ammyyadmin | 75a28c02aa1bb752bd2d4705507dd2eeae9a815b0184f1167af2779d4d0b78f1

Analysis

max time kernel
190s
max time network
187s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26/11/2022, 09:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75a28c02aa1bb752bd2d4705507dd2eeae9a815b0184f1167af2779d4d0b78f1.exe
Size

634KB
MD5

b1c16565af7e34889353faf43c827ef6
SHA1

d9938c3c0a8d24ff3f9bdc1eebe063e6a052aa3c
SHA256

75a28c02aa1bb752bd2d4705507dd2eeae9a815b0184f1167af2779d4d0b78f1
SHA512

85945ec722dd0b487f01c0ac5b2c77a30fc967faedadfa9d0fca5299d0154c6eace9afa529c59920eccad3b5617e23f5ed16ccec24d5aeb8bb7dd8dbfa40b767
SSDEEP

12288:zqSEbve3Gd+6iJZ0ICKiyKmODbX+B/HeDc4isyHW73VBXv:zqVms0ZL3qT+yc2CQV9

Score

10^/10

ammyyadmin flawedammyy evasion persistence rat trojan

Malware Config

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 7 IoCs

resource	yara_rule
behavioral1/files/0x00070000000134d5-76.dat	family_ammyyadmin
behavioral1/files/0x00070000000134d5-82.dat	family_ammyyadmin
behavioral1/files/0x00070000000134d5-83.dat	family_ammyyadmin
behavioral1/files/0x00070000000134d5-85.dat	family_ammyyadmin
behavioral1/files/0x00070000000134d5-89.dat	family_ammyyadmin
behavioral1/files/0x00070000000134d5-90.dat	family_ammyyadmin
behavioral1/files/0x00070000000134d5-92.dat	family_ammyyadmin

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
trojan flawedammyy

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	1472	WScript.exe

Executes dropped EXE 3 IoCs

pid	Process
1732	2.exe
1956	System.exe
1996	System.exe

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Modify Existing Service

T1031

pid	Process
556	netsh.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1158

pid	Process
320	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation	System.exe

