Analysis

  • max time kernel
    120s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    20-09-2023 06:41

General

  • Target

    Device/HarddiskVolume3/Users/WissamIH/Downloads/Unconfirmed 517520.exe

  • Size

    798KB

  • MD5

    90aadf2247149996ae443e2c82af3730

  • SHA1

    050b7eba825412b24e3f02d76d7da5ae97e10502

  • SHA256

    ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

  • SHA512

    eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

  • SSDEEP

    24576:Uj0JJ4p/A4npt3XojeQG5EtzRtO7GvmDguXd:UjoJ4u4zojegylDN

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\WissamIH\Downloads\Unconfirmed 517520.exe
    "C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\WissamIH\Downloads\Unconfirmed 517520.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    PID:1728
  • C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\WissamIH\Downloads\Unconfirmed 517520.exe
    "C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\WissamIH\Downloads\Unconfirmed 517520.exe" -service -lunch
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1264
    • C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\WissamIH\Downloads\Unconfirmed 517520.exe
      "C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\WissamIH\Downloads\Unconfirmed 517520.exe"
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      PID:2332

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\AMMYY\settings3.bin

    Filesize

    327B

    MD5

    9cf7dbafc73193c3813920793b9ad924

    SHA1

    6f5b6f291eecac2c66a8635f0074a879b71d54f6

    SHA256

    a08d9c83e04425e1246dfbf0d5f94b8061ee1963e4ddb2dcd3166de2981e602d

    SHA512

    04a874a6ac352e6ea79142f3be28af1f9434788b7955749414d4a5119721e798215af196b2b2b084b84f99999725d9e3391a9873ed3982be54b3af6fe360a5ef