ammyyadmin | 7b49ac2b5020f6d02c41647c8520690a172ff0c7e1f372e47342520fc1ab7066

Analysis

max time kernel
158s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20/10/2022, 08:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b49ac2b5020f6d02c41647c8520690a172ff0c7e1f372e47342520fc1ab7066.exe
Size

1016KB
MD5

772d79fe2b7df4b0334920e1b29d8f00
SHA1

cef1953d61603d9da4297f55436e41529a4ef4ed
SHA256

7b49ac2b5020f6d02c41647c8520690a172ff0c7e1f372e47342520fc1ab7066
SHA512

e2dd50a3d8ea7963a5ae5ed52433497daca235b1d5403640b596297064cb3757ff911f289f3e608f494596c2ebcdceecba558cf5c82dce9d1a60972add566d49
SSDEEP

24576:nTOpdDcQiOEDE9QE5C5kSYJiCJ6WAUk8g0rG1RSatmYC:TuiXoQE05kliCJkUPgBma0YC

Score

10^/10

ammyyadmin flawedammyy rat trojan

Malware Config

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 4 IoCs

resource	yara_rule
behavioral2/files/0x0006000000022f4b-146.dat	family_ammyyadmin
behavioral2/files/0x0006000000022f4b-145.dat	family_ammyyadmin
behavioral2/files/0x0006000000022f4b-147.dat	family_ammyyadmin
behavioral2/files/0x0006000000022f4b-149.dat	family_ammyyadmin

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Executes dropped EXE 5 IoCs

pid	Process
4976	3.exe
2148	1.exe
204	AA_v3.4.exe
3532	AA_v3.4.exe
3932	AA_v3.4.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	7b49ac2b5020f6d02c41647c8520690a172ff0c7e1f372e47342520fc1ab7066.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	3.exe

Loads dropped DLL 1 IoCs

pid	Process
2148	1.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	AA_v3.4.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	AA_v3.4.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	AA_v3.4.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	AA_v3.4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	AA_v3.4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	AA_v3.4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin	AA_v3.4.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e1552538f882bfae2bab06b	AA_v3.4.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = ab12fadb8aab90214452f9e5c020e7b4a51af62837118988fc0839b6b58d8744c95f33c7c974a2f054042b0be5a50983c780bcb83e44cac7c504095846751c03c1bc61db	AA_v3.4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	AA_v3.4.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin	AA_v3.4.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	AA_v3.4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Ammyy	AA_v3.4.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Extracted\¯3:5b5Ú5676K6ß6}7›7~8Ä8Z9l9‘9×9ñ9::[:>;>G>0?J?Ö?	3.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3932	AA_v3.4.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3932	AA_v3.4.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 4976	2080	7b49ac2b5020f6d02c41647c8520690a172ff0c7e1f372e47342520fc1ab7066.exe	81
PID 2080 wrote to memory of 4976	2080	7b49ac2b5020f6d02c41647c8520690a172ff0c7e1f372e47342520fc1ab7066.exe	81
PID 2080 wrote to memory of 4976	2080	7b49ac2b5020f6d02c41647c8520690a172ff0c7e1f372e47342520fc1ab7066.exe	81
PID 4976 wrote to memory of 2148	4976	3.exe	82
PID 4976 wrote to memory of 2148	4976	3.exe	82
PID 4976 wrote to memory of 2148	4976	3.exe	82
PID 4976 wrote to memory of 204	4976	3.exe	85
PID 4976 wrote to memory of 204	4976	3.exe	85
PID 4976 wrote to memory of 204	4976	3.exe	85
PID 3532 wrote to memory of 3932	3532	AA_v3.4.exe	87
PID 3532 wrote to memory of 3932	3532	AA_v3.4.exe	87
PID 3532 wrote to memory of 3932	3532	AA_v3.4.exe	87

C:\Users\Admin\AppData\Local\Temp\7b49ac2b5020f6d02c41647c8520690a172ff0c7e1f372e47342520fc1ab7066.exe
"C:\Users\Admin\AppData\Local\Temp\7b49ac2b5020f6d02c41647c8520690a172ff0c7e1f372e47342520fc1ab7066.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\3.exe
  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\3.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:4976
- - C:\Extracted\1.exe
    "C:\Extracted\1.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2148
- - C:\Extracted\AA_v3.4.exe
    "C:\Extracted\AA_v3.4.exe"
    3⤵
    - Executes dropped EXE
    PID:204