Deletes itself 1 IoCs

pid	Process
668	cmd.exe

Loads dropped DLL 5 IoCs

pid	Process
568	cmd.exe
668	cmd.exe
668	cmd.exe
668	cmd.exe
668	cmd.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\sys = "C:\\Users\\Admin\\AppData\\Roaming\\Win32\\System.exe -nogui"	reg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
1768	timeout.exe
1588	timeout.exe
1668	timeout.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
996	DllHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 2028	836	75a28c02aa1bb752bd2d4705507dd2eeae9a815b0184f1167af2779d4d0b78f1.exe	27
PID 836 wrote to memory of 2028	836	75a28c02aa1bb752bd2d4705507dd2eeae9a815b0184f1167af2779d4d0b78f1.exe	27
PID 836 wrote to memory of 2028	836	75a28c02aa1bb752bd2d4705507dd2eeae9a815b0184f1167af2779d4d0b78f1.exe	27
PID 836 wrote to memory of 2028	836	75a28c02aa1bb752bd2d4705507dd2eeae9a815b0184f1167af2779d4d0b78f1.exe	27
PID 836 wrote to memory of 2028	836	75a28c02aa1bb752bd2d4705507dd2eeae9a815b0184f1167af2779d4d0b78f1.exe	27
PID 836 wrote to memory of 2028	836	75a28c02aa1bb752bd2d4705507dd2eeae9a815b0184f1167af2779d4d0b78f1.exe	27
PID 836 wrote to memory of 2028	836	75a28c02aa1bb752bd2d4705507dd2eeae9a815b0184f1167af2779d4d0b78f1.exe	27
PID 2028 wrote to memory of 568	2028	WScript.exe	29
PID 2028 wrote to memory of 568	2028	WScript.exe	29
PID 2028 wrote to memory of 568	2028	WScript.exe	29
PID 2028 wrote to memory of 568	2028	WScript.exe	29
PID 2028 wrote to memory of 568	2028	WScript.exe	29
PID 2028 wrote to memory of 568	2028	WScript.exe	29
PID 2028 wrote to memory of 568	2028	WScript.exe	29
PID 568 wrote to memory of 1732	568	cmd.exe	31
PID 568 wrote to memory of 1732	568	cmd.exe	31
PID 568 wrote to memory of 1732	568	cmd.exe	31
PID 568 wrote to memory of 1732	568	cmd.exe	31
PID 568 wrote to memory of 1732	568	cmd.exe	31
PID 568 wrote to memory of 1732	568	cmd.exe	31
PID 568 wrote to memory of 1732	568	cmd.exe	31
PID 1732 wrote to memory of 1460	1732	2.exe	32
PID 1732 wrote to memory of 1460	1732	2.exe	32
PID 1732 wrote to memory of 1460	1732	2.exe	32
PID 1732 wrote to memory of 1460	1732	2.exe	32
PID 1732 wrote to memory of 1460	1732	2.exe	32
PID 1732 wrote to memory of 1460	1732	2.exe	32
PID 1732 wrote to memory of 1460	1732	2.exe	32
PID 1460 wrote to memory of 668	1460	WScript.exe	34
PID 1460 wrote to memory of 668	1460	WScript.exe	34
PID 1460 wrote to memory of 668	1460	WScript.exe	34
PID 1460 wrote to memory of 668	1460	WScript.exe	34
PID 1460 wrote to memory of 668	1460	WScript.exe	34
PID 1460 wrote to memory of 668	1460	WScript.exe	34
PID 1460 wrote to memory of 668	1460	WScript.exe	34
PID 668 wrote to memory of 320	668	cmd.exe	35
PID 668 wrote to memory of 320	668	cmd.exe	35
PID 668 wrote to memory of 320	668	cmd.exe	35
PID 668 wrote to memory of 320	668	cmd.exe	35
PID 668 wrote to memory of 320	668	cmd.exe	35
PID 668 wrote to memory of 320	668	cmd.exe	35
PID 668 wrote to memory of 320	668	cmd.exe	35
PID 668 wrote to memory of 556	668	cmd.exe	36
PID 668 wrote to memory of 556	668	cmd.exe	36
PID 668 wrote to memory of 556	668	cmd.exe	36
PID 668 wrote to memory of 556	668	cmd.exe	36
PID 668 wrote to memory of 556	668	cmd.exe	36
PID 668 wrote to memory of 556	668	cmd.exe	36
PID 668 wrote to memory of 556	668	cmd.exe	36
PID 668 wrote to memory of 1520	668	cmd.exe	38
PID 668 wrote to memory of 1520	668	cmd.exe	38
PID 668 wrote to memory of 1520	668	cmd.exe	38
PID 668 wrote to memory of 1520	668	cmd.exe	38
PID 668 wrote to memory of 1520	668	cmd.exe	38
PID 668 wrote to memory of 1520	668	cmd.exe	38
PID 668 wrote to memory of 1520	668	cmd.exe	38
PID 668 wrote to memory of 1956	668	cmd.exe	39
PID 668 wrote to memory of 1956	668	cmd.exe	39
PID 668 wrote to memory of 1956	668	cmd.exe	39
PID 668 wrote to memory of 1956	668	cmd.exe	39
PID 668 wrote to memory of 1956	668	cmd.exe	39
PID 668 wrote to memory of 1956	668	cmd.exe	39
PID 668 wrote to memory of 1956	668	cmd.exe	39
PID 668 wrote to memory of 1768	668	cmd.exe	40

