Analysis
-
max time kernel
151s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system -
submitted
01-12-2023 15:14
Behavioral task
behavioral1
Sample
6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe
Resource
win10v2004-20231127-en
General
-
Target
6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe
-
Size
746KB
-
MD5
f8cd52b70a11a1fb3f29c6f89ff971ec
-
SHA1
6a0c46818a6a10c2c5a98a0cce65fbaf95caa344
-
SHA256
6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20
-
SHA512
987b6b288a454b6198d4e7f94b7bba67cafe37f9654cd3cd72134a85958efd2125596ae48e66a8ee49ee3f4199dac7f136e1831f2bf4015f25d2980f0b866abe
-
SSDEEP
12288:PUYpJqMH2OwlaUPcWWw5XZV8f64RteVpN5ETMasTjcP6gX:zpJJWOwlaUPcWWwRZb4Rt+N5WMasHoX
Malware Config
Signatures
-
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Control Panel\International\Geo\Nation 6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe -
Modifies data under HKEY_USERS 7 IoCs
Processes:
6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin 6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796e5f5e4c105953977284813e7bb26b 6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 4d8753afb210d883acc3aebafd730c08c40f8beb5920abf001ec0e18a4a1744ddd5478da770961e07406d640bb571d06ed577744a0a22f0a675af9d7eaee69dc6cd91075 6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings 6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin 6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE 6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe Key created \REGISTRY\USER\.DEFAULT\Software\Ammyy 6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exepid process 2808 6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe -
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exepid process 2808 6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exedescription pid process target process PID 2716 wrote to memory of 2808 2716 6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe 6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe PID 2716 wrote to memory of 2808 2716 6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe 6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe PID 2716 wrote to memory of 2808 2716 6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe 6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe PID 2716 wrote to memory of 2808 2716 6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe 6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe"C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe"1⤵PID:2888
-
C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe"C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe" -service -lunch1⤵
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe"C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe"2⤵
- Checks computer location settings
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2808
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
22B
MD52cbb8be561d9c16a3ed0c912d65f2a1a
SHA16e42d690cedf002197263a9ca32064d97eb9127b
SHA256d1f696145c72a0ba3d12302210e73215df6f77918e06e7b8d85675301648c190
SHA512488b6f006253c0c246979c72bfce0b00fb6a622dfeaf4aa3ec43c0ceefaa4119558953f473109153324f7f2994239ecbd85298dcf810d47db8e5029a69f69eea
-
Filesize
68B
MD5c406ccab2cb70d086e24454b7a5fb83c
SHA1db1acc08b9767518bbf7de2ab3ab4750be094097
SHA256801724a6639045a4cf12a2cca17db4008284a5b9d45963c38cf307c4babbd69d
SHA512c7f29f1ab313bab9b4b617cfea5d15c1be5651ae5ad718b91cc4cab58727fb8b950c0a1d7748287b6ee81f7bcf6b5b4406e5ff278d9eef8c8a9f6a32222b3ca2
-
Filesize
271B
MD5714f2508d4227f74b6adacfef73815d8
SHA1a35c8a796e4453c0c09d011284b806d25bdad04c
SHA256a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480
SHA5121171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8