Overview

overview

10

Static

static

10

AA_v3.1.exe

windows7-x64

10

AA_v3.1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-03-2024 12:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AA_v3.1.exe

  • Size

    717KB

  • MD5

    9561c8f7bd981a9eaac23ec6fa9a65e5

  • SHA1

    519d06745dad2be35d2de25f9739b80ea64e1fdd

  • SHA256

    0fd5789a6ff2a978eddc093ac89df7192d17fd73825042c44acc844d7aa6517e

  • SHA512

    6f263987d0d432d7b8d6080be1a5bd69d35f458ada851c301ec4162d91e14e9a6fcd20115920943ebf86ea4a64fd4c6e781ab430cc0c8eed97a5ed834686ae5b

  • SSDEEP

    12288:UKHp9fDIItMm2o44sGTdBqWvwD+8ChCbW3XTjY1r1RtH8ePhAU5u0AhpZxAh9gJ:UorLkbDEhyW3XS1RtcePKUBATZxXJ

Score
10/10
flawedammyytrojan

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

    trojanflawedammyy
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AA_v3.1.exe
    "C:\Users\Admin\AppData\Local\Temp\AA_v3.1.exe"
    1⤵
      PID:668
    • C:\Users\Admin\AppData\Local\Temp\AA_v3.1.exe
      "C:\Users\Admin\AppData\Local\Temp\AA_v3.1.exe" -service -lunch
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1656
      • C:\Users\Admin\AppData\Local\Temp\AA_v3.1.exe
        "C:\Users\Admin\AppData\Local\Temp\AA_v3.1.exe"
        2⤵
        • Checks computer location settings
        • Modifies data under HKEY_USERS
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:2188

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\AMMYY\hr
      Filesize

      22B

      MD5

      cda6c93ee408bae8fc5ef0019136f331

      SHA1

      fd8a76e47fa78ebe26d1dacd43a84b2eb703f3ee

      SHA256

      86b2c584d34de4b55a1530f27abfd5429fa3c87b3eae3185dff12a7af2c50524

      SHA512

      dd3aa6bbd934486b465d0e2f8413358cfd90063a88976c1f4f6ca65f37cc25a8ce457ca82e681297c91c7d40d28d276c5e1b0f8bbb397f8d50c45c91997c3498

      Download Submit

    • C:\ProgramData\AMMYY\hr3
      Filesize

      68B

      MD5

      949dff3f2f052e8041b1e388333e6186

      SHA1

      13415d1d1b04a6d7b04f80cb600a1d1968a6639c

      SHA256

      8e5f51dc679736192579f36f08c944768674093e0582b569bd89a93eae9c1ec4

      SHA512

      127235956044dca664a2dbbd214ab3e5b982940be6e145c5ae3cfdc15eaf47eaee72719991cacae7dc05742954880c1ed1a89476745c58dbba54d9a87eadb439

      Download Submit

    • C:\ProgramData\AMMYY\settings3.bin
      Filesize

      269B

      MD5

      a55567fceb74f9ca4f151f4ab84b68c7

      SHA1

      63b4a57b258e640b165732dbcd0ca00fc69b4c8b

      SHA256

      f649823939d0bf2b01f5c785e55d3e278c1ee7cc11b547c6644ac9f90996e9d7

      SHA512

      3cbeb788c068008bdf2c7c19b696d464e66f66a969164cf98793e3150cf5ff82822de41deabb79921cbfcc93897ee824872c64a7bd9e131b1304105cad0f010f

      Download Submit