Overview

overview

10

Static

static

10

AA_v3.exe

windows10-1703-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows10-1703_x64
  • resource
    win10-20240221-en
  • resource tags

    arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
  • submitted
    04-03-2024 10:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AA_v3.exe

  • Size

    798KB

  • MD5

    90aadf2247149996ae443e2c82af3730

  • SHA1

    050b7eba825412b24e3f02d76d7da5ae97e10502

  • SHA256

    ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

  • SHA512

    eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

  • SSDEEP

    24576:Uj0JJ4p/A4npt3XojeQG5EtzRtO7GvmDguXd:UjoJ4u4zojegylDN

Score
10/10
flawedammyybootkitpersistencetrojan

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

    trojanflawedammyy
  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 13 IoCs
  • Modifies data under HKEY_USERS 13 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
    "C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    PID:2132
  • C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
    "C:\Users\Admin\AppData\Local\Temp\AA_v3.exe" -service -lunch
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2628
    • C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
      "C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
      2⤵
      • Checks computer location settings
      • Writes to the Master Boot Record (MBR)
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4604
      • C:\Windows\SYSTEM32\rundll32.exe
        rundll32.exe "C:\ProgramData\AMMYY\aa_nts.dll",run
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2264

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\AMMYY\aa_nts.dll
    Filesize

    902KB

    MD5

    480a66902e6e7cdafaa6711e8697ff8c

    SHA1

    6ac730962e7c1dba9e2ecc5733a506544f3c8d11

    SHA256

    7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

    SHA512

    7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

    Download Submit

  • C:\ProgramData\AMMYY\aa_nts.log
    Filesize

    4KB

    MD5

    2afb5ab216b55c2be74bffee33a9454d

    SHA1

    8603f5bcaffa01d78d2fde0d6b0d9e4acb0bd1a6

    SHA256

    245dc57203604b596580faeb3050fe7799fccec8aee7020e9e2364d1783b11b9

    SHA512

    21328e33f131c58de13a1312fabe343234ea3f0156e6995b7232043dc8a3fd6bd7eb4f6e29f3213f76fced61ab3a3ccc47449771b12a3fb9c702a3c00c9ecfa9

    Download Submit

  • C:\ProgramData\AMMYY\aa_nts.msg
    Filesize

    46B

    MD5

    3f05819f995b4dafa1b5d55ce8d1f411

    SHA1

    404449b79a16bfc4f64f2fd55cd73d5d27a85d71

    SHA256

    7e0bf0cbd06a087500a9c3b50254df3a8a2c2980921ab6a62ab1121941c80fc0

    SHA512

    34abb7df8b3a68e1649ff0d2762576a4d4e65da548e74b1aa65c2b82c1b89f90d053ecddac67c614ca6084dc5b2cb552949250fb70f49b536f1bcb0057717026

    Download Submit

  • C:\ProgramData\AMMYY\settings3.bin
    Filesize

    327B

    MD5

    0d137b31eea735cfa48cfbac8011e647

    SHA1

    fd6ef68874fc25e5f76fcdb9afd5147c6d3cf19f

    SHA256

    fa16ecae205c55cbb5f3039b1a64f689fd0596d93d9836c0915ff6e10aa1afac

    SHA512

    0d75027e6cf10ed758c9b8c989b8756d00099164eeb7bf39deec9c15947d03dabea5c58bdaef37f0daa31daeebbf92dced04d2066044c52b587f2f301a45d3a4

    Download Submit

  • memory/2264-19-0x0000000064200000-0x00000000642EE000-memory.dmp

    Filesize

    952KB

    Download

  • memory/2264-44-0x0000000064200000-0x00000000642EE000-memory.dmp

    Filesize

    952KB

    Download

  • memory/2264-61-0x0000000064200000-0x00000000642EE000-memory.dmp

    Filesize

    952KB

    Download

  • memory/2264-76-0x0000000064200000-0x00000000642EE000-memory.dmp

    Filesize

    952KB

    Download

  • memory/2264-91-0x0000000064200000-0x00000000642EE000-memory.dmp

    Filesize

    952KB

    Download

  • memory/2264-107-0x0000000064200000-0x00000000642EE000-memory.dmp

    Filesize

    952KB

    Download

  • memory/2264-120-0x0000000064200000-0x00000000642EE000-memory.dmp

    Filesize

    952KB

    Download

  • memory/2264-136-0x0000000064200000-0x00000000642EE000-memory.dmp

    Filesize

    952KB

    Download