Overview

overview

10

Static

static

10

AA_v3.5.exe

windows7-x64

10

AA_v3.5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    32s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    16-10-2024 16:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AA_v3.5.exe

  • Size

    746KB

  • MD5

    f8cd52b70a11a1fb3f29c6f89ff971ec

  • SHA1

    6a0c46818a6a10c2c5a98a0cce65fbaf95caa344

  • SHA256

    6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20

  • SHA512

    987b6b288a454b6198d4e7f94b7bba67cafe37f9654cd3cd72134a85958efd2125596ae48e66a8ee49ee3f4199dac7f136e1831f2bf4015f25d2980f0b866abe

  • SSDEEP

    12288:PUYpJqMH2OwlaUPcWWw5XZV8f64RteVpN5ETMasTjcP6gX:zpJJWOwlaUPcWWwRZb4Rt+N5WMasHoX

Score
10/10
flawedammyydiscoverytrojan

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

    trojanflawedammyy
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe
    "C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2260
  • C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe
    "C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe" -service -lunch
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2408
    • C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe
      "C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2020

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\AMMYY\hr
    Filesize

    22B

    MD5

    1bf6ea4f1d3e0eaa48c42ffb6be361f9

    SHA1

    ed23a4a101d0381c037c2b38173d8f0d5dd90f8c

    SHA256

    c4393722d7ea2fd0829f221d3f3f83a911bef9145bf687c2beb66fdb7c4b1e67

    SHA512

    e94793ee960a46ed5f0e3b1d27d2e82c768503c1a8bb0632418501ce728fb186effa0dc34bc747e02f0be0abf3d710ed9cc689b0d98ca39bab5e9a2ef5a91cc5

    Download Submit

  • C:\ProgramData\AMMYY\hr3
    Filesize

    75B

    MD5

    5694c7f4d3fcac1fc3b36c287325b963

    SHA1

    25eda616bd3906d6caf69c3195eb1f4b8de67fd1

    SHA256

    152d7e8584fbca0e8ee210f754e1c6ac5426b39ebd1354bab779634ad08ce1a4

    SHA512

    f2a9de9cfe38480baafe6c2f92972a96ba5b00791c10cb54b48e3d570858b1e1796cca8645003e04c84b67e51f98f48824ef24bb691db6bf22581961e0dcc907

    Download Submit

  • C:\ProgramData\AMMYY\settings3.bin
    Filesize

    271B

    MD5

    714f2508d4227f74b6adacfef73815d8

    SHA1

    a35c8a796e4453c0c09d011284b806d25bdad04c

    SHA256

    a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480

    SHA512

    1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

    Download Submit