Overview

overview

10

Static

static

10

AA_v3.5.exe

windows7-x64

10

AA_v3.5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-01-2025 10:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AA_v3.5.exe

  • Size

    746KB

  • MD5

    f8cd52b70a11a1fb3f29c6f89ff971ec

  • SHA1

    6a0c46818a6a10c2c5a98a0cce65fbaf95caa344

  • SHA256

    6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20

  • SHA512

    987b6b288a454b6198d4e7f94b7bba67cafe37f9654cd3cd72134a85958efd2125596ae48e66a8ee49ee3f4199dac7f136e1831f2bf4015f25d2980f0b866abe

  • SSDEEP

    12288:PUYpJqMH2OwlaUPcWWw5XZV8f64RteVpN5ETMasTjcP6gX:zpJJWOwlaUPcWWwRZb4Rt+N5WMasHoX

Score
10/10
flawedammyydiscoverytrojan

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

    trojanflawedammyy
  • Flawedammyy family
    flawedammyy
  • Drops file in System32 directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 9 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe
    "C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:4320
  • C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe
    "C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe" -service -lunch
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4636
    • C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe
      "C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe"
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1876

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\AMMYY\hr
    Filesize

    22B

    MD5

    9ecdb1b2da808d2bc3cf9b0dc25c7975

    SHA1

    a99d296474f559a11067a9df3c583669c8169d28

    SHA256

    82a724b72b4759cb42b7b194d4ff1bb3f11381e48277fb98f02834764596a317

    SHA512

    bca2e0a63967dde3336e7e3c491a46e78700996ddb270a9d317b1bac8f4c226b11501a84ec99ff52f91e99245f19fadae0b5aef0b16790b57e8b04622cbc77f9

    Download Submit

  • C:\ProgramData\AMMYY\hr3
    Filesize

    75B

    MD5

    5a39ce0566a1ab39722860f733d0186a

    SHA1

    e1485db5a9fbab8250c368325099beb7d9a34019

    SHA256

    1addfc41490c5810c7fcaefc8d28ef01cbb1c39f1d0d398fe0df58892d4df270

    SHA512

    b22c20f9ba1f81b856bef1927a67cddbe5d97f5d44531240b5d1174892db2d9aa42ade49a862536b9447f1e6d0cd46182b49a16fa5069f0aa379cb1f85b881b5

    Download Submit

  • C:\ProgramData\AMMYY\settings3.bin
    Filesize

    271B

    MD5

    714f2508d4227f74b6adacfef73815d8

    SHA1

    a35c8a796e4453c0c09d011284b806d25bdad04c

    SHA256

    a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480

    SHA512

    1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

    Download Submit