Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-09-2024 02:13

General

  • Target

    AA_v3.exe

  • Size

    755KB

  • MD5

    11bc606269a161555431bacf37f7c1e4

  • SHA1

    63c52b0ac68ab7464e2cd777442a5807db9b5383

  • SHA256

    1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed

  • SHA512

    0be867fce920d493d2a37f996627bceea87621ba4071ae4383dd4a24748eedf7dc5ca6db089217b82ec38870248c6840f785683bf359d1014c7109e7d46dd90f

  • SSDEEP

    12288:XVFUEuNmwvGrw9i0aTGRGicBckyyFRtWY1i3FTsvOVV0gz:3UEUUw9RaTNicBrPFRtJ1iVTsC5z

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

  • Drops file in System32 directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 9 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
    "C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:232
  • C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
    "C:\Users\Admin\AppData\Local\Temp\AA_v3.exe" -service -lunch
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4584
    • C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
      "C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2148

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\AMMYY\hr

    Filesize

    22B

    MD5

    172a19a29b92d08d82593a2c31cedf35

    SHA1

    2c02568bffb9c15d4050b783533099c56ab7403f

    SHA256

    877160dd2f787a48bfe5b888806160bcc9331cc18ac1fa821191d28ae4f2e529

    SHA512

    9f47d8308878cb33192aafa5b8af044760668b48ce26745ee95346b6ce128770d580ce4530bb5436b81489db524661fecbd7d41f876daaf26f55b6584b40676f

  • C:\ProgramData\AMMYY\hr3

    Filesize

    75B

    MD5

    cd9ecb47170bd426f2e11493b0fd870f

    SHA1

    966d75638e3ec7d6342b5e80da410cd06f7e8a45

    SHA256

    9edf6e3690717e2dca9a52a4115ed6f992a29c9c404e6a351515a4dce22691f6

    SHA512

    70e2cb86c6458f6bb0ec4936b89f7715ba50ac4cb4b9807fd6e4604d044727e7374a1a82bcbd780d7f98af92c0bcd36c522c27305b35813f19903f62746adde7

  • C:\ProgramData\AMMYY\settings3.bin

    Filesize

    271B

    MD5

    714f2508d4227f74b6adacfef73815d8

    SHA1

    a35c8a796e4453c0c09d011284b806d25bdad04c

    SHA256

    a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480

    SHA512

    1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8