Analysis

  • max time kernel
    120s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30-10-2024 10:35

General

  • Target

    304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe

  • Size

    766KB

  • MD5

    fb975974833411caa02f60e99801aeb0

  • SHA1

    cabaee807c9cada7188323e9c780131481c076da

  • SHA256

    304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2

  • SHA512

    7090df5b5ea5e39e8a4c5ff282c46ddcd6199d4d576639395121c78af653c7997a9f839d96e96d934b4f26c42c139d707fad2292da8563af1156b4aa6f694aea

  • SSDEEP

    12288:gpDNc/Xsfu2LVBRKf057C9lRt3i5olGJsxhzagJYa:g5N48fu2hBRK8ilRty5olGJsxNSa

Malware Config

Signatures

  • Ammyy Admin

    Remote admin tool with various capabilities.

  • AmmyyAdmin payload 1 IoCs
  • Ammyyadmin family
  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

  • Flawedammyy family
  • Executes dropped EXE 3 IoCs
  • Modifies system executable filetype association 2 TTPs 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 9 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
    "C:\Users\Admin\AppData\Local\Temp\304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe"
    1⤵
    • Modifies system executable filetype association
    • Drops file in System32 directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4832
    • C:\Users\Admin\AppData\Local\Temp\tmp8432\304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
      C:\Users\Admin\AppData\Local\Temp\tmp8432\304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4704
  • C:\Users\Admin\AppData\Local\Temp\tmp8432\304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp8432\304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe" -service -lunch
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3416
    • C:\Users\Admin\AppData\Local\Temp\tmp8432\304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp8432\304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2300

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\AMMYY\hr

    Filesize

    22B

    MD5

    25e1390a66f7170a20124699caec1b24

    SHA1

    25ae756675a9e8617862295d1e815aa0a2522367

    SHA256

    c7de5d66d2f375cdeb2b62b3fd149c5ebf498395beb31592f4f2d1fcac9e5861

    SHA512

    9c0c27764031ff8c2259ae86dc9e515bff8b1fc4f9f70cda404e000af5352db683e3410615d3ceb435fc973081e808f271c63fb442601ecc1a125458b85e3930

  • C:\ProgramData\AMMYY\hr3

    Filesize

    75B

    MD5

    9a807340b85888f264fd4beaef73f4b2

    SHA1

    86332dede9a9b382e363d3add3fa2d07159e8610

    SHA256

    40ad84357a0cbcf5c2e536e361e4d9ba36c6c976a276bcd98cfd1c71c71977bc

    SHA512

    f5cad47dadf2877807174e3d9200addc84e5c39e9b7115e6c07411713ecded6e654125a8ee856bb3adfc94c22881f18a36b02b3967aa0668362fe6c7bd54562a

  • C:\ProgramData\AMMYY\settings3.bin

    Filesize

    271B

    MD5

    4cb889e527b0d0781a17f6c2dd968129

    SHA1

    6a6a55cd5604370660f1c1ad1025195169be8978

    SHA256

    2658cd46dd49335e739cafa31ff2ec63f3315b65ecc171a0f7612713d3ac702b

    SHA512

    297d2c05d2ac950faeb519d3e7bc56ea9d9fcab65b5dfdbba2720be8eddc8b2d5ead3dc7c122b82d6937be6c2d7bb88872dd7b80961138571245fba381daac3f

  • C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

    Filesize

    674KB

    MD5

    0e52a8215012052d9c633778de5fdf27

    SHA1

    0abb5785385c3d584faf56c2e099d5d77fd5bb27

    SHA256

    b49e53cb15c09a2e2eab42f830e62e7314a06138222c441c7d0a3e1dec577b89

    SHA512

    e1c3f9153adb6d8d80fa9bbe88cb6d0b3acb76a648831ec12d5bda8b4dd99082bb0b10a02428548358850755d74d476b77cebe3657023f785bd1705d42eaaa2a

  • C:\Users\Admin\AppData\Local\Temp\tmp8432\304767a5d161c49053fcb983a007c4ec90290a8bc7f61eb7539bbb7b9a5558c2N.exe

    Filesize

    726KB

    MD5

    3178f23055b264687995248286a1203b

    SHA1

    cf90f321c3cccb006698c4665ec65172c221d979

    SHA256

    7895cba4fd1a4f2b5679e8fea1c5b5cbff35ece25dc7e64d49e9de98e52193c8

    SHA512

    94ca4626f83260edafc2c36346c33be0f12bd46d93b18b4ea336e82e5db1be857f41d475a40913343ad6dfe61bfcaa13fbc75a6853b3f7e071b2580f9aa065ef

  • memory/4832-74-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/4832-76-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB

  • memory/4832-78-0x0000000000400000-0x000000000041A000-memory.dmp

    Filesize

    104KB