Analysis

  • max time kernel
    158s
  • max time network
    182s
  • platform
    windows7_x64
  • resource
    win7-20231025-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231025-en, locale:en-us, os:windows7-x64, system
  • submitted
    01/12/2023, 15:04 UTC

General

  • Target
    d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe
  • Size
    762KB
  • MD5
    e9b569f7cbf23d91df065c18f4c43840
  • SHA1
    5d7cb1a2ca7db04edf23dd3ed41125c8c867b0ad
  • SHA256
    d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605
  • SHA512
    a9f01663b0c0ce9d30bd6760847bf3c18318801634145ec75e047019a8e8a9b13ea8122449b8f45ad40b63d4551cb85230df1b41a41ddc33a39cfcf2ec237ccb
  • SSDEEP
    12288:kX5PFc+E0SlpOvcC1KL/q/IZVURtCdshX5x8jR31QEY0VEoge:2P++ZSlpOUC1KT4+URtYshX5aRlQEYte

Score
10/10

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

  • Checks computer location settings (2 TTPs, 1 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Modifies data under HKEY_USERS (5 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoCs)
  • Suspicious use of SendNotifyMessage (1 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe
    "C:\Users\Admin\AppData\Local\Temp\d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe"
    PID: 1920
    • C:\Users\Admin\AppData\Local\Temp\d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe
      "C:\Users\Admin\AppData\Local\Temp\d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe" -service -lunch
      PID: 1016
      Signatures: Suspicious use of WriteProcessMemory
      • C:\Users\Admin\AppData\Local\Temp\d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe
        "C:\Users\Admin\AppData\Local\Temp\d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe"
        PID: 2928
        Signatures: Checks computer location settings; Modifies data under HKEY_USERS; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

    Network

    • DNS
      rl.ammyy.com
      d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe
      Remote address:
      8.8.8.8:53
      Request
      rl.ammyy.com
      IN A
      Response
      rl.ammyy.com
      IN A
      188.42.129.148
    • POST
      http://rl.ammyy.com/
      d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe
      Remote address:
      188.42.129.148:80
      Request
      POST / HTTP/1.1
      Content-Type: application/x-www-form-urlencoded
      Host: rl.ammyy.com
      Content-Length: 204
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Date: Fri, 01 Dec 2023 15:23:54 GMT
      Server: Apache
      X-Powered-By: PHP/5.4.16
      Content-Length: 136
      Content-Type: text/html
    • 188.42.129.148:80
      http://rl.ammyy.com/
      http
      d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe
      890 B
      764 B
      12
      5

      HTTP Request

      POST http://rl.ammyy.com/

      HTTP Response

      200
    • 136.243.104.242:443
      https
      d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe
      416 B
      299 B
      8
      7
    • 8.8.8.8:53
      rl.ammyy.com
      dns
      d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605.exe
      58 B
      74 B
      1
      1

      DNS Request

      rl.ammyy.com

      DNS Response

      188.42.129.148

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\ProgramData\AMMYY\settings3.bin
      Filesize
      274B
      MD5
      bcc40b676c5b0f5a176be92cc8f4199f
      SHA1
      5415364e6ab90151eb1272268cb75ef6c4306a2f
      SHA256
      d3df407118bd28d28e7d3c8afc497c5e478e5d078f7792501ddecb45f3b51826
      SHA512
      467c473be5b9f6e0b8302620b6fbd9ad84f90da2bae3247d8326a22bfdd902fd79e55a2160493903eb747db6ef38fc9decb3db372afa26667f374ca2d0ceb36d