Overview

overview

10

Static

static

10

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    17-10-2024 15:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    762KB

  • MD5

    e9b569f7cbf23d91df065c18f4c43840

  • SHA1

    5d7cb1a2ca7db04edf23dd3ed41125c8c867b0ad

  • SHA256

    d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605

  • SHA512

    a9f01663b0c0ce9d30bd6760847bf3c18318801634145ec75e047019a8e8a9b13ea8122449b8f45ad40b63d4551cb85230df1b41a41ddc33a39cfcf2ec237ccb

  • SSDEEP

    12288:kX5PFc+E0SlpOvcC1KL/q/IZVURtCdshX5x8jR31QEY0VEoge:2P++ZSlpOUC1KT4+URtYshX5aRlQEYte

Score
10/10
flawedammyydiscoverytrojan

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

    trojanflawedammyy
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2480
  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe" -service -lunch
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1684
    • C:\Users\Admin\AppData\Local\Temp\file.exe
      "C:\Users\Admin\AppData\Local\Temp\file.exe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2652

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\AMMYY\settings3.bin
    Filesize

    274B

    MD5

    bcc40b676c5b0f5a176be92cc8f4199f

    SHA1

    5415364e6ab90151eb1272268cb75ef6c4306a2f

    SHA256

    d3df407118bd28d28e7d3c8afc497c5e478e5d078f7792501ddecb45f3b51826

    SHA512

    467c473be5b9f6e0b8302620b6fbd9ad84f90da2bae3247d8326a22bfdd902fd79e55a2160493903eb747db6ef38fc9decb3db372afa26667f374ca2d0ceb36d

    Download Submit