Analysis

  • max time kernel
    31s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-01-2024 09:57

General

  • Target

    Ammyy Admin Corporate v3.5.exe

  • Size

    746KB

  • MD5

    2fcbad97d4443200c6d103b7474466f0

  • SHA1

    a94db856006bbf526d57217ff4d4b2f73ee53f7c

  • SHA256

    4ce31888140938c0409b7bd9bd46914232fc2d490181eb8ceb74941056a2b765

  • SHA512

    56c093e09ecab1e9a99b99638591fdd4824ce84e68e7daddc228d1e479a8d51304ed8d72b511cdb4ec74292d0a0bb42ff02761001f0296503aca7c0e66565516

  • SSDEEP

    12288:PUYiJqMH2OwlaUPcWWwTXZV8f64RteVpN5ETMasTjcP6gX:ziJJWOwlaUPcWWwDZb4Rt+N5WMasHoX

Score
10/10

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe
    "C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe"
      PID:3028
    • C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe
      "C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe"
      • Checks computer location settings
      • Modifies data under HKEY_USERS
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2400
    • C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe
      "C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe" -service -lunch
      • Suspicious use of WriteProcessMemory
      PID:2212

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    1
    T1082

    Downloads

    • C:\ProgramData\AMMYY\hr
      Filesize

      22B

      MD5

      c4364061067ea5a9d191be44d304d233

      SHA1

      11ee662e02e9cec88acbce425535231685cfe87a

      SHA256

      b964a55d1270ed858886e8cae9b4e4ebbf75645c5c19e036f683152fd3254a13

      SHA512

      18dacc37a09d47311182a7c7c7df6ac9b8bfb9b146564a07b1de2149f8bfab7dffe521e02611bac7871b7e45167eab615e373268abeb392da12c9f221775192b

    • C:\ProgramData\AMMYY\hr3
      Filesize

      68B

      MD5

      7e8e2cf7bc727f1b9c28824fe8a60efe

      SHA1

      bf968acc15f308b00b418e18efa20c80abf5bc6c

      SHA256

      558e42e66710aead62c3c71889eea312c208a47d28190435696245dc9a6a99bd

      SHA512

      e8905dd8ed1521b67e29fab6ec12fb691652669074d0c16541f4284739b8d97b320910a7b1a847c8b4c4f2582f002f4d45b99db9cb04f8826d7aa1f9107554d5

    • C:\ProgramData\AMMYY\settings3.bin
      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e