Analysis

  • max time kernel: 152s
  • max time network: 147s
  • platform: windows7_x64
  • resource: win7-20231020-en
  • resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
  • submitted: 01-12-2023 15:06

General

  • Target: 4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe
  • Size: 726KB
  • MD5: 190785b2bb664324334c1b5231b5c4b0
  • SHA1: 07539abb2623fe24b9a05e240f675fa2d15268cb
  • SHA256: 4731517b198414342891553881913565819509086b8154214462788c740b34c9
  • SHA512: ab40f182fb52e5281f0761cf064a7f4b82ea04a2c9c00fe6faa4e61f8e632b8c7a64820e226b2ab668c99ada195c1ca117b702474bd023d84991a16dd10ba85c
  • SSDEEP: 12288:8YdNctvsfu2LVBfKf057C9lRt3i5olGJsxhzagH:HdNikfu2hBfK8ilRty5olGJsxNH

Score
10/10

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence.

  • Modifies data under HKEY_USERS (7 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SendNotifyMessage (1 IoC)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe
    "C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe"
    PID: 2924
    • C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe
      "C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe" -service -lunch
      PID: 2228
      Signatures: Suspicious use of WriteProcessMemory
      • C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe
        "C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe"
        PID: 2368
        Signatures: Checks computer location settings; Modifies data under HKEY_USERS; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\AMMYY\hr
    Filesize: 22B
    MD5: c69a96d2f781281f7508e08f1a0f95fb
    SHA1: 130383ffa4974d99456f3fc4189e464f3de3e90b
    SHA256: 39b10beb0035aa6bb2c424669d333077ff24625223433bf329c20bfdee4dcc5b
    SHA512: 74fb6c0aeff16fb81b231081badc3df4f57bca5972e7aa517c8433383f13af1381b121330e48f69de71fcf7f41981d8b99b481c9fda00b9f9529455ec8019ede

  • C:\ProgramData\AMMYY\hr3
    Filesize: 68B
    MD5: 642e2d4c03ee37296c610dc53ebeca51
    SHA1: b87401fcca031cece87a3a08477ad72e9f2888e8
    SHA256: 08c9bb8eb0355b0695d04f340434ef83e233e3aadaf22dd3b14e38f08d25ede6
    SHA512: 93049bc9d9c5117401f4a964941f7e0b972d09443bfedbfc1b58fd3ca56533d781f8f381b6de03b6b3830127046653ef23a5aa1479316d6c00747b8cffdc750c

  • C:\ProgramData\AMMYY\settings3.bin
    Filesize: 271B
    MD5: 4cb889e527b0d0781a17f6c2dd968129
    SHA1: 6a6a55cd5604370660f1c1ad1025195169be8978
    SHA256: 2658cd46dd49335e739cafa31ff2ec63f3315b65ecc171a0f7612713d3ac702b
    SHA512: 297d2c05d2ac950faeb519d3e7bc56ea9d9fcab65b5dfdbba2720be8eddc8b2d5ead3dc7c122b82d6937be6c2d7bb88872dd7b80961138571245fba381daac3f