Malware Analysis Report

2024-10-24 20:55

Sample ID 230615-nslypagc2y
Target AA_v3.5.exe
SHA256 6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20
Tags
ammyyadmin flawedammyy trojan
score
10/10

Analysis Overview

score
10/10

SHA256

6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20

Threat Level: Known bad

The file AA_v3.5.exe was found to be: Known bad.

Malicious Activity Summary

ammyyadmin flawedammyy trojan

