Analysis
-
max time kernel
150s -
max time network
139s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
15-06-2024 15:39
Behavioral task
behavioral1
Sample
AA_v3.2.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
AA_v3.2.exe
Resource
win10v2004-20240508-en
General
-
Target
AA_v3.2.exe
-
Size
722KB
-
MD5
45c9b54d66cbcc2de89f93e25f368a45
-
SHA1
2e5265f35f75a50c89e592e127bc80e1e45aa840
-
SHA256
349f7e00ee29b349b00c32318cb9b829b162167702957295712d37ebbb2a7a9a
-
SHA512
25c3f1ec6d2e233464090f584777b15f18acfd1cb12124c236680689545ec8208bc364d26d7202e38368dbec34cd824600afb51845df8c9de8c8e83fba8d8b1f
-
SSDEEP
12288:x2QKNGp2YPjE0d63iVg5Bfi781Rt1hpGqzdpW9eKVQvTPRpsbS5hEgK:xSIp2Ydd6SVcpz1RtXpGadsbShK
Malware Config
Signatures
-
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\International\Geo\Nation AA_v3.2.exe -
Modifies data under HKEY_USERS 1 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings AA_v3.2.exe -
Suspicious use of AdjustPrivilegeToken 24 IoCs
description pid Process Token: SeBackupPrivilege 2164 AA_v3.2.exe Token: SeRestorePrivilege 2164 AA_v3.2.exe Token: SeBackupPrivilege 2164 AA_v3.2.exe Token: SeRestorePrivilege 2164 AA_v3.2.exe Token: SeBackupPrivilege 2164 AA_v3.2.exe Token: SeRestorePrivilege 2164 AA_v3.2.exe Token: SeBackupPrivilege 2164 AA_v3.2.exe Token: SeRestorePrivilege 2164 AA_v3.2.exe Token: SeBackupPrivilege 2164 AA_v3.2.exe Token: SeRestorePrivilege 2164 AA_v3.2.exe Token: SeBackupPrivilege 2164 AA_v3.2.exe Token: SeRestorePrivilege 2164 AA_v3.2.exe Token: SeBackupPrivilege 2164 AA_v3.2.exe Token: SeRestorePrivilege 2164 AA_v3.2.exe Token: SeBackupPrivilege 2164 AA_v3.2.exe Token: SeRestorePrivilege 2164 AA_v3.2.exe Token: SeBackupPrivilege 2164 AA_v3.2.exe Token: SeRestorePrivilege 2164 AA_v3.2.exe Token: SeBackupPrivilege 2164 AA_v3.2.exe Token: SeRestorePrivilege 2164 AA_v3.2.exe Token: SeBackupPrivilege 2164 AA_v3.2.exe Token: SeRestorePrivilege 2164 AA_v3.2.exe Token: SeBackupPrivilege 2164 AA_v3.2.exe Token: SeRestorePrivilege 2164 AA_v3.2.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2164 AA_v3.2.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 2164 AA_v3.2.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1948 wrote to memory of 2164 1948 AA_v3.2.exe 29 PID 1948 wrote to memory of 2164 1948 AA_v3.2.exe 29 PID 1948 wrote to memory of 2164 1948 AA_v3.2.exe 29 PID 1948 wrote to memory of 2164 1948 AA_v3.2.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\AA_v3.2.exe"C:\Users\Admin\AppData\Local\Temp\AA_v3.2.exe"1⤵PID:2320
-
C:\Users\Admin\AppData\Local\Temp\AA_v3.2.exe"C:\Users\Admin\AppData\Local\Temp\AA_v3.2.exe" -service -lunch1⤵
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Users\Admin\AppData\Local\Temp\AA_v3.2.exe"C:\Users\Admin\AppData\Local\Temp\AA_v3.2.exe"2⤵
- Checks computer location settings
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2164
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
270B
MD56910d9160b66c4395f587a279e80f132
SHA154949c04c8c0970aa5e2d3fb2912318daab97b98
SHA25672d44ac6019d486fc1a58334ff8ed692de0a9ed96de3142638c71376ceade87c
SHA51282967a8bdbad58f2a81d063c84294153dbdd86322d4b6e3631122530dc7f00fd209ed1d2b0683eb60f726fd3d6f93c7615bd1d0d1fa1f5441119d0e5007582b9