Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10/11/2024, 16:13
Behavioral task
behavioral1
Sample
AA_v3.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
AA_v3.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
AA_v3.exe
Resource
win11-20241007-en
General
-
Target
AA_v3.exe
-
Size
798KB
-
MD5
90aadf2247149996ae443e2c82af3730
-
SHA1
050b7eba825412b24e3f02d76d7da5ae97e10502
-
SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
-
SHA512
eec32bb82b230dd309c29712e72d4469250e651449e127479d178eddbafd5a46ec8048a753bc2c1a0fdf1dc3ed72a9453ca66fb49cbf0f95a12704e5427182be
-
SSDEEP
24576:Uj0JJ4p/A4npt3XojeQG5EtzRtO7GvmDguXd:UjoJ4u4zojegylDN
Malware Config
Signatures
-
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
-
Flawedammyy family
-
Blocklisted process makes network request 1 IoCs
flow pid Process 56 4088 rundll32.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation AA_v3.exe -
Loads dropped DLL 1 IoCs
pid Process 4088 rundll32.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 AA_v3.exe File opened for modification \??\PhysicalDrive0 AA_v3.exe -
Drops file in System32 directory 11 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache AA_v3.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 AA_v3.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 AA_v3.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\34B6AF881B9D738561FC099B83DF3A01 AA_v3.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\34B6AF881B9D738561FC099B83DF3A01 AA_v3.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies AA_v3.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft AA_v3.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content AA_v3.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 AA_v3.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE AA_v3.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData AA_v3.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AA_v3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AA_v3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AA_v3.exe -
Modifies data under HKEY_USERS 11 IoCs
description ioc Process Set value (data) \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 42a6106b4277f486e110a4d515399cc6a0039b679889308d4c701c55a962fe830efe878a75482ecba565b8f8fbd447d95497b17be428ef278df841c8e89236453a02df47d05cd443cd2540 AA_v3.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" AA_v3.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" AA_v3.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin AA_v3.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE AA_v3.exe Key created \REGISTRY\USER\.DEFAULT\Software\Ammyy AA_v3.exe Key created \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin AA_v3.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ AA_v3.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" AA_v3.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" AA_v3.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing AA_v3.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe 4088 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeLockMemoryPrivilege 4088 rundll32.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 3096 AA_v3.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 3096 AA_v3.exe -
Suspicious use of WriteProcessMemory 5 IoCs
description pid Process procid_target PID 3900 wrote to memory of 3096 3900 AA_v3.exe 84 PID 3900 wrote to memory of 3096 3900 AA_v3.exe 84 PID 3900 wrote to memory of 3096 3900 AA_v3.exe 84 PID 3096 wrote to memory of 4088 3096 AA_v3.exe 105 PID 3096 wrote to memory of 4088 3096 AA_v3.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"1⤵
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
PID:3540
-
C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe" -service -lunch1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3900 -
C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"2⤵
- Checks computer location settings
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3096 -
C:\Windows\SYSTEM32\rundll32.exerundll32.exe "C:\ProgramData\AMMYY\aa_nts.dll",run3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4088
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
902KB
MD5480a66902e6e7cdafaa6711e8697ff8c
SHA16ac730962e7c1dba9e2ecc5733a506544f3c8d11
SHA2567eaaaa6010bbcd6bb8c9ad08d4b0966c7aedc9b2ac24758f170012ac36e508b5
SHA5127d010cd47b7d1adf66f9c97afc6c3805997aa5c7cc6ff13eddee81f24cf2b95a3fe375ec5b3d6185c0bc8840b4ad91ae143c73a39af26391cc182ab6a1793ba5
-
Filesize
4KB
MD5343476ed9b4692a69f3704cfc42c48b2
SHA1cb707bfda4016fa715a9797297ba60ed5f9a5fd4
SHA2565bb27666072cf5f60e474d2ae67be04a17b2b71ea78627fbea72fdfe31747057
SHA5127e61cc987cab3860f10571c22f082372a71a7345ffb3504b3437e7fa895bafe65818228601598835635556d76ede2435e471b177e6d224db7ea0b04f593cef57
-
Filesize
46B
MD576038623e270f399769df67a3ed15c16
SHA1ebf7d7537f45738be48e6f64d59c846b13fb4334
SHA2564dbdf4f709d50f9521e92ce5f7d4f305e2384bcda387fb2b325ff17d205bb687
SHA512a5316694d844e5b10c589f58fdf65645568b3909b2914f85c99195f9625e4124f787bc0980cff98f1e8289ff84824620a03f32cdab18e5bbcb2e59b33f397aec
-
Filesize
334B
MD5138cf34c9aadb5c899fab396f04c933d
SHA1303740048b0f85278d05981ebd103f9dc68e02ac
SHA256baa30bc225d8369c3db974901f05ac0b2e44ed71fa66247a63a10939c06147ff
SHA512ecb93b6872d812d47e20bc397aa99f55cc649a62be2c76d93e018c761b1a9b1badeaed4eeac9d154a700cf70e3c8acaa54ab05404e20b80c6920065883213bb7