C:\Extracted\AA_v3.4.exe
"C:\Extracted\AA_v3.4.exe" -service -lunch
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Extracted\AA_v3.4.exe
  "C:\Extracted\AA_v3.4.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Extracted\1.exe

Filesize
108KB

MD5
dc11ca871b0aa63cde7337769aede4ac

SHA1
86e8fdff848d7948d928b7b1d9352b802fe26c42

SHA256
36dfcd39af0ad2ebcde1c7b480ec4ff7001f47e80280cf6f7e2a65e303bdd79e

SHA512
de90cc015c0850084890c1c47651092cfe996f3dc07fcb7b56e09c15d90bc006ba51b2b4e1513e302dfa446c7bf8da01d90b8623a49a5956122b9e2dbc0a2e70

Download Submit
C:\Extracted\1.exe

Filesize
108KB

MD5
dc11ca871b0aa63cde7337769aede4ac

SHA1
86e8fdff848d7948d928b7b1d9352b802fe26c42

SHA256
36dfcd39af0ad2ebcde1c7b480ec4ff7001f47e80280cf6f7e2a65e303bdd79e

SHA512
de90cc015c0850084890c1c47651092cfe996f3dc07fcb7b56e09c15d90bc006ba51b2b4e1513e302dfa446c7bf8da01d90b8623a49a5956122b9e2dbc0a2e70

Download Submit
C:\Extracted\AA_v3.4.exe

Filesize
726KB

MD5
190785b2bb664324334c1b5231b5c4b0

SHA1
07539abb2623fe24b9a05e240f675fa2d15268cb

SHA256
4731517b198414342891553881913565819509086b8154214462788c740b34c9

SHA512
ab40f182fb52e5281f0761cf064a7f4b82ea04a2c9c00fe6faa4e61f8e632b8c7a64820e226b2ab668c99ada195c1ca117b702474bd023d84991a16dd10ba85c

Download Submit
C:\Extracted\AA_v3.4.exe

Filesize
726KB

MD5
190785b2bb664324334c1b5231b5c4b0

SHA1
07539abb2623fe24b9a05e240f675fa2d15268cb

SHA256
4731517b198414342891553881913565819509086b8154214462788c740b34c9

SHA512
ab40f182fb52e5281f0761cf064a7f4b82ea04a2c9c00fe6faa4e61f8e632b8c7a64820e226b2ab668c99ada195c1ca117b702474bd023d84991a16dd10ba85c

Download Submit
C:\Extracted\AA_v3.4.exe

Filesize
726KB

MD5
190785b2bb664324334c1b5231b5c4b0

SHA1
07539abb2623fe24b9a05e240f675fa2d15268cb

SHA256
4731517b198414342891553881913565819509086b8154214462788c740b34c9

SHA512
ab40f182fb52e5281f0761cf064a7f4b82ea04a2c9c00fe6faa4e61f8e632b8c7a64820e226b2ab668c99ada195c1ca117b702474bd023d84991a16dd10ba85c

Download Submit
C:\Extracted\AA_v3.4.exe

Filesize
726KB

MD5
190785b2bb664324334c1b5231b5c4b0

SHA1
07539abb2623fe24b9a05e240f675fa2d15268cb

SHA256
4731517b198414342891553881913565819509086b8154214462788c740b34c9

SHA512
ab40f182fb52e5281f0761cf064a7f4b82ea04a2c9c00fe6faa4e61f8e632b8c7a64820e226b2ab668c99ada195c1ca117b702474bd023d84991a16dd10ba85c

Download Submit
C:\Extracted\HVMRuntm.dll

Filesize
648KB

MD5
929b2ea6cd68191cd0efe321bd772d1f

SHA1
af5ed2721b1b330894b3428b9b5e0ebd4f364a8c

SHA256
2e8ffe0c7397a0f19133b6167d4193c61d063f38633c735979b6b9c47f4600f4

SHA512
895b16a1f77c49256fe39a00d81ee95094345a7926b0597d8c62f5725ddff86e881747bad719729ff4c4bb46298ec2ff3a2ea4e3d9b2a473b4c916b3e2900b9a

