Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    04-08-2024 17:05

General

  • Target

    f4d11e1d59d067e850a910d0100fa0f0N.exe

  • Size

    772KB

  • MD5

    f4d11e1d59d067e850a910d0100fa0f0

  • SHA1

    d75243d473ef0aea05d1d49d9fe0679f16ccf218

  • SHA256

    fc88110016788b8ee65c2c29c6e9fe77132719c0c4d5e0a9a4e2f97bc5f2c0f2

  • SHA512

    a688af0d16856ce4e030af714fb61d60fa4f893df97895cd0807e29050d5fb128beb6e7b3a66a83f0405800435c31dfe3023da695ea487c4b82b022ddb2b20fe

  • SSDEEP

    12288:LSX+EvrCA3FNIs34Zk1L1ZSNlm3Spsal6lbRtMuStGKcsCSqcl90VasgWP:kFNN4Zk1LTclm3e1kbRtyGKcpHcl5hWP

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2424
  • C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe
    "C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe" -service -lunch
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:756
    • C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe
      "C:\Users\Admin\AppData\Local\Temp\f4d11e1d59d067e850a910d0100fa0f0N.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      PID:1340

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\AMMYY\settings3.bin

    Filesize

    342B

    MD5

    1aac7af5fbaf2605446a73cdd2b760f3

    SHA1

    e6951d61057eaeafb6a45ee4d0f12671da429669

    SHA256

    ffa108caefd070fd6a4afc9a30eeb754a671df5a2e7b0285fc511a2ce824ba1e

    SHA512

    f83414633a3032dc6929f0c5dee1cd7c2f5a9c32f5669eaed8788cc7cee5ab25aeb18d366d21f09544beaedcb8ab26690dc6dd2904a42ec15608c79401c77e19