Analysis

  • max time kernel
    150s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-03-2024 12:12

General

  • Target
    AA_v3.1.exe
  • Size
    717KB
  • MD5
    9561c8f7bd981a9eaac23ec6fa9a65e5
  • SHA1
    519d06745dad2be35d2de25f9739b80ea64e1fdd
  • SHA256
    0fd5789a6ff2a978eddc093ac89df7192d17fd73825042c44acc844d7aa6517e
  • SHA512
    6f263987d0d432d7b8d6080be1a5bd69d35f458ada851c301ec4162d91e14e9a6fcd20115920943ebf86ea4a64fd4c6e781ab430cc0c8eed97a5ed834686ae5b
  • SSDEEP
    12288:UKHp9fDIItMm2o44sGTdBqWvwD+8ChCbW3XTjY1r1RtH8ePhAU5u0AhpZxAh9gJ:UorLkbDEhyW3XS1RtcePKUBATZxXJ

Score
10/10

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AA_v3.1.exe
    "C:\Users\Admin\AppData\Local\Temp\AA_v3.1.exe"
    1⤵
      PID:1196
    • C:\Users\Admin\AppData\Local\Temp\AA_v3.1.exe
      "C:\Users\Admin\AppData\Local\Temp\AA_v3.1.exe" -service -lunch
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2944
      • C:\Users\Admin\AppData\Local\Temp\AA_v3.1.exe
        "C:\Users\Admin\AppData\Local\Temp\AA_v3.1.exe"
        2⤵
        • Checks computer location settings
        • Modifies data under HKEY_USERS
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2172

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\ProgramData\AMMYY\hr
      Filesize
      22B
      MD5
      279e8ec1049ce24a21d90b48cafcba1b
      SHA1
      061f84b03c0082308c8110d34a10c4701ea40034
      SHA256
      6c3c94876ff325c8c109398bd844bba3e98bfdc97c2631bd84245b8f8980b0ab
      SHA512
      b85e2cc3a7d66a5027fb1b829a14da7c25e396b35be1eb0490e932998be559fa29e836b4f2c4c64f639d92748511b525a5cf6860ecfd8b7ef9742f72de428864

    • C:\ProgramData\AMMYY\hr3
      Filesize
      68B
      MD5
      74fcda22f300a5a20ed611c8c7b5dcf8
      SHA1
      80ca3ee39917585318f289a095f76d7953f90355
      SHA256
      ec78bdb63d6cd6961b360c75a19fe538a05b04b43916456daa49c89b8248c7fa
      SHA512
      5f17d51a5e52d2824bf807042be06256eafd05710734524dac049f04ef200094648e1e36477328f05522bae6631a97a26e5346b376703f52c0b84984949815ac

    • C:\ProgramData\AMMYY\settings3.bin
      Filesize
      269B
      MD5
      a55567fceb74f9ca4f151f4ab84b68c7
      SHA1
      63b4a57b258e640b165732dbcd0ca00fc69b4c8b
      SHA256
      f649823939d0bf2b01f5c785e55d3e278c1ee7cc11b547c6644ac9f90996e9d7
      SHA512
      3cbeb788c068008bdf2c7c19b696d464e66f66a969164cf98793e3150cf5ff82822de41deabb79921cbfcc93897ee824872c64a7bd9e131b1304105cad0f010f