Download Submit
C:\Extracted\HVMRuntm.dll

Filesize
648KB

MD5
929b2ea6cd68191cd0efe321bd772d1f

SHA1
af5ed2721b1b330894b3428b9b5e0ebd4f364a8c

SHA256
2e8ffe0c7397a0f19133b6167d4193c61d063f38633c735979b6b9c47f4600f4

SHA512
895b16a1f77c49256fe39a00d81ee95094345a7926b0597d8c62f5725ddff86e881747bad719729ff4c4bb46298ec2ff3a2ea4e3d9b2a473b4c916b3e2900b9a

Download Submit
C:\ProgramData\AMMYY\hr

Filesize
22B

MD5
dc4ae61379cb129a467982dc03d812cf

SHA1
aa2c9bc04ed90a2c4c6a7bab16f3b8a8ae6a31b1

SHA256
5a3123b294ac447505556acee66324933bd6e81f870b54b8b2a1adbb5c4035a7

SHA512
00d99a8f6f907f849e0648082a1d47b28707e6ed85485d0b5cb5a8af2a35055242f7ffd80478256030c9ca04bfe81dd6e873d0db151bc0436d39d1b4948d5aa8

Download Submit
C:\ProgramData\AMMYY\hr3

Filesize
68B

MD5
5fad5dde5dae07e6a2a8a5d3a508d314

SHA1
d1455037071f70249bd37151a41ad32959602aad

SHA256
24e1bb06c192399de1d7a79685a24cc08c9afe5b169fe30297c26ef85498f9f7

SHA512
40ee215740f2cb69a64d0fddf229cec44f189be2e4c2898823bc6c0a4c93fa6f0a2ce49d8f4149811278a807c8e76ea95cc164942291813c99556a419b5a21af

Download Submit
C:\ProgramData\AMMYY\settings3.bin

Filesize
271B

MD5
4cb889e527b0d0781a17f6c2dd968129

SHA1
6a6a55cd5604370660f1c1ad1025195169be8978

SHA256
2658cd46dd49335e739cafa31ff2ec63f3315b65ecc171a0f7612713d3ac702b

SHA512
297d2c05d2ac950faeb519d3e7bc56ea9d9fcab65b5dfdbba2720be8eddc8b2d5ead3dc7c122b82d6937be6c2d7bb88872dd7b80961138571245fba381daac3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\3.exe

Filesize
972KB

MD5
97b03c75129701b8c3516adf05ced127

SHA1
d1838ccc993dc535f62b60523c182c47b3648f5a

SHA256
11f82d2e7bebd23efa036237631e002700312dc2e585d9dece67a068f5590be8

SHA512
e29e2626b434fbbd6c67afaef9f433d2c691911109caaa4e1c0e52b044bb819149f8b6a8bb314eb059d1d656682dc872be7cd9d72c5b1d45fcb5013f9fbec21e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\3.exe

Filesize
972KB

MD5
97b03c75129701b8c3516adf05ced127

SHA1
d1838ccc993dc535f62b60523c182c47b3648f5a

SHA256
11f82d2e7bebd23efa036237631e002700312dc2e585d9dece67a068f5590be8

SHA512
e29e2626b434fbbd6c67afaef9f433d2c691911109caaa4e1c0e52b044bb819149f8b6a8bb314eb059d1d656682dc872be7cd9d72c5b1d45fcb5013f9fbec21e

Download Submit
memory/2148-143-0x0000000073740000-0x0000000073CF1000-memory.dmp

Filesize
5.7MB

Download
memory/2148-142-0x0000000072B40000-0x0000000072B9B000-memory.dmp

Filesize
364KB

Download
memory/2148-141-0x0000000072B40000-0x0000000072B9B000-memory.dmp

Filesize
364KB

Download
memory/2148-138-0x0000000073740000-0x0000000073CF1000-memory.dmp

Filesize
5.7MB

Download