Analysis

  • max time kernel
    151s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags
    arch:x64
    arch:x86
    image:win7-20231020-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    01/12/2023, 15:14 UTC

General

  • Target

    6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe

  • Size

    746KB

  • MD5

    f8cd52b70a11a1fb3f29c6f89ff971ec

  • SHA1

    6a0c46818a6a10c2c5a98a0cce65fbaf95caa344

  • SHA256

    6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20

  • SHA512

    987b6b288a454b6198d4e7f94b7bba67cafe37f9654cd3cd72134a85958efd2125596ae48e66a8ee49ee3f4199dac7f136e1831f2bf4015f25d2980f0b866abe

  • SSDEEP

    12288:PUYpJqMH2OwlaUPcWWw5XZV8f64RteVpN5ETMasTjcP6gX:zpJJWOwlaUPcWWwRZb4Rt+N5WMasHoX

Score
10/10

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies data under HKEY_USERS 7 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe
    "C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe"
    1⤵
      PID:2888
    • C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe
      "C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe" -service -lunch
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2716
      • C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe
        "C:\Users\Admin\AppData\Local\Temp\6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe"
        2⤵
        • Checks computer location settings
        • Modifies data under HKEY_USERS
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2808

    Network

    • flag-us
      DNS
      rl.ammyy.com
      6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe
      Remote address:
      8.8.8.8:53
      Request
      rl.ammyy.com
      IN A
      Response
      rl.ammyy.com
      IN A
      188.42.129.148
    • flag-nl
      POST
      http://rl.ammyy.com/
      6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe
      Remote address:
      188.42.129.148:80
      Request
      POST / HTTP/1.1
      Content-Type: application/x-www-form-urlencoded
      Host: rl.ammyy.com
      Content-Length: 183
      Cache-Control: no-cache
      Response
      HTTP/1.1 200 OK
      Date: Fri, 01 Dec 2023 16:51:56 GMT
      Server: Apache
      X-Powered-By: PHP/5.4.16
      Content-Length: 136
      Content-Type: text/html
    • 188.42.129.148:80
      http://rl.ammyy.com/
      http
      6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe
      547 B
      444 B
      5
      4

      HTTP Request

      POST http://rl.ammyy.com/

      HTTP Response

      200
    • 136.243.104.242:443
      https
      6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe
      364 B
      217 B
      7
      5
    • 8.8.8.8:53
      rl.ammyy.com
      dns
      6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20.exe
      58 B
      74 B
      1
      1

      DNS Request

      rl.ammyy.com

      DNS Response

      188.42.129.148

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\ProgramData\AMMYY\hr

      Filesize

      22B

      MD5

      2cbb8be561d9c16a3ed0c912d65f2a1a

      SHA1

      6e42d690cedf002197263a9ca32064d97eb9127b

      SHA256

      d1f696145c72a0ba3d12302210e73215df6f77918e06e7b8d85675301648c190

      SHA512

      488b6f006253c0c246979c72bfce0b00fb6a622dfeaf4aa3ec43c0ceefaa4119558953f473109153324f7f2994239ecbd85298dcf810d47db8e5029a69f69eea

    • C:\ProgramData\AMMYY\hr3

      Filesize

      68B

      MD5

      c406ccab2cb70d086e24454b7a5fb83c

      SHA1

      db1acc08b9767518bbf7de2ab3ab4750be094097

      SHA256

      801724a6639045a4cf12a2cca17db4008284a5b9d45963c38cf307c4babbd69d

      SHA512

      c7f29f1ab313bab9b4b617cfea5d15c1be5651ae5ad718b91cc4cab58727fb8b950c0a1d7748287b6ee81f7bcf6b5b4406e5ff278d9eef8c8a9f6a32222b3ca2

    • C:\ProgramData\AMMYY\settings3.bin

      Filesize

      271B

      MD5

      714f2508d4227f74b6adacfef73815d8

      SHA1

      a35c8a796e4453c0c09d011284b806d25bdad04c

      SHA256

      a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480

      SHA512

      1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8
