Malware Analysis Report

2024-10-16 05:14

Sample ID 230402-lw48bsha6t
Target MDE_File_Sample_c6bff7857fdf33cbd8f052ef5d669675e5cf06f8.zip
SHA256 b50982f889255af6558b6ee07be5837049bb94297ff0c0db6d4670a9001916dc
Tags ammyyadmin, flawedammyy, trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 b50982f889255af6558b6ee07be5837049bb94297ff0c0db6d4670a9001916dc

Threat Level: Known bad

The file MDE_File_Sample_c6bff7857fdf33cbd8f052ef5d669675e5cf06f8.zip was found to be: Known bad.

Malicious Activity Summary

ammyyadmin flawedammyy trojan

AmmyyAdmin payload

Ammyyadmin family

FlawedAmmyy RAT

Checks computer location settings

Drops file in System32 directory

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Modifies data under HKEY_USERS
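Detection logic for the behaviours listed above, added here as an example that is not part of this report and not any sandbox vendor's code. It applies the report's own indicators (the "-service -lunch" command line, the HKU\.DEFAULT\Software\Ammyy\Admin keys, the C:\ProgramData\AMMYY files, the rl.ammyy.com lookup, TCP port 5931, and the settings3.bin SHA256, which is the only file hash that is identical in both detonations) to constructed Sysmon-style events. The event schema, the rule names, the IMAGE_USER_TEMP heuristic and the verdict thresholds are assumptions made for the example.

```python
"""Match the FlawedAmmyy / Ammyy Admin behaviours from the report against
Sysmon-style events. Added example; event schema and thresholds are assumptions."""
from __future__ import annotations

import re
from collections import Counter

# --- Indicators taken from the report ---------------------------------------
CMDLINE_SERVICE = re.compile(r"(^|\s)-service\s+-lunch(\s|$)", re.IGNORECASE)  # "-lunch" is the program's own spelling
REGISTRY_AMMYY = re.compile(r"\\Software\\Ammyy(\\|$)", re.IGNORECASE)         # key case differs between the two runs
REGISTRY_GEO = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
FILE_AMMYY = re.compile(r"^C:\\ProgramData\\AMMYY\\(settings3\.bin|hr3?)$", re.IGNORECASE)
IMAGE_USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.exe$", re.IGNORECASE)  # assumption: context heuristic
DNS_AMMYY = {"rl.ammyy.com"}
ROUTER_PORT = 5931                      # Ammyy Admin router port; behavioral2 shows a TCP attempt on it
KNOWN_BAD_SHA256 = {
    # settings3.bin: identical hash in both runs. hr/hr3 differ per run, so they are matched by path only.
    "a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480",
}
# Behaviours that together name the family (two or more distinct => verdict). Assumed threshold.
STRONG = {"ammyy_service_launch", "ammyy_registry", "ammyy_programdata_file",
          "ammyy_router_list_dns", "known_bad_hash"}


def match_event(ev: dict) -> set[str]:
    """Return the names of the report's behaviours that one event exhibits."""
    hits: set[str] = set()
    kind = ev.get("type")
    if kind == "process_create" and CMDLINE_SERVICE.search(ev.get("cmdline", "")):
        hits.add("ammyy_service_launch")
    if kind in ("registry_set", "registry_create") and REGISTRY_AMMYY.search(ev.get("target", "")):
        hits.add("ammyy_registry")
    if kind == "registry_query" and REGISTRY_GEO.search(ev.get("target", "")):
        hits.add("geo_nation_check")        # weak on its own: many legitimate programs read this value
    if kind == "file_create":
        if FILE_AMMYY.match(ev.get("target", "")):
            hits.add("ammyy_programdata_file")
        if ev.get("sha256", "").lower() in KNOWN_BAD_SHA256:
            hits.add("known_bad_hash")
    if kind == "dns_query" and ev.get("query", "").lower().rstrip(".") in DNS_AMMYY:
        hits.add("ammyy_router_list_dns")
    if kind == "network_connect" and ev.get("proto") == "tcp" and ev.get("dst_port") == ROUTER_PORT:
        hits.add("ammyy_router_port")       # medium: a legitimately installed Ammyy Admin uses the same port
    return hits


def assess_host(events: list[dict]) -> dict:
    """Aggregate per host: counts per behaviour, matching images run from user Temp, and a verdict."""
    hits: Counter[str] = Counter()
    temp_images: set[str] = set()
    for ev in events:
        matched = match_event(ev)
        hits.update(matched)
        if matched and IMAGE_USER_TEMP.search(ev.get("image", "")):
            temp_images.add(ev["image"])
    strong = STRONG & set(hits)
    if len(strong) >= 2:
        verdict = "flawedammyy"
    elif strong or {"ammyy_router_port", "geo_nation_check"} <= set(hits):
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "hits": dict(hits), "temp_images": sorted(temp_images)}


# --- Constructed events mirroring the behavioral1/behavioral2 rows (not real telemetry) ---
IMG = r"C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe"
SAMPLE_EVENTS = [
    {"type": "process_create", "image": IMG, "cmdline": f'"{IMG}" -service -lunch'},
    {"type": "registry_query", "image": IMG,
     "target": r"\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\International\Geo\Nation"},
    {"type": "registry_set", "image": IMG, "target": r"\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3"},
    {"type": "registry_set", "image": IMG, "target": r"\REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr"},
    {"type": "file_create", "image": IMG, "target": r"C:\ProgramData\AMMYY\settings3.bin",
     "sha256": "a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480"},
    {"type": "dns_query", "image": IMG, "query": "rl.ammyy.com"},
    {"type": "network_connect", "image": IMG, "dst_ip": "188.42.129.148", "dst_port": 80, "proto": "tcp"},
    {"type": "network_connect", "image": IMG, "dst_ip": "8.8.8.8", "dst_port": 5931, "proto": "tcp"},
]
BENIGN_EVENTS = [  # constructed background noise plus an unrelated ProgramData write
    {"type": "dns_query", "image": r"C:\Windows\System32\svchost.exe", "query": "assets.msn.com"},
    {"type": "file_create", "image": r"C:\Program Files\Foo\foo.exe",
     "target": r"C:\ProgramData\Foo\settings3.bin", "sha256": "00" * 32},
]

if __name__ == "__main__":
    print(assess_host(SAMPLE_EVENTS))   # verdict: flawedammyy
    print(assess_host(BENIGN_EVENTS))   # verdict: clean
```

A legitimately installed Ammyy Admin leaves the same registry keys, ProgramData files, rl.ammyy.com lookup and port 5931 traffic, which is why the aggregate also reports the images involved: here the artefacts come from a randomly named executable run from the user's Temp directory, which is the context that separates this sample from a sanctioned remote-support install. The Geo\Nation query is reported but only counted as weak corroboration.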

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-04-02 09:53

Signatures

AmmyyAdmin payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Ammyyadmin family

ammyyadmin

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-02 09:53

Reported

2023-04-02 09:55

Platform

win7-20230220-en

Max time kernel

87s

Max time network

75s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = c617a12ebfad19310cca75e486e87ba329abf9dfc425dbaad506f70fcddd3b4a809036a1ce85ded300792874fc7b4b4971239bcca78dfd963c67bb2462a55b16ea45a5e1 | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c105953b7678aea113ab16b | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe

"C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe"

C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe

"C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe

"C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | rl.ammyy.com | udp
NL | 188.42.129.148:80 | rl.ammyy.com | tcp
DE | 136.243.104.242:443 | - | tcp

The sequence (DNS lookup of rl.ammyy.com, HTTP to 188.42.129.148:80, then a TCP connection on 443 to a DE address that the report does not tie to a domain) matches Ammyy Admin's normal start-up: fetch the router list from rl.ammyy.com, then connect to a router. The same rl.ammyy.com lookup and a neighbouring 136.243.104.x address appear in behavioral2.

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 714f2508d4227f74b6adacfef73815d8
SHA1 a35c8a796e4453c0c09d011284b806d25bdad04c
SHA256 a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480
SHA512 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

C:\ProgramData\AMMYY\hr

MD5 e5278e4c0370b40e01b5ec1f126750dc
SHA1 9723ae1ead3ff58d4be65fd6e204decb6c732d6b
SHA256 6e52f6dda74495c3c70b6bd6f014f687cedebc1a31ed92125188e4343c33121d
SHA512 6063b2e5b3160bd90ce96f6588801ff8cd00911c373fca0d096c211a755e767914346e7f174a6faa0fa0667ae7f57c940781307faeb3910901c7e35c87f81eaa

C:\ProgramData\AMMYY\hr3

MD5 c6d8d4c241dcb68b5adf150cfbba2746
SHA1 716185d4c874b76f7dd855c1188f09332a76c2a6
SHA256 27e868dbac006706b6d9fd82612be17acfc1cd766cd60509fa64fb176e19d44a
SHA512 c39b722881ca2940b589e63e8c3cb1dda8636609926451f73af74b40d609e6ee132e4a15de955b5444584f84129825219770e677befb7b79ee765bb92e33986d

Analysis: behavioral2

Detonation Overview

Submitted

2023-04-02 09:53

Reported

2023-04-02 09:55

Platform

win10v2004-20230220-en

Max time kernel

75s

Max time network

78s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A

These paths are the WinINet cache, cookie and history folders of the LocalSystem profile (C:\Windows\SysWOW64\config\systemprofile, i.e. a 32-bit process running as SYSTEM). Together with the Internet Settings\5.0\Cache keys created under HKU\.DEFAULT below, they are consistent with the service instance of the sample initialising WinINet as SYSTEM, not with a payload being dropped into System32.

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e155253ca5ec9eb113ab16b | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 4bb6c53ff90d2fce5a6e109ff94cfa7514e415d8fa319e63575a8d17c35a2de3c2e024f6280e32a57b0307ddceec8a9e5c8e40c40a6cabcca70e221a9643413d918cac78 | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe

"C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe"

C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe

"C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe

"C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | rl.ammyy.com | udp
NL | 188.42.129.148:80 | rl.ammyy.com | tcp
DE | 136.243.104.235:443 | - | tcp
US | 8.8.8.8:53 | 148.129.42.188.in-addr.arpa | udp
US | 8.8.8.8:53 | 235.104.243.136.in-addr.arpa | udp
US | 8.8.8.8:53 | 176.122.125.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 203.33.253.131.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.97.242.52.in-addr.arpa | udp
US | 8.8.8.8:53 | assets.msn.com | udp
GB | 95.101.143.243:443 | assets.msn.com | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 243.143.101.95.in-addr.arpa | udp
NL | 52.178.17.3:443 | - | tcp
US | 8.8.8.8:5931 | - | tcp
US | 8.8.8.8:53 | 73.254.224.20.in-addr.arpa | udp
US | 209.197.3.8:80 | - | tcp

The in-addr.arpa entries are reverse (PTR) lookups of addresses the VM contacted, including the sample's own 188.42.129.148 and 136.243.104.235; they, the assets.msn.com traffic and the remaining connections with no domain are not tied to the sample by this report and are consistent with Windows 10 background activity. The sample-attributable entries are the rl.ammyy.com lookup, the HTTP connection to 188.42.129.148:80, the 443 connection to 136.243.104.235 (a neighbour of the 136.243.104.242 seen in behavioral1) and the TCP attempt on port 5931, the port Ammyy Admin uses to reach its routers.

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 714f2508d4227f74b6adacfef73815d8
SHA1 a35c8a796e4453c0c09d011284b806d25bdad04c
SHA256 a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480
SHA512 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

C:\ProgramData\AMMYY\hr3

MD5 f1789982e79b3fe149b501889a50e521
SHA1 381bb7dfe4cdfaec28e93d5f810734b4f77dbc6c
SHA256 de9517ed720b42717b7bcd124ea29ad0d06f6bf421d7fd74ca24193adb97f1bf
SHA512 3a84610a60f0a47dea474ce9ce11f07ea961715beebe507d26e6185b2dcc40a467b6cb6dd049ddfddb23d54085515baa8899422f0660c2d16e04988399336320

C:\ProgramData\AMMYY\hr

MD5 70552ed892cbbc4fa0e597143bcd8b64
SHA1 138be0a48abcca4cf8467f728c0a1d0aa4b67a28
SHA256 ad285adc6573a78dc7887617676ba47be5f50e1227551fb1439a34aa255353ef
SHA512 e4a01ce4240f93f6aba0466f5d336d93e10d1bbc2c9b46e7c6d261e328e44e42358bda05be4d15e1081f089055e68be45c2fbb1220fc9e5c7bf55bb2c4403537

Across the two detonations settings3.bin keeps the same MD5, SHA1, SHA256 and SHA512, while hr and hr3 differ between runs; only settings3.bin is therefore usable as a stable file-hash indicator, and hr and hr3 should be matched by path.