Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/11/2024, 16:13

General

  • Target

    AA_v3.exe

  • Size

    798KB

  • MD5

    90aadf2247149996ae443e2c82af3730

  • SHA1

    050b7eba825412b24e3f02d76d7da5ae97e10502

  • SHA256

    ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

  • SHA512

    eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be

  • SSDEEP

    24576:Uj0JJ4p/A4npt3XojeQG5EtzRtO7GvmDguXd:UjoJ4u4zojegylDN

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

  • Flawedammyy family
  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 11 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 11 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
    "C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • System Location Discovery: System Language Discovery
    PID:3540
  • C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
    "C:\Users\Admin\AppData\Local\Temp\AA_v3.exe" -service -lunch
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3900
    • C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
      "C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
      2⤵
      • Checks computer location settings
      • Writes to the Master Boot Record (MBR)
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3096
      • C:\Windows\SYSTEM32\rundll32.exe
        rundll32.exe "C:\ProgramData\AMMYY\aa_nts.dll",run
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4088

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\AMMYY\aa_nts.dll

    Filesize

    902KB

    MD5

    480a66902e6e7cdafaa6711e8697ff8c

    SHA1

    6ac730962e7c1dba9e2ecc5733a506544f3c8d11

    SHA256

    7eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5

    SHA512

    7d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5

  • C:\ProgramData\AMMYY\aa_nts.log

    Filesize

    4KB

    MD5

    343476ed9b4692a69f3704cfc42c48b2

    SHA1

    cb707bfda4016fa715a9797297ba60ed5f9a5fd4

    SHA256

    5bb27666072cf5f60e474d2ae67be04a17b2b71ea78627fbea72fdfe31747057

    SHA512

    7e61cc987cab3860f10571c22f082372a71a7345ffb3504b3437e7fa895bafe65818228601598835635556d76ede2435e471b177e6d224db7ea0b04f593cef57

  • C:\ProgramData\AMMYY\aa_nts.msg

    Filesize

    46B

    MD5

    76038623e270f399769df67a3ed15c16

    SHA1

    ebf7d7537f45738be48e6f64d59c846b13fb4334

    SHA256

    4dbdf4f709d50f9521e92ce5f7d4f305e2384bcda387fb2b325ff17d205bb687

    SHA512

    a5316694d844e5b10c589f58fdf65645568b3909b2914f85c99195f9625e4124f787bc0980cff98f1e8289ff84824620a03f32cdab18e5bbcb2e59b33f397aec

  • C:\ProgramData\AMMYY\settings3.bin

    Filesize

    334B

    MD5

    138cf34c9aadb5c899fab396f04c933d

    SHA1

    303740048b0f85278d05981ebd103f9dc68e02ac

    SHA256

    baa30bc225d8369c3db974901f05ac0b2e44ed71fa66247a63a10939c06147ff

    SHA512

    ecb93b6872d812d47e20bc397aa99f55cc649a62be2c76d93e018c761b1a9b1badeaed4eeac9d154a700cf70e3c8acaa54ab05404e20b80c6920065883213bb7

  • memory/4088-17-0x0000000064200000-0x00000000642EE000-memory.dmp

    Filesize

    952KB

  • memory/4088-31-0x0000000064200000-0x00000000642EE000-memory.dmp

    Filesize

    952KB

  • memory/4088-39-0x0000000064200000-0x00000000642EE000-memory.dmp

    Filesize

    952KB

  • memory/4088-47-0x0000000064200000-0x00000000642EE000-memory.dmp

    Filesize

    952KB

  • memory/4088-60-0x0000000064200000-0x00000000642EE000-memory.dmp

    Filesize

    952KB

  • memory/4088-80-0x0000000064200000-0x00000000642EE000-memory.dmp

    Filesize

    952KB

  • memory/4088-97-0x0000000064200000-0x00000000642EE000-memory.dmp

    Filesize

    952KB

  • memory/4088-114-0x0000000064200000-0x00000000642EE000-memory.dmp

    Filesize

    952KB