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
320	attrib.exe

C:\Users\Admin\AppData\Local\Temp\75a28c02aa1bb752bd2d4705507dd2eeae9a815b0184f1167af2779d4d0b78f1.exe
"C:\Users\Admin\AppData\Local\Temp\75a28c02aa1bb752bd2d4705507dd2eeae9a815b0184f1167af2779d4d0b78f1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:836
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\123.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\test.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:568
  - - C:\Users\Admin\2.exe
      2.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1732
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\WINDOW~1\i.vbs"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1460
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\WindowsUpdate\test.bat" "
        6⤵
        Deletes itself
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:668
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\ProgramData\AMMYY"
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:320
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Allow Example" dir=in action=allow program="C:\Users\Admin\AppData\Roaming\Win32\System.exe"
        7⤵
        Modifies Windows Firewall
        
        PID:556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "sys" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Win32\System.exe -nogui" /f
        7⤵
        Adds Run key to start application
        
        PID:1520
        
        C:\Users\Admin\AppData\Roaming\Win32\System.exe
        
        System.exe -nogui
        7⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:1956
        
        C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 9 /NOBREAK
        7⤵
        Delays execution with timeout.exe
        
        PID:1768
        
        C:\Users\Admin\AppData\Roaming\Win32\System.exe
        
        System.exe -outid
        7⤵
        Executes dropped EXE
        
        PID:1996
        
        C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 3 /NOBREAK
        7⤵
        Delays execution with timeout.exe
        
        PID:1588
        
        C:\Windows\SysWOW64\mode.com
        
        mode con codepage select=1251
        7⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\.vbs"
        7⤵
        Blocklisted process makes network request
        
        PID:1472
        
        C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 6 /NOBREAK
        7⤵
        Delays execution with timeout.exe
        
        PID:1668

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\123.vbs

Filesize
99B

MD5
92f78455b1085f191ca5a2b4f0a81312

SHA1
e963fa0cadab9e06f741b0f9fd4f745033e1f427

SHA256
d9f50c60870d60c4b732ecca47a77b6e1e3090edcfb9b648530f3279e5e56932

SHA512
28bc1ab63f406c2e5e70a5696bae21cf8812426dc20dd7a3f78a8812dc25e112e83a405f955b4098942704390e1cc42dd64fa36b390f569e66a4fef5038c3512

Download Submit
C:\Users\Admin\2.exe

Filesize
561KB

MD5
ebd4810da1ea4bc9b586d1de0b3c1188

SHA1
4ee81dc8c4e83914bb43453690c0e7a9d9d3e1b4

SHA256
09da1faf7392ddae601db926f40fa9d497dd12bc9115ea8bdb1f6039a4aa0371

SHA512
ba5b2fce577e94f6fc107d353388936979bfd6626fdde181d2c764ff0882bce393ffc22b3cac908616baac8ab19eb8d211f5b6830ee9ac526f8056c1d140f6ba

Download Submit
C:\Users\Admin\2.jpg

Filesize
561KB

MD5
ebd4810da1ea4bc9b586d1de0b3c1188

SHA1
4ee81dc8c4e83914bb43453690c0e7a9d9d3e1b4

SHA256
09da1faf7392ddae601db926f40fa9d497dd12bc9115ea8bdb1f6039a4aa0371

SHA512
ba5b2fce577e94f6fc107d353388936979bfd6626fdde181d2c764ff0882bce393ffc22b3cac908616baac8ab19eb8d211f5b6830ee9ac526f8056c1d140f6ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\.vbs

Filesize
1KB

MD5
932fa8a33c77e05abf8c7518d3bee0f5

SHA1
236e2246f493415a7ff9874636cdacdf3093ebae

SHA256
858a552d71450c9973a43762b16162468ebfc1925f2ffc1355bb3cabc566f4fd

SHA512
38f4ccb463665529b9d7e3881f080895501f3deaf6498a421a62008f7c4e678dc7e512cb891a113247a1fb96fdf4529ef889b116ddb7e0bc8b5d14070c332020

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINDOW~1\System.exe

Filesize
708KB

MD5
d36eedff4ed4a532cfa0f24424be04fd

SHA1
616de03d0715b46f9f1fb297e55b70b9fd1d0922

SHA256
7b3b03f230e67d0873b9a7906aa0f0eaaee190ee21773df0a896c00cea749136

SHA512
ecd9c2ff8e7c9c508b1060a5ab76acd65fdd1df49dad566b76b4c048878207d7914f4003ffe4b62085a367d4a6a30c5cb5e478dd13619b3153e163f35289bb6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINDOW~1\i.vbs

