Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    29-09-2024 02:13

General

  • Target

    AA_v3.exe

  • Size

    755KB

  • MD5

    11bc606269a161555431bacf37f7c1e4

  • SHA1

    63c52b0ac68ab7464e2cd777442a5807db9b5383

  • SHA256

    1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed

  • SHA512

    0be867fce920d493d2a37f996627bceea87621ba4071ae4383dd4a24748eedf7dc5ca6db089217b82ec38870248c6840f785683bf359d1014c7109e7d46dd90f

  • SSDEEP

    12288:XVFUEuNmwvGrw9i0aTGRGicBckyyFRtWY1i3FTsvOVV0gz:3UEUUw9RaTNicBrPFRtJ1iVTsC5z

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
    "C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2708
  • C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
    "C:\Users\Admin\AppData\Local\Temp\AA_v3.exe" -service -lunch
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2812
    • C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
      "C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2716

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\AMMYY\hr

    Filesize

    22B

    MD5

    f87a823e0b89ee47ba7c55311181c528

    SHA1

    f41e8fd1ae3c7aa693d65682993617d91662d664

    SHA256

    1c19ef43a0f60d50c4ee5d7feeb1e81a58e55a5a9575c566c33886e648e74967

    SHA512

    f974851206adb40ffe13710c6c4ac4360dad21f97a7ad0f17fbfab683ddb3779cbb17b288ff460e567510cfb3ff47e6463bbefa99e7995e7f08ba7143165f116

  • C:\ProgramData\AMMYY\hr3

    Filesize

    75B

    MD5

    5f5e6f655d164781a48714c117244c26

    SHA1

    690f07212bafb7ed11b3c65a61014094014b1b29

    SHA256

    b397503d4df31f3f6392213f84b54a2c0eaf5d9b1fcc471e4e6539636c3fba3d

    SHA512

    fda21c391bfd5351bc7f3ec66b6811c19fe2709b6c6f6cecfe32c2c73f978a205651f1f15a6f87f2505d122a0df5f2d64da482b267467bf68f46eefd8386be39

  • C:\ProgramData\AMMYY\settings3.bin

    Filesize

    271B

    MD5

    714f2508d4227f74b6adacfef73815d8

    SHA1

    a35c8a796e4453c0c09d011284b806d25bdad04c

    SHA256

    a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480

    SHA512

    1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8