Overview

overview

10

Static

static

10

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-12-2024 16:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    755KB

  • MD5

    11bc606269a161555431bacf37f7c1e4

  • SHA1

    63c52b0ac68ab7464e2cd777442a5807db9b5383

  • SHA256

    1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed

  • SHA512

    0be867fce920d493d2a37f996627bceea87621ba4071ae4383dd4a24748eedf7dc5ca6db089217b82ec38870248c6840f785683bf359d1014c7109e7d46dd90f

  • SSDEEP

    12288:XVFUEuNmwvGrw9i0aTGRGicBckyyFRtWY1i3FTsvOVV0gz:3UEUUw9RaTNicBrPFRtJ1iVTsC5z

Score
10/10
flawedammyydiscoverytrojan

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

    trojanflawedammyy
  • Flawedammyy family
    flawedammyy
  • Drops file in System32 directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 9 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:1040
  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe" -service -lunch
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1240
    • C:\Users\Admin\AppData\Local\Temp\file.exe
      "C:\Users\Admin\AppData\Local\Temp\file.exe"
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:3976

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\AMMYY\hr
    Filesize

    22B

    MD5

    6e91f8e00d2450332b7c094c2445706a

    SHA1

    429cf8372434b3a4c1a09b58a6b9597a3f60a74c

    SHA256

    74ee99bd914cc0f998cac9c2c712503db17f030e7cd54619fff4d92f6a860898

    SHA512

    b3aa39a8e8f9fcc33ec28dca612dcb11afd6361143a0103d3f557b0c43524ce89ed3fbd4123765ab5a1ef3e89eaf1cfc7cb6e518af99311d76ee61181a1a94ab

    Download Submit

  • C:\ProgramData\AMMYY\hr3
    Filesize

    75B

    MD5

    fc9a0e9a6bd1fa10ecf97c77d6fb58ce

    SHA1

    f3f2e4f2105239262c96e59519ce38ff3c370353

    SHA256

    21bf400a325c8a2f963a77e1764123675ee58e7055cfbcb4411105b0fa9eac96

    SHA512

    74e7de17cbf2a3da55690272572b760c963010a589e9b80f66176c36a6ab2253208d2419938a98ec0acaedfe8fd29f22dbeb0a5b44e23c4d2723604036033690

    Download Submit

  • C:\ProgramData\AMMYY\settings3.bin
    Filesize

    271B

    MD5

    714f2508d4227f74b6adacfef73815d8

    SHA1

    a35c8a796e4453c0c09d011284b806d25bdad04c

    SHA256

    a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480

    SHA512

    1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

    Download Submit