Overview

overview

10

Static

static

10

AA_v3.5.exe

windows7-x64

10

AA_v3.5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    19-07-2023 11:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AA_v3.5.exe

  • Size

    751KB

  • MD5

    5686a7032e37087f0fd082a04f727aad

  • SHA1

    341fee5256dcc259a3a566ca8f0260eb1e60d730

  • SHA256

    43bba98a64dd96cf0571f3d6dceafdc549cc3767a1beab6fe4a6e1fd3ddd3153

  • SHA512

    0ebd95b20ef54d047fdaec37cfb10e2c39ea9d63fa28d6a6848ec11b34a4c4ec5f7a8a430d81670461203b9e675ac4a32cac3da4a1c471f16e8d003c6dea3345

  • SSDEEP

    12288:oPO1fNZApVuCN7e/yalnM4RtjLDXcbOAS3snvVgbgJ:om1fN6pkCNa/yaq4RtjXcu3sSEJ

Score
10/10
flawedammyytrojan

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

    trojanflawedammyy
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe
    "C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe"
    1⤵
      PID:2508
    • C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe
      "C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe" -service -lunch
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:3068
      • C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe
        "C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe"
        2⤵
        • Checks computer location settings
        • Modifies data under HKEY_USERS
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2420

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\AMMYY\hr
      Filesize

      22B

      MD5

      e2d69555ad24ec3a110ff9ea70b319a2

      SHA1

      7e810d573e730578d7db8d57d9ab6f1cd364bd09

      SHA256

      fadf4ee2c25fca9f527b8e70714dc98537c8b4961578703698526b00cf6d0442

      SHA512

      fe562794cc527d49eaec7ffbb47b42d5592e14e7ae01c0d066ee252dc8636619663bd9e3ca926009a8b7eefc00f4db176b5f3d2a048a455a4b0ee2e5b2bc7610

      Download Submit

    • C:\ProgramData\AMMYY\hr3
      Filesize

      68B

      MD5

      4cc111537f5f7e2d89df00a82485e529

      SHA1

      0559c26ccf609e5100dfa0f6c0417adb61e457ee

      SHA256

      ad52151f270551c8fe20c2cea4cd216a85b428693651dd1213c8e053d676b252

      SHA512

      c179d43e9ae8150276b5f1cd9d2b2e07bd53096be87d98a57be728f85bf39afe1131bd4297c79d5b376985a9667ac64af5431263da05aa9d34c7da001dae9945

      Download Submit

    • C:\ProgramData\AMMYY\settings3.bin
      Filesize

      271B

      MD5

      714f2508d4227f74b6adacfef73815d8

      SHA1

      a35c8a796e4453c0c09d011284b806d25bdad04c

      SHA256

      a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480

      SHA512

      1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

      Download Submit