Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/10/2024, 18:12 UTC

General

  • Target

    AA_v3.2.exe

  • Size

    722KB

  • MD5

    45c9b54d66cbcc2de89f93e25f368a45

  • SHA1

    2e5265f35f75a50c89e592e127bc80e1e45aa840

  • SHA256

    349f7e00ee29b349b00c32318cb9b829b162167702957295712d37ebbb2a7a9a

  • SHA512

    25c3f1ec6d2e233464090f584777b15f18acfd1cb12124c236680689545ec8208bc364d26d7202e38368dbec34cd824600afb51845df8c9de8c8e83fba8d8b1f

  • SSDEEP

    12288:x2QKNGp2YPjE0d63iVg5Bfi781Rt1hpGqzdpW9eKVQvTPRpsbS5hEgK:xSIp2Ydd6SVcpz1RtXpGadsbShK

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

  • Flawedammyy family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AA_v3.2.exe
    "C:\Users\Admin\AppData\Local\Temp\AA_v3.2.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2552
  • C:\Users\Admin\AppData\Local\Temp\AA_v3.2.exe
    "C:\Users\Admin\AppData\Local\Temp\AA_v3.2.exe" -service -lunch
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2396
    • C:\Users\Admin\AppData\Local\Temp\AA_v3.2.exe
      "C:\Users\Admin\AppData\Local\Temp\AA_v3.2.exe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1544

Network

  • DNS (country flag: US)
    rl.ammyy.com
    AA_v3.2.exe
    Remote address:
    8.8.8.8:53
    Request
    rl.ammyy.com
    IN A
    Response
    rl.ammyy.com
    IN A
    188.42.129.148
  • POST (country flag: NL)
    http://rl.ammyy.com/
    AA_v3.2.exe
    Remote address:
    188.42.129.148:80
    Request
    POST / HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: rl.ammyy.com
    Content-Length: 183
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Sat, 26 Oct 2024 18:12:42 GMT
    Server: Apache
    X-Powered-By: PHP/5.4.16
    Content-Length: 138
    Content-Type: text/html
  • 188.42.129.148:80
    http://rl.ammyy.com/
    http
    AA_v3.2.exe
    869 B
    446 B
    12
    4

    HTTP Request

    POST http://rl.ammyy.com/

    HTTP Response

    200
  • 136.243.104.235:443
    https
    AA_v3.2.exe
    462 B
    299 B
    9
    7
  • 8.8.8.8:53
    rl.ammyy.com
    dns
    AA_v3.2.exe
    58 B
    74 B
    1
    1

    DNS Request

    rl.ammyy.com

    DNS Response

    188.42.129.148

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\AMMYY\hr

    Filesize

    22B

    MD5

    3b0cc7752410d275357315c8b1976c21

    SHA1

    f94362169acc2ff2c5021fa86efc973452a12006

    SHA256

    d1a224f8335e50def11d28e8d2300a7294307b4047433a6b7c5cb4750ac6f718

    SHA512

    269b6315a3500b67ed8ea117cbd4350e91353db715853f11f26bf8050dd6482fa314f76fe4265996b6bde1466575f875e3a667c560ced657142ae67ce4dd38c9

  • C:\ProgramData\AMMYY\hr3

    Filesize

    68B

    MD5

    b07a2e2b969c2598f4602d5d3e5ac444

    SHA1

    a669877546d7d2dbdf5fdb82b1645d4e3c21f8e1

    SHA256

    d271f1b2d6f4bef0d134edfeebb1a2ff1a701c323df7c66023531ccd3fc99df7

    SHA512

    e14a0b30056a499e6b289481b7f9dba620ad4d89375e9ab26213293a1758d1493f63529692223420586378007755be742315f8dc83313f6064d3883e64d6896a

  • C:\ProgramData\AMMYY\settings3.bin

    Filesize

    270B

    MD5

    6910d9160b66c4395f587a279e80f132

    SHA1

    54949c04c8c0970aa5e2d3fb2912318daab97b98

    SHA256

    72d44ac6019d486fc1a58334ff8ed692de0a9ed96de3142638c71376ceade87c

    SHA512

    82967a8bdbad58f2a81d063c84294153dbdd86322d4b6e3631122530dc7f00fd209ed1d2b0683eb60f726fd3d6f93c7615bd1d0d1fa1f5441119d0e5007582b9
