Analysis

  • max time kernel
    60s
  • max time network
    58s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    21-11-2020 16:03

General

  • Target

    AA_v3.5_Corporate.bin.exe

  • Size

    751KB

  • MD5

    4d853025b8cd8c725bf78e3df6cce967

  • SHA1

    c6bff7857fdf33cbd8f052ef5d669675e5cf06f8

  • SHA256

    4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8

  • SHA512

    977e43eaa763cc66114e00a615818c66a84a5a47bac1cdf21eff9f8f1dcebf138d8ede823265a2f30807d648c57bf036818254964358691d3f9a013f930705cf

Score
10/10

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

  • Drops file in System32 directory (5 IoCs)
  • Modifies data under HKEY_USERS (9 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SendNotifyMessage (1 IoC)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\AA_v3.5_Corporate.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\AA_v3.5_Corporate.bin.exe"
    1⤵
      PID:1044
    • C:\Users\Admin\AppData\Local\Temp\AA_v3.5_Corporate.bin.exe
      "C:\Users\Admin\AppData\Local\Temp\AA_v3.5_Corporate.bin.exe" -service -lunch
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3204
      • C:\Users\Admin\AppData\Local\Temp\AA_v3.5_Corporate.bin.exe
        "C:\Users\Admin\AppData\Local\Temp\AA_v3.5_Corporate.bin.exe"
        2⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:584

Network

MITRE ATT&CK Matrix

Downloads

  • C:\ProgramData\AMMYY\hr

    MD5
    ca904b9a6a2896172ac279bab9d97e1e

    SHA1
    2e1e660fc0dbfb225a0f9c0c552639317e13055a

    SHA256
    05fa3419e8642ddf5ebd6471780e1a1b22c5106cc8a1dbe6d64241bd57a44d77

    SHA512
    28b5dee710499ca4f1779676c48c1243e5f69161462b0f5553238ff404e3e498ebbe51cb63e6d8d621ca5da9fae3bf1b431e3ab8c62a54e401b00e9bcadc3f80

  • C:\ProgramData\AMMYY\hr3

    MD5
    d53c811e188cebb62764773b31e83c01

    SHA1
    de21bb9ff1e7b43f4f8046404be973efc76a836e

    SHA256
    b852e034b2b55533a2a8d1289a4f80f772347008a150b9fa75608606ba3c1f36

    SHA512
    d9f065e617c825c1cca43d63fb0775b7261c4c1f50bd44e7ddc95d522ad2941e323361c9f5769972cb0fa2f970a23918f06b2426d882d59ca096cf4498fb6140

  • C:\ProgramData\AMMYY\settings3.bin

    MD5
    714f2508d4227f74b6adacfef73815d8

    SHA1
    a35c8a796e4453c0c09d011284b806d25bdad04c

    SHA256
    a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480

    SHA512
    1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

  • memory/584-0-0x0000000000000000-mapping.dmp