Analysis
-
max time kernel
118s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
17-01-2024 23:44
Behavioral task
behavioral1
Sample
63eca9e1e77387ebc1c27a4e3d344627.exe
Resource
win7-20231215-en
Behavioral task
behavioral2
Sample
63eca9e1e77387ebc1c27a4e3d344627.exe
Resource
win10v2004-20231215-en
General
-
Target
63eca9e1e77387ebc1c27a4e3d344627.exe
-
Size
760KB
-
MD5
63eca9e1e77387ebc1c27a4e3d344627
-
SHA1
2a30bc7b48ea9e44660b5dba39f4ac46569bb82b
-
SHA256
76c9b7ac8063195b53cfb6e70c4c4f5c9fc30ba94afb7be2a208e40044dde51a
-
SHA512
ca198d8f147839e53235e284466c11ff3688e7fe37d6187d6c5bebf4e8ba2e00866eebb8c172f6b32a9bddb3f4b7d08825c88a42e7a820be84009a1101f435cd
-
SSDEEP
12288:Hgby1pKmZmjrWinaxABtyZPyoOOORtfWV5gk3VP0nkVgrg1N:4y1pVmjrWivBtyZPy2ORt+V5ggVP0t0T
Malware Config
Signatures
-
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
63eca9e1e77387ebc1c27a4e3d344627.exepid process 2668 63eca9e1e77387ebc1c27a4e3d344627.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
63eca9e1e77387ebc1c27a4e3d344627.exedescription pid process target process PID 1532 wrote to memory of 2668 1532 63eca9e1e77387ebc1c27a4e3d344627.exe 63eca9e1e77387ebc1c27a4e3d344627.exe PID 1532 wrote to memory of 2668 1532 63eca9e1e77387ebc1c27a4e3d344627.exe 63eca9e1e77387ebc1c27a4e3d344627.exe PID 1532 wrote to memory of 2668 1532 63eca9e1e77387ebc1c27a4e3d344627.exe 63eca9e1e77387ebc1c27a4e3d344627.exe PID 1532 wrote to memory of 2668 1532 63eca9e1e77387ebc1c27a4e3d344627.exe 63eca9e1e77387ebc1c27a4e3d344627.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\63eca9e1e77387ebc1c27a4e3d344627.exe"C:\Users\Admin\AppData\Local\Temp\63eca9e1e77387ebc1c27a4e3d344627.exe"1⤵PID:2152
-
C:\Users\Admin\AppData\Local\Temp\63eca9e1e77387ebc1c27a4e3d344627.exe"C:\Users\Admin\AppData\Local\Temp\63eca9e1e77387ebc1c27a4e3d344627.exe" -service -lunch1⤵
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Users\Admin\AppData\Local\Temp\63eca9e1e77387ebc1c27a4e3d344627.exe"C:\Users\Admin\AppData\Local\Temp\63eca9e1e77387ebc1c27a4e3d344627.exe"2⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:2668
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
318B
MD5b10c424fb33160b519e3c42176b6dc36
SHA1dfc2963a4c3bc7ddf39e0f0725d4ec0f2937d095
SHA256076c38cd5c332e4aca406a106bfdd7e9327e6efcbf86758b975e28a312526cb9
SHA512bd64c5c9fe36e90f39990b1f06d267eaf3c874a4ebf2485f36514cdc67827e69d6aa914a70f4c4c6ff765d3f2f9b197b3267df1653da3086b8bdb3fffde7a300