Analysis

  • max time kernel
    170s
  • max time network
    174s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/11/2022, 11:46

General

  • Target

    bbb5187f0f20cad7fea514455706b922fca707775e7884cd5e8fc798052a1191.exe

  • Size

    740KB

  • MD5

    9dfde97c1c4405efdd8a5251a616f62d

  • SHA1

    5b9fec92714726fa5d2fa88169aaec702ac53516

  • SHA256

    bbb5187f0f20cad7fea514455706b922fca707775e7884cd5e8fc798052a1191

  • SHA512

    e23a0605deabbfa40943e85f1c6759e9ebe1da3b7c16d75fdd32369f6bc1841b76042e4ad9ad18b48ad03d0edf811a4d94e66f89d0f8619f198c4253ba40047b

  • SSDEEP

    12288:YyxUcfH81ctJ32+xC6NOPNWjIZT1XOzmhr8jrQ5/lGsU9kKARBCs4vuQHFo7MY8f:ocectp2+xC6NOPNWjIjOzmhirQ5/lG/7

Malware Config

Signatures

  • Ammyy Admin

    Remote admin tool with various capabilities.

  • AmmyyAdmin payload 3 IoCs
  • FlawedAmmyy RAT

    Remote-access trojan based on leaked code for the Ammyy remote admin software.

  • Blocklisted process makes network request 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Modifies Windows Firewall 1 TTPs 1 IoCs
  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Delays execution with timeout.exe 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bbb5187f0f20cad7fea514455706b922fca707775e7884cd5e8fc798052a1191.exe
    "C:\Users\Admin\AppData\Local\Temp\bbb5187f0f20cad7fea514455706b922fca707775e7884cd5e8fc798052a1191.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4716
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\i.vbs"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2764
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\test.bat" "
        3⤵
        • Checks computer location settings
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3560
        • C:\Windows\SysWOW64\attrib.exe
          attrib +s +h "C:\ProgramData\AMMYY"
          4⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:4128
        • C:\Windows\SysWOW64\netsh.exe
          netsh advfirewall firewall add rule name="Allow Example" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Win32\System.exe"
          4⤵
          • Modifies Windows Firewall
          PID:388
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "sys" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Win32\System.exe -nogui" /f
          4⤵
          • Adds Run key to start application
          PID:3304
        • C:\Users\Admin\AppData\Roaming\Win32\System.exe
          System.exe -nogui
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          PID:4840
        • C:\Windows\SysWOW64\timeout.exe
          TIMEOUT /T 8 /NOBREAK
          4⤵
          • Delays execution with timeout.exe
          PID:3476
        • C:\Users\Admin\AppData\Roaming\Win32\System.exe
          System.exe -outid
          4⤵
          • Executes dropped EXE
          PID:1520
        • C:\Windows\SysWOW64\timeout.exe
          TIMEOUT /T 2 /NOBREAK
          4⤵
          • Delays execution with timeout.exe
          PID:4044
        • C:\Windows\SysWOW64\mode.com
          mode con codepage select=1251
          4⤵
          PID:4920
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\.vbs"
          4⤵
          • Blocklisted process makes network request
          PID:520
        • C:\Windows\SysWOW64\timeout.exe
          TIMEOUT /T 6 /NOBREAK
          4⤵
          • Delays execution with timeout.exe
          PID:5068

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\ProgramData\AMMYY\settings3.bin

    Filesize

    317B

    MD5

    e3b626d1f97503beec5ac9c4541337c0

    SHA1

    815025955a524c38861f7bc72630d760d28e2723

    SHA256

    1cc8233f97fedb1ddb08498145d9eee876fd08943d29dc6bda4deabd37f6d0c4

    SHA512

    8752f5030edece591fbb365ee4089f9a8fd9e36c1505527c7f624a8ca20d034ae2a7447f35444734b621cf15d179c6c2a29b0498950d214f154d6ad9b300e810

