Analysis
- max time kernel: 150s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 29-04-2024 09:24
Behavioral tasks (sample, resource)
- behavioral1: AA_v3.exe, win7-20240221-en
- behavioral2: AA_v3.exe, win10v2004-20240419-en
- behavioral3: AeroAdmin.exe, win7-20240221-en
- behavioral4: AeroAdmin.exe, win10v2004-20240419-en
- behavioral5: AnyDesk.exe, win7-20231129-en
- behavioral6: AnyDesk.exe, win10v2004-20240419-en
General
- Target: AeroAdmin.exe
- Size: 2.2MB
- MD5: c984faac414c41839adab61ec608a07e
- SHA1: 2694da22f94b83f7d3c7696ef040f7f0d1122ce6
- SHA256: dddb977a26860390bd1dbeb4a00e5dab5eac9108190246ada8a76a8510c44dfe
- SHA512: 85314c219a3ae25c3854f67ac95f7cc280b2d140350e79849e152ee59e3c72ab12216173d1dae90b46bba077d254a616af8f323fa8d190661cd70109fe1711e4
- SSDEEP: 49152:D6Q2Kqr1aNUs1T8+IsWTdLraplDXVypwZpT8RlD2JEHQri/r4Ha1LgOoW9YjG2S4:2rQT8jg1lqlD2Jni/r461L1oDjD
Malware Config
Signatures
- Program crash (1 IoC)
  pid | pid_target | Process | procid_target
  1060 | 1720 | WerFault.exe | 28
- Modifies data under HKEY_USERS (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\AeroAdmin | AeroAdmin.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid | Process
  1720 | AeroAdmin.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 1720 | AeroAdmin.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid | Process
  1732 | AeroAdmin.exe
  1732 | AeroAdmin.exe
- Suspicious use of SendNotifyMessage (2 IoCs)
  pid | Process
  1732 | AeroAdmin.exe
  1732 | AeroAdmin.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 1720 wrote to memory of 1732 | 1720 | AeroAdmin.exe | 29
  PID 1720 wrote to memory of 1732 | 1720 | AeroAdmin.exe | 29
  PID 1720 wrote to memory of 1732 | 1720 | AeroAdmin.exe | 29
  PID 1720 wrote to memory of 1732 | 1720 | AeroAdmin.exe | 29
Processes (indentation shows the process-tree depth reported by the sandbox)
- C:\Users\Admin\AppData\Local\Temp\AeroAdmin.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\AeroAdmin.exe"
  PID: 1504
- C:\Users\Admin\AppData\Local\Temp\AeroAdmin.exe (depth 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\AeroAdmin.exe s
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1720
  - C:\Users\Admin\AppData\Local\Temp\AeroAdmin.exe (depth 2, child of 1720)
    Command line: C:\Users\Admin\AppData\Local\Temp\AeroAdmin.exe a
    - Modifies data under HKEY_USERS
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID: 1732
  - C:\Windows\SysWOW64\WerFault.exe (depth 2, child of 1720)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 416
    - Program crash
    PID: 1060
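The process list and the WriteProcessMemory rows above are only useful once they are tied together: which PID wrote into which, whether the target is the writer's own child, and which process WerFault.exe was handling. The script below is an added example, not part of this report or of the sandbox vendor's tooling. It rebuilds the process tree from the flattened process lines as they appear on this page (the "<image><command line><depth>⤵" layout, the "- " tag lines and the trailing "PID:<n>" line are my reading of the extraction, not a documented format), then correlates the tree with the memory-write rows and the WerFault command line. The sample text and the write list are constructed from the report's own rows.

```python
"""Rebuild a sandbox process tree from flattened report text and correlate
it with WriteProcessMemory rows and the WerFault.exe -p <pid> argument.

Added example; the line layout below is assumed from how this page renders.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed from the Processes section of this report (verbatim lines).
PROCESS_TEXT = r'''
C:\Users\Admin\AppData\Local\Temp\AeroAdmin.exe"C:\Users\Admin\AppData\Local\Temp\AeroAdmin.exe"1⤵PID:1504
C:\Users\Admin\AppData\Local\Temp\AeroAdmin.exeC:\Users\Admin\AppData\Local\Temp\AeroAdmin.exe s1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Users\Admin\AppData\Local\Temp\AeroAdmin.exeC:\Users\Admin\AppData\Local\Temp\AeroAdmin.exe a2⤵
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1732
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 4162⤵
- Program crash
PID:1060
'''

# Constructed from the four "PID 1720 wrote to memory of 1732" rows: (writer, target).
MEMORY_WRITES: List[Tuple[int, int]] = [(1720, 1732)] * 4

# "<drive>:\...\x.exe" (image, lazily matched) + command line + "<depth>⤵" + optional "PID:n".
PROC_RE = re.compile(r'^(?P<image>[A-Za-z]:\\.+?\.exe)(?P<cmd>.*?)(?P<depth>\d)⤵(?:PID:(?P<pid>\d+))?')
PID_RE = re.compile(r'^PID:(\d+)')


@dataclass
class Proc:
    image: str
    cmdline: str
    depth: int
    pid: Optional[int] = None
    parent_pid: Optional[int] = None
    tags: List[str] = field(default_factory=list)


def parse_process_tree(text: str) -> List[Proc]:
    """Parse flattened process lines; parent = most recent process one depth up."""
    procs: List[Proc] = []
    parents: List[Optional[Proc]] = []       # parallel to procs
    last_at_depth = {}                        # depth -> most recent Proc
    cur: Optional[Proc] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROC_RE.match(line)
        if m:
            depth = int(m.group('depth'))
            cur = Proc(m.group('image'), m.group('cmd').strip(), depth,
                       int(m.group('pid')) if m.group('pid') else None)
            procs.append(cur)
            parents.append(last_at_depth.get(depth - 1))
            last_at_depth[depth] = cur
        elif line.startswith('- ') and cur is not None:
            cur.tags.append(line[2:])
        else:
            p = PID_RE.match(line)
            if p and cur is not None:
                cur.pid = int(p.group(1))   # PID may follow the tag lines
    for proc, parent in zip(procs, parents):  # resolve after all PIDs are known
        proc.parent_pid = parent.pid if parent else None
    return procs


def crashed_pids(procs: List[Proc]) -> List[int]:
    """WerFault.exe -p <pid> names the process whose crash it handles."""
    out = []
    for p in procs:
        if p.image.lower().endswith('werfault.exe'):
            m = re.search(r'-p (\d+)', p.cmdline)
            if m:
                out.append(int(m.group(1)))
    return out


def review_memory_writes(procs: List[Proc], writes: List[Tuple[int, int]]) -> List[dict]:
    """For each distinct writer->target pair, say how the two are related."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for writer, target in sorted(set(writes)):
        w, t = by_pid.get(writer), by_pid.get(target)
        if w is None or t is None:
            continue
        findings.append({
            'writer': writer, 'target': target, 'count': writes.count((writer, target)),
            'relation': 'own child' if t.parent_pid == writer else 'unrelated process',
            'same_image': w.image.lower() == t.image.lower(),
            'writer_adjusts_token': any('AdjustPrivilegeToken' in tag for tag in w.tags),
        })
    return findings


if __name__ == '__main__':
    tree = parse_process_tree(PROCESS_TEXT)
    for p in tree:
        print(f"{'  ' * (p.depth - 1)}{p.pid} parent={p.parent_pid} {p.cmdline} tags={p.tags}")
    print('crashed:', crashed_pids(tree))
    print('memory writes:', review_memory_writes(tree, MEMORY_WRITES))
```

On this report the output is a single finding: 1720 wrote four times into 1732, its own direct child, launched from the same image with a different argument, while 1720 also holds an adjusted token (SeDebugPrivilege). A parent writing into a child it has just started is consistent with both process hollowing and a benign parent/child handoff, so this should be treated as a review trigger, not a verdict; the WerFault line separately shows 1720 crashing, which is worth checking against the run's time limits before reading anything into it.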