Analysis
-
max time kernel
152s -
max time network
168s -
platform
windows7_x64 -
resource
win7-20231025-en -
resource tags
arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system -
submitted
01-12-2023 15:03
Behavioral task
behavioral1
Sample
7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe
Resource
win7-20231025-en
Behavioral task
behavioral2
Sample
7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe
Resource
win10v2004-20231127-en
General
-
Target
7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe
-
Size
750KB
-
MD5
26c5005b85c01d3d38213a1f91e4f37f
-
SHA1
8612bbad1bdb8e8ee4d2d09d49794e5e90eb74e1
-
SHA256
7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404
-
SHA512
e18284fdd4701225d23236e723e5cc7d03aa8642852a76907441ff63a00d8141b4ef999f0fba2ca2d4caae1e865c98b803e3efcb36139b3667fe4a5149c2f83a
-
SSDEEP
12288:4eZpoosVoyMZ19L4t1/TdEv4Rt1AD6x64+6dsavVUWgJ:4etSwZ190t1/Tm4Rts6wlAshTJ
Malware Config
Signatures
-
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\International\Geo\Nation 7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe -
Modifies data under HKEY_USERS 6 IoCs
Processes:
7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings 7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin 7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE 7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy 7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c105953779a63a3217bb26b 7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = bb249cff547072c67d3b71518cf1a555ea3cecb630aaa79449b04fd707c4b4a3baec3a19c87668b6e93af60c01eabf768126198f4caafa4a70d426a70f189eb297e199de 7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exepid process 2620 7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe -
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exepid process 2620 7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exedescription pid process target process PID 2452 wrote to memory of 2620 2452 7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe 7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe PID 2452 wrote to memory of 2620 2452 7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe 7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe PID 2452 wrote to memory of 2620 2452 7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe 7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe PID 2452 wrote to memory of 2620 2452 7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe 7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe"C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe"1⤵PID:1764
-
C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe"C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe" -service -lunch1⤵
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe"C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe"2⤵
- Checks computer location settings
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2620
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
22B
MD56a96ee96670ef4bacdb4ec11eb4ac571
SHA1a93cffb624b317889468c2ed1145eec0bff1e4d9
SHA2566103a4b5b392766373a83be7eaf1fbf7f2e53b6d2579bce7e7189c10477a0496
SHA512bffec1abfa5489f837d17a3651b491c01591f3cc21d27672a6e05c872be63ba527e38d44b0da67f50ef89c04f758e5010b43a9cef4ada3f37af9bcacb52ae1c3
-
Filesize
68B
MD5334b86b448ba57cc53b675725af1e2ae
SHA1b8592f3ee4a02a9440c482c24aceac152e2283c4
SHA256b21bdd50799ac82e98c1df7e68d16f3cecd8743464ea017f0648ab38b7e33277
SHA512892033d019b17580b739359f9363a8de44840dd0a0457e36b498592068c6091bf45a8703002892f12f98b452d00c52c7a3333ae9d7f1f85b17236527bd2484ce
-
Filesize
271B
MD5714f2508d4227f74b6adacfef73815d8
SHA1a35c8a796e4453c0c09d011284b806d25bdad04c
SHA256a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480
SHA5121171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8