ammyyadmin | bbb5187f0f20cad7fea514455706b922fca707775e7884cd5e8fc798052a1191

Analysis

max time kernel
124s
max time network
149s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
25/11/2022, 11:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbb5187f0f20cad7fea514455706b922fca707775e7884cd5e8fc798052a1191.exe
Size

740KB
MD5

9dfde97c1c4405efdd8a5251a616f62d
SHA1

5b9fec92714726fa5d2fa88169aaec702ac53516
SHA256

bbb5187f0f20cad7fea514455706b922fca707775e7884cd5e8fc798052a1191
SHA512

e23a0605deabbfa40943e85f1c6759e9ebe1da3b7c16d75fdd32369f6bc1841b76042e4ad9ad18b48ad03d0edf811a4d94e66f89d0f8619f198c4253ba40047b
SSDEEP

12288:YyxUcfH81ctJ32+xC6NOPNWjIZT1XOzmhr8jrQ5/lGsU9kKARBCs4vuQHFo7MY8f:ocectp2+xC6NOPNWjIjOzmhirQ5/lG/7

Score

10^/10

ammyyadmin flawedammyy evasion persistence rat trojan

Malware Config

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 6 IoCs

resource	yara_rule
behavioral1/files/0x0007000000013a31-62.dat	family_ammyyadmin
behavioral1/files/0x0007000000013a31-66.dat	family_ammyyadmin
behavioral1/files/0x0007000000013a31-67.dat	family_ammyyadmin
behavioral1/files/0x0007000000013a31-69.dat	family_ammyyadmin
behavioral1/files/0x0007000000013a31-72.dat	family_ammyyadmin
behavioral1/files/0x0007000000013a31-74.dat	family_ammyyadmin

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Blocklisted process makes network request 2 IoCs

flow	pid	Process
17	1512	WScript.exe
18	1512	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
1744	System.exe
964	System.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1756	netsh.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
1468	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation	System.exe

Deletes itself 1 IoCs

pid	Process
1988	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
1988	cmd.exe
1988	cmd.exe
1988	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\sys = "C:\\Users\\Admin\\AppData\\Roaming\\Win32\\System.exe -nogui"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
900	timeout.exe
1784	timeout.exe
768	timeout.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	System.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	System.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	System.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	System.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	System.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	System.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 2008	1816	bbb5187f0f20cad7fea514455706b922fca707775e7884cd5e8fc798052a1191.exe	27
PID 1816 wrote to memory of 2008	1816	bbb5187f0f20cad7fea514455706b922fca707775e7884cd5e8fc798052a1191.exe	27
PID 1816 wrote to memory of 2008	1816	bbb5187f0f20cad7fea514455706b922fca707775e7884cd5e8fc798052a1191.exe	27
PID 1816 wrote to memory of 2008	1816	bbb5187f0f20cad7fea514455706b922fca707775e7884cd5e8fc798052a1191.exe	27
PID 2008 wrote to memory of 1988	2008	WScript.exe	28
PID 2008 wrote to memory of 1988	2008	WScript.exe	28
PID 2008 wrote to memory of 1988	2008	WScript.exe	28
PID 2008 wrote to memory of 1988	2008	WScript.exe	28
PID 1988 wrote to memory of 1468	1988	cmd.exe	30
PID 1988 wrote to memory of 1468	1988	cmd.exe	30
PID 1988 wrote to memory of 1468	1988	cmd.exe	30
PID 1988 wrote to memory of 1468	1988	cmd.exe	30
PID 1988 wrote to memory of 1756	1988	cmd.exe	31
PID 1988 wrote to memory of 1756	1988	cmd.exe	31
PID 1988 wrote to memory of 1756	1988	cmd.exe	31
PID 1988 wrote to memory of 1756	1988	cmd.exe	31
PID 1988 wrote to memory of 820	1988	cmd.exe	32
PID 1988 wrote to memory of 820	1988	cmd.exe	32
PID 1988 wrote to memory of 820	1988	cmd.exe	32
PID 1988 wrote to memory of 820	1988	cmd.exe	32
PID 1988 wrote to memory of 1744	1988	cmd.exe	33
PID 1988 wrote to memory of 1744	1988	cmd.exe	33
PID 1988 wrote to memory of 1744	1988	cmd.exe	33
PID 1988 wrote to memory of 1744	1988	cmd.exe	33
PID 1988 wrote to memory of 1784	1988	cmd.exe	34
PID 1988 wrote to memory of 1784	1988	cmd.exe	34
PID 1988 wrote to memory of 1784	1988	cmd.exe	34
PID 1988 wrote to memory of 1784	1988	cmd.exe	34
PID 1988 wrote to memory of 964	1988	cmd.exe	37
PID 1988 wrote to memory of 964	1988	cmd.exe	37
PID 1988 wrote to memory of 964	1988	cmd.exe	37
PID 1988 wrote to memory of 964	1988	cmd.exe	37
PID 1988 wrote to memory of 768	1988	cmd.exe	38
PID 1988 wrote to memory of 768	1988	cmd.exe	38
PID 1988 wrote to memory of 768	1988	cmd.exe	38
PID 1988 wrote to memory of 768	1988	cmd.exe	38
PID 1988 wrote to memory of 1040	1988	cmd.exe	39
PID 1988 wrote to memory of 1040	1988	cmd.exe	39
PID 1988 wrote to memory of 1040	1988	cmd.exe	39
PID 1988 wrote to memory of 1040	1988	cmd.exe	39
PID 1988 wrote to memory of 1512	1988	cmd.exe	40
PID 1988 wrote to memory of 1512	1988	cmd.exe	40
PID 1988 wrote to memory of 1512	1988	cmd.exe	40
PID 1988 wrote to memory of 1512	1988	cmd.exe	40
PID 1988 wrote to memory of 900	1988	cmd.exe	41
PID 1988 wrote to memory of 900	1988	cmd.exe	41
PID 1988 wrote to memory of 900	1988	cmd.exe	41
PID 1988 wrote to memory of 900	1988	cmd.exe	41

