Analysis

  • max time kernel
    118s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    17-01-2024 23:44

General

  • Target

    63eca9e1e77387ebc1c27a4e3d344627.exe

  • Size

    760KB

  • MD5

    63eca9e1e77387ebc1c27a4e3d344627

  • SHA1

    2a30bc7b48ea9e44660b5dba39f4ac46569bb82b

  • SHA256

    76c9b7ac8063195b53cfb6e70c4c4f5c9fc30ba94afb7be2a208e40044dde51a

  • SHA512

    ca198d8f147839e53235e284466c11ff3688e7fe37d6187d6c5bebf4e8ba2e00866eebb8c172f6b32a9bddb3f4b7d08825c88a42e7a820be84009a1101f435cd

  • SSDEEP

    12288:Hgby1pKmZmjrWinaxABtyZPyoOOORtfWV5gk3VP0nkVgrg1N:4y1pVmjrWivBtyZPy2ORt+V5ggVP0t0T

Score
10/10

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\63eca9e1e77387ebc1c27a4e3d344627.exe
    "C:\Users\Admin\AppData\Local\Temp\63eca9e1e77387ebc1c27a4e3d344627.exe"
    1⤵
      PID:2152
    • C:\Users\Admin\AppData\Local\Temp\63eca9e1e77387ebc1c27a4e3d344627.exe
      "C:\Users\Admin\AppData\Local\Temp\63eca9e1e77387ebc1c27a4e3d344627.exe" -service -lunch
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1532
      • C:\Users\Admin\AppData\Local\Temp\63eca9e1e77387ebc1c27a4e3d344627.exe
        "C:\Users\Admin\AppData\Local\Temp\63eca9e1e77387ebc1c27a4e3d344627.exe"
        2⤵
        • Suspicious behavior: GetForegroundWindowSpam
        PID:2668

Network

MITRE ATT&CK Matrix

Downloads

  • C:\ProgramData\AMMYY\settings3.bin

    Filesize

    318B

    MD5

    b10c424fb33160b519e3c42176b6dc36

    SHA1

    dfc2963a4c3bc7ddf39e0f0725d4ec0f2937d095

    SHA256

    076c38cd5c332e4aca406a106bfdd7e9327e6efcbf86758b975e28a312526cb9

    SHA512

    bd64c5c9fe36e90f39990b1f06d267eaf3c874a4ebf2485f36514cdc67827e69d6aa914a70f4c4c6ff765d3f2f9b197b3267df1653da3086b8bdb3fffde7a300