Overview

overview

10

Static

static

10

AlphaZackCosmos.exe

windows7-x64

10

AlphaZackCosmos.exe

windows10-2004-x64

10

Resubmissions

06-02-2024 19:04

240206-xq7xtafdfn 10

02-04-2023 09:53

230402-lw48bsha6t 10

Analysis

  • max time kernel
    150s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-02-2024 19:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AlphaZackCosmos.exe

  • Size

    751KB

  • MD5

    4d853025b8cd8c725bf78e3df6cce967

  • SHA1

    c6bff7857fdf33cbd8f052ef5d669675e5cf06f8

  • SHA256

    4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8

  • SHA512

    977e43eaa763cc66114e00a615818c66a84a5a47bac1cdf21eff9f8f1dcebf138d8ede823265a2f30807d648c57bf036818254964358691d3f9a013f930705cf

  • SSDEEP

    12288:Tc0dZib4t9uOroAgUHvCUt4RtlTc+YNKpQsNvVd1gF:Tc/UtwOrZgUHv54Rt6+YNkQsNmF

Score
10/10
flawedammyytrojan

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

    trojanflawedammyy
  • Drops file in System32 directory 4 IoCs
  • Modifies data under HKEY_USERS 9 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe
    "C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe"
    1⤵
      PID:4832
    • C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe
      "C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe"
      1⤵
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4848
    • C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe
      "C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe" -service -lunch
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:4016

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\AMMYY\hr
      Filesize

      22B

      MD5

      c3e4fb7d583e696958980684e7b944fc

      SHA1

      dcbb480ad3bd17ce5ffb1fb3a9c238ed6d37049d

      SHA256

      2a98d70b626bdb2161a08345e27948c703b8f970827228566f6aa9881c48f3b0

      SHA512

      7eec0a7737308441cb3ea9c84fdaf82658225e6957e5f227288e1b81f12987ee09277eb5021dc7fec1040ad73d476b3b3a5ef48f52346c54a5f3f4f1e6ffd85d

      Download Submit

    • C:\ProgramData\AMMYY\hr3
      Filesize

      68B

      MD5

      f6b1e8736572b3e014bf7f7e551ab7c1

      SHA1

      8b09719b80bcf6497f9861270831a166c427963e

      SHA256

      7d95cc4b68372a65d92f749bdf143ba7f4526a4cafa1204e86c906a5805d4143

      SHA512

      a533474c32a6c998273dda393dd34e6604604a9699f9fb32217ca84e272f6f17837a37a73d778022fe3b78cdabd5f25d9d7c602cc5b7b5e4eb468362862c716f

      Download Submit

    • C:\ProgramData\AMMYY\settings3.bin
      Filesize

      271B

      MD5

      714f2508d4227f74b6adacfef73815d8

      SHA1

      a35c8a796e4453c0c09d011284b806d25bdad04c

      SHA256

      a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480

      SHA512

      1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

      Download Submit