Overview

overview

10

Static

static

10

rh111.exe

windows7-x64

10

rh111.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    05-08-2024 22:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    rh111.exe

  • Size

    798KB

  • MD5

    90aadf2247149996ae443e2c82af3730

  • SHA1

    050b7eba825412b24e3f02d76d7da5ae97e10502

  • SHA256

    ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

  • SHA512

    eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

  • SSDEEP

    24576:Uj0JJ4p/A4npt3XojeQG5EtzRtO7GvmDguXd:UjoJ4u4zojegylDN

Score
10/10
flawedammyybootkitdiscoverypersistencetrojan

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

    trojanflawedammyy
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\rh111.exe
    "C:\Users\Admin\AppData\Local\Temp\rh111.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • System Location Discovery: System Language Discovery
    PID:2724
  • C:\Users\Admin\AppData\Local\Temp\rh111.exe
    "C:\Users\Admin\AppData\Local\Temp\rh111.exe" -service -lunch
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2768
    • C:\Users\Admin\AppData\Local\Temp\rh111.exe
      "C:\Users\Admin\AppData\Local\Temp\rh111.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: GetForegroundWindowSpam
      PID:2800

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\AMMYY\settings3.bin
    Filesize

    327B

    MD5

    006d1c6da8e538cc9ffe408d951a6584

    SHA1

    40968b80fe53fa2909bf290e846efdebdb3fa04a

    SHA256

    9944f7617e1d4dedaddd29b0a4aeb024752c4db24ca0f6ac34d405a5c01fea85

    SHA512

    ee994df50cc57840a3b27ad8c4bd2d8311a3274b87733b14f2390e8af93be61496f14e601331e6d14020f2cdb8195935d2629add2320cda833c725407cbdaae0

    Download Submit