Analysis

  • max time kernel
    152s
  • max time network
    168s
  • platform
    windows7_x64
  • resource
    win7-20231025-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231025-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-12-2023 15:03

General

  • Target
    7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe
  • Size
    750KB
  • MD5
    26c5005b85c01d3d38213a1f91e4f37f
  • SHA1
    8612bbad1bdb8e8ee4d2d09d49794e5e90eb74e1
  • SHA256
    7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404
  • SHA512
    e18284fdd4701225d23236e723e5cc7d03aa8642852a76907441ff63a00d8141b4ef999f0fba2ca2d4caae1e865c98b803e3efcb36139b3667fe4a5149c2f83a
  • SSDEEP
    12288:4eZpoosVoyMZ19L4t1/TdEv4Rt1AD6x64+6dsavVUWgJ:4etSwZ190t1/Tm4Rts6wlAshTJ

Score
10/10

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe
    "C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe"
    1⤵
      PID:1764
    • C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe
      "C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe" -service -lunch
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2452
      • C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe
        "C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe"
        2⤵
        • Checks computer location settings
        • Modifies data under HKEY_USERS
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2620

    Network

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\ProgramData\AMMYY\hr
      Filesize
      22B
      MD5
      6a96ee96670ef4bacdb4ec11eb4ac571
      SHA1
      a93cffb624b317889468c2ed1145eec0bff1e4d9
      SHA256
      6103a4b5b392766373a83be7eaf1fbf7f2e53b6d2579bce7e7189c10477a0496
      SHA512
      bffec1abfa5489f837d17a3651b491c01591f3cc21d27672a6e05c872be63ba527e38d44b0da67f50ef89c04f758e5010b43a9cef4ada3f37af9bcacb52ae1c3

    • C:\ProgramData\AMMYY\hr3
      Filesize
      68B
      MD5
      334b86b448ba57cc53b675725af1e2ae
      SHA1
      b8592f3ee4a02a9440c482c24aceac152e2283c4
      SHA256
      b21bdd50799ac82e98c1df7e68d16f3cecd8743464ea017f0648ab38b7e33277
      SHA512
      892033d019b17580b739359f9363a8de44840dd0a0457e36b498592068c6091bf45a8703002892f12f98b452d00c52c7a3333ae9d7f1f85b17236527bd2484ce

    • C:\ProgramData\AMMYY\settings3.bin
      Filesize
      271B
      MD5
      714f2508d4227f74b6adacfef73815d8
      SHA1
      a35c8a796e4453c0c09d011284b806d25bdad04c
      SHA256
      a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480
      SHA512
      1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8