Analysis
max time kernel: 150s
max time network: 125s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 26-02-2024 14:14
Behavioral task
behavioral1
Sample
ammyy.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
ammyy.exe
Resource
win10v2004-20240221-en
General
Target: ammyy.exe
Size: 726KB
MD5: d22d719495f23e38805bbea5df434abb
SHA1: 3cfeeb974e65c0ba671d81459d2c6b694d5d4eaf
SHA256: b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20
SHA512: d87670775d222b25b329377c8d26c2a4c88ce6b1aa1d6fc004b95ad93f377fd56fb03e709b4b61b26c4fcf06fe477e42afe9f9715884ea91699548b1e4d4a4c7
SSDEEP: 12288:ozJUxbtiiTHRJuEkQO7EwC2ZwFRtAdRXRryd+sq1zsgp:o9oNTHRz/O7rT6FRteRXR2IsqXp
Malware Config
Signatures
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: ammyy.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Control Panel\International\Geo\Nation | ammyy.exe

Modifies data under HKEY_USERS (6 IoCs)
Processes: ammyy.exe
description | ioc | process
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c105953f757cd16f637b26b | ammyy.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 9810b6584be139e9b6a7a67c0b513d113d1856aaad5ab22052cfe2bb7672c1bd45bd6fff51d9a334eecbd0c81e0afb7b1140873a5ed2c0251e7ffdd10946a127602e3956 | ammyy.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | ammyy.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | ammyy.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | ammyy.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy | ammyy.exe

Suspicious use of FindShellTrayWindow (1 IoCs)
Processes: ammyy.exe
pid | process
2736 | ammyy.exe

Suspicious use of SendNotifyMessage (1 IoCs)
Processes: ammyy.exe
pid | process
2736 | ammyy.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes: ammyy.exe
description | pid | process | target process
PID 1084 wrote to memory of 2736 | 1084 | ammyy.exe | ammyy.exe
PID 1084 wrote to memory of 2736 | 1084 | ammyy.exe | ammyy.exe
PID 1084 wrote to memory of 2736 | 1084 | ammyy.exe | ammyy.exe
PID 1084 wrote to memory of 2736 | 1084 | ammyy.exe | ammyy.exe
Processes
C:\Users\Admin\AppData\Local\Temp\ammyy.exe
  "C:\Users\Admin\AppData\Local\Temp\ammyy.exe"
  PID: 2972
C:\Users\Admin\AppData\Local\Temp\ammyy.exe
  "C:\Users\Admin\AppData\Local\Temp\ammyy.exe" -service -lunch
  - Suspicious use of WriteProcessMemory
  PID: 1084
  C:\Users\Admin\AppData\Local\Temp\ammyy.exe
    "C:\Users\Admin\AppData\Local\Temp\ammyy.exe"
    - Checks computer location settings
    - Modifies data under HKEY_USERS
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2736
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 22B
MD5: cf74b47ee1b7165a2cecf927cd66ff82
SHA1: 0f6f1deb28e5df7830c87dec0c7d1f5a2a4fe778
SHA256: b5dcc903b011996f7693518b777323023cd804a5e7d9f3699fa9f584ef1f4373
SHA512: d5df6141910caed04fa670a84db72a8237e2057ca3856710b8f0dbba638ffae8ddc644034761abb4e17aeb4169b79cbe9712fdbc286e975285e58a47362d2850

Filesize: 68B
MD5: 24889d4883d4756c2d4e90fb76a52cea
SHA1: 254df222ae6a0111ce2b4ccbca74f5e51e3dcea0
SHA256: 260c0ede8f6058fe49a3c8413e633fb6fac530dd1b7b0059ee37cad85097f3b6
SHA512: 075ae48a4d3acc445fd63c98c8a2df8018dfef73777756568be35d193c2fcdb3cad8a68f7ff38f13ce249183694c839950c02f28ec54bf97a8fa54e2e7879c54

Filesize: 271B
MD5: e4f7224ed356915816bebb715326d18a
SHA1: 8b441bb4276212b9e774cba75fdbb723cb68af93
SHA256: 74378574282fceda54a869e384dffdf9d7d202d5a1937d781fcc501d6115e93c
SHA512: 5a7fc84ea39311ef5277aaf3fa0e207b6e095ec236ea877756da7849d38678b8e73a7bd5ea49ae51ae730adc2a56cd79dd0fc3be63bcbb58ae50f9f030140ba2