Overview

overview

10

Static

static

10

AA_v3.exe

windows7-x64

10

AA_v3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/05/2023, 06:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AA_v3.exe

  • Size

    798KB

  • MD5

    90aadf2247149996ae443e2c82af3730

  • SHA1

    050b7eba825412b24e3f02d76d7da5ae97e10502

  • SHA256

    ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

  • SHA512

    eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

  • SSDEEP

    24576:Uj0JJ4p/A4npt3XojeQG5EtzRtO7GvmDguXd:UjoJ4u4zojegylDN

Score
10/10
flawedammyybootkitpersistencetrojan

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

    trojanflawedammyy
  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 11 IoCs
  • Modifies data under HKEY_USERS 11 IoCs
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
    "C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    PID:3336
  • C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
    "C:\Users\Admin\AppData\Local\Temp\AA_v3.exe" -service -lunch
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3060
    • C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
      "C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
      2⤵
      • Checks computer location settings
      • Writes to the Master Boot Record (MBR)
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3204
      • C:\Windows\SYSTEM32\rundll32.exe
        rundll32.exe "C:\ProgramData\AMMYY\aa_nts.dll",run
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3260

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\AMMYY\aa_nts.dll
    Filesize

    902KB

    MD5

    480a66902e6e7cdafaa6711e8697ff8c

    SHA1

    6ac730962e7c1dba9e2ecc5733a506544f3c8d11

    SHA256

    7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

    SHA512

    7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

    Download Submit

  • C:\ProgramData\AMMYY\aa_nts.dll
    Filesize

    902KB

    MD5

    480a66902e6e7cdafaa6711e8697ff8c

    SHA1

    6ac730962e7c1dba9e2ecc5733a506544f3c8d11

    SHA256

    7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

    SHA512

    7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

    Download Submit

  • C:\ProgramData\AMMYY\aa_nts.log
    Filesize

    4KB

    MD5

    5564daf0d656dbf4330f3acd6110c9a3

    SHA1

    5f48aff026bcec71b635884e7d60dd329b6722b1

    SHA256

    fd333420b028fbc1d1e972b4494320097a27538af041c0ffeb1c87557a6a31a2

    SHA512

    0ab43ca0da98e10c1ac83c0c8c9744b7bede9bfcc65be9d449e71ae788c89a642bf30742cc8e7d2f127feb0a062c12abeaa9c00a8b9846abbb4bfc49aa046b7f

    Download Submit

  • C:\ProgramData\AMMYY\aa_nts.msg
    Filesize

    46B

    MD5

    3f05819f995b4dafa1b5d55ce8d1f411

    SHA1

    404449b79a16bfc4f64f2fd55cd73d5d27a85d71

    SHA256

    7e0bf0cbd06a087500a9c3b50254df3a8a2c2980921ab6a62ab1121941c80fc0

    SHA512

    34abb7df8b3a68e1649ff0d2762576a4d4e65da548e74b1aa65c2b82c1b89f90d053ecddac67c614ca6084dc5b2cb552949250fb70f49b536f1bcb0057717026

    Download Submit

  • C:\ProgramData\AMMYY\settings3.bin
    Filesize

    327B

    MD5

    4c462159d7bef2d9a4096f146d551b58

    SHA1

    9b9b092e0b3bcc7b50da2bac7bc9695036e09801

    SHA256

    f49e6805556377193a6f7e6a152ef67221f1f6db3bc7fa526aaf1428e3840ff3

    SHA512

    d9b71c1e6f95cac12cc0fca36d4d074c9f02b597ea88d6d7a370dcee4f6d6ceac5e713390eda2835fdba4de8413e0d55750863a3722bf0ed798e6ac4a59f0fc8

    Download Submit

  • memory/3260-183-0x0000000064200000-0x00000000642EE000-memory.dmp

    Filesize

    952KB

    Download

  • memory/3260-169-0x0000000064200000-0x00000000642EE000-memory.dmp

    Filesize

    952KB

    Download

  • memory/3260-150-0x0000000064200000-0x00000000642EE000-memory.dmp

    Filesize

    952KB

    Download

  • memory/3260-199-0x0000000064200000-0x00000000642EE000-memory.dmp

    Filesize

    952KB

    Download

  • memory/3260-214-0x0000000064200000-0x00000000642EE000-memory.dmp

    Filesize

    952KB

    Download

  • memory/3260-226-0x0000000064200000-0x00000000642EE000-memory.dmp

    Filesize

    952KB

    Download

  • memory/3260-242-0x0000000064200000-0x00000000642EE000-memory.dmp

    Filesize

    952KB

    Download

  • memory/3260-257-0x0000000064200000-0x00000000642EE000-memory.dmp

    Filesize

    952KB

    Download