
Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    10/11/2024, 16:13 UTC

General

  • Target

    AA_v3.exe

  • Size

    798KB

  • MD5

    90aadf2247149996ae443e2c82af3730

  • SHA1

    050b7eba825412b24e3f02d76d7da5ae97e10502

  • SHA256

    ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

  • SHA512

    eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

  • SSDEEP

    24576:Uj0JJ4p/A4npt3XojeQG5EtzRtO7GvmDguXd:UjoJ4u4zojegylDN

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

  • Flawedammyy family
  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 11 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
    "C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • System Location Discovery: System Language Discovery
    PID:3540
  • C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
    "C:\Users\Admin\AppData\Local\Temp\AA_v3.exe" -service -lunch
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3900
    • C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
      "C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
      2⤵
      • Checks computer location settings
      • Writes to the Master Boot Record (MBR)
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3096
      • C:\Windows\SYSTEM32\rundll32.exe
        rundll32.exe "C:\ProgramData\AMMYY\aa_nts.dll",run
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4088

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dns.google
  • flag-us
    DNS
    88.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    88.210.23.2.in-addr.arpa
    IN PTR
    Response
    88.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-88.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    196.249.167.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    196.249.167.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    rl.ammyy.com
    AA_v3.exe
    Remote address:
    8.8.8.8:53
    Request
    rl.ammyy.com
    IN A
    Response
    rl.ammyy.com
    IN A
    188.42.129.148
  • flag-nl
    POST
    http://rl.ammyy.com/
    AA_v3.exe
    Remote address:
    188.42.129.148:80
    Request
    POST / HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: rl.ammyy.com
    Content-Length: 256
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Sun, 10 Nov 2024 16:13:47 GMT
    Server: Apache
    X-Powered-By: PHP/5.4.16
    Content-Length: 250
    Content-Type: text/html
  • flag-us
    DNS
    148.129.42.188.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    148.129.42.188.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    235.104.243.136.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    235.104.243.136.in-addr.arpa
    IN PTR
    Response
    235.104.243.136.in-addr.arpa
    IN PTR
    static.235.104.243.136.clients.your-server.de
  • flag-us
    DNS
    www.ammyy.com
    AA_v3.exe
    Remote address:
    8.8.8.8:53
    Request
    www.ammyy.com
    IN A
    Response
    www.ammyy.com
    IN A
    136.243.18.118
  • flag-de
    GET
    http://www.ammyy.com/files/v8/aans64y2.gz
    AA_v3.exe
    Remote address:
    136.243.18.118:80
    Request
    GET /files/v8/aans64y2.gz HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Range: bytes=0-
    Accept-Encoding: gzip, deflate
    Host: www.ammyy.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 301 Moved Permanently
    Date: Sun, 10 Nov 2024 16:13:49 GMT
    Server: Apache/2.4.6 (CentOS)
    Location: https://www.ammyy.com/files/v8/aans64y2.gz
    Content-Length: 328
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
  • flag-de
    GET
    https://www.ammyy.com/files/v8/aans64y2.gz
    AA_v3.exe
    Remote address:
    136.243.18.118:443
    Request
    GET /files/v8/aans64y2.gz HTTP/1.1
    Range: bytes=0-
    Accept-Encoding: gzip, deflate
    Cache-Control: no-cache
    Host: www.ammyy.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 206 Partial Content
    Date: Sun, 10 Nov 2024 16:13:49 GMT
    Server: Apache/2.4.6 (CentOS)
    Last-Modified: Sun, 05 Dec 2021 20:54:18 GMT
    ETag: "509a4-5d26c580371d1"
    Accept-Ranges: bytes
    Content-Length: 330148
    Content-Range: bytes 0-330147/330148
    Connection: close
    Content-Type: application/x-gzip
  • flag-us
    DNS
    r11.o.lencr.org
    AA_v3.exe
    Remote address:
    8.8.8.8:53
    Request
    r11.o.lencr.org
    IN A
    Response
    r11.o.lencr.org
    IN CNAME
    o.lencr.edgesuite.net
    o.lencr.edgesuite.net
    IN CNAME
    a1887.dscq.akamai.net
    a1887.dscq.akamai.net
    IN A
    2.23.210.75
    a1887.dscq.akamai.net
    IN A
    2.23.210.82
  • flag-gb
    GET
    http://r11.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgSfBEjCuhCXdl7Defz8ipA09g%3D%3D
    AA_v3.exe
    Remote address:
    2.23.210.75:80
    Request
    GET /MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgSfBEjCuhCXdl7Defz8ipA09g%3D%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/10.0
    Host: r11.o.lencr.org
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Content-Type: application/ocsp-response
    Content-Length: 504
    ETag: "197605521FE64F158988267C9984728A9F55A6433144192EB2735E47BAFB4E5F"
    Last-Modified: Sat, 09 Nov 2024 19:53:00 UTC
    Cache-Control: public, no-transform, must-revalidate, max-age=5535
    Expires: Sun, 10 Nov 2024 17:46:04 GMT
    Date: Sun, 10 Nov 2024 16:13:49 GMT
    Connection: keep-alive
  • flag-us
    DNS
    118.18.243.136.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    118.18.243.136.in-addr.arpa
    IN PTR
    Response
    118.18.243.136.in-addr.arpa
    IN PTR
    static.118.18.243.136.clients.your-server.de
  • flag-us
    DNS
    32.169.19.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    32.169.19.2.in-addr.arpa
    IN PTR
    Response
    32.169.19.2.in-addr.arpa
    IN PTR
    a2-19-169-32.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    232.168.11.51.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    232.168.11.51.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    75.210.23.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    75.210.23.2.in-addr.arpa
    IN PTR
    Response
    75.210.23.2.in-addr.arpa
    IN PTR
    a2-23-210-75.deploy.static.akamaitechnologies.com
  • flag-us
    DNS
    197.87.175.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    197.87.175.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    241.42.69.40.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    241.42.69.40.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    220.193.10.85.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    220.193.10.85.in-addr.arpa
    IN PTR
    Response
    220.193.10.85.in-addr.arpa
    IN PTR
    static.85-10-193-220.clients.your-server.de
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    11.227.111.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.227.111.52.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    11.173.189.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.173.189.20.in-addr.arpa
    IN PTR
    Response
  • 188.42.129.148:80
    http://rl.ammyy.com/
    http
    AA_v3.exe
    942 B
    566 B
    12
    4

