Overview

overview

10

Static

static

10

0b7751b440...5e.exe

windows7-x64

10

0b7751b440...5e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/11/2022, 10:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0b7751b440662fe01cb16aaa74d3d83a149fe2b9a375111f6821e90522b6a55e.exe

  • Size

    854KB

  • MD5

    3238426bf8f438b4abcd3db787ac0258

  • SHA1

    f3cfe3bbbcaae85059cea6645dc6016425025f8f

  • SHA256

    0b7751b440662fe01cb16aaa74d3d83a149fe2b9a375111f6821e90522b6a55e

  • SHA512

    d8b8674962e4f53c59ba408a8ac271b4cec4777d425eee6f8bc21a3aae2e52dc6ed00abf475722442b029c55cccbfafdf1ee4bc21969648398625fbd780e98bf

  • SSDEEP

    12288:CQCs07y2blQDJy++/l21RtSckhwLhZ+Ehgu52yDOve/7Or5:4s07dlQDJyq1RtlkiLhZ+xugyDKP5

Score
10/10
ammyyadminflawedammyyevasionpersistencerattrojan

Malware Config

Signatures

  • Ammyy Admin

    Remote admin tool with various capabilities.

    ratammyyadmin
  • AmmyyAdmin payload 8 IoCs
  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

    trojanflawedammyy
  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 2 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Program Files directory 1 IoCs
  • Program crash 1 IoCs
  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b7751b440662fe01cb16aaa74d3d83a149fe2b9a375111f6821e90522b6a55e.exe
    "C:\Users\Admin\AppData\Local\Temp\0b7751b440662fe01cb16aaa74d3d83a149fe2b9a375111f6821e90522b6a55e.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:384
    • C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      2⤵
      • Modifies visibility of file extensions in Explorer
      • Executes dropped EXE
      • Adds Run key to start application
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      PID:5104
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5104 -s 728
        3⤵
        • Program crash
        PID:1884
  • C:\Users\Admin\AppData\Local\Temp\0b7751b440662fe01cb16aaa74d3d83a149fe2b9a375111f6821e90522b6a55e.exe
    "C:\Users\Admin\AppData\Local\Temp\0b7751b440662fe01cb16aaa74d3d83a149fe2b9a375111f6821e90522b6a55e.exe" -service -lunch
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:552
    • C:\Documents and Settings\tazebama.dl_
      "C:\Documents and Settings\tazebama.dl_"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3236
    • C:\Users\Admin\AppData\Local\Temp\0b7751b440662fe01cb16aaa74d3d83a149fe2b9a375111f6821e90522b6a55e.exe
      "C:\Users\Admin\AppData\Local\Temp\0b7751b440662fe01cb16aaa74d3d83a149fe2b9a375111f6821e90522b6a55e.exe"
      2⤵
      • Checks computer location settings
      • Loads dropped DLL
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1276
      • C:\Documents and Settings\tazebama.dl_
        "C:\Documents and Settings\tazebama.dl_"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:4116
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5104 -ip 5104
    1⤵
      PID:816

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Documents and Settings\hook.dl_
      Filesize

      151KB

      MD5

      539bb6ee5703e1b1ed35b1ad5982eb4b

      SHA1

      f5d9c455811df9c118b7470bdb50b156405f8882

      SHA256

      d7bba91b1381dedb38750be5ef43f98d94665b7e1100d54aa695163479e469d7

      SHA512

      963c69493caad3c9b9eacc3c2894f864a68b7cd8e0660e2e7feb958c671dfff87a955b908c7f0add980e215db043161713c3882121b66d396b3eb0299fda67e4

      Download Submit

    • C:\Documents and Settings\hook.dl_
      Filesize

      151KB

      MD5

      539bb6ee5703e1b1ed35b1ad5982eb4b

      SHA1

      f5d9c455811df9c118b7470bdb50b156405f8882

      SHA256

      d7bba91b1381dedb38750be5ef43f98d94665b7e1100d54aa695163479e469d7

      SHA512

      963c69493caad3c9b9eacc3c2894f864a68b7cd8e0660e2e7feb958c671dfff87a955b908c7f0add980e215db043161713c3882121b66d396b3eb0299fda67e4

      Download Submit

    • C:\Documents and Settings\tazebama.dl_
      Filesize

      151KB

      MD5

      539bb6ee5703e1b1ed35b1ad5982eb4b

      SHA1

      f5d9c455811df9c118b7470bdb50b156405f8882

      SHA256

      d7bba91b1381dedb38750be5ef43f98d94665b7e1100d54aa695163479e469d7

      SHA512

      963c69493caad3c9b9eacc3c2894f864a68b7cd8e0660e2e7feb958c671dfff87a955b908c7f0add980e215db043161713c3882121b66d396b3eb0299fda67e4

      Download Submit

    • C:\Documents and Settings\tazebama.dll
      Filesize

      32KB

      MD5

      b6a03576e595afacb37ada2f1d5a0529

      SHA1

      d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

      SHA256

      1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

      SHA512

      181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

      Download Submit

    • C:\ProgramData\AMMYY\hr
      Filesize

      22B

      MD5

      9e91b69b444b246ca2fdc18543e2956f

      SHA1

      483e4f71596cfb9e643fb3787cde9385369b453d

      SHA256

      8ea29a2b6eef8babced7a7e3329702415d5e12372b85fa20853a1345347b6fdf

      SHA512

      3f2f176c72a78ff783b99d1e1b9dc6d3aaf1aab8716f412f77c0d4f8f7fc4855b470cb688cf5e438ee99b8026de130a279edb50c78681a819a28a189c80d53e5

