Overview

overview

10

Static

static

10

18966a28fb...66.exe

windows7-x64

10

18966a28fb...66.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    202s
  • max time network
    194s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    25-12-2023 10:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    18966a28fba7a616962f90694009a466.exe

  • Size

    708KB

  • MD5

    18966a28fba7a616962f90694009a466

  • SHA1

    4f7ac1f55f093bf3c7dc0fb6971a6da701793a56

  • SHA256

    847a62b88f8e17d9face6fac84037a125f66c4db0f1cdbf464305f053578d37b

  • SHA512

    3a0073e82cdf16bb3accb1512f2bfb5da15ab9f12eeb0616fedfbed2a877fcf52be91017523ab121549e3b0a2501974137c0d88c2c56472f6adf45f0a021b8bd

  • SSDEEP

    12288:yVr29UGEg6VUM5oAL1jq3E2jj0NOjAqHKtCessZWjya7VM1en9Nm1RtNeCVao2Vy:oUbj4qwCessA41Rt0CVMVZtxI

Score
10/10
flawedammyytrojan

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

    trojanflawedammyy
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe
    "C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe"
    1⤵
      PID:2536
    • C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe
      "C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe" -service -lunch
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2836
      • C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe
        "C:\Users\Admin\AppData\Local\Temp\18966a28fba7a616962f90694009a466.exe"
        2⤵
        • Checks computer location settings
        • Modifies data under HKEY_USERS
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2856

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\AMMYY\hr
      Filesize

      22B

      MD5

      ae06f6f2545b1c4d548a37e36b5ccb0c

      SHA1

      d5195097cdaf1ff224ec5584f97d0657ab391269

      SHA256

      b3a38a0c13ff1d52e7414b3ffa50895af546f19b525c120a197bad0bef91c09e

      SHA512

      b3158d219e76a5e0395560b2e66da13485c320024fb14268ca7bafe40e3134a2d20f3c03e75f95cbfa58433c558015585d3d803e91dbfa2a4a26f93a7922ab5b

      Download Submit

    • C:\ProgramData\AMMYY\hr3
      Filesize

      68B

      MD5

      bba80532b1280b56fcfe8ca650fd425f

      SHA1

      3a11351cfc56f596cf9ff24f18014013057d5df4

      SHA256

      0479d7e8c2de5741c1c8cc6634c43946c2ccf6cb8b36a1cc4c4dc60edef8dd39

      SHA512

      80c6293520c5023d5fec7e74152cb37992e31b67772a1d4df96b1f51fcfc904f8ac88d7c15f53daf48b01c844a044202216278f2e389876ef0173691b9b5da27

      Download Submit

    • C:\ProgramData\AMMYY\settings3.bin
      Filesize

      281B

      MD5

      0ab37e79601368085b4631f7a9c5597f

      SHA1

      7144ec339f1a518775a4719f3c1b5b2572775c1f

      SHA256

      142eee7e8791e4bd6f1e6bddacab55563c33069db8a977ea4416479ea5c1b565

      SHA512

      7cec54972600f22f4024a90b145114fb5b6f2f1e20882495d36b0dd1a4f4174a11eacb4dda66d457b7193bdc328f8bf909b6e73cd9e0c3bfd46cb8018b926a55

      Download Submit