Overview

overview

10

Static

static

10

rh111.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    39s
  • max time network
    40s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    05-08-2024 16:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    rh111.exe

  • Size

    798KB

  • MD5

    90aadf2247149996ae443e2c82af3730

  • SHA1

    050b7eba825412b24e3f02d76d7da5ae97e10502

  • SHA256

    ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

  • SHA512

    eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

  • SSDEEP

    24576:Uj0JJ4p/A4npt3XojeQG5EtzRtO7GvmDguXd:UjoJ4u4zojegylDN

Score
10/10
flawedammyybootkitdiscoverypersistencetrojan

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

    trojanflawedammyy
  • Loads dropped DLL 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 13 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 11 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\rh111.exe
    "C:\Users\Admin\AppData\Local\Temp\rh111.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • System Location Discovery: System Language Discovery
    PID:3204
  • C:\Users\Admin\AppData\Local\Temp\rh111.exe
    "C:\Users\Admin\AppData\Local\Temp\rh111.exe" -service -lunch
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:468
    • C:\Users\Admin\AppData\Local\Temp\rh111.exe
      "C:\Users\Admin\AppData\Local\Temp\rh111.exe"
      2⤵
      • Writes to the Master Boot Record (MBR)
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4664
      • C:\Windows\SYSTEM32\rundll32.exe
        rundll32.exe "C:\ProgramData\AMMYY\aa_nts.dll",run
        3⤵
        • Loads dropped DLL
        PID:8

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\AMMYY\aa_nts.dll
    Filesize

    902KB

    MD5

    480a66902e6e7cdafaa6711e8697ff8c

    SHA1

    6ac730962e7c1dba9e2ecc5733a506544f3c8d11

    SHA256

    7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

    SHA512

    7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

    Download Submit

  • C:\ProgramData\AMMYY\aa_nts.msg
    Filesize

    46B

    MD5

    76038623e270f399769df67a3ed15c16

    SHA1

    ebf7d7537f45738be48e6f64d59c846b13fb4334

    SHA256

    4dbdf4f709d50f9521e92ce5f7d4f305e2384bcda387fb2b325ff17d205bb687

    SHA512

    a5316694d844e5b10c589f58fdf65645568b3909b2914f85c99195f9625e4124f787bc0980cff98f1e8289ff84824620a03f32cdab18e5bbcb2e59b33f397aec

    Download Submit

  • C:\ProgramData\AMMYY\settings3.bin
    Filesize

    334B

    MD5

    73f300a1043571094942afc17c77ccda

    SHA1

    3427fc48722a4988f507362d57bab34370601e73

    SHA256

    c3c97f5385931bf71ff6aa460b4a618acd60aa398922374fa94898951a66e6a7

    SHA512

    7d0d440866e6b9a5d4deabe9b62be1cad9b4cc43380483a1875c5d57da201efe47ce437fff369ed6903325d702c8a3ec7feca9b18f4b1aea7ba1a51ecbab2a46

    Download Submit

  • memory/8-19-0x0000000064200000-0x00000000642EE000-memory.dmp

    Filesize

    952KB

    Download