    HTTP Request

    POST http://rl.ammyy.com/

    HTTP Response

    200
  • 136.243.104.235:443
    https
    AA_v3.exe
    450 B
    216 B
    9
    5
  • 136.243.18.118:80
    http://www.ammyy.com/files/v8/aans64y2.gz
    http
    AA_v3.exe
    458 B
    781 B
    6
    5

    HTTP Request

    GET http://www.ammyy.com/files/v8/aans64y2.gz

    HTTP Response

    301
  • 136.243.18.118:443
    https://www.ammyy.com/files/v8/aans64y2.gz
    tls, http
    AA_v3.exe
    12.2kB
    344.4kB
    254
    251

    HTTP Request

    GET https://www.ammyy.com/files/v8/aans64y2.gz

    HTTP Response

    206
  • 2.23.210.75:80
    http://r11.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgSfBEjCuhCXdl7Defz8ipA09g%3D%3D
    http
    AA_v3.exe
    516 B
    1.1kB
    6
    5

    HTTP Request

    GET http://r11.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBQaUrm0WeTDM5ghfoZtS72KO9ZnzgQUCLkRO6XQhRi06g%2BgrZ%2BGHo78OCcCEgSfBEjCuhCXdl7Defz8ipA09g%3D%3D

    HTTP Response

    200
  • 85.10.193.220:80
    http
    rundll32.exe
    753 B
    762 B
    12
    9
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    66 B
    90 B
    1
    1

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    88.210.23.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    88.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    196.249.167.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    196.249.167.52.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    rl.ammyy.com
    dns
    AA_v3.exe
    58 B
    74 B
    1
    1

    DNS Request

    rl.ammyy.com

    DNS Response

    188.42.129.148

  • 8.8.8.8:53
    148.129.42.188.in-addr.arpa
    dns
    73 B
    146 B
    1
    1

    DNS Request

    148.129.42.188.in-addr.arpa

  • 8.8.8.8:53
    235.104.243.136.in-addr.arpa
    dns
    74 B
    133 B
    1
    1

    DNS Request

    235.104.243.136.in-addr.arpa

  • 8.8.8.8:53
    www.ammyy.com
    dns
    AA_v3.exe
    59 B
    75 B
    1
    1

    DNS Request

    www.ammyy.com

    DNS Response

    136.243.18.118

  • 8.8.8.8:53
    r11.o.lencr.org
    dns
    AA_v3.exe
    61 B
    160 B
    1
    1

