Analysis
-
max time kernel
151s
-
max time network
152s
-
platform
windows10-2004_x64
-
resource
win10v2004-20230220-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
04-06-2023 11:31
Behavioral task
behavioral1
Sample
08917699.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
08917699.exe
Resource
win10v2004-20230220-en
General
-
Target
08917699.exe
-
Size
776KB
-
MD5
e3a944626a6932d5625b4e956781d8c5
-
SHA1
21022d5300a201433e84b18f8e4f1c94fd0904fe
-
SHA256
e682ea6f18a526c3f0d8e7b6f3673b05e8e211a29fe3274423756d4731289224
-
SHA512
d9e43d846c74a3db8bf96aa554c6216119f89d296c85ab0396c5000944ed0e6cabcf8a6b437aa22feaac56584ad1fe167f98434b6551377b400dbda0f360659c
-
SSDEEP
12288:KWeiVSRZI3HAaMhYBSJEKH0OERt4PMsajW0pSEVJjgjX:lHIZI3AaiYBSGKpERtMMRy0pDcjX
Malware Config
Signatures
-
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
08917699.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | 08917699.exe
-
Modifies data under HKEY_USERS 5 IoCs
Processes:
08917699.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | 08917699.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | 08917699.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | 08917699.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | 08917699.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 4f5c93d0e777ade2ca2d7efbe7d82cd03a773a1b54538db160a8d0a79867ede586a2261c487a6ec6b2cac3c8c7652cbdb454e18b9d079b377b3f7aaf9415f819c7bf15d42a | 08917699.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
08917699.exe
pid | process
2720 | 08917699.exe
-
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
08917699.exe
pid | process
2720 | 08917699.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
08917699.exe
description | pid | process | target process
PID 2392 wrote to memory of 2720 | 2392 | 08917699.exe | 08917699.exe
PID 2392 wrote to memory of 2720 | 2392 | 08917699.exe | 08917699.exe
PID 2392 wrote to memory of 2720 | 2392 | 08917699.exe | 08917699.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\08917699.exe
"C:\Users\Admin\AppData\Local\Temp\08917699.exe"
PID:852
-
C:\Users\Admin\AppData\Local\Temp\08917699.exe
"C:\Users\Admin\AppData\Local\Temp\08917699.exe" -service -lunch
- Suspicious use of WriteProcessMemory
PID:2392
-
    C:\Users\Admin\AppData\Local\Temp\08917699.exe (child of PID 2392)
    "C:\Users\Admin\AppData\Local\Temp\08917699.exe"
    - Checks computer location settings
    - Modifies data under HKEY_USERS
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2720
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize
318B
-
MD5
8411a75a1e371db9594e9943e3c6c850
-
SHA1
575abe26802724d1436d6083ff17802bc66a793c
-
SHA256
1a621d89ef9377869faf8c6bf1af7e6a370d12054f21ecdeb9ba266815929d10
-
SHA512
b83f349899a9c4a99a50120d5d55a6d4ded9373db3dbf26a24abf4e80254a1119483ec00d0fb58b13ade78a868705b5f55cfc829ffc12082a54e7111c34c1fc3