Analysis
-
max time kernel
150s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
29-04-2024 09:24
General
-
Target
AA_v3.exe
-
Size
762KB
-
MD5
e9b569f7cbf23d91df065c18f4c43840
-
SHA1
5d7cb1a2ca7db04edf23dd3ed41125c8c867b0ad
-
SHA256
d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605
-
SHA512
a9f01663b0c0ce9d30bd6760847bf3c18318801634145ec75e047019a8e8a9b13ea8122449b8f45ad40b63d4551cb85230df1b41a41ddc33a39cfcf2ec237ccb
-
SSDEEP
12288:kX5PFc+E0SlpOvcC1KL/q/IZVURtCdshX5x8jR31QEY0VEoge:2P++ZSlpOUC1KT4+URtYshX5aRlQEYte
Malware Config
Signatures
-
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Modifies data under HKEY_USERS 5 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe" -service -lunch1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"2⤵
- Checks computer location settings
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
274B
MD5bcc40b676c5b0f5a176be92cc8f4199f
SHA15415364e6ab90151eb1272268cb75ef6c4306a2f
SHA256d3df407118bd28d28e7d3c8afc497c5e478e5d078f7792501ddecb45f3b51826
SHA512467c473be5b9f6e0b8302620b6fbd9ad84f90da2bae3247d8326a22bfdd902fd79e55a2160493903eb747db6ef38fc9decb3db372afa26667f374ca2d0ceb36d