    DNS Request

    r11.o.lencr.org

    DNS Response

    2.23.210.75
    2.23.210.82

  • 8.8.8.8:53
    118.18.243.136.in-addr.arpa
    dns
    73 B
    131 B
    1
    1

    DNS Request

    118.18.243.136.in-addr.arpa

  • 8.8.8.8:53
    32.169.19.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    32.169.19.2.in-addr.arpa

  • 8.8.8.8:53
    232.168.11.51.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    232.168.11.51.in-addr.arpa

  • 8.8.8.8:53
    75.210.23.2.in-addr.arpa
    dns
    70 B
    133 B
    1
    1

    DNS Request

    75.210.23.2.in-addr.arpa

  • 8.8.8.8:53
    197.87.175.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    197.87.175.4.in-addr.arpa

  • 8.8.8.8:53
    241.42.69.40.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    241.42.69.40.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    220.193.10.85.in-addr.arpa
    dns
    72 B
    129 B
    1
    1

    DNS Request

    220.193.10.85.in-addr.arpa

  • 8.8.8.8:53
    11.227.111.52.in-addr.arpa
    dns
    144 B
    158 B
    2
    1

    DNS Request

    11.227.111.52.in-addr.arpa

    DNS Request

    11.227.111.52.in-addr.arpa

  • 8.8.8.8:53
    11.173.189.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request

    11.173.189.20.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\AMMYY\aa_nts.dll

    Filesize

    902KB

    MD5

    480a66902e6e7cdafaa6711e8697ff8c

    SHA1

    6ac730962e7c1dba9e2ecc5733a506544f3c8d11

    SHA256

    7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

    SHA512

    7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

  • C:\ProgramData\AMMYY\aa_nts.log

    Filesize

    4KB

    MD5

    343476ed9b4692a69f3704cfc42c48b2

    SHA1

    cb707bfda4016fa715a9797297ba60ed5f9a5fd4

    SHA256

    5bb27666072cf5f60e474d2ae67be04a17b2b71ea78627fbea72fdfe31747057

    SHA512

    7e61cc987cab3860f10571c22f082372a71a7345ffb3504b3437e7fa895bafe65818228601598835635556d76ede2435e471b177e6d224db7ea0b04f593cef57

  • C:\ProgramData\AMMYY\aa_nts.msg

    Filesize

    46B

    MD5

    76038623e270f399769df67a3ed15c16

    SHA1

    ebf7d7537f45738be48e6f64d59c846b13fb4334

    SHA256

    4dbdf4f709d50f9521e92ce5f7d4f305e2384bcda387fb2b325ff17d205bb687

    SHA512

    a5316694d844e5b10c589f58fdf65645568b3909b2914f85c99195f9625e4124f787bc0980cff98f1e8289ff84824620a03f32cdab18e5bbcb2e59b33f397aec

  • C:\ProgramData\AMMYY\settings3.bin

    Filesize

    334B

    MD5

    138cf34c9aadb5c899fab396f04c933d

    SHA1

    303740048b0f85278d05981ebd103f9dc68e02ac

    SHA256

    baa30bc225d8369c3db974901f05ac0b2e44ed71fa66247a63a10939c06147ff

    SHA512

    ecb93b6872d812d47e20bc397aa99f55cc649a62be2c76d93e018c761b1a9b1badeaed4eeac9d154a700cf70e3c8acaa54ab05404e20b80c6920065883213bb7

  • memory/4088-17-0x0000000064200000-0x00000000642EE000-memory.dmp

    Filesize

    952KB

  • memory/4088-31-0x0000000064200000-0x00000000642EE000-memory.dmp

    Filesize

    952KB

  • memory/4088-39-0x0000000064200000-0x00000000642EE000-memory.dmp

    Filesize

    952KB

  • memory/4088-47-0x0000000064200000-0x00000000642EE000-memory.dmp

    Filesize

    952KB

  • memory/4088-60-0x0000000064200000-0x00000000642EE000-memory.dmp

    Filesize

    952KB

  • memory/4088-80-0x0000000064200000-0x00000000642EE000-memory.dmp

    Filesize

    952KB

  • memory/4088-97-0x0000000064200000-0x00000000642EE000-memory.dmp

    Filesize

    952KB

  • memory/4088-114-0x0000000064200000-0x00000000642EE000-memory.dmp

    Filesize

    952KB
