Analysis
-
max time kernel
120s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20230831-en -
resource tags
arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system -
submitted
20-09-2023 06:41
Behavioral task
behavioral1
Sample
Device/HarddiskVolume3/Users/WissamIH/Downloads/Unconfirmed 517520.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
Device/HarddiskVolume3/Users/WissamIH/Downloads/Unconfirmed 517520.exe
Resource
win10v2004-20230915-en
General
-
Target
Device/HarddiskVolume3/Users/WissamIH/Downloads/Unconfirmed 517520.exe
-
Size
798KB
-
MD5
90aadf2247149996ae443e2c82af3730
-
SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502
-
SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
-
SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be
-
SSDEEP
24576:Uj0JJ4p/A4npt3XojeQG5EtzRtO7GvmDguXd:UjoJ4u4zojegylDN
Malware Config
Signatures
-
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system. The IoC behind this signature is a handle to the raw disk object \??\PhysicalDrive0 opened for modification; the report does not show the bytes written, so treat it as a raw-disk write capability rather than a confirmed bootkit install.
Processes:
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | Unconfirmed 517520.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | Process
2332 | Unconfirmed 517520.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
description | pid | Process | procid_target
PID 1264 wrote to memory of 2332 | 1264 | Unconfirmed 517520.exe | 29
PID 1264 wrote to memory of 2332 | 1264 | Unconfirmed 517520.exe | 29
PID 1264 wrote to memory of 2332 | 1264 | Unconfirmed 517520.exe | 29
PID 1264 wrote to memory of 2332 | 1264 | Unconfirmed 517520.exe | 29
All four writes go from PID 1264 (the instance started with -service -lunch) into its own child PID 2332, a second copy of the same image.
Processes
-
1⤵ C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\WissamIH\Downloads\Unconfirmed 517520.exe
   "C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\WissamIH\Downloads\Unconfirmed 517520.exe"
   - Writes to the Master Boot Record (MBR)
   PID:1728
-
1⤵ C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\WissamIH\Downloads\Unconfirmed 517520.exe
   "C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\WissamIH\Downloads\Unconfirmed 517520.exe" -service -lunch
   - Suspicious use of WriteProcessMemory
   PID:1264
   -
   2⤵ C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\WissamIH\Downloads\Unconfirmed 517520.exe
      "C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\WissamIH\Downloads\Unconfirmed 517520.exe"
      - Suspicious behavior: GetForegroundWindowSpam
      PID:2332
-
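The three signatures and the process tree above can be reproduced mechanically from per-process events. The Python below is an added example, not Triage's own code or output format: it runs the same three checks (a physical-drive object opened for modification, cross-process memory writes from a parent into a same-image child, and the -service -lunch switch pair) over a constructed event set that mirrors this report, and renders the tree with the report's depth markers. The Event and Proc record shapes, the field names, and the assumption that both depth-1 processes have no captured parent are the example's own.

```python
"""Behavioural checks modelled on this report's signatures (added example).

The events and processes below are constructed to mirror the report;
they are not sandbox output and the record layout is an assumption.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]   # None = root of the observed tree (parent not captured)
    image: str
    cmdline: str


@dataclass(frozen=True)
class Event:
    kind: str             # "file_open" | "write_process_memory"
    pid: int              # acting process
    target: str           # device path for file_open, target PID (as str) for WPM
    access: str = ""      # "modification" or "read" for file_open


def nt_path(path: str) -> str:
    # \\.\PhysicalDrive0 (Win32) and \??\PhysicalDrive0 (NT, as in the report)
    # name the same object; canonicalise to the NT form, lower-cased.
    p = path.strip().lower()
    if p.startswith("\\\\.\\"):
        p = "\\??\\" + p[4:]
    return p


def raw_disk_writes(events):
    # PIDs that opened a physical drive for modification. A write handle on the
    # drive object is all that is needed to overwrite sector 0, i.e. the MBR.
    hits = []
    for e in events:
        if e.kind != "file_open" or e.access != "modification":
            continue
        if nt_path(e.target).startswith("\\??\\physicaldrive"):
            hits.append((e.pid, e.target))
    return hits


def cross_process_writes(events, procs):
    # Distinct (source, target) WriteProcessMemory pairs with a count, flagged
    # when the target is the source's own child running the same image.
    by_pid = {p.pid: p for p in procs}
    pairs = {}
    for e in events:
        if e.kind != "write_process_memory":
            continue
        src, dst = e.pid, int(e.target)
        if src == dst:
            continue
        pairs[(src, dst)] = pairs.get((src, dst), 0) + 1
    out = []
    for (src, dst), n in sorted(pairs.items()):
        s, d = by_pid.get(src), by_pid.get(dst)
        out.append({
            "src": src, "dst": dst, "count": n,
            "child": d is not None and d.ppid == src,
            "same_image": s is not None and d is not None
                          and s.image.lower() == d.image.lower(),
        })
    return out


def ammyy_service_launch(procs):
    # PIDs started with both switches seen on PID 1264 in the report.
    return [p.pid for p in procs
            if {"-service", "-lunch"} <= {t.lower() for t in p.cmdline.split()}]


def render_tree(procs):
    # Indent by depth, mirroring the report's 1⤵ / 2⤵ markers.
    lines = []

    def walk(parent, depth):
        for p in procs:
            if p.ppid == parent:
                lines.append(
                    f"{'  ' * (depth - 1)}{depth}> PID {p.pid} {p.image} {p.cmdline}".rstrip())
                walk(p.pid, depth + 1)

    walk(None, 1)
    return lines


# Constructed data mirroring the report's process tree and IoC rows.
IMAGE = "Unconfirmed 517520.exe"
PROCS = [
    Proc(1728, None, IMAGE, ""),
    Proc(1264, None, IMAGE, "-service -lunch"),
    Proc(2332, 1264, IMAGE, ""),
]
EVENTS = [Event("file_open", 1728, r"\??\PhysicalDrive0", "modification")] \
    + [Event("write_process_memory", 1264, "2332")] * 4

if __name__ == "__main__":
    print(raw_disk_writes(EVENTS))
    print(cross_process_writes(EVENTS, PROCS))
    print(ammyy_service_launch(PROCS))
    print("\n".join(render_tree(PROCS)))
```

The `cross_process_writes` flags are the useful part for triage: a parent writing into a freshly spawned copy of itself is the usual shape of self-injection, whereas the raw count of WriteProcessMemory calls on its own says little.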
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
327B
MD5
9cf7dbafc73193c3813920793b9ad924
SHA1
6f5b6f291eecac2c66a8635f0074a879b71d54f6
SHA256
a08d9c83e04425e1246dfbf0d5f94b8061ee1963e4ddb2dcd3166de2981e602d
SHA512
04a874a6ac352e6ea79142f3be28af1f9434788b7955749414d4a5119721e798215af196b2b2b084b84f99999725d9e3391a9873ed3982be54b3af6fe360a5ef