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1468	attrib.exe

C:\Users\Admin\AppData\Local\Temp\bbb5187f0f20cad7fea514455706b922fca707775e7884cd5e8fc798052a1191.exe
"C:\Users\Admin\AppData\Local\Temp\bbb5187f0f20cad7fea514455706b922fca707775e7884cd5e8fc798052a1191.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1816
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\i.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\test.bat" "
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +h "C:\ProgramData\AMMYY"
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:1468
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="Allow Example" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Win32\System.exe"
      4⤵
      Modifies Windows Firewall
      PID:1756
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "sys" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Win32\System.exe -nogui" /f
      4⤵
      Adds Run key to start application
      PID:820
  - - C:\Users\Admin\AppData\Roaming\Win32\System.exe
      System.exe -nogui
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Modifies system certificate store
      PID:1744
  - - C:\Windows\SysWOW64\timeout.exe
      TIMEOUT /T 8 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:1784
  - - C:\Users\Admin\AppData\Roaming\Win32\System.exe
      System.exe -outid
      4⤵
      Executes dropped EXE
      PID:964
  - - C:\Windows\SysWOW64\timeout.exe
      TIMEOUT /T 2 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:768
  - - C:\Windows\SysWOW64\mode.com
      mode con codepage select=1251
      4⤵
      PID:1040
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\.vbs"
      4⤵
      Blocklisted process makes network request
      PID:1512
  - - C:\Windows\SysWOW64\timeout.exe
      TIMEOUT /T 6 /NOBREAK
      4⤵
      Delays execution with timeout.exe
      PID:900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AMMYY\settings3.bin

Filesize
317B

MD5
d1aeca79efc1e96d211ef528abb2f646

SHA1
d65b74d19ee4dd426d4a5a966cd081e4146f9508

SHA256
ea490b800999e5a5d25e31bd0efd63328d1eadcc626e447d59eff13bfe089f0b

SHA512
ecb2781594983c61f7342c17e018041f21e2caa3a9ecc858d0a57ee9f7acbacae9780b6935edc9068949f1ae3c05230a6e185cada8b1d5a3b78abebf29241d0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
3dcf580a93972319e82cafbc047d34d5

SHA1
8528d2a1363e5de77dc3b1142850e51ead0f4b6b

SHA256
40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

SHA512
98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b6aa6657a6695579610e2db9d482cb69

SHA1
cac5b9a000d9c06760b7658271fa0f3eafdcd295

SHA256
4ec4274c265087e32231ba28a7eeed19f4244fcaf65e0265389a93cd9486c2e9

SHA512
816fc46a003303a88a352e21a0a11ff0e2199e1070dab087e4433ae03e79cae7827c9da4b7efd85c53c62999b5b4058a51a500e18febcdadff4181308018d6bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\.vbs

Filesize
1KB

MD5
1855f6e51516d65bfe33549a40e23229

SHA1
d41e8c65a1d1378753baf748a4523f318b2c6fcd

SHA256
83f75f556bd99ce65b95aa2ba526d538e65f39bdfb380de1c6486a087084d572

SHA512
b6ac8b77153b570eb072d6b23187d4e0f122cf2c72a5f4dec4d855437f33b027b6ce53c43bf50a1110ab350170b833a8e519e2b37ca1a1e2c6543abd7e9f4851

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.exe

Filesize
708KB

MD5
9b34adfcf984d89b4a7a0128ea3ea600

SHA1
a24e7fc71e9fa491488aab1d1bb04a600821708c

SHA256
75985dbf928cf823d5c269020a9dd46c489ef209e642792256aab7220457f57e

SHA512
4dcd8b5d000c168e661bb02bad34497fbdcfac9b8e157bf603d69df4c1f5260fe07b7666d3fce1910194971908f00de8bf5ad3f59731cf0e2e7f8e0be32ddb6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\i.vbs

