Analysis
-
max time kernel
150s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
13-03-2024 12:12
Behavioral task
behavioral1
Sample
AA_v3.1.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
AA_v3.1.exe
Resource
win10v2004-20240226-en
General
-
Target
AA_v3.1.exe
-
Size
717KB
-
MD5
9561c8f7bd981a9eaac23ec6fa9a65e5
-
SHA1
519d06745dad2be35d2de25f9739b80ea64e1fdd
-
SHA256
0fd5789a6ff2a978eddc093ac89df7192d17fd73825042c44acc844d7aa6517e
-
SHA512
6f263987d0d432d7b8d6080be1a5bd69d35f458ada851c301ec4162d91e14e9a6fcd20115920943ebf86ea4a64fd4c6e781ab430cc0c8eed97a5ed834686ae5b
-
SSDEEP
12288:UKHp9fDIItMm2o44sGTdBqWvwD+8ChCbW3XTjY1r1RtH8ePhAU5u0AhpZxAh9gJ:UorLkbDEhyW3XS1RtcePKUBATZxXJ
Malware Config
Signatures
-
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
AA_v3.1.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\Geo\Nation AA_v3.1.exe -
Modifies data under HKEY_USERS 6 IoCs
Processes:
AA_v3.1.exedescription ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings AA_v3.1.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin AA_v3.1.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE AA_v3.1.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy AA_v3.1.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c105953877c078f772ab26b AA_v3.1.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 613f35c09515bf60f566eec24f9a469495f11f492c8f086f3f4ec7c84a43fa8e4cc254cf8c7bb210bc2ece3cde278282361bec1e1c4c5f799320c04e5ae379198195634b AA_v3.1.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
AA_v3.1.exepid Process 2172 AA_v3.1.exe -
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
AA_v3.1.exepid Process 2172 AA_v3.1.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
AA_v3.1.exedescription pid Process procid_target PID 2944 wrote to memory of 2172 2944 AA_v3.1.exe 29 PID 2944 wrote to memory of 2172 2944 AA_v3.1.exe 29 PID 2944 wrote to memory of 2172 2944 AA_v3.1.exe 29 PID 2944 wrote to memory of 2172 2944 AA_v3.1.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\AA_v3.1.exe"C:\Users\Admin\AppData\Local\Temp\AA_v3.1.exe"1⤵PID:1196
-
C:\Users\Admin\AppData\Local\Temp\AA_v3.1.exe"C:\Users\Admin\AppData\Local\Temp\AA_v3.1.exe" -service -lunch1⤵
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Users\Admin\AppData\Local\Temp\AA_v3.1.exe"C:\Users\Admin\AppData\Local\Temp\AA_v3.1.exe"2⤵
- Checks computer location settings
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2172
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
22B
MD5279e8ec1049ce24a21d90b48cafcba1b
SHA1061f84b03c0082308c8110d34a10c4701ea40034
SHA2566c3c94876ff325c8c109398bd844bba3e98bfdc97c2631bd84245b8f8980b0ab
SHA512b85e2cc3a7d66a5027fb1b829a14da7c25e396b35be1eb0490e932998be559fa29e836b4f2c4c64f639d92748511b525a5cf6860ecfd8b7ef9742f72de428864
-
Filesize
68B
MD574fcda22f300a5a20ed611c8c7b5dcf8
SHA180ca3ee39917585318f289a095f76d7953f90355
SHA256ec78bdb63d6cd6961b360c75a19fe538a05b04b43916456daa49c89b8248c7fa
SHA5125f17d51a5e52d2824bf807042be06256eafd05710734524dac049f04ef200094648e1e36477328f05522bae6631a97a26e5346b376703f52c0b84984949815ac
-
Filesize
269B
MD5a55567fceb74f9ca4f151f4ab84b68c7
SHA163b4a57b258e640b165732dbcd0ca00fc69b4c8b
SHA256f649823939d0bf2b01f5c785e55d3e278c1ee7cc11b547c6644ac9f90996e9d7
SHA5123cbeb788c068008bdf2c7c19b696d464e66f66a969164cf98793e3150cf5ff82822de41deabb79921cbfcc93897ee824872c64a7bd9e131b1304105cad0f010f