Analysis

  • max time kernel
    151s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    01-12-2023 15:14

General

  • Target

    6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe

  • Size

    746KB

  • MD5

    f8cd52b70a11a1fb3f29c6f89ff971ec

  • SHA1

    6a0c46818a6a10c2c5a98a0cce65fbaf95caa344

  • SHA256

    6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20

  • SHA512

    987b6b288a454b6198d4e7f94b7bba67cafe37f9654cd3cd72134a85958efd2125596ae48e66a8ee49ee3f4199dac7f136e1831f2bf4015f25d2980f0b866abe

  • SSDEEP

    12288:PUYpJqMH2OwlaUPcWWw5XZV8f64RteVpN5ETMasTjcP6gX:zpJJWOwlaUPcWWwRZb4Rt+N5WMasHoX

Score
10/10

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies data under HKEY_USERS 7 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe
    "C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe"
    1⤵
      PID:2888
    • C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe
      "C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe" -service -lunch
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2716
      • C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe
        "C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe"
        2⤵
        • Checks computer location settings
        • Modifies data under HKEY_USERS
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2808

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\AMMYY\hr

      Filesize

      22B

      MD5

      2cbb8be561d9c16a3ed0c912d65f2a1a

      SHA1

      6e42d690cedf002197263a9ca32064d97eb9127b

      SHA256

      d1f696145c72a0ba3d12302210e73215df6f77918e06e7b8d85675301648c190

      SHA512

      488b6f006253c0c246979c72bfce0b00fb6a622dfeaf4aa3ec43c0ceefaa4119558953f473109153324f7f2994239ecbd85298dcf810d47db8e5029a69f69eea

    • C:\ProgramData\AMMYY\hr3

      Filesize

      68B

      MD5

      c406ccab2cb70d086e24454b7a5fb83c

      SHA1

      db1acc08b9767518bbf7de2ab3ab4750be094097

      SHA256

      801724a6639045a4cf12a2cca17db4008284a5b9d45963c38cf307c4babbd69d

      SHA512

      c7f29f1ab313bab9b4b617cfea5d15c1be5651ae5ad718b91cc4cab58727fb8b950c0a1d7748287b6ee81f7bcf6b5b4406e5ff278d9eef8c8a9f6a32222b3ca2

    • C:\ProgramData\AMMYY\settings3.bin

      Filesize

      271B

      MD5

      714f2508d4227f74b6adacfef73815d8

      SHA1

      a35c8a796e4453c0c09d011284b806d25bdad04c

      SHA256

      a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480

      SHA512

      1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8