Analysis Overview
SHA256
b50982f889255af6558b6ee07be5837049bb94297ff0c0db6d4670a9001916dc
Threat Level: Known bad
The file MDE_File_Sample_c6bff7857fdf33cbd8f052ef5d669675e5cf06f8.zip was found to be: Known bad.
Malicious Activity Summary
AmmyyAdmin payload
Ammyyadmin family
FlawedAmmyy RAT
Checks computer location settings
Drops file in System32 directory
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Modifies data under HKEY_USERS
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-04-02 09:53
Signatures
AmmyyAdmin payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Ammyyadmin family
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-02 09:53
Reported
2023-04-02 09:55
Platform
win7-20230220-en
Max time kernel
87s
Max time network
75s
Command Line
Signatures
FlawedAmmyy RAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = c617a12ebfad19310cca75e486e87ba329abf9dfc425dbaad506f70fcddd3b4a809036a1ce85ded300792874fc7b4b4971239bcca78dfd963c67bb2462a55b16ea45a5e1 | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c105953b7678aea113ab16b | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2016 wrote to memory of 520 | N/A | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe |
| PID 2016 wrote to memory of 520 | N/A | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe |
| PID 2016 wrote to memory of 520 | N/A | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe |
| PID 2016 wrote to memory of 520 | N/A | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe
"C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe"
C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe
"C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe
"C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.242:443 | N/A | tcp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | 714f2508d4227f74b6adacfef73815d8 |
| SHA1 | a35c8a796e4453c0c09d011284b806d25bdad04c |
| SHA256 | a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480 |
| SHA512 | 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8 |
C:\ProgramData\AMMYY\hr
| MD5 | e5278e4c0370b40e01b5ec1f126750dc |
| SHA1 | 9723ae1ead3ff58d4be65fd6e204decb6c732d6b |
| SHA256 | 6e52f6dda74495c3c70b6bd6f014f687cedebc1a31ed92125188e4343c33121d |
| SHA512 | 6063b2e5b3160bd90ce96f6588801ff8cd00911c373fca0d096c211a755e767914346e7f174a6faa0fa0667ae7f57c940781307faeb3910901c7e35c87f81eaa |
C:\ProgramData\AMMYY\hr3
| MD5 | c6d8d4c241dcb68b5adf150cfbba2746 |
| SHA1 | 716185d4c874b76f7dd855c1188f09332a76c2a6 |
| SHA256 | 27e868dbac006706b6d9fd82612be17acfc1cd766cd60509fa64fb176e19d44a |
| SHA512 | c39b722881ca2940b589e63e8c3cb1dda8636609926451f73af74b40d609e6ee132e4a15de955b5444584f84129825219770e677befb7b79ee765bb92e33986d |
Analysis: behavioral2
Detonation Overview
Submitted
2023-04-02 09:53
Reported
2023-04-02 09:55
Platform
win10v2004-20230220-en
Max time kernel
75s
Max time network
78s
Command Line
Signatures
FlawedAmmyy RAT
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e155253ca5ec9eb113ab16b | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 4bb6c53ff90d2fce5a6e109ff94cfa7514e415d8fa319e63575a8d17c35a2de3c2e024f6280e32a57b0307ddceec8a9e5c8e40c40a6cabcca70e221a9643413d918cac78 | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3728 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe |
| PID 3728 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe |
| PID 3728 wrote to memory of 1660 | N/A | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe | C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe
"C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe"
C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe
"C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe
"C:\Users\Admin\AppData\Local\Temp\AlphaZackCosmos.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.235:443 | N/A | tcp |
| US | 8.8.8.8:53 | 148.129.42.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.104.243.136.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.122.125.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.33.253.131.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.97.242.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | assets.msn.com | udp |
| GB | 95.101.143.243:443 | assets.msn.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 243.143.101.95.in-addr.arpa | udp |
| NL | 52.178.17.3:443 | N/A | tcp |
| US | 8.8.8.8:5931 | N/A | tcp |
| US | 8.8.8.8:53 | 73.254.224.20.in-addr.arpa | udp |
| US | 209.197.3.8:80 | N/A | tcp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | 714f2508d4227f74b6adacfef73815d8 |
| SHA1 | a35c8a796e4453c0c09d011284b806d25bdad04c |
| SHA256 | a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480 |
| SHA512 | 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8 |
C:\ProgramData\AMMYY\hr3
| MD5 | f1789982e79b3fe149b501889a50e521 |
| SHA1 | 381bb7dfe4cdfaec28e93d5f810734b4f77dbc6c |
| SHA256 | de9517ed720b42717b7bcd124ea29ad0d06f6bf421d7fd74ca24193adb97f1bf |
| SHA512 | 3a84610a60f0a47dea474ce9ce11f07ea961715beebe507d26e6185b2dcc40a467b6cb6dd049ddfddb23d54085515baa8899422f0660c2d16e04988399336320 |
C:\ProgramData\AMMYY\hr
| MD5 | 70552ed892cbbc4fa0e597143bcd8b64 |
| SHA1 | 138be0a48abcca4cf8467f728c0a1d0aa4b67a28 |
| SHA256 | ad285adc6573a78dc7887617676ba47be5f50e1227551fb1439a34aa255353ef |
| SHA512 | e4a01ce4240f93f6aba0466f5d336d93e10d1bbc2c9b46e7c6d261e328e44e42358bda05be4d15e1081f089055e68be45c2fbb1220fc9e5c7bf55bb2c4403537 |