Analysis
-
max time kernel
117s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system -
submitted
01-12-2023 15:16
Behavioral task
behavioral1
Sample
7aeab9459e2a833d56e474a23ab56bc66645a89ff8ef175050d8b0bed74d090e.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
7aeab9459e2a833d56e474a23ab56bc66645a89ff8ef175050d8b0bed74d090e.exe
Resource
win10v2004-20231127-en
General
-
Target
7aeab9459e2a833d56e474a23ab56bc66645a89ff8ef175050d8b0bed74d090e.exe
-
Size
774KB
-
MD5
79910ca3e3418acca4fa2f2e16bac1a3
-
SHA1
e2619c3d2580aa37c579835fdd3c5efee3f22412
-
SHA256
7aeab9459e2a833d56e474a23ab56bc66645a89ff8ef175050d8b0bed74d090e
-
SHA512
0e5ae373f2c1f9c8ba03338c2b5c520c6c1b1fa6ad38bcfa52f926634e1f65fac1cbd50af96c6e4d873424c38a1dd4c985d5fdc5de12a5827c76852340bffb5a
-
SSDEEP
12288:/Xe1Z2fJipMHEgSeA6M7kmchJGvRuORtcE9qTpy+Yg0HkV+QgM:ftkmHEgSewkmchJGsORtn9qT8+Yg03FM
Malware Config
Signatures
-
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
7aeab9459e2a833d56e474a23ab56bc66645a89ff8ef175050d8b0bed74d090e.exepid Process 2088 7aeab9459e2a833d56e474a23ab56bc66645a89ff8ef175050d8b0bed74d090e.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
7aeab9459e2a833d56e474a23ab56bc66645a89ff8ef175050d8b0bed74d090e.exedescription pid Process procid_target PID 2188 wrote to memory of 2088 2188 7aeab9459e2a833d56e474a23ab56bc66645a89ff8ef175050d8b0bed74d090e.exe 29 PID 2188 wrote to memory of 2088 2188 7aeab9459e2a833d56e474a23ab56bc66645a89ff8ef175050d8b0bed74d090e.exe 29 PID 2188 wrote to memory of 2088 2188 7aeab9459e2a833d56e474a23ab56bc66645a89ff8ef175050d8b0bed74d090e.exe 29 PID 2188 wrote to memory of 2088 2188 7aeab9459e2a833d56e474a23ab56bc66645a89ff8ef175050d8b0bed74d090e.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\7aeab9459e2a833d56e474a23ab56bc66645a89ff8ef175050d8b0bed74d090e.exe"C:\Users\Admin\AppData\Local\Temp\7aeab9459e2a833d56e474a23ab56bc66645a89ff8ef175050d8b0bed74d090e.exe"1⤵PID:2492
-
C:\Users\Admin\AppData\Local\Temp\7aeab9459e2a833d56e474a23ab56bc66645a89ff8ef175050d8b0bed74d090e.exe"C:\Users\Admin\AppData\Local\Temp\7aeab9459e2a833d56e474a23ab56bc66645a89ff8ef175050d8b0bed74d090e.exe" -service -lunch1⤵
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Users\Admin\AppData\Local\Temp\7aeab9459e2a833d56e474a23ab56bc66645a89ff8ef175050d8b0bed74d090e.exe"C:\Users\Admin\AppData\Local\Temp\7aeab9459e2a833d56e474a23ab56bc66645a89ff8ef175050d8b0bed74d090e.exe"2⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:2088
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
280B
MD5542835956a0ff5490c297efa14b3c1d3
SHA1433d62823acc56546a2389b814067cc0771ac8dc
SHA25606d265cab42ce567749866bfbc9378f018101196cbea28cddc1ecd2e0b42fa87
SHA51234384f243c7c04a761fa24288f65ff5ea6b9115a53ddecaf9707b11b700cdd3113a06eb9c11b7c7f69771352ca81d0a014825b2b515ae88557f6dfef94bb8414