d5b1bec71b4a3fe5b369513656302776a6f3b2691c3ef61ab3e68

Download Submit

Analysis

Sharing