  • C:\Users\Admin\AppData\Local\Temp\.vbs

    Filesize

    1KB

    MD5

    1855f6e51516d65bfe33549a40e23229

    SHA1

    d41e8c65a1d1378753baf748a4523f318b2c6fcd

    SHA256

    83f75f556bd99ce65b95aa2ba526d538e65f39bdfb380de1c6486a087084d572

    SHA512

    b6ac8b77153b570eb072d6b23187d4e0f122cf2c72a5f4dec4d855437f33b027b6ce53c43bf50a1110ab350170b833a8e519e2b37ca1a1e2c6543abd7e9f4851

  • C:\Users\Admin\AppData\Local\Temp\System.exe

    Filesize

    708KB

    MD5

    9b34adfcf984d89b4a7a0128ea3ea600

    SHA1

    a24e7fc71e9fa491488aab1d1bb04a600821708c

    SHA256

    75985dbf928cf823d5c269020a9dd46c489ef209e642792256aab7220457f57e

    SHA512

    4dcd8b5d000c168e661bb02bad34497fbdcfac9b8e157bf603d69df4c1f5260fe07b7666d3fce1910194971908f00de8bf5ad3f59731cf0e2e7f8e0be32ddb6e

  • C:\Users\Admin\AppData\Local\Temp\i.vbs

    Filesize

    77B

    MD5

    c0fc978a5efb03779ca8d408d13a39e4

    SHA1

    8f49dfc1ae88c140c88cf60399fbee20a90f3d5c

    SHA256

    9dc0dd2285050016a871651b0ec82fc2776ec11993d6b66bb93e0ea986c95290

    SHA512

    de9a16d558897efecd21f4c9151961b5698124a2d010401f9a7a44ae246e1ce4dde408ba0f5bd073650941ac97e6accae526547e9639028aafaa3e190ef23e8d

  • C:\Users\Admin\AppData\Local\Temp\settings3.bin

    Filesize

    317B

    MD5

    476e6370ddc584ebf4fc2aad3de038aa

    SHA1

    0ef57d3317c68a230989e6b9ba23794e77061294

    SHA256

    d3da0de4beaaaf89c3341e0e3b1d27990a9496564aceed572cb4d320db40589f

    SHA512

    234627880f735e455bb874e907e748400fb214a6713c10c7a3ad25d922fa789b8793016e07d1678f5cb1163795f8101bb61992fc37dee2e60cecbf1ba8da6d79

  • C:\Users\Admin\AppData\Local\Temp\test.bat

    Filesize

    41KB

    MD5

    d4f6d8c0a70a97cd726e297f5ff2b148

    SHA1

    ade8f8dc8d7549bcd61eb73b4ad7ed92b34dcf24

    SHA256

    a5f2f78a7ada708129c8a1af914ca11ae0be8b5c98efff7495b17b10f9b1822f

    SHA512

    ded53f16ea7ed8531955b23b2045de95c79a648d68b21bcee1a2ccd147621aa87d5380b096b5724aef09bb27c6ed77936c693f610f667d2fdb70e533c802cef5

  • C:\Users\Admin\AppData\Roaming\Win32\System.exe

    Filesize

    708KB

    MD5

    9b34adfcf984d89b4a7a0128ea3ea600

    SHA1

    a24e7fc71e9fa491488aab1d1bb04a600821708c

    SHA256

    75985dbf928cf823d5c269020a9dd46c489ef209e642792256aab7220457f57e

    SHA512

    4dcd8b5d000c168e661bb02bad34497fbdcfac9b8e157bf603d69df4c1f5260fe07b7666d3fce1910194971908f00de8bf5ad3f59731cf0e2e7f8e0be32ddb6e

  • C:\Users\Admin\AppData\Roaming\Win32\sys32_nt.log

    Filesize

    85B

    MD5

    5247618d018f0f12b2f8f80049241b2d

    SHA1

    561ee0c3e4a1309f21c988d1cd53a41115ea4696

    SHA256

    435b4e2786044b43cbcf721ec6fa47ace3c8d0863273d53e58f59497ad8db700

    SHA512

    f5d9c40f11fa3aae76cb0704e8154813d632180475733b95fda8a8cef9606aadd1c78319465bed1cb837f5f5a713ea4ac70a59c6fed496279d32e332146ad2a4