Analysis

  • max time kernel
    151s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230621-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-07-2023 06:27

General

  • Target

    Device/HarddiskVolume2/Rahman/Shared_Document/Discoverer/Softwares/Remote connection softwares/AA_v3.5.exe

  • Size

    746KB

  • MD5

    2cbf5657ffd8858a9597f296a60270c2

  • SHA1

    b130611c92788337c4f6bb9e9454ff06eb409166

  • SHA256

    9b3f4d6a9bae4d7f9cfe45e706db8fe4baef51ae12353941e8b1532b231e6eac

  • SHA512

    06339a299c8c9ce55e9b96582e54e0bf9e04f894ceb47c07486adf8b0140c2a01fd0932207aca8112ee0b16ba8711fee9435e37339aafb94f167b5a736ee7d0b

  • SSDEEP

    12288:6NgEvTkYGzXUMA7PTgM0YOg26y4RtcxcUwhqb3omaY80NP6gL:6XTszE7PTgM0YOgA4RtcbwhsSYFVL

Score
10/10

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

  • Drops file in System32 directory 4 IoCs
  • Modifies data under HKEY_USERS 9 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe
    "C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe"
    1⤵
      PID:440
    • C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe
      "C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe" -service -lunch
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1520
      • C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe
        "C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe"
        2⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2200

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\AMMYY\hr

      Filesize

      22B

      MD5

      ac323403c9d8a31f4ec297b46e96eb3f

      SHA1

      81954c74cd9de3c0ecb5db7c35f220af7ae3ecc2

      SHA256

      a62fb87bb81fe6779565b5f9a83e90d83f5852e7b1a42312f0183aac425507aa

      SHA512

      3bad9c20155d653d0e94685bcdaa407c2c296c7f5e93b33c83c3aef197086bfebce01a00f9caa6ae18bcc9d82d0c097321f8fcdc0a564463e8f69eb37748dc95

    • C:\ProgramData\AMMYY\hr3

      Filesize

      68B

      MD5

      1c2317867950c4b3d1a11a28e2cfcd82

      SHA1

      2d6a339fb9cf7ae87258f9cd0f7043341ffae748

      SHA256

      b7aacd30c61f525df2b2683a0bcab426bcb7d016c8cf1ee768b885ac9bc7bc3e

      SHA512

      a07537506776e249c185b253cb82282d0704f70491539caa904f0c0d5a265adbe0d77c68fc40b8452f29d7a5cc5f6ffa6dfb433f625c92af0bd96941bf1072fe

    • C:\ProgramData\AMMYY\settings3.bin

      Filesize

      271B

      MD5

      714f2508d4227f74b6adacfef73815d8

      SHA1

      a35c8a796e4453c0c09d011284b806d25bdad04c

      SHA256

      a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480

      SHA512

      1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8