Analysis
max time kernel: 150s
max time network: 146s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 29-09-2024 02:13
Behavioral task behavioral1: Sample AA_v3.exe, Resource win7-20240903-en
Behavioral task behavioral2: Sample AA_v3.exe, Resource win10v2004-20240802-en
General
Target: AA_v3.exe
Size: 755KB
MD5: 11bc606269a161555431bacf37f7c1e4
SHA1: 63c52b0ac68ab7464e2cd777442a5807db9b5383
SHA256: 1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed
SHA512: 0be867fce920d493d2a37f996627bceea87621ba4071ae4383dd4a24748eedf7dc5ca6db089217b82ec38870248c6840f785683bf359d1014c7109e7d46dd90f
SSDEEP: 12288:XVFUEuNmwvGrw9i0aTGRGicBckyyFRtWY1i3FTsvOVV0gz:3UEUUw9RaTNicBrPFRtJ1iVTsC5z
Malware Config
Signatures
-
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Control Panel\International\Geo\Nation  (AA_v3.exe)
-
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (AA_v3.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (AA_v3.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (AA_v3.exe)
-
Modifies data under HKEY_USERS (6 IoCs)
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  (AA_v3.exe)
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin  (AA_v3.exe)
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE  (AA_v3.exe)
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy  (AA_v3.exe)
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d567366087c6658524c175253b71463715d4db36b  (AA_v3.exe)
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = c6ba57b6abf8c602055f052bf63cf1d7d453ff512ea4de487df76c564cd22cb40d94a1591a0d8c86fbdb0a521110a8ecabd1c346a056b7b0942f031f8b7a153da1245be9f7aea3ff80fe33  (AA_v3.exe)
-
Suspicious use of FindShellTrayWindow (1 IoC)
  pid: 2716  Process: AA_v3.exe
-
Suspicious use of SendNotifyMessage (1 IoC)
  pid: 2716  Process: AA_v3.exe
-
Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 2812 wrote to memory of 2716  pid: 2812  Process: AA_v3.exe  procid_target: 31
  description: PID 2812 wrote to memory of 2716  pid: 2812  Process: AA_v3.exe  procid_target: 31
  description: PID 2812 wrote to memory of 2716  pid: 2812  Process: AA_v3.exe  procid_target: 31
  description: PID 2812 wrote to memory of 2716  pid: 2812  Process: AA_v3.exe  procid_target: 31
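Taken one at a time, most of the signatures above are weak: locale and language lookups are routine in benign installers, and a parent writing into a child that runs the same image is what any self-relaunching program looks like. What makes this report convincing is the combination across the process tree: a parent started with -service -lunch, a child of it that writes Ammyy settings under HKEY_USERS\.DEFAULT (the hive LocalSystem uses; HKU\S-1-5-18 is a link to it) rather than under the logged-on user's SID, which suggests the writer is running in a service context. The following is an added example, not code from this sandbox report or from any sandbox vendor: a small Python correlator that pools the report's indicators per process tree and only raises a verdict when the weighted score crosses a threshold. The event layout (op, pid, image, target, cmdline, target_pid, parent_pid), the weights and threshold, and the sample events (constructed to mirror the report's rows, plus one benign control process that only reads the Geo\Nation key) are all assumptions for illustration.

```python
"""Correlate the behaviours listed in the report into a per-process-tree verdict.

Added example, not code from the sandbox report or from any vendor. Event field
names (op, pid, image, target, cmdline, target_pid, parent_pid), the sample
events and the weights/threshold are assumptions for illustration.
"""
import re
from collections import defaultdict

# Indicators lifted from the report's signature rows.
AMMYY_SETTINGS_KEY = re.compile(
    r"\\REGISTRY\\USER\\\.DEFAULT\\SOFTWARE\\Ammyy\\Admin", re.IGNORECASE)
LOCALE_LOOKUP_KEYS = re.compile(
    r"\\Control Panel\\International\\Geo\\Nation$|\\Control\\NLS\\Language$",
    re.IGNORECASE)
# "-lunch" is the spelling that appears in the report's process tree, not a typo here.
AMMYY_SERVICE_ARGS = re.compile(r"\s-service\s+-lunch\b", re.IGNORECASE)

# Assumed weights: locale lookups are routine in benign software and only count
# alongside stronger signals; a settings write under HKU\.DEFAULT weighs most.
WEIGHTS = {
    "ammyy_service_cmdline": 60,
    "ammyy_settings_under_hku_default": 70,
    "memory_write_into_own_image": 30,
    "locale_lookup": 10,
}
THRESHOLD = 100


def _root_of(pid, parent_of):
    """Walk up the parent chain so a parent's and child's indicators pool together."""
    seen = set()
    while pid in parent_of and pid not in seen:
        seen.add(pid)
        pid = parent_of[pid]
    return pid


def analyze(events):
    """Return {root_pid: {"score", "indicators", "pids"}} for trees at or above THRESHOLD."""
    parent_of, image_of = {}, {}
    for ev in events:
        if ev["op"] == "process_create":
            image_of[ev["pid"]] = ev["image"]
            if ev.get("parent_pid") is not None:
                parent_of[ev["pid"]] = ev["parent_pid"]

    trees = defaultdict(lambda: {"score": 0, "indicators": set(), "pids": set()})

    def hit(pid, name):
        tree = trees[_root_of(pid, parent_of)]
        if name not in tree["indicators"]:      # count each indicator once per tree
            tree["indicators"].add(name)
            tree["score"] += WEIGHTS[name]
        tree["pids"].add(pid)

    for ev in events:
        op = ev["op"]
        if op == "process_create" and AMMYY_SERVICE_ARGS.search(ev["cmdline"]):
            hit(ev["pid"], "ammyy_service_cmdline")
        elif op in ("key_created", "set_value") and AMMYY_SETTINGS_KEY.search(ev["target"]):
            hit(ev["pid"], "ammyy_settings_under_hku_default")
        elif op in ("key_opened", "value_queried") and LOCALE_LOOKUP_KEYS.search(ev["target"]):
            hit(ev["pid"], "locale_lookup")
        elif op == "write_process_memory":
            # The report shows the parent writing into a child running the same image.
            if image_of.get(ev["target_pid"], "").lower() == ev["image"].lower():
                hit(ev["pid"], "memory_write_into_own_image")

    return {root: tree for root, tree in trees.items() if tree["score"] >= THRESHOLD}


# Constructed events mirroring the report's rows, plus a benign control (PID 4000).
EXE = r"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
USER_HIVE = r"\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000"
SAMPLE_EVENTS = [
    {"op": "process_create", "pid": 2708, "parent_pid": None, "image": "AA_v3.exe",
     "cmdline": f'"{EXE}"'},
    {"op": "key_opened", "pid": 2708, "image": "AA_v3.exe",
     "target": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"},
    {"op": "process_create", "pid": 2812, "parent_pid": None, "image": "AA_v3.exe",
     "cmdline": f'"{EXE}" -service -lunch'},
    {"op": "process_create", "pid": 2716, "parent_pid": 2812, "image": "AA_v3.exe",
     "cmdline": f'"{EXE}"'},
    {"op": "write_process_memory", "pid": 2812, "image": "AA_v3.exe", "target_pid": 2716},
    {"op": "value_queried", "pid": 2716, "image": "AA_v3.exe",
     "target": USER_HIVE + r"\Control Panel\International\Geo\Nation"},
    {"op": "key_created", "pid": 2716, "image": "AA_v3.exe",
     "target": r"\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin"},
    {"op": "set_value", "pid": 2716, "image": "AA_v3.exe",
     "target": r"\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr"},
    {"op": "process_create", "pid": 4000, "parent_pid": None, "image": "setup.exe",
     "cmdline": r'"C:\Users\Admin\Downloads\setup.exe"'},
    {"op": "value_queried", "pid": 4000, "image": "setup.exe",
     "target": USER_HIVE + r"\Control Panel\International\Geo\Nation"},
]

if __name__ == "__main__":
    for root, tree in analyze(SAMPLE_EVENTS).items():
        print(f"tree rooted at PID {root}: score={tree['score']} "
              f"indicators={sorted(tree['indicators'])} pids={sorted(tree['pids'])}")
```

Run against the constructed events, only the tree rooted at PID 2812 (parent 2812 plus child 2716) crosses the threshold; the stand-alone PID 2708 and the benign control PID 4000 each accumulate only the locale lookup and are dropped. Pooling per tree is the important design choice: the strongest indicator (the HKU\.DEFAULT settings write) sits in the child, the command-line indicator in the parent, and neither alone reaches the threshold.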
Processes
-
C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
  PID: 2708
  - System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\AA_v3.exe" -service -lunch
  PID: 2812
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Local\Temp\AA_v3.exe (child of PID 2812)
    Command line: "C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
    PID: 2716
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 22B
MD5: f87a823e0b89ee47ba7c55311181c528
SHA1: f41e8fd1ae3c7aa693d65682993617d91662d664
SHA256: 1c19ef43a0f60d50c4ee5d7feeb1e81a58e55a5a9575c566c33886e648e74967
SHA512: f974851206adb40ffe13710c6c4ac4360dad21f97a7ad0f17fbfab683ddb3779cbb17b288ff460e567510cfb3ff47e6463bbefa99e7995e7f08ba7143165f116
-
Filesize: 75B
MD5: 5f5e6f655d164781a48714c117244c26
SHA1: 690f07212bafb7ed11b3c65a61014094014b1b29
SHA256: b397503d4df31f3f6392213f84b54a2c0eaf5d9b1fcc471e4e6539636c3fba3d
SHA512: fda21c391bfd5351bc7f3ec66b6811c19fe2709b6c6f6cecfe32c2c73f978a205651f1f15a6f87f2505d122a0df5f2d64da482b267467bf68f46eefd8386be39
-
Filesize: 271B
MD5: 714f2508d4227f74b6adacfef73815d8
SHA1: a35c8a796e4453c0c09d011284b806d25bdad04c
SHA256: a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480
SHA512: 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8