Analysis
max time kernel: 120s
max time network: 113s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 02-11-2024 16:21
Behavioral task: behavioral1
Sample: 56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
Resource: win7-20240729-en
Behavioral task: behavioral2
Sample: 56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
Resource: win10v2004-20241007-en
General
Target: 56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
Size: 755KB
MD5: 206a9c8f94cc386e8828a667e1b57950
SHA1: 3c9731cd31ec8b75962502aaa042bb1f8e51ed2e
SHA256: 56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0
SHA512: 5172219a65f6e8dbbadf9c833e3aebe498c6b2ed3b90f419b051f6ad47f0ab40a4b67681759caa531669cb774f34cfee993a660e65576233f1db01f3b11b4766
SSDEEP: 12288:XVFUEuNmwvGrw9i0aTGRGicBckyyFRtWY1i3FTsvOVV0gz:3UEUUw9RaTNicBrPFRtJ1iVTsC5z
Malware Config
Signatures
Ammyy Admin
Remote admin tool with various capabilities.
AmmyyAdmin payload (5 IoCs)
resource | yara_rule
behavioral1/memory/1744-0-0x0000000000400000-0x00000000004D3000-memory.dmp | family_ammyyadmin
behavioral1/memory/2152-5-0x0000000000400000-0x00000000004D3000-memory.dmp | family_ammyyadmin
behavioral1/memory/1080-7-0x0000000000400000-0x00000000004D3000-memory.dmp | family_ammyyadmin
behavioral1/memory/1744-8-0x0000000000400000-0x00000000004D3000-memory.dmp | family_ammyyadmin
behavioral1/memory/2152-13-0x0000000000400000-0x00000000004D3000-memory.dmp | family_ammyyadmin
Ammyyadmin family
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
Flawedammyy family
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\Geo\Nation | 56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
Modifies data under HKEY_USERS (7 IoCs)
description | ioc | Process
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d567366087c6658524c175253b77202700b72b36b | 56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = c60ac101f372f2142d875b9e0e51d85e50a5fcc63d64eb3091927e5273018fedf5382fb2ce57d1ed67aa0da12573964ee6cb83ec33940c7adca4a0b835708f42cb7f265d509a204f8265a7 | 56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | 56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | 56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | 56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | 56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | 56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
2152 | 56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
Suspicious use of SendNotifyMessage (1 IoCs)
pid | Process
2152 | 56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
Suspicious use of WriteProcessMemory (4 IoCs)
description | pid | Process | procid_target
PID 1080 wrote to memory of 2152 | 1080 | 56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe | 30
PID 1080 wrote to memory of 2152 | 1080 | 56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe | 30
PID 1080 wrote to memory of 2152 | 1080 | 56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe | 30
PID 1080 wrote to memory of 2152 | 1080 | 56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe | 30
Processes
Process tree (depth 1 = top-level process, depth 2 = child process):

Depth 1: C:\Users\Admin\AppData\Local\Temp\56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe"
  - System Location Discovery: System Language Discovery
  PID: 1744

Depth 1: C:\Users\Admin\AppData\Local\Temp\56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe" -service -lunch
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 1080

  Depth 2 (child of PID 1080): C:\Users\Admin\AppData\Local\Temp\56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\56a2607d9c2dbc6f1d0aa238a617fdb8b57e812c7591082d198e0da06af7d6a0N.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 2152
Network
MITRE ATT&CK Enterprise v15
Downloads