Analysis
- max time kernel: 150s
- max time network: 131s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-05-2024 11:11
Behavioral tasks
- behavioral1: sample AA_v3.exe, resource win7-20240215-en
- behavioral2: sample AA_v3.exe, resource win10v2004-20240508-en
General
- Target: AA_v3.exe
- Size: 755KB
- MD5: 11bc606269a161555431bacf37f7c1e4
- SHA1: 63c52b0ac68ab7464e2cd777442a5807db9b5383
- SHA256: 1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed
- SHA512: 0be867fce920d493d2a37f996627bceea87621ba4071ae4383dd4a24748eedf7dc5ca6db089217b82ec38870248c6840f785683bf359d1014c7109e7d46dd90f
- SSDEEP: 12288:XVFUEuNmwvGrw9i0aTGRGicBckyyFRtWY1i3FTsvOVV0gz:3UEUUw9RaTNicBrPFRtJ1iVTsC5z
Malware Config
Signatures
- FlawedAmmyy RAT
  Remote-access trojan based on leaked code for the Ammyy remote admin software.
- Drops file in System32 directory (4 IoCs)
  Process AA_v3.exe:
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5
- Modifies data under HKEY_USERS (9 IoCs)
  Process AA_v3.exe:
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Ammyy
  - Set value (data): \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d567366087c69585c401452531033d6c9dbfcb26b
  - Set value (data): \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 1fb04f160bfa513a205a73b70fff1e7e0176cb32dae94c5d82d820ff7bf1a2b1c1b5278dacb4adfe5178a858fd8baddfff5461597058fb4a7d77344fdbc44ce901f449e6
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  - Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin
- Suspicious use of FindShellTrayWindow (1 IoC)
  - PID 3508, process AA_v3.exe
- Suspicious use of SendNotifyMessage (1 IoC)
  - PID 3508, process AA_v3.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  - PID 1044 wrote to memory of 3508, process AA_v3.exe, procid_target 90
  - PID 1044 wrote to memory of 3508, process AA_v3.exe, procid_target 90
  - PID 1044 wrote to memory of 3508, process AA_v3.exe, procid_target 90
Processes
- C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
  PID: 1384
- C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\AA_v3.exe" -service -lunch
  PID: 1044
  - Suspicious use of WriteProcessMemory
  - Child process: C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
    PID: 3508
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4232,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=4316 /prefetch:8
  PID: 2224
Downloads
- Filesize: 22B
  MD5: d86fd7fd528d320780225845f7540c74
  SHA1: 62b36bfda457eba22f09bee7dec56fcf597a99e5
  SHA256: 96237a11a7667e203882c63980be023cd46ab3610a65874f10831c715b514ff0
  SHA512: 2fe022e5fd11d0cdee27a2983b803b3721a4989306dc5ef8a7d0778d80880fbcb46378b71fdf3c6e2cd5cb9b4ba4573084c7eba37d9cbb95979f2cf9503ba208
- Filesize: 68B
  MD5: 5ccbdd92f7287b32d3baea9035b40eb5
  SHA1: 7f19d6989f4177df105a5f6ce0928047458745af
  SHA256: 9678d81f55b94e36c5d7b14102ba7f078390a282cf2b9a4fb94f0496dc0f95ea
  SHA512: c0db44bc27c239a4d4850c90ff03a1617d7bc859bba54f777e02a66ab3393ae3be90f3296c579010a468bf5c275cd291c65a9c46f8cd6d55c4606630d026ea8d
- Filesize: 271B
  MD5: 714f2508d4227f74b6adacfef73815d8
  SHA1: a35c8a796e4453c0c09d011284b806d25bdad04c
  SHA256: a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480
  SHA512: 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8