Filesize
77B

MD5
c0fc978a5efb03779ca8d408d13a39e4

SHA1
8f49dfc1ae88c140c88cf60399fbee20a90f3d5c

SHA256
9dc0dd2285050016a871651b0ec82fc2776ec11993d6b66bb93e0ea986c95290

SHA512
de9a16d558897efecd21f4c9151961b5698124a2d010401f9a7a44ae246e1ce4dde408ba0f5bd073650941ac97e6accae526547e9639028aafaa3e190ef23e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WINDOW~1\settings3.bin

Filesize
333B

MD5
a7afff6ee10e014c0858ee30e39688c4

SHA1
930c18d6ffcc84e46616bdb0ae810a51bf7eff7e

SHA256
d756299b91a6e90644a1078d1c10bf60a859a2fc125c487e24ffd2f248509b6d

SHA512
d432b5f88f0e1c8fb1fc1203e144b736665cb657f6afdbac31cfd713d3a4dc9ca755edc974e5482133831dc5603357eca6d2bb3dec95757c5e17df1d84d99e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate\test.bat

Filesize
39KB

MD5
c9d6b50951a62f32a3199bcd7075671c

SHA1
509c434700dc3b6b0b57624b7ae0edcf610fcc48

SHA256
c31ec49f1c788760bf920d631413d542fbde1b432ffd5d21e08c8c749c76a4e2

SHA512
1a52cc7c5cdef70c21d758e43ced0a994b76d4c43d4b7bfc10e156cd8e4d33c6e516d81c0a95980843892ddee1df475facd6d156b3eff58241d47c920d38d929

Download Submit
C:\Users\Admin\AppData\Roaming\Win32\System.exe

Filesize
708KB

MD5
d36eedff4ed4a532cfa0f24424be04fd

SHA1
616de03d0715b46f9f1fb297e55b70b9fd1d0922

SHA256
7b3b03f230e67d0873b9a7906aa0f0eaaee190ee21773df0a896c00cea749136

SHA512
ecd9c2ff8e7c9c508b1060a5ab76acd65fdd1df49dad566b76b4c048878207d7914f4003ffe4b62085a367d4a6a30c5cb5e478dd13619b3153e163f35289bb6e

Download Submit
C:\Users\Admin\AppData\Roaming\Win32\System.exe

Filesize
708KB

MD5
d36eedff4ed4a532cfa0f24424be04fd

SHA1
616de03d0715b46f9f1fb297e55b70b9fd1d0922

SHA256
7b3b03f230e67d0873b9a7906aa0f0eaaee190ee21773df0a896c00cea749136

SHA512
ecd9c2ff8e7c9c508b1060a5ab76acd65fdd1df49dad566b76b4c048878207d7914f4003ffe4b62085a367d4a6a30c5cb5e478dd13619b3153e163f35289bb6e

Download Submit
C:\Users\Admin\AppData\Roaming\Win32\sysfl_nf.log

Filesize
21B

MD5
e546fcefda5d522d0e8de13b368785c9

SHA1
b466f0b7dde91faee99915676de7aa9cafc3b2ca

SHA256
3dda2b393cb58e1a11d43bb4f383df1ae625824749c54363e12b08c2782c7ebf

SHA512
c754bf01a8b298f1bb242069dd2045de0bbf30fb74d0a89bd907bb7601a5a319c37547e9cb499a021a045a400305bf8409d54215351b0bf7eb5a51b3720ea34e

