Analysis
-
max time kernel
100s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system -
submitted
29-08-2024 10:28
Behavioral task
behavioral1
Sample
AA/AA.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
AA/AA.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
AA/AA_v3.9.exe
Resource
win7-20240708-en
Behavioral task
behavioral4
Sample
AA/AA_v3.9.exe
Resource
win10v2004-20240802-en
General
-
Target
AA/AA.exe
-
Size
772KB
-
MD5
94bdeb3679552811166a849a5c01805b
-
SHA1
28a4b0150221b77375a786a93bcd0a033567886d
-
SHA256
ba877be92e535b9dce7f15f7bb5ac0a67e93c7ddd557949e6ec89a73741aca41
-
SHA512
259ad3291f62456e37f3ffd57131a701672be21b3f9010f68e53714e1ea9dfa6190ec08af143f32d96e3cdc8c5018335ddbad3d13bc8655839817b304a7afc8d
-
SSDEEP
12288:HSX+EvrCA3FNIs34Zk1L1ZSNlm3Spsal6lbRtMuStGKcsCSqcl90VahgAV:QFNN4Zk1LTclm3e1kbRtyGKcpHcl5iAV
Malware Config
Signatures
-
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                          Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  AA.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  AA.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  AA.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid   Process
2556  AA.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
description                        pid   Process  procid_target
PID 1976 wrote to memory of 2556   1976  AA.exe   31
PID 1976 wrote to memory of 2556   1976  AA.exe   31
PID 1976 wrote to memory of 2556   1976  AA.exe   31
PID 1976 wrote to memory of 2556   1976  AA.exe   31
Processes
-
C:\Users\Admin\AppData\Local\Temp\AA\AA.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\AA\AA.exe"
Depth: 1
- System Location Discovery: System Language Discovery
PID:1720
-
C:\Users\Admin\AppData\Local\Temp\AA\AA.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\AA\AA.exe" -service -lunch
Depth: 1
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1976
-
  C:\Users\Admin\AppData\Local\Temp\AA\AA.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\AA\AA.exe"
  Depth: 2
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2556
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
390B
MD5
f3e0483a8464f992bb730a42ff646e98
SHA1
2cf672c1cc8c35a022e4a9c0a0aff871cd85d6ed
SHA256
2cf414995b143d509e309d4845b0bf87e86bf9b6fbfd3cda3943e3d53d5aa6b3
SHA512
7ea33e0a811451e81034aee8d8e6094ccb54e02231626389d8a8121afa0240f1db3ea8b06cf768238abf4f7d77d46f9a1ae0ba826a1933dd6f5971c6103940ce