Filesize
77B

MD5
c0fc978a5efb03779ca8d408d13a39e4

SHA1
8f49dfc1ae88c140c88cf60399fbee20a90f3d5c

SHA256
9dc0dd2285050016a871651b0ec82fc2776ec11993d6b66bb93e0ea986c95290

SHA512
de9a16d558897efecd21f4c9151961b5698124a2d010401f9a7a44ae246e1ce4dde408ba0f5bd073650941ac97e6accae526547e9639028aafaa3e190ef23e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\settings3.bin

Filesize
317B

MD5
476e6370ddc584ebf4fc2aad3de038aa

SHA1
0ef57d3317c68a230989e6b9ba23794e77061294

SHA256
d3da0de4beaaaf89c3341e0e3b1d27990a9496564aceed572cb4d320db40589f

SHA512
234627880f735e455bb874e907e748400fb214a6713c10c7a3ad25d922fa789b8793016e07d1678f5cb1163795f8101bb61992fc37dee2e60cecbf1ba8da6d79

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.bat

Filesize
41KB

MD5
d4f6d8c0a70a97cd726e297f5ff2b148

SHA1
ade8f8dc8d7549bcd61eb73b4ad7ed92b34dcf24

SHA256
a5f2f78a7ada708129c8a1af914ca11ae0be8b5c98efff7495b17b10f9b1822f

SHA512
ded53f16ea7ed8531955b23b2045de95c79a648d68b21bcee1a2ccd147621aa87d5380b096b5724aef09bb27c6ed77936c693f610f667d2fdb70e533c802cef5

Download Submit
C:\Users\Admin\AppData\Roaming\Win32\System.exe

Filesize
708KB

MD5
9b34adfcf984d89b4a7a0128ea3ea600

SHA1
a24e7fc71e9fa491488aab1d1bb04a600821708c

SHA256
75985dbf928cf823d5c269020a9dd46c489ef209e642792256aab7220457f57e

SHA512
4dcd8b5d000c168e661bb02bad34497fbdcfac9b8e157bf603d69df4c1f5260fe07b7666d3fce1910194971908f00de8bf5ad3f59731cf0e2e7f8e0be32ddb6e

Download Submit
C:\Users\Admin\AppData\Roaming\Win32\System.exe

Filesize
708KB

MD5
9b34adfcf984d89b4a7a0128ea3ea600

SHA1
a24e7fc71e9fa491488aab1d1bb04a600821708c

SHA256
75985dbf928cf823d5c269020a9dd46c489ef209e642792256aab7220457f57e

SHA512
4dcd8b5d000c168e661bb02bad34497fbdcfac9b8e157bf603d69df4c1f5260fe07b7666d3fce1910194971908f00de8bf5ad3f59731cf0e2e7f8e0be32ddb6e

Download Submit
C:\Users\Admin\AppData\Roaming\Win32\sys32_nt.log

Filesize
85B

MD5
163c7e0b92d9a0a714a08e32b330aa6d

SHA1
dac967a465b6deac25140aed2f8e756ad6aff0a2

SHA256
bae9e61e0662802e5a4f635772227a264aefaca8aba2ee83cd3bbd05bdfe3368

SHA512
ea6139b0d46240fd26d91f58fea0b3cf498e357c0a15154a83b3ee3d6d7fa2322a64f587be54b16ce1fb0a3519d7dc8d0464ee9322de9077dfa1a400cd78aba7

Download Submit
\Users\Admin\AppData\Roaming\Win32\System.exe

Filesize
708KB

MD5
9b34adfcf984d89b4a7a0128ea3ea600

SHA1
a24e7fc71e9fa491488aab1d1bb04a600821708c

SHA256
75985dbf928cf823d5c269020a9dd46c489ef209e642792256aab7220457f57e

SHA512
4dcd8b5d000c168e661bb02bad34497fbdcfac9b8e157bf603d69df4c1f5260fe07b7666d3fce1910194971908f00de8bf5ad3f59731cf0e2e7f8e0be32ddb6e

Download Submit
\Users\Admin\AppData\Roaming\Win32\System.exe

Filesize
708KB

MD5
9b34adfcf984d89b4a7a0128ea3ea600

SHA1
a24e7fc71e9fa491488aab1d1bb04a600821708c

SHA256
75985dbf928cf823d5c269020a9dd46c489ef209e642792256aab7220457f57e

SHA512
4dcd8b5d000c168e661bb02bad34497fbdcfac9b8e157bf603d69df4c1f5260fe07b7666d3fce1910194971908f00de8bf5ad3f59731cf0e2e7f8e0be32ddb6e

Download Submit
\Users\Admin\AppData\Roaming\Win32\System.exe

Filesize
708KB

MD5
9b34adfcf984d89b4a7a0128ea3ea600

SHA1
a24e7fc71e9fa491488aab1d1bb04a600821708c

SHA256
75985dbf928cf823d5c269020a9dd46c489ef209e642792256aab7220457f57e

SHA512
4dcd8b5d000c168e661bb02bad34497fbdcfac9b8e157bf603d69df4c1f5260fe07b7666d3fce1910194971908f00de8bf5ad3f59731cf0e2e7f8e0be32ddb6e

Download Submit
memory/1816-54-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads