Analysis

  • max time kernel
    27s
  • max time network
    41s
  • platform
    windows7_x64
  • resource
    win7-ja-20211208
  • submitted
    19/01/2022, 15:40 UTC

General

  • Target

    test/fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe

  • Size

    3.6MB

  • MD5

    743a6891999db5d7179091aba5f98fdb

  • SHA1

    eeca4b8f88fcae9db6f54304270699d459fb5722

  • SHA256

    fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f

  • SHA512

    9edef033663c828536190332ec87ac0096ffddae934d17c51b255a55ecb05774211a0edb1915c19384641befa291cfdfd2e3f878bf3b827f8b203ec1bee9dd96

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

  • Creates new service(s) 1 TTPs
  • Executes dropped EXE 2 IoCs
  • Modifies Windows Firewall 1 TTPs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer Automatic Crash Recovery 1 TTPs 1 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 26 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\test\fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe
    "C:\Users\Admin\AppData\Local\Temp\test\fe9d72dd4b046bafdd144902ab570297629f83d06afb5a9ba7703382a29d588f.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • Modifies Internet Explorer Automatic Crash Recovery
    • Modifies Internet Explorer Protected Mode Banner
    • Modifies Internet Explorer settings
    • Suspicious use of WriteProcessMemory
    PID:516
    • C:\Program Files (x86)\SinTech\TextEdit.exe
      "C:\Program Files (x86)\SinTech\TextEdit.exe"
      2⤵
      • Executes dropped EXE
      PID:800
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c sc create Wlanspeed binpath= "C:\ProgramData\Wlanspeed\wlanspeed.exe -service" start= auto displayname= "Wlanspeed" & sc description Wlanspeed "Wlanspeed service" && netsh advfirewall firewall add rule name="Wlanspeed" dir=in action=allow profile=any description="Wlanspeed service" program="C:\programdata\Wlanspeed\wlanspeed.exe" && netsh advfirewall firewall add rule name="Wlanspeed" dir=out action=allow profile=any description="Wlanspeed service" program="C:\programdata\Wlanspeed\wlanspeed.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1520
      • C:\Windows\SysWOW64\sc.exe
        sc create Wlanspeed binpath= "C:\ProgramData\Wlanspeed\wlanspeed.exe -service" start= auto displayname= "Wlanspeed"
        3⤵
        PID:1944
      • C:\Windows\SysWOW64\sc.exe
        sc description Wlanspeed "Wlanspeed service"
        3⤵
        PID:632
      • C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall firewall add rule name="Wlanspeed" dir=in action=allow profile=any description="Wlanspeed service" program="C:\programdata\Wlanspeed\wlanspeed.exe"
        3⤵
        PID:1316
    • C:\ProgramData\Wlanspeed\wlanspeed.exe
      "C:\ProgramData\Wlanspeed\wlanspeed.exe" -getid -nogui
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetWindowsHookEx
      PID:1104
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1824
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1824 CREDAT:275457 /prefetch:2
      2⤵
      PID:1544

Network

  • DNS rl.ammyy.com (flag: US)
    Process: wlanspeed.exe
    Remote address: 8.8.8.8:53
    Request: rl.ammyy.com IN A
    Response: rl.ammyy.com IN A 188.42.129.148
  • POST http://rl.ammyy.com/ (flag: NL)
    Process: wlanspeed.exe
    Remote address: 188.42.129.148:80
    Request:
      POST / HTTP/1.1
      Content-Type: application/x-www-form-urlencoded
      Host: rl.ammyy.com
      Content-Length: 251
      Cache-Control: no-cache
    Response:
      HTTP/1.1 200 OK
      Date: Wed, 19 Jan 2022 15:41:28 GMT
      Server: Apache
      X-Powered-By: PHP/5.4.16
      Content-Length: 248
      Content-Type: text/html

  Destination         | Domain               | Protocol | Process       | Bytes         | Packets
  188.42.129.148:80   | http://rl.ammyy.com/ | http     | wlanspeed.exe | 569 B / 516 B | 4 / 3
  136.243.104.242:443 |                      | https    | wlanspeed.exe | 272 B / 176 B | 5 / 4
  8.8.8.8:53          | rl.ammyy.com         | dns      | wlanspeed.exe | 58 B / 74 B   | 1 / 1

  • 188.42.129.148:80
    HTTP Request: POST http://rl.ammyy.com/
    HTTP Response: 200
  • 8.8.8.8:53
    DNS Request: rl.ammyy.com
    DNS Response: 188.42.129.148

MITRE ATT&CK Enterprise v6

Downloads

  • memory/516-54-0x0000000074EB1000-0x0000000074EB3000-memory.dmp
    Filesize: 8KB
  • memory/800-63-0x0000000000240000-0x0000000000246000-memory.dmp
    Filesize: 24KB
  • memory/800-64-0x000000001AF70000-0x000000001AF72000-memory.dmp
    Filesize: 8KB
  • memory/800-65-0x000000001B460000-0x000000001B742000-memory.dmp
    Filesize: 2.9MB
  • memory/800-61-0x0000000000940000-0x000000000095C000-memory.dmp
    Filesize: 112KB
  • memory/1104-71-0x000000007EBD0000-0x000000007EFA1000-memory.dmp
    Filesize: 3.8MB
