Overview

overview

10

Static

static

10

aa.exe

windows7-x64

10

aa.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    20/07/2023, 11:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aa.exe

  • Size

    755KB

  • MD5

    11bc606269a161555431bacf37f7c1e4

  • SHA1

    63c52b0ac68ab7464e2cd777442a5807db9b5383

  • SHA256

    1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed

  • SHA512

    0be867fce920d493d2a37f996627bceea87621ba4071ae4383dd4a24748eedf7dc5ca6db089217b82ec38870248c6840f785683bf359d1014c7109e7d46dd90f

  • SSDEEP

    12288:XVFUEuNmwvGrw9i0aTGRGicBckyyFRtWY1i3FTsvOVV0gz:3UEUUw9RaTNicBrPFRtJ1iVTsC5z

Score
10/10
flawedammyytrojan

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

    trojanflawedammyy
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aa.exe
    "C:\Users\Admin\AppData\Local\Temp\aa.exe"
    1⤵
      PID:1360
    • C:\Users\Admin\AppData\Local\Temp\aa.exe
      "C:\Users\Admin\AppData\Local\Temp\aa.exe" -service -lunch
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2280
      • C:\Users\Admin\AppData\Local\Temp\aa.exe
        "C:\Users\Admin\AppData\Local\Temp\aa.exe"
        2⤵
        • Checks computer location settings
        • Modifies data under HKEY_USERS
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2832

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\AMMYY\hr
      Filesize

      22B

      MD5

      f769ed72ee69c8659a0152693aacaefa

      SHA1

      f82b4bb31eaac7960349df21c71c03901918d285

      SHA256

      714892561c145f8e02ee7436a6335d459513b7bfe6b3e9d7c4e6dee24d1b73d3

      SHA512

      0995caba7f3040f01e35538d1339d9875045990a4ec9328bf5a8b54d8f8f243c1451edb0979affc043fca5a5d7540836050ddcf77c8258cc5ecd64ee4edb49ce

      Download Submit

    • C:\ProgramData\AMMYY\hr3
      Filesize

      68B

      MD5

      6185640f34e6981518fa442ef41eb46a

      SHA1

      509bbb4139376d474fe7c26fc61ef2d321a973c7

      SHA256

      8d0dbd9c1856ea679f7ddd6964ffe38d0443eb3c4c765b8b74b4c1ed07f2dbd5

      SHA512

      ec8c8719ac6b60d7b271e36a0448b48d9803a3cbe304a21117d842322ef0c4685c9147f550e99fccaed8aaa52b0e535e0a0834510a005dd5b1bed5fb7c98cbf7

      Download Submit

    • C:\ProgramData\AMMYY\settings3.bin
      Filesize

      271B

      MD5

      714f2508d4227f74b6adacfef73815d8

      SHA1

      a35c8a796e4453c0c09d011284b806d25bdad04c

      SHA256

      a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480

      SHA512

      1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

      Download Submit