Analysis

  • max time kernel
    153s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-10-2023 02:29

General

  • Target

    AMMYY_Admin.exe

  • Size

    651KB

  • MD5

    b730e7b8f3eebd51dc21d7997313b890

  • SHA1

    57ef7a2d07f3703f84c1d7ad33e34e550d23a6fa

  • SHA256

    e4a87095c27219afe9c7a3cb01c13de899e201d2340748a5fc446207c8f99b2a

  • SHA512

    05e87e0ac0e6c097cec3e3801c66752f1a69bd3f8b732062b16596fd4e46388e66eb2e4455ede69769dad62cb7a063849cc2199c140c6ba6a498173eaafe051d

  • SSDEEP

    12288:caA9OKLSwaIN5U8xvFoRQMEoO2rx8ikfRtjIe9rtv8zl6mi/gQ:AkK+waI8JRQMEJ2rufRtse9rtv8zlBi3

Score
10/10

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 12 IoCs
  • Modifies data under HKEY_USERS 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AMMYY_Admin.exe
    "C:\Users\Admin\AppData\Local\Temp\AMMYY_Admin.exe"
    1⤵
      PID:1452
    • C:\Users\Admin\AppData\Local\Temp\AMMYY_Admin.exe
      "C:\Users\Admin\AppData\Local\Temp\AMMYY_Admin.exe" -service -lunch
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:4844
      • C:\Users\Admin\AppData\Local\Temp\AMMYY_Admin.exe
        "C:\Users\Admin\AppData\Local\Temp\AMMYY_Admin.exe"
        2⤵
        • Checks computer location settings
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4428

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\AMMYY\settings.bin

      Filesize

      76B

      MD5

      090bba5cbe9cd62189310f633f14d686

      SHA1

      0ce1d78aace04650b0c592665686a89412c1771c

      SHA256

      7bc48188bbd0ad1b7ac10257e6a8fc5327f2ccfd56402a4353f6d8ef26eb0ff8

      SHA512

      846781bdb4d8902963f1859077c8db4c763fdd4ca28f0be83b95c20d324b5db030f312fc3d4f959dc05ca4f41ef872a49d123195494b16440e16ebcc5edb31a7