Analysis

  • max time kernel: 150s
  • max time network: 152s
  • platform: windows7_x64
  • resource: win7-20231215-en
  • resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted: 31/12/2023, 01:24 UTC

General

  • Target: 4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe
  • Size: 751KB
  • MD5: 4d853025b8cd8c725bf78e3df6cce967
  • SHA1: c6bff7857fdf33cbd8f052ef5d669675e5cf06f8
  • SHA256: 4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8
  • SHA512: 977e43eaa763cc66114e00a615818c66a84a5a47bac1cdf21eff9f8f1dcebf138d8ede823265a2f30807d648c57bf036818254964358691d3f9a013f930705cf
  • SSDEEP: 12288:Tc0dZib4t9uOroAgUHvCUt4RtlTc+YNKpQsNvVd1gF:Tc/UtwOrZgUHv54Rt6+YNkQsNmF

Score
10/10

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan built from the leaked source code of the Ammyy remote admin software.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, most likely a geofence check that decides whether to run.

  • Modifies data under HKEY_USERS (6 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SendNotifyMessage (1 IoC)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe  (PID 2952)
    Command line: "C:\Users\Admin\AppData\Local\Temp\4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe"
    • C:\Users\Admin\AppData\Local\Temp\4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe  (PID 3040)
      Command line: "C:\Users\Admin\AppData\Local\Temp\4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe" -service -lunch
      Signatures: Suspicious use of WriteProcessMemory
      • C:\Users\Admin\AppData\Local\Temp\4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe  (PID 2752)
        Command line: "C:\Users\Admin\AppData\Local\Temp\4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe"
        Signatures: Checks computer location settings; Modifies data under HKEY_USERS; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage

Network

Process for all entries: 4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe

  • DNS (US)  rl.ammyy.com  via 8.8.8.8:53
    Request:  rl.ammyy.com IN A
    Response: rl.ammyy.com IN A 188.42.129.148
  • DNS (US)  rl.ammyy.com  via 8.8.8.8:53
    Request:  rl.ammyy.com IN A
    (no response recorded)
  • HTTP (NL)  POST http://rl.ammyy.com/  to 188.42.129.148:80
    Request:
      POST / HTTP/1.1
      Content-Type: application/x-www-form-urlencoded
      Host: rl.ammyy.com
      Content-Length: 183
      Cache-Control: no-cache
    Response:
      HTTP/1.1 200 OK
      Date: Sun, 31 Dec 2023 01:26:22 GMT
      Server: Apache
      X-Powered-By: PHP/5.4.16
      Content-Length: 136
      Content-Type: text/html

Connections (bytes sent / received, packets sent / received):

  • 188.42.129.148:80  http  731 B / 452 B, 9 / 4 packets
    HTTP request: POST http://rl.ammyy.com/  ->  HTTP response: 200
  • 136.243.104.242:443  https  480 B / 216 B, 9 / 5 packets
    (no DNS lookup for this address appears in the capture)
  • 8.8.8.8:53  dns  116 B / 74 B, 2 / 1 packets
    DNS requests: rl.ammyy.com (x2); DNS response: 188.42.129.148

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\AMMYY\hr
    Filesize: 22B
    MD5: cd98df7a847f3c0581989b38de204ef5
    SHA1: d4971f2303795f61323f4c24b9839234de2a45ac
    SHA256: cdc2f156f9de4b325cfec6dbaad7a2d23078c7be1bea5d45880ba6a8e794f4dc
    SHA512: 7cf67edf3a233714b75fff91033eb5688ed6e817ce4846c659df0dd5ccf1e9374238f402dd8b73a3406fe2383e73e471acd538b8dad243803d476a58a0b6866e

  • C:\ProgramData\AMMYY\settings3.bin
    Filesize: 271B
    MD5: 714f2508d4227f74b6adacfef73815d8
    SHA1: a35c8a796e4453c0c09d011284b806d25bdad04c
    SHA256: a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480
    SHA512: 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8
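The indicators this report exposes (the self-relaunch with "-service -lunch" in the process tree, the rl.ammyy.com lookup and POST beacon to 188.42.129.148, the two files dropped under C:\ProgramData\AMMYY) pulled together into a small hunt over EDR-style event records. This is an added example, not part of the tria.ge report or of any tria.ge tooling. The key=value|key=value event format, its field names and every line in SAMPLE_LOG are constructed for the example; the indicator values themselves are the ones listed in the sections above.

```python
# Added example (not part of the tria.ge report): hunt for the FlawedAmmyy
# indicators above in EDR/Sysmon-style event records. The record format and the
# events in SAMPLE_LOG are CONSTRUCTED; the indicator values come from the report.
from __future__ import annotations

# --- Indicators from the report ---------------------------------------------
SAMPLE_SHA256 = "4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8"
C2_DOMAIN = "rl.ammyy.com"
C2_IP = "188.42.129.148"
# Contacted over TLS during the run but not resolved via DNS or attributed by
# the report: keep it, but as a low-confidence indicator.
UNATTRIBUTED_TLS_PEER = "136.243.104.242"
AMMYY_DIR = "c:\\programdata\\ammyy\\"
DROPPED_FILES = {  # lower-cased path -> SHA256 from the Downloads section
    AMMYY_DIR + "hr": "cdc2f156f9de4b325cfec6dbaad7a2d23078c7be1bea5d45880ba6a8e794f4dc",
    AMMYY_DIR + "settings3.bin": "a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480",
}
# The sample relaunches itself with these switches (see the process tree).
RELAUNCH_SWITCHES = ("-service", "-lunch")


def parse_event(line: str) -> dict[str, str]:
    """Parse one 'key=value|key=value' record (hypothetical log format)."""
    event: dict[str, str] = {}
    for field in line.rstrip("\n").split("|"):
        key, _, value = field.partition("=")
        event[key.strip()] = value.strip()
    return event


def match(event: dict[str, str]) -> list[str]:
    """Return the names of every rule the event triggers (empty list if none)."""
    rules: list[str] = []
    kind = event.get("type")
    if kind == "ProcessCreate":
        argv = event.get("cmdline", "").lower().split()
        if all(sw in argv for sw in RELAUNCH_SWITCHES):
            rules.append("flawedammyy_service_relaunch")
        if event.get("sha256", "").lower() == SAMPLE_SHA256:
            rules.append("flawedammyy_known_sample")
    elif kind == "DnsQuery":
        if event.get("query", "").lower().rstrip(".") == C2_DOMAIN:
            rules.append("flawedammyy_c2_dns")
    elif kind == "NetworkConnect":
        dst = (event.get("dst_ip"), event.get("dst_port"))
        if dst == (C2_IP, "80"):
            rules.append("flawedammyy_c2_http")
        elif dst == (UNATTRIBUTED_TLS_PEER, "443"):
            rules.append("flawedammyy_run_tls_peer_lowconf")
    elif kind == "FileCreate":
        path = event.get("path", "").lower()
        if path in DROPPED_FILES:
            # Same path and same content hash: the exact artefact from this run.
            # Same path with a different hash still deserves a look (the file
            # contents may differ from this run's), so it gets its own rule name.
            same_hash = event.get("sha256", "").lower() == DROPPED_FILES[path]
            rules.append("flawedammyy_dropped_file" + ("_exact" if same_hash else "_path_only"))
        elif path.startswith(AMMYY_DIR):
            rules.append("ammyy_programdata_write")
    return rules


def hunt(log_text: str) -> dict[str, list[str]]:
    """Map each triggered rule to the PIDs of the events that triggered it."""
    hits: dict[str, list[str]] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        for rule in match(event):
            hits.setdefault(rule, []).append(event.get("pid", "?"))
    return hits


# CONSTRUCTED events mirroring the process tree, network and file activity in
# the report, plus two benign events that must not match.
EXE = r"C:\Users\Admin\AppData\Local\Temp\4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe"
SAMPLE_LOG = "\n".join([
    f'type=ProcessCreate|pid=2952|ppid=1800|cmdline="{EXE}"|sha256={SAMPLE_SHA256}',
    f'type=ProcessCreate|pid=3040|ppid=2952|cmdline="{EXE}" -service -lunch|sha256={SAMPLE_SHA256}',
    f'type=ProcessCreate|pid=2752|ppid=3040|cmdline="{EXE}"|sha256={SAMPLE_SHA256}',
    "type=DnsQuery|pid=2752|query=rl.ammyy.com.|result=188.42.129.148",
    "type=NetworkConnect|pid=2752|dst_ip=188.42.129.148|dst_port=80",
    "type=NetworkConnect|pid=2752|dst_ip=136.243.104.242|dst_port=443",
    r"type=FileCreate|pid=2752|path=C:\ProgramData\AMMYY\hr|sha256=cdc2f156f9de4b325cfec6dbaad7a2d23078c7be1bea5d45880ba6a8e794f4dc",
    r"type=FileCreate|pid=2752|path=C:\ProgramData\AMMYY\settings3.bin|sha256=" + "0" * 64,  # different content
    r'type=ProcessCreate|pid=4100|ppid=900|cmdline="C:\Windows\System32\notepad.exe" notes.txt|sha256=' + "1" * 64,
    "type=DnsQuery|pid=4100|query=www.example.com|result=192.0.2.10",
])

if __name__ == "__main__":
    for rule, pids in hunt(SAMPLE_LOG).items():
        print(f"{rule:40s} pids={pids}")
```

The path-only rule for the dropped files is deliberate: a hash match on settings3.bin ties you to this exact run, while the C:\ProgramData\AMMYY\ location and the "-service -lunch" relaunch are what carry over to other samples of the family. The 136.243.104.242:443 peer is flagged separately and at lower confidence because the capture shows no DNS lookup for it and the report does not attribute it.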
