Analysis
- max time kernel: 60s
- max time network: 58s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 21-11-2020 16:03
Static task: static1
Behavioral task: behavioral1
  Sample: AA_v3.5_Corporate.bin.exe
  Resource: win10v20201028
Behavioral task: behavioral2
  Sample: AA_v3.5_Corporate.bin.exe
  Resource: win10v20201028
General
- Target: AA_v3.5_Corporate.bin.exe
- Size: 751KB
- MD5: 4d853025b8cd8c725bf78e3df6cce967
- SHA1: c6bff7857fdf33cbd8f052ef5d669675e5cf06f8
- SHA256: 4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8
- SHA512: 977e43eaa763cc66114e00a615818c66a84a5a47bac1cdf21eff9f8f1dcebf138d8ede823265a2f30807d648c57bf036818254964358691d3f9a013f930705cf
Malware Config
Signatures
- FlawedAmmyy RAT
  Remote-access trojan based on leaked code for the Ammyy remote admin software.
- Drops file in System32 directory (5 IoCs)
  Processes: AA_v3.5_Corporate.bin.exe
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5
- Modifies data under HKEY_USERS (9 IoCs)
  Processes: AA_v3.5_Corporate.bin.exe
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Ammyy
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin
  - Set value (data): \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d567366097d6c5e5c48155253416558f4609fbe6b
  - Set value (data): \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = b1848591b070d98126a0377f7627bd707e319f65b23ab07913b448ece9f7e98f050fbbd53849d68ee4b00dcf98b41a16c3b7112056e59cab735b17cc43b9bd78
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: AA_v3.5_Corporate.bin.exe
  - pid 584: AA_v3.5_Corporate.bin.exe
- Suspicious use of SendNotifyMessage (1 IoC)
  Processes: AA_v3.5_Corporate.bin.exe
  - pid 584: AA_v3.5_Corporate.bin.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: AA_v3.5_Corporate.bin.exe
  - PID 3204 wrote to memory of 584 (pid 3204, process AA_v3.5_Corporate.bin.exe, target process AA_v3.5_Corporate.bin.exe)
  - PID 3204 wrote to memory of 584 (pid 3204, process AA_v3.5_Corporate.bin.exe, target process AA_v3.5_Corporate.bin.exe)
  - PID 3204 wrote to memory of 584 (pid 3204, process AA_v3.5_Corporate.bin.exe, target process AA_v3.5_Corporate.bin.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\AA_v3.5_Corporate.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\AA_v3.5_Corporate.bin.exe"
  Depth: 1
- C:\Users\Admin\AppData\Local\Temp\AA_v3.5_Corporate.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\AA_v3.5_Corporate.bin.exe" -service -lunch
  Depth: 1
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\AA_v3.5_Corporate.bin.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\AA_v3.5_Corporate.bin.exe"
    Depth: 2
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix
Downloads
- C:\ProgramData\AMMYY\hr
  MD5: ca904b9a6a2896172ac279bab9d97e1e
  SHA1: 2e1e660fc0dbfb225a0f9c0c552639317e13055a
  SHA256: 05fa3419e8642ddf5ebd6471780e1a1b22c5106cc8a1dbe6d64241bd57a44d77
  SHA512: 28b5dee710499ca4f1779676c48c1243e5f69161462b0f5553238ff404e3e498ebbe51cb63e6d8d621ca5da9fae3bf1b431e3ab8c62a54e401b00e9bcadc3f80
- C:\ProgramData\AMMYY\hr3
  MD5: d53c811e188cebb62764773b31e83c01
  SHA1: de21bb9ff1e7b43f4f8046404be973efc76a836e
  SHA256: b852e034b2b55533a2a8d1289a4f80f772347008a150b9fa75608606ba3c1f36
  SHA512: d9f065e617c825c1cca43d63fb0775b7261c4c1f50bd44e7ddc95d522ad2941e323361c9f5769972cb0fa2f970a23918f06b2426d882d59ca096cf4498fb6140
- C:\ProgramData\AMMYY\settings3.bin
  MD5: 714f2508d4227f74b6adacfef73815d8
  SHA1: a35c8a796e4453c0c09d011284b806d25bdad04c
  SHA256: a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480
  SHA512: 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8
- memory/584-0-0x0000000000000000-mapping.dmp