Analysis
-
max time kernel
31s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
01-01-2024 09:57
Behavioral task
behavioral1
Sample
Ammyy Admin Corporate v3.5.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
Ammyy Admin Corporate v3.5.exe
Resource
win10v2004-20231215-en
Behavioral task
behavioral3
Sample
sainetco.ir.url
Resource
win7-20231129-en
Behavioral task
behavioral4
Sample
sainetco.ir.url
Resource
win10v2004-20231215-en
General
-
Target
Ammyy Admin Corporate v3.5.exe
-
Size
746KB
-
MD5
2fcbad97d4443200c6d103b7474466f0
-
SHA1
a94db856006bbf526d57217ff4d4b2f73ee53f7c
-
SHA256
4ce31888140938c0409b7bd9bd46914232fc2d490181eb8ceb74941056a2b765
-
SHA512
56c093e09ecab1e9a99b99638591fdd4824ce84e68e7daddc228d1e479a8d51304ed8d72b511cdb4ec74292d0a0bb42ff02761001f0296503aca7c0e66565516
-
SSDEEP
12288:PUYiJqMH2OwlaUPcWWwTXZV8f64RteVpN5ETMasTjcP6gX:ziJJWOwlaUPcWWwDZb4Rt+N5WMasHoX
Malware Config
Signatures
-
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Ammyy Admin Corporate v3.5.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Control Panel\International\Geo\Nation Ammyy Admin Corporate v3.5.exe -
Modifies data under HKEY_USERS 6 IoCs
Processes:
Ammyy Admin Corporate v3.5.exedescription ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE Ammyy Admin Corporate v3.5.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy Ammyy Admin Corporate v3.5.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c10595377278419141fb26b Ammyy Admin Corporate v3.5.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = bbf5158798f45477d9530eeb722708e7dc605d8348f36aca1aacde0e22945b371ec1dfa7a1d6afba9a9040d6623eaba642c3a75124ee162356548876b8781d0b2ddb611e Ammyy Admin Corporate v3.5.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings Ammyy Admin Corporate v3.5.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin Ammyy Admin Corporate v3.5.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
Ammyy Admin Corporate v3.5.exepid Process 2400 Ammyy Admin Corporate v3.5.exe -
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
Ammyy Admin Corporate v3.5.exepid Process 2400 Ammyy Admin Corporate v3.5.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
Ammyy Admin Corporate v3.5.exedescription pid Process procid_target PID 2212 wrote to memory of 2400 2212 Ammyy Admin Corporate v3.5.exe 17 PID 2212 wrote to memory of 2400 2212 Ammyy Admin Corporate v3.5.exe 17 PID 2212 wrote to memory of 2400 2212 Ammyy Admin Corporate v3.5.exe 17 PID 2212 wrote to memory of 2400 2212 Ammyy Admin Corporate v3.5.exe 17
Processes
-
C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe"C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe"1⤵PID:3028
-
C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe"C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe"1⤵
- Checks computer location settings
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2400
-
C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe"C:\Users\Admin\AppData\Local\Temp\Ammyy Admin Corporate v3.5.exe" -service -lunch1⤵
- Suspicious use of WriteProcessMemory
PID:2212
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
22B
MD5c4364061067ea5a9d191be44d304d233
SHA111ee662e02e9cec88acbce425535231685cfe87a
SHA256b964a55d1270ed858886e8cae9b4e4ebbf75645c5c19e036f683152fd3254a13
SHA51218dacc37a09d47311182a7c7c7df6ac9b8bfb9b146564a07b1de2149f8bfab7dffe521e02611bac7871b7e45167eab615e373268abeb392da12c9f221775192b
-
Filesize
68B
MD57e8e2cf7bc727f1b9c28824fe8a60efe
SHA1bf968acc15f308b00b418e18efa20c80abf5bc6c
SHA256558e42e66710aead62c3c71889eea312c208a47d28190435696245dc9a6a99bd
SHA512e8905dd8ed1521b67e29fab6ec12fb691652669074d0c16541f4284739b8d97b320910a7b1a847c8b4c4f2582f002f4d45b99db9cb04f8826d7aa1f9107554d5
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e