Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
04-08-2024 17:05
Behavioral task
behavioral1
Sample
f4d11e1d59d067e850a910d0100fa0f0N.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
f4d11e1d59d067e850a910d0100fa0f0N.exe
Resource
win10v2004-20240802-en
General
-
Target
f4d11e1d59d067e850a910d0100fa0f0N.exe
-
Size
772KB
-
MD5
f4d11e1d59d067e850a910d0100fa0f0
-
SHA1
d75243d473ef0aea05d1d49d9fe0679f16ccf218
-
SHA256
fc88110016788b8ee65c2c29c6e9fe77132719c0c4d5e0a9a4e2f97bc5f2c0f2
-
SHA512
a688af0d16856ce4e030af714fb61d60fa4f893df97895cd0807e29050d5fb128beb6e7b3a66a83f0405800435c31dfe3023da695ea487c4b82b022ddb2b20fe
-
SSDEEP
12288:LSX+EvrCA3FNIs34Zk1L1ZSNlm3Spsal6lbRtMuStGKcsCSqcl90VasgWP:kFNN4Zk1LTclm3e1kbRtyGKcpHcl5hWP
Malware Config
Signatures
-
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
f4d11e1d59d067e850a910d0100fa0f0N.exef4d11e1d59d067e850a910d0100fa0f0N.exef4d11e1d59d067e850a910d0100fa0f0N.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f4d11e1d59d067e850a910d0100fa0f0N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f4d11e1d59d067e850a910d0100fa0f0N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f4d11e1d59d067e850a910d0100fa0f0N.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
f4d11e1d59d067e850a910d0100fa0f0N.exepid process 1340 f4d11e1d59d067e850a910d0100fa0f0N.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
f4d11e1d59d067e850a910d0100fa0f0N.exedescription pid process target process PID 756 wrote to memory of 1340 756 f4d11e1d59d067e850a910d0100fa0f0N.exe f4d11e1d59d067e850a910d0100fa0f0N.exe PID 756 wrote to memory of 1340 756 f4d11e1d59d067e850a910d0100fa0f0N.exe f4d11e1d59d067e850a910d0100fa0f0N.exe PID 756 wrote to memory of 1340 756 f4d11e1d59d067e850a910d0100fa0f0N.exe f4d11e1d59d067e850a910d0100fa0f0N.exe PID 756 wrote to memory of 1340 756 f4d11e1d59d067e850a910d0100fa0f0N.exe f4d11e1d59d067e850a910d0100fa0f0N.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe"C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe"1⤵
- System Location Discovery: System Language Discovery
PID:2424
-
C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe"C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe" -service -lunch1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe"C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
PID:1340
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD51aac7af5fbaf2605446a73cdd2b760f3
SHA1e6951d61057eaeafb6a45ee4d0f12671da429669
SHA256ffa108caefd070fd6a4afc9a30eeb754a671df5a2e7b0285fc511a2ce824ba1e
SHA512f83414633a3032dc6929f0c5dee1cd7c2f5a9c32f5669eaed8788cc7cee5ab25aeb18d366d21f09544beaedcb8ab26690dc6dd2904a42ec15608c79401c77e19