Analysis

  • max time kernel
    150s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-05-2024 11:11

General

  • Target

    AA_v3.exe

  • Size

    755KB

  • MD5

    11bc606269a161555431bacf37f7c1e4

  • SHA1

    63c52b0ac68ab7464e2cd777442a5807db9b5383

  • SHA256

    1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed

  • SHA512

    0be867fce920d493d2a37f996627bceea87621ba4071ae4383dd4a24748eedf7dc5ca6db089217b82ec38870248c6840f785683bf359d1014c7109e7d46dd90f

  • SSDEEP

    12288:XVFUEuNmwvGrw9i0aTGRGicBckyyFRtWY1i3FTsvOVV0gz:3UEUUw9RaTNicBrPFRtJ1iVTsC5z

Score
10/10

Malware Config

Signatures

  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

  • Drops file in System32 directory 4 IoCs
  • Modifies data under HKEY_USERS 9 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
    "C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
    1⤵
      PID:1384
    • C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
      "C:\Users\Admin\AppData\Local\Temp\AA_v3.exe" -service -lunch
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1044
      • C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
        "C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
        2⤵
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:3508
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4232,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=4316 /prefetch:8
      1⤵
        PID:2224

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\AMMYY\hr

        Filesize

        22B

        MD5

        d86fd7fd528d320780225845f7540c74

        SHA1

        62b36bfda457eba22f09bee7dec56fcf597a99e5

        SHA256

        96237a11a7667e203882c63980be023cd46ab3610a65874f10831c715b514ff0

        SHA512

        2fe022e5fd11d0cdee27a2983b803b3721a4989306dc5ef8a7d0778d80880fbcb46378b71fdf3c6e2cd5cb9b4ba4573084c7eba37d9cbb95979f2cf9503ba208

      • C:\ProgramData\AMMYY\hr3

        Filesize

        68B

        MD5

        5ccbdd92f7287b32d3baea9035b40eb5

        SHA1

        7f19d6989f4177df105a5f6ce0928047458745af

        SHA256

        9678d81f55b94e36c5d7b14102ba7f078390a282cf2b9a4fb94f0496dc0f95ea

        SHA512

        c0db44bc27c239a4d4850c90ff03a1617d7bc859bba54f777e02a66ab3393ae3be90f3296c579010a468bf5c275cd291c65a9c46f8cd6d55c4606630d026ea8d

      • C:\ProgramData\AMMYY\settings3.bin

        Filesize

        271B

        MD5

        714f2508d4227f74b6adacfef73815d8

        SHA1

        a35c8a796e4453c0c09d011284b806d25bdad04c

        SHA256

        a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480

        SHA512

        1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8