Analysis

  • max time kernel
    150s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    26-02-2024 14:14

General

  • Target

    ammyy.exe

  • Size

    726KB

  • MD5

    d22d719495f23e38805bbea5df434abb

  • SHA1

    3cfeeb974e65c0ba671d81459d2c6b694d5d4eaf

  • SHA256

    b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20

  • SHA512

    d87670775d222b25b329377c8d26c2a4c88ce6b1aa1d6fc004b95ad93f377fd56fb03e709b4b61b26c4fcf06fe477e42afe9f9715884ea91699548b1e4d4a4c7

  • SSDEEP

    12288:ozJUxbtiiTHRJuEkQO7EwC2ZwFRtAdRXRryd+sq1zsgp:o9oNTHRz/O7rT6FRteRXR2IsqXp

Score
10/10

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ammyy.exe
    "C:\Users\Admin\AppData\Local\Temp\ammyy.exe"
    1⤵
      PID:2972
    • C:\Users\Admin\AppData\Local\Temp\ammyy.exe
      "C:\Users\Admin\AppData\Local\Temp\ammyy.exe" -service -lunch
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1084
      • C:\Users\Admin\AppData\Local\Temp\ammyy.exe
        "C:\Users\Admin\AppData\Local\Temp\ammyy.exe"
        2⤵
        • Checks computer location settings
        • Modifies data under HKEY_USERS
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2736

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\AMMYY\hr

      Filesize

      22B

      MD5

      cf74b47ee1b7165a2cecf927cd66ff82

      SHA1

      0f6f1deb28e5df7830c87dec0c7d1f5a2a4fe778

      SHA256

      b5dcc903b011996f7693518b777323023cd804a5e7d9f3699fa9f584ef1f4373

      SHA512

      d5df6141910caed04fa670a84db72a8237e2057ca3856710b8f0dbba638ffae8ddc644034761abb4e17aeb4169b79cbe9712fdbc286e975285e58a47362d2850

    • C:\ProgramData\AMMYY\hr3

      Filesize

      68B

      MD5

      24889d4883d4756c2d4e90fb76a52cea

      SHA1

      254df222ae6a0111ce2b4ccbca74f5e51e3dcea0

      SHA256

      260c0ede8f6058fe49a3c8413e633fb6fac530dd1b7b0059ee37cad85097f3b6

      SHA512

      075ae48a4d3acc445fd63c98c8a2df8018dfef73777756568be35d193c2fcdb3cad8a68f7ff38f13ce249183694c839950c02f28ec54bf97a8fa54e2e7879c54

    • C:\ProgramData\AMMYY\settings3.bin

      Filesize

      271B

      MD5

      e4f7224ed356915816bebb715326d18a

      SHA1

      8b441bb4276212b9e774cba75fdbb723cb68af93

      SHA256

      74378574282fceda54a869e384dffdf9d7d202d5a1937d781fcc501d6115e93c

      SHA512

      5a7fc84ea39311ef5277aaf3fa0e207b6e095ec236ea877756da7849d38678b8e73a7bd5ea49ae51ae730adc2a56cd79dd0fc3be63bcbb58ae50f9f030140ba2