Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24-12-2023 23:13

General

  • Target

    18966a28fba7a616962f90694009a466.exe

  • Size

    708KB

  • MD5

    18966a28fba7a616962f90694009a466

  • SHA1

    4f7ac1f55f093bf3c7dc0fb6971a6da701793a56

  • SHA256

    847a62b88f8e17d9face6fac84037a125f66c4db0f1cdbf464305f053578d37b

  • SHA512

    3a0073e82cdf16bb3accb1512f2bfb5da15ab9f12eeb0616fedfbed2a877fcf52be91017523ab121549e3b0a2501974137c0d88c2c56472f6adf45f0a021b8bd

  • SSDEEP

    12288:yVr29UGEg6VUM5oAL1jq3E2jj0NOjAqHKtCessZWjya7VM1en9Nm1RtNeCVao2Vy:oUbj4qwCessA41Rt0CVMVZtxI

Score
10/10

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence check.

  • Modifies data under HKEY_USERS (6 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SendNotifyMessage (1 IoC)
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe
    "C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe"
    1⤵
      PID:4560
    • C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe
      "C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe" -service -lunch
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2280
      • C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe
        "C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe"
        2⤵
        • Checks computer location settings
        • Modifies data under HKEY_USERS
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1336
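
The second process in the tree relaunches the same binary with "-service -lunch", and the relaunched copy (PID 1336) is the one that performs the locale check and the HKEY_USERS writes. The following is an added example, not code from the report or from its vendor, that turns that shape into detection logic over process-creation records. The records are constructed to mirror the tree above; the parent PIDs and the benign explorer.exe record are assumptions, since the report does not list parent PIDs explicitly.

```python
"""Process-tree detection for the relaunch pattern shown in the report.

Added example: this is not code from the sandbox report or from its vendor.
The records in SAMPLE_EVENTS are constructed to mirror the tree above; the
parent PIDs and the benign explorer.exe record are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# The second process in the tree relaunches the same binary with
# "-service -lunch". Keep the malware's own misspelling in the pattern;
# a rule written for "-launch" would never fire.
SERVICE_SWITCH = re.compile(r"(?i)\s-service\s+-lunch\b")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Hit:
    pid: int
    reason: str


def find_relaunch_chain(events: List[ProcEvent]) -> List[Hit]:
    """Return one Hit per suspicious process, in detection order.

    Rule 1: the command line carries "-service -lunch".
    Rule 2: the parent matched rule 1 and runs the same image; in the report
            this is the copy that checks the locale and touches HKEY_USERS.
    """
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    flagged: Set[int] = set()
    hits: List[Hit] = []
    for e in events:
        if SERVICE_SWITCH.search(e.cmdline):
            flagged.add(e.pid)
            hits.append(Hit(e.pid, "command line contains -service -lunch"))
    for e in events:
        parent = by_pid.get(e.ppid)
        if (parent is not None and parent.pid in flagged
                and parent.image.lower() == e.image.lower()
                and e.pid not in flagged):
            hits.append(Hit(e.pid, f"same-image child of flagged pid {parent.pid}"))
    return hits


IMAGE = r"C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe"

# Constructed records mirroring the report's tree (ppid values assumed).
SAMPLE_EVENTS = [
    ProcEvent(1000, 800, r"C:\Windows\explorer.exe", "explorer.exe"),  # assumed benign
    ProcEvent(4560, 1000, IMAGE, f'"{IMAGE}"'),
    ProcEvent(2280, 4560, IMAGE, f'"{IMAGE}" -service -lunch'),
    ProcEvent(1336, 2280, IMAGE, f'"{IMAGE}"'),
]


def flagged_pids(events: List[ProcEvent] = SAMPLE_EVENTS) -> List[int]:
    """Convenience wrapper: just the PIDs, for a quick check or a test."""
    return [h.pid for h in find_relaunch_chain(events)]


if __name__ == "__main__":
    for hit in find_relaunch_chain(SAMPLE_EVENTS):
        print(f"pid {hit.pid}: {hit.reason}")
```

Run against real telemetry by building ProcEvent records from Sysmon event ID 1 or EDR process-creation logs (image, command line, PID and parent PID are the only fields used). The first process in the tree (PID 4560) is deliberately not flagged on its own: a bare launch of an unknown executable carries no signal, and the chain only becomes distinctive at the "-service -lunch" relaunch.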

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\ProgramData\AMMYY\hr

      Filesize

      22B

      MD5

      74815f2583a01dd553c3069e2c9ca16b

      SHA1

      efe5917d4beae084419d0af0e2c92c82ac20b13b

      SHA256

      9af3723ecc9e7a954c973201a0f056029d62b8318f27ed4eaa10966da354603b

      SHA512

      40d56c7fcd9c1eaf3c228df9b79a83fb6a5a8e066f48a3c3c11e71f496d32b6f8fc08f9c25e36439c93d891b17911d9cba67e52d1d4d81da0533aa0260fa235d

    • C:\ProgramData\AMMYY\hr3

      Filesize

      68B

      MD5

      93c105c12c965d01a26c9e0cbd3b2727

      SHA1

      42f714404d61e52eed232f510efa4474bb13961a

      SHA256

      87da020507295b9fa549be759a57d911ba56385451452cdf62b42f2e8635a836

      SHA512

      c686ed128171069460890b7f28a4e26ea2f63a62c1e4f6cde054a4e24dbdaa1c67145ef9606f0eb6484e377d47911f3ba14381ea2377edfc374c0d6663161d26

    • C:\ProgramData\AMMYY\settings3.bin

      Filesize

      281B

      MD5

      0ab37e79601368085b4631f7a9c5597f

      SHA1

      7144ec339f1a518775a4719f3c1b5b2572775c1f

      SHA256

      142eee7e8791e4bd6f1e6bddacab55563c33069db8a977ea4416479ea5c1b565

      SHA512

      7cec54972600f22f4024a90b145114fb5b6f2f1e20882495d36b0dd1a4f4174a11eacb4dda66d457b7193bdc328f8bf909b6e73cd9e0c3bfd46cb8018b926a55
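
An added example, not code from the report or from the sandbox vendor, that checks a host (or an evidence image mounted on an analysis box) for the three dropped files above and compares them against the listed sizes and SHA-256 values. The mapping of "C:\" onto a scan root and the placeholder contents written by the demo fixture are assumptions; the real contents of hr, hr3 and settings3.bin are not on the page.

```python
"""Verify the dropped-file IOCs from the report against a live host or a
mounted image.

Added example: not code from the report or the sandbox vendor. Paths, sizes
and SHA-256 values are copied from the Downloads section; mapping "C:\\" onto
a scan root (so the same check runs over a mounted evidence image) and the
fixture contents used for the demo are assumptions.
"""
import hashlib
import os
import tempfile
from typing import Dict, Tuple

# Windows path -> (size in bytes, SHA-256), as listed in the report.
REPORT_ARTIFACTS: Dict[str, Tuple[int, str]] = {
    r"C:\ProgramData\AMMYY\hr":
        (22, "9af3723ecc9e7a954c973201a0f056029d62b8318f27ed4eaa10966da354603b"),
    r"C:\ProgramData\AMMYY\hr3":
        (68, "87da020507295b9fa549be759a57d911ba56385451452cdf62b42f2e8635a836"),
    r"C:\ProgramData\AMMYY\settings3.bin":
        (281, "142eee7e8791e4bd6f1e6bddacab55563c33069db8a977ea4416479ea5c1b565"),
}


def to_local(win_path: str, scan_root: str) -> str:
    """Map "C:\\ProgramData\\..." onto scan_root ("C:\\" on the host itself,
    "/mnt/evidence" for an image mounted on a Linux analysis box)."""
    rel = win_path[3:] if win_path[1:3] == ":\\" else win_path
    return os.path.join(scan_root, *rel.split("\\"))


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_artifacts(scan_root: str,
                    artifacts: Dict[str, Tuple[int, str]] = REPORT_ARTIFACTS
                    ) -> Dict[str, str]:
    """Verdict per report path: "absent", "match" or "present-different".

    Treat "present-different" as a finding, not a miss: at 22, 68 and 281
    bytes these files look like per-install state rather than code, so their
    hashes need not repeat on another victim, while the AMMYY directory under
    ProgramData appearing at all is the stronger signal.
    """
    verdicts: Dict[str, str] = {}
    for win_path, (size, digest) in artifacts.items():
        local = to_local(win_path, scan_root)
        if not os.path.isfile(local):
            verdicts[win_path] = "absent"
        elif os.path.getsize(local) == size and sha256_of(local) == digest.lower():
            verdicts[win_path] = "match"
        else:
            verdicts[win_path] = "present-different"
    return verdicts


def make_fixture() -> str:
    """Build a throwaway scan root holding the three paths with constructed
    placeholder content (the real file contents are not in the report)."""
    root = tempfile.mkdtemp(prefix="ammyy_ioc_")
    for win_path, (size, _) in REPORT_ARTIFACTS.items():
        local = to_local(win_path, root)
        os.makedirs(os.path.dirname(local), exist_ok=True)
        with open(local, "wb") as f:
            f.write(b"\x00" * size)  # right size, wrong bytes
    return root


if __name__ == "__main__":
    root = make_fixture()
    for path, verdict in check_artifacts(root).items():
        print(f"{verdict:17} {path}")
    # Live host: check_artifacts("C:\\")   Mounted image: check_artifacts("/mnt/evidence")
```

Because the three artifacts are tiny and live under a directory name the sandbox already attributes to Ammyy, a responder should sweep for the directory first and use the hashes only to tie a host to this exact sample; a mismatch on settings3.bin is still a host running the RAT.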