Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    12-09-2024 16:19

General

  • Target

    AA_v3.exe

  • Size

    782KB

  • MD5

    390ddaff20160396e7490b239b4cad9b

  • SHA1

    44c10c691fc2639b3436abe8dc25542ff5a73067

  • SHA256

    357230056c30b4d7a7d697114d3d90ddc9a13dcb174a9a6d1f74c950e5bcd570

  • SHA512

    fd9d519d5e0f3c7d5ac55d594ef23eff6b96e45efe582b8f2fb88c657d76dd4966de73faf4dcea02913940a46c2aa9a6cec8748bcdfb43530e0b3228f8eb833b

  • SSDEEP

    12288:bWJDVSwZtyHFaMhY1SPEKH0OERt4PMsajW0pSEV3fugE:q7FZtoFaiY1SsKpERtMMRy0ptf7E

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
    "C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2272
  • C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
    "C:\Users\Admin\AppData\Local\Temp\AA_v3.exe" -service -lunch
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2668
    • C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
      "C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
      2⤵
      • Checks computer location settings
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Modifies system certificate store
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2716
      • C:\Windows\system32\rundll32.exe
        rundll32.exe "C:\ProgramData\AMMYY\aa_nts.dll",run
        3⤵
        • Loads dropped DLL
        PID:108

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\AMMYY\aa_nts.dll

    Filesize

    902KB

    MD5

    480a66902e6e7cdafaa6711e8697ff8c

    SHA1

    6ac730962e7c1dba9e2ecc5733a506544f3c8d11

    SHA256

    7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

    SHA512

    7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

  • C:\ProgramData\AMMYY\aa_nts.msg

    Filesize

    45B

    MD5

    0fc5a1d86d595cb0eaec0baec6fdd759

    SHA1

    99293a9060d65c497370960658b29b612356bb43

    SHA256

    237d9c394b0c54f24694cf50ac954ec45dac7254a7556c628da9260eba7f8693

    SHA512

    8ca3735983472b8aa8752d967bde5fc5f68bc32420b145e337e5e85658637c83b16c401067d1bd9a7e3e9cc4f987e2dad9534cc0a9e433eb64e8dc8b53833169

  • C:\ProgramData\AMMYY\settings3.bin

    Filesize

    282B

    MD5

    ac7221c691ef0a93dbbb5bee6efcb7ec

    SHA1

    54f197fef16badefb4bf0d7339f6bd1099e505da

    SHA256

    b6b033b71d3f7f92986e32a61b3244b9856e82a9c3d233696a0dfa29a517106f

    SHA512

    226299ab1b7b388473163f4fecc41d536755586b4c275475128c5e5946554cd9ca69df223469130d85516f2ac2330a2cb35dec2879355ea0186b63d8429dcd6b

  • memory/108-20-0x0000000064200000-0x00000000642EE000-memory.dmp

    Filesize

    952KB