| File name: | AimmyV2.1.5.zip |
| Full analysis: | https://app.any.run/tasks/114f5996-89db-41c3-92f8-d4072286adc5 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | August 17, 2024, 22:44:53 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract, compression method=deflate |
| MD5: | 5F253F81377176B9091AE669ACD1451C |
| SHA1: | AC69F0836B4F07292F026ABD64097C48BEE33139 |
| SHA256: | 12C8A9AB93649F8C75399B6B96F4C54E7454CD0EAA25090DC53C223788C85222 |
| SSDEEP: | 786432:HgKfa50IVnfdK9FkqPqqS/+zCfGsP+zLTd/Xb:HgKQfdK/LPqqSGuusWnTd/Xb |
MALICIOUS
No malicious indicators.SUSPICIOUS
Process drops legitimate windows executable
- WinRAR.exe (PID: 6808)
- WinRAR.exe (PID: 6284)
Drops the executable file immediately after the start
- WinRAR.exe (PID: 6808)
Reads security settings of Internet Explorer
- WinRAR.exe (PID: 6808)
- TotallyNotAimmyV2.exe (PID: 6360)
INFO
Checks supported languages
- AimmyLauncher.exe (PID: 7080)
- AimmyLauncher.exe (PID: 6316)
- TotallyNotAimmyV2.exe (PID: 6360)
- identity_helper.exe (PID: 6948)
Reads the computer name
- AimmyLauncher.exe (PID: 7080)
- AimmyLauncher.exe (PID: 6316)
- TotallyNotAimmyV2.exe (PID: 6360)
- identity_helper.exe (PID: 6948)
Manual execution by a user
- WinRAR.exe (PID: 6284)
- AimmyLauncher.exe (PID: 6316)
- TotallyNotAimmyV2.exe (PID: 6360)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 6808)
- WinRAR.exe (PID: 6284)
- msedge.exe (PID: 840)
Reads Microsoft Office registry keys
- TotallyNotAimmyV2.exe (PID: 6360)
- msedge.exe (PID: 840)
Application launched itself
- msedge.exe (PID: 840)
Reads Environment values
- identity_helper.exe (PID: 6948)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2023:12:08 15:27:56 |
| ZipCRC: | 0x5784f8ff |
| ZipCompressedSize: | 72356 |
| ZipUncompressedSize: | 165862 |
| ZipFileName: | AimmyLauncher.exe |
Total processes
165
Monitored processes
50
Malicious processes
0
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 840 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x64&rid=win-x64&os=win10&apphost_version=8.0.2&gui=true | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | TotallyNotAimmyV2.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Version: 122.0.2365.59 Modules
| |||||||||||||||
| 1360 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4060 --field-trial-handle=2492,i,8556416915290189830,1491288858945831295,262144 --variations-seed-version /prefetch:2 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Version: 122.0.2365.59 Modules
| |||||||||||||||
| 1420 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=1520 --field-trial-handle=2492,i,8556416915290189830,1491288858945831295,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 1716 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6884 --field-trial-handle=2492,i,8556416915290189830,1491288858945831295,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 2064 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6328 --field-trial-handle=2492,i,8556416915290189830,1491288858945831295,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 2064 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=6216 --field-trial-handle=2492,i,8556416915290189830,1491288858945831295,262144 --variations-seed-version /prefetch:1 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Version: 122.0.2365.59 Modules
| |||||||||||||||
| 2068 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6096 --field-trial-handle=2492,i,8556416915290189830,1491288858945831295,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 2584 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2488 --field-trial-handle=2492,i,8556416915290189830,1491288858945831295,262144 --variations-seed-version /prefetch:2 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Version: 122.0.2365.59 Modules
| |||||||||||||||
| 2608 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5724 --field-trial-handle=2492,i,8556416915290189830,1491288858945831295,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 2876 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3648 --field-trial-handle=2492,i,8556416915290189830,1491288858945831295,262144 --variations-seed-version /prefetch:1 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
Total events
15 627
Read events
15 496
Write events
128
Delete events
3
Modification events
| (PID) Process: | (6808) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (6808) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (6808) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip | |||
| (PID) Process: | (6808) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\AimmyV2.1.5.zip | |||
| (PID) Process: | (6808) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (6808) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (6808) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (6808) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (6808) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (6808) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
Executable files
21
Suspicious files
144
Text files
68
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6808 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa6808.3951\bin\models\PhantomForces_Hamsta_v1.onnx | — | |
MD5:— | SHA256:— | |||
| 6808 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa6808.3951\bin\models\Universal_Hamsta_v4.onnx | — | |
MD5:— | SHA256:— | |||
| 6808 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa6808.3951\bin\dropdown.cfg | binary | |
MD5:A299260259D7F5F5D95124FCCA933260 | SHA256:DE3475C3315A6FABE07F1E37E5AC8C8007EDAB946C72F96ED33630FA8ECD751F | |||