Download Submit
C:\Users\Admin\hqdefault.jpg

Filesize
12KB

MD5
a0a8fb705cc8071e3a27c87d58a3ba8a

SHA1
cdad9073df130274071404495fd9ed3d6a3dd1c5

SHA256
92da2ad10e7363e05f18c5c0f955fdf51d8ecb72d18a1accdeb0e5616e3a2eda

SHA512
e3f4fab58879c6e4ed875262467af4d95334f19b84996bcf2f8dbe6cac4bcf60f92025833254c19597b469b24ca1facd7d70a7ad81dca5ba04ab8dd1b0cce8af

Download Submit
C:\Users\Admin\test.bat

Filesize
28B

MD5
df5865875c266e32a5636fe831efbe69

SHA1
0685f945feff1da69f7fb0b71c93bcd2aa505877

SHA256
45d635a132a6acdc6cdf9904b5774a52691ac1ac819039584ed5a57865d7d1de

SHA512
04c48931ec52ad000fc8566e7a35f6b25c7981387d08ec20c1ff24242bf0f03d7d31f99e4e18d0b26a74384e8a731372708446ee40cf2d782acf2e2e3627634f

Download Submit
\Users\Admin\2.exe

Filesize
561KB

MD5
ebd4810da1ea4bc9b586d1de0b3c1188

SHA1
4ee81dc8c4e83914bb43453690c0e7a9d9d3e1b4

SHA256
09da1faf7392ddae601db926f40fa9d497dd12bc9115ea8bdb1f6039a4aa0371

SHA512
ba5b2fce577e94f6fc107d353388936979bfd6626fdde181d2c764ff0882bce393ffc22b3cac908616baac8ab19eb8d211f5b6830ee9ac526f8056c1d140f6ba

Download Submit
\Users\Admin\AppData\Roaming\Win32\System.exe

Filesize
708KB

MD5
d36eedff4ed4a532cfa0f24424be04fd

SHA1
616de03d0715b46f9f1fb297e55b70b9fd1d0922

SHA256
7b3b03f230e67d0873b9a7906aa0f0eaaee190ee21773df0a896c00cea749136

SHA512
ecd9c2ff8e7c9c508b1060a5ab76acd65fdd1df49dad566b76b4c048878207d7914f4003ffe4b62085a367d4a6a30c5cb5e478dd13619b3153e163f35289bb6e

Download Submit
\Users\Admin\AppData\Roaming\Win32\System.exe

Filesize
708KB

MD5
d36eedff4ed4a532cfa0f24424be04fd

SHA1
616de03d0715b46f9f1fb297e55b70b9fd1d0922

SHA256
7b3b03f230e67d0873b9a7906aa0f0eaaee190ee21773df0a896c00cea749136

SHA512
ecd9c2ff8e7c9c508b1060a5ab76acd65fdd1df49dad566b76b4c048878207d7914f4003ffe4b62085a367d4a6a30c5cb5e478dd13619b3153e163f35289bb6e

Download Submit
\Users\Admin\AppData\Roaming\Win32\System.exe

Filesize
708KB

MD5
d36eedff4ed4a532cfa0f24424be04fd

SHA1
616de03d0715b46f9f1fb297e55b70b9fd1d0922

SHA256
7b3b03f230e67d0873b9a7906aa0f0eaaee190ee21773df0a896c00cea749136

SHA512
ecd9c2ff8e7c9c508b1060a5ab76acd65fdd1df49dad566b76b4c048878207d7914f4003ffe4b62085a367d4a6a30c5cb5e478dd13619b3153e163f35289bb6e

Download Submit
\Users\Admin\AppData\Roaming\Win32\System.exe

Filesize
708KB

MD5
d36eedff4ed4a532cfa0f24424be04fd

SHA1
616de03d0715b46f9f1fb297e55b70b9fd1d0922

SHA256
7b3b03f230e67d0873b9a7906aa0f0eaaee190ee21773df0a896c00cea749136

SHA512
ecd9c2ff8e7c9c508b1060a5ab76acd65fdd1df49dad566b76b4c048878207d7914f4003ffe4b62085a367d4a6a30c5cb5e478dd13619b3153e163f35289bb6e

Download Submit
memory/836-54-0x0000000076831000-0x0000000076833000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads