Analysis
-
max time kernel
150s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
29-04-2024 09:24
Behavioral task
behavioral1
Sample
AA_v3.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
AA_v3.exe
Resource
win10v2004-20240419-en
Behavioral task
behavioral3
Sample
AeroAdmin.exe
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
AeroAdmin.exe
Resource
win10v2004-20240419-en
Behavioral task
behavioral5
Sample
AnyDesk.exe
Resource
win7-20231129-en
Behavioral task
behavioral6
Sample
AnyDesk.exe
Resource
win10v2004-20240419-en
General
-
Target
AA_v3.exe
-
Size
762KB
-
MD5
e9b569f7cbf23d91df065c18f4c43840
-
SHA1
5d7cb1a2ca7db04edf23dd3ed41125c8c867b0ad
-
SHA256
d67c7ef1c8e2cd56e266902bef814ac328d64bbe06086f4ee24fbadbebf39605
-
SHA512
a9f01663b0c0ce9d30bd6760847bf3c18318801634145ec75e047019a8e8a9b13ea8122449b8f45ad40b63d4551cb85230df1b41a41ddc33a39cfcf2ec237ccb
-
SSDEEP
12288:kX5PFc+E0SlpOvcC1KL/q/IZVURtCdshX5x8jR31QEY0VEoge:2P++ZSlpOUC1KT4+URtYshX5aRlQEYte
Malware Config
Signatures
-
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\International\Geo\Nation AA_v3.exe -
Modifies data under HKEY_USERS 5 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin AA_v3.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE AA_v3.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy AA_v3.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = cad178955ff5fb7214b8dc8ebf15eaac525c28e25345ce026d2aa07ef3fb9ac106d58549430887fcb74bab04f1253a7a1fbc601b756b55bbd5e8680eeb20224b2b522a55 AA_v3.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings AA_v3.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1516 AA_v3.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 1516 AA_v3.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1256 wrote to memory of 1516 1256 AA_v3.exe 29 PID 1256 wrote to memory of 1516 1256 AA_v3.exe 29 PID 1256 wrote to memory of 1516 1256 AA_v3.exe 29 PID 1256 wrote to memory of 1516 1256 AA_v3.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"1⤵PID:2196
-
C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe" -service -lunch1⤵
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"2⤵
- Checks computer location settings
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1516
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
274B
MD5bcc40b676c5b0f5a176be92cc8f4199f
SHA15415364e6ab90151eb1272268cb75ef6c4306a2f
SHA256d3df407118bd28d28e7d3c8afc497c5e478e5d078f7792501ddecb45f3b51826
SHA512467c473be5b9f6e0b8302620b6fbd9ad84f90da2bae3247d8326a22bfdd902fd79e55a2160493903eb747db6ef38fc9decb3db372afa26667f374ca2d0ceb36d