| 6808 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa6808.3951\bin\colors.cfg | binary | |
MD5:7EBCBC301AB4FBB3503B041D3FCB2DF5 | SHA256:58D719FEF5AF2CABFCC4C2F60DC8D98AD899E94A27FEA33245E16AD4F5B400C9 | |||
| 6808 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa6808.3951\bin\configs\Default.cfg | binary | |
MD5:9CF7B6C406085DFBB03992F2FECE703D | SHA256:4965F889ED04FC3716961D36538F81ACFC05FE47EB6D33BE928F0FBE45227467 | |||
| 6808 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa6808.3951\bin\minimize.cfg | binary | |
MD5:584078DEF15682C4984CD4E4351253FD | SHA256:C9C2B8DE91FE8E0034B07C7EABCCE35977E6E8695453778F323FAF731CD896C5 | |||
| 6808 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa6808.3951\AimmyLauncher.exe | executable | |
MD5:1B61EDAED8B5543CD875D3D22A219947 | SHA256:F9B275CEF715B35CD5357B881BF2E62A22A6EA01A46F917CD2C072CDD2B3A18C | |||
| 6808 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa6808.3951\runtimes\win-x64\native\onnxruntime.dll | executable | |
MD5:B6FC1A8F648448DE0BD61A0E9ACDA2DF | SHA256:E268219A33CF3898C16AE364EFC79A4A656C87D2EE67FD872B079ACA769FD97E | |||
| 6808 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa6808.3951\runtimes\win-x86\native\onnxruntime.dll | executable | |
MD5:C729F190FC5E167957B6B2B5161C9311 | SHA256:9AAC6501125A2D3C32D0FB9595C94E373038B162FCA46207DD161645E09ED920 | |||
| 6808 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa6808.3951\DirectML.dll | executable | |
MD5:7982CE756C6E8C8F6BAB62EB1902B714 | SHA256:5AB77CC5DB8E1544D386FD28586598317DA8DCBEF098FB86D8D8A60E739E0E5D | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
110
TCP/UDP connections
73
DNS requests
77
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | 401 | 13.107.6.158:443 | https://business.bing.com/api/v1/user/token/microsoftgraph?&clienttype=edge-omnibox | unknown | — | — | — |
— | — | GET | 301 | 52.170.7.25:443 | https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x64&rid=win-x64&os=win10&apphost_version=8.0.2&gui=true | unknown | — | — | — |
— | — | OPTIONS | 200 | 23.48.23.26:443 | https://bzib.nelreports.net/api/report?cat=bingbusiness | unknown | — | — | — |
— | — | GET | 302 | 13.107.246.42:443 | https://dotnet.microsoft.com/get-dotnet/dotnet-core?missing_runtime=true&arch=x64&rid=win-x64&os=win10&apphost_version=8.0.2&gui=true | unknown | — | — | — |
— | — | GET | 302 | 13.107.246.45:443 | https://dotnet.microsoft.com/download/dotnet/8.0/runtime?cid=getdotnetcore&runtime=desktop&os=windows&arch=x64 | unknown | — | — | — |
— | — | GET | 302 | 13.107.246.45:443 | https://dotnet.microsoft.com/download/dotnet/thank-you/runtime-desktop-8.0.8-windows-x64-installer?cid=getdotnetcore | unknown | — | — | — |
— | — | GET | 304 | 204.79.197.239:443 | https://edge.microsoft.com/abusiveadblocking/api/v1/blocklist | unknown | — | — | — |
— | — | GET | 200 | 13.107.42.16:443 | https://config.edge.skype.com/config/v1/Edge/122.0.2365.59?clientId=4489578223053569932&agents=EdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=38&mngd=0&installdate=1661339457&edu=0&bphint=2&soobedate=1504771245&fg=1 | unknown | binary | 735 b | — |
— | — | GET | 200 | 13.107.42.16:443 | https://config.edge.skype.com/config/v1/Edge/122.0.2365.59?clientId=4489578223053569932&agents=Edge%2CEdgeConfig%2CEdgeServices%2CEdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=38&mngd=0&installdate=1661339457&edu=0&bphint=2&soobedate=1504771245&fg=1 | unknown | binary | 5.69 Kb | — |
— | — | POST | 200 | 23.48.23.51:443 | https://bzib.nelreports.net/api/report?cat=bingbusiness | unknown | — | — | — |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3888 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4324 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4016 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
6164 | msedge.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
840 | msedge.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
6164 | msedge.exe | 13.107.21.239:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
6164 | msedge.exe | 13.107.6.158:443 | business.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
config.edge.skype.com |
| whitelisted |
edge.microsoft.com |
| whitelisted |
business.bing.com |
| whitelisted |
aka.ms |
| whitelisted |
edge-mobile-static.azureedge.net |
| whitelisted |
bzib.nelreports.net |
| whitelisted |
dotnet.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
Threats
Process | Message |
|---|---|
AimmyLauncher.exe | You must install .NET to run this application.
App: C:\Users\admin\AppData\Local\Temp\Rar$EXa6808.3951\AimmyLauncher.exe
Architecture: x64
App host version: 7.0.14
.NET location: Not found
Learn about runtime installation:
https://aka.ms/dotnet/app-launch-failed
Download the .NET runtime:
https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x64&rid=win10-x64&apphost_version=7.0.14 |
AimmyLauncher.exe | You must install .NET to run this application.
App: C:\Users\admin\Desktop\AimmyLauncher.exe
Architecture: x64
App host version: 7.0.14
.NET location: Not found
Learn about runtime installation:
https://aka.ms/dotnet/app-launch-failed
Download the .NET runtime:
https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x64&rid=win10-x64&apphost_version=7.0.14 |
TotallyNotAimmyV2.exe | You must install .NET to run this application.
App: C:\Users\admin\Desktop\TotallyNotAimmyV2.exe
Architecture: x64
App host version: 8.0.2
.NET location: Not found
Learn more:
https://aka.ms/dotnet/app-launch-failed
Download the .NET runtime:
https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x64&rid=win-x64&os=win10&apphost_version=8.0.2 |