Analysis

  • max time kernel
    127s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    15-06-2023 11:59

General

  • Target

    AA_v3.exe

  • Size

    782KB

  • MD5

    390ddaff20160396e7490b239b4cad9b

  • SHA1

    44c10c691fc2639b3436abe8dc25542ff5a73067

  • SHA256

    357230056c30b4d7a7d697114d3d90ddc9a13dcb174a9a6d1f74c950e5bcd570

  • SHA512

    fd9d519d5e0f3c7d5ac55d594ef23eff6b96e45efe582b8f2fb88c657d76dd4966de73faf4dcea02913940a46c2aa9a6cec8748bcdfb43530e0b3228f8eb833b

  • SSDEEP

    12288:bWJDVSwZtyHFaMhY1SPEKH0OERt4PMsajW0pSEV3fugE:q7FZtoFaiY1SsKpERtMMRy0ptf7E

Score
10/10

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
    "C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
    1⤵
      PID:836
    • C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
      "C:\Users\Admin\AppData\Local\Temp\AA_v3.exe" -service -lunch
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1696
      • C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
        "C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
        2⤵
        • Suspicious behavior: GetForegroundWindowSpam
        PID:1724

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\AMMYY\settings3.bin

      Filesize

      282B

      MD5

      ac7221c691ef0a93dbbb5bee6efcb7ec

      SHA1

      54f197fef16badefb4bf0d7339f6bd1099e505da

      SHA256

      b6b033b71d3f7f92986e32a61b3244b9856e82a9c3d233696a0dfa29a517106f

      SHA512

      226299ab1b7b388473163f4fecc41d536755586b4c275475128c5e5946554cd9ca69df223469130d85516f2ac2330a2cb35dec2879355ea0186b63d8429dcd6b