      Download Submit

    • C:\ProgramData\AMMYY\hr3
      Filesize

      68B

      MD5

      cdf8c52c521856032168a12daf4eee8a

      SHA1

      7eba00622efd726e4c34a800ef17a005db3f250a

      SHA256

      5d239bf6eeed2b63ee1a296bb5a024731e2509da1bd33c1e42fa05ab65d827a5

      SHA512

      2d41d669c8568715fb580906a80aba6a4d4eae6ef3747eccebfd8c6b2f3b97dc0aefaf905095ce7cf17a2f678bf1c21a18a6c80318640a46639e6afbef5fa5db

      Download Submit

    • C:\ProgramData\AMMYY\settings3.bin
      Filesize

      269B

      MD5

      097a18ed7b31114c7ef39ef06eff02f0

      SHA1

      276bb5fc8ab72ed3a447dd57be668ace8f75a7c1

      SHA256

      985b458559939244b777d09d71d6192a13f693b88b046ca904012603a5582812

      SHA512

      168ef05ddb434dd4003748c7cd6ea9ed5c8280506de4473c3b193fffc314b469e85e2474f919f189c9b7ffb16aa741d75900341a9802dae175ad185e1fea3e96

      Download Submit

    • C:\Users\tazebama.dl_
      Filesize

      151KB

      MD5

      539bb6ee5703e1b1ed35b1ad5982eb4b

      SHA1

      f5d9c455811df9c118b7470bdb50b156405f8882

      SHA256

      d7bba91b1381dedb38750be5ef43f98d94665b7e1100d54aa695163479e469d7

      SHA512

      963c69493caad3c9b9eacc3c2894f864a68b7cd8e0660e2e7feb958c671dfff87a955b908c7f0add980e215db043161713c3882121b66d396b3eb0299fda67e4

      Download Submit

    • C:\Users\tazebama.dl_
      Filesize

      151KB

      MD5

      539bb6ee5703e1b1ed35b1ad5982eb4b

      SHA1

      f5d9c455811df9c118b7470bdb50b156405f8882

      SHA256

      d7bba91b1381dedb38750be5ef43f98d94665b7e1100d54aa695163479e469d7

      SHA512

      963c69493caad3c9b9eacc3c2894f864a68b7cd8e0660e2e7feb958c671dfff87a955b908c7f0add980e215db043161713c3882121b66d396b3eb0299fda67e4

      Download Submit

    • C:\Users\tazebama.dl_
      Filesize

      151KB

      MD5

      539bb6ee5703e1b1ed35b1ad5982eb4b

      SHA1

      f5d9c455811df9c118b7470bdb50b156405f8882

      SHA256

      d7bba91b1381dedb38750be5ef43f98d94665b7e1100d54aa695163479e469d7

      SHA512

      963c69493caad3c9b9eacc3c2894f864a68b7cd8e0660e2e7feb958c671dfff87a955b908c7f0add980e215db043161713c3882121b66d396b3eb0299fda67e4

      Download Submit

    • C:\Users\tazebama.dll
      Filesize

      32KB

      MD5

      b6a03576e595afacb37ada2f1d5a0529

      SHA1

      d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

      SHA256

      1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

      SHA512

      181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

      Download Submit

    • C:\Users\tazebama.dll
      Filesize

      32KB

      MD5

      b6a03576e595afacb37ada2f1d5a0529

      SHA1

      d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

      SHA256

      1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

      SHA512

      181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

      Download Submit

    • C:\Users\tazebama.dll
      Filesize

      32KB

      MD5

      b6a03576e595afacb37ada2f1d5a0529

      SHA1

      d598d4d0e70dec2ffa2849edaeb4db94fedcc0b8

      SHA256

      1707eaf60aa91f3791aa5643bfa038e9d8141878d61f5d701ebac51f4ae7aaad

      SHA512

      181b7cc6479352fe2c53c3630d45a839cdeb74708be6709c2a75847a54de3ffc1fdac8450270dde7174ecb23e5cb002f8ce39032429a3112b1202f3381b8918c

      Download Submit

    • memory/384-134-0x0000000000400000-0x00000000004B5000-memory.dmp

      Filesize

      724KB

      Download

    • memory/384-132-0x0000000000400000-0x00000000004B5000-memory.dmp

      Filesize

      724KB

      Download

    • memory/384-150-0x0000000000400000-0x00000000004B5000-memory.dmp

      Filesize

      724KB

      Download

    • memory/552-141-0x0000000000400000-0x00000000004B5000-memory.dmp

      Filesize

      724KB

      Download

    • memory/552-152-0x0000000000400000-0x00000000004B5000-memory.dmp

      Filesize

      724KB

      Download

    • memory/1276-157-0x0000000000400000-0x00000000004B5000-memory.dmp

      Filesize

      724KB

      Download

    • memory/1276-154-0x0000000000400000-0x00000000004B5000-memory.dmp

      Filesize

      724KB

      Download

    • memory/1276-160-0x0000000000400000-0x00000000004B5000-memory.dmp

      Filesize

      724KB

      Download

    • memory/3236-145-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

      Download

    • memory/4116-155-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

      Download

    • memory/5104-156-0x0000000000400000-0x0000000000416000-memory.dmp

      Filesize

      88KB

      Download