Overview

overview

10

Static

static

10

tmp.exe

windows10-2004-x64

10

Resubmissions

17-10-2023 14:16

231017-rk8n9scd4t 10

17-10-2023 14:14

231017-rj57racd3y 10

18-01-2023 09:10

230118-k42xhadg39 10

Analysis

  • max time kernel
    110s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-es
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-eslocale:es-esos:windows10-2004-x64systemwindows
  • submitted
    17-10-2023 14:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    798KB

  • MD5

    90aadf2247149996ae443e2c82af3730

  • SHA1

    050b7eba825412b24e3f02d76d7da5ae97e10502

  • SHA256

    ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

  • SHA512

    eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

  • SSDEEP

    24576:Uj0JJ4p/A4npt3XojeQG5EtzRtO7GvmDguXd:UjoJ4u4zojegylDN

Score
10/10
flawedammyybootkitpersistencetrojan

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

    trojanflawedammyy
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 12 IoCs
  • Modifies data under HKEY_USERS 14 IoCs
  • Suspicious behavior: SetClipboardViewer 1 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    PID:4824
  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe" -service -lunch
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2760
    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      2⤵
      • Checks computer location settings
      • Writes to the Master Boot Record (MBR)
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious behavior: SetClipboardViewer
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2812
      • C:\Windows\SYSTEM32\rundll32.exe
        rundll32.exe "C:\ProgramData\AMMYY\aa_nts.dll",run
        3⤵
        • Loads dropped DLL
        PID:4856

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\AMMYY\aa_nts.dll
    Filesize

    902KB

    MD5

    480a66902e6e7cdafaa6711e8697ff8c

    SHA1

    6ac730962e7c1dba9e2ecc5733a506544f3c8d11

    SHA256

    7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

    SHA512

    7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

    Download Submit

  • C:\ProgramData\AMMYY\aa_nts.dll
    Filesize

    902KB

    MD5

    480a66902e6e7cdafaa6711e8697ff8c

    SHA1

    6ac730962e7c1dba9e2ecc5733a506544f3c8d11

    SHA256

    7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

    SHA512

    7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

    Download Submit

  • C:\ProgramData\AMMYY\aa_nts.msg
    Filesize

    46B

    MD5

    3f05819f995b4dafa1b5d55ce8d1f411

    SHA1

    404449b79a16bfc4f64f2fd55cd73d5d27a85d71

    SHA256

    7e0bf0cbd06a087500a9c3b50254df3a8a2c2980921ab6a62ab1121941c80fc0

    SHA512

    34abb7df8b3a68e1649ff0d2762576a4d4e65da548e74b1aa65c2b82c1b89f90d053ecddac67c614ca6084dc5b2cb552949250fb70f49b536f1bcb0057717026

    Download Submit

  • C:\ProgramData\AMMYY\settings3.bin
    Filesize

    327B

    MD5

    530db80e26eb8e96b32ae314003df5d7

    SHA1

    4f0cabc834e652a165d22446a518243e84bd2448

    SHA256

    19a98d1d4497478c4731e6548b7016671b66cc5b34924d74bff3247f4641cd2c

    SHA512

    da5c11727a4664f50932decb12d9dad2779b5f4b7c235c138fb3fa0dc73f532b4e8eed4aa71776385bd4ca405b4ab3cd3e499158f3c192034d8999e61420aed3

    Download Submit

  • memory/4856-17-0x0000000064200000-0x00000000642EE000-memory.dmp

    Filesize

    952KB

    Download