Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
31/10/2024, 15:59 UTC
General
-
Target
AA_v3.5.exe
-
Size
751KB
-
MD5
5686a7032e37087f0fd082a04f727aad
-
SHA1
341fee5256dcc259a3a566ca8f0260eb1e60d730
-
SHA256
43bba98a64dd96cf0571f3d6dceafdc549cc3767a1beab6fe4a6e1fd3ddd3153
-
SHA512
0ebd95b20ef54d047fdaec37cfb10e2c39ea9d63fa28d6a6848ec11b34a4c4ec5f7a8a430d81670461203b9e675ac4a32cac3da4a1c471f16e8d003c6dea3345
-
SSDEEP
12288:oPO1fNZApVuCN7e/yalnM4RtjLDXcbOAS3snvVgbgJ:om1fN6pkCNa/yaq4RtjXcu3sSEJ
Malware Config
Signatures
-
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
-
Flawedammyy family
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies data under HKEY_USERS 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe"C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe"1⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe"C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe" -service -lunch1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe"C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe"2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
Network
-
DNSrl.ammyy.comRemote address:8.8.8.8:53Requestrl.ammyy.comIN AResponserl.ammyy.comIN A188.42.129.148 -
DNSrl.ammyy.comRemote address:8.8.8.8:53Requestrl.ammyy.comIN A
-
DNSrl.ammyy.comRemote address:8.8.8.8:53Requestrl.ammyy.comIN A
-
POSThttp://rl.ammyy.com/Remote address:188.42.129.148:80RequestPOST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: rl.ammyy.com
Content-Length: 192
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Date: Thu, 31 Oct 2024 16:06:32 GMT
Server: Apache
X-Powered-By: PHP/5.4.16
Content-Length: 138
Content-Type: text/html
-
188.42.129.148:80rl.ammyy.com
-
188.42.129.148:80rl.ammyy.com
-
188.42.129.148:80http://rl.ammyy.com/http
HTTP Request
POST http://rl.ammyy.com/HTTP Response
200 -
136.243.104.235:443https
-
8.8.8.8:53rl.ammyy.comdns
DNS Request
rl.ammyy.com
DNS Request
rl.ammyy.com
DNS Request
rl.ammyy.com
DNS Response
188.42.129.148
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
22B
MD52fbc910539bd0826b7a34c61da8eb964
SHA1f30499af573cf1a2537787abaaaa587e9e81d26f
SHA2564b2abdef01694d712a84673f440865c20865870da50c5943cfdfd8dc8b8b8ea5
SHA5124096da0c5c6b4f463667b4817c3776cf7f3aced7fa4455dd8e86ac8d81913aa1b8e316b0b6e47363b6a8647e3b197a84e867ed93cb2e02ae43b48ef8606a6088
-
Filesize
75B
MD5fb6b8a39e86ec29b9a148afce664a404
SHA1cbc5349eb8bb0bbe86be7d67d3818da8ae691616
SHA256c1e42756d9ac022673ead196adaaeb32da392b0659fe2937640274c0a3f9fcac
SHA512f9eeaf4c97881651a4d99fd7953d9704f6edfce0805360502e2a46f40ae07b783ceea7a64cb7f7c18747177fe73ddbbc0afc9798c79557df5f69ebd26216e970
-
Filesize
271B
MD5714f2508d4227f74b6adacfef73815d8
SHA1a35c8a796e4453c0c09d011284b806d25bdad04c
SHA256a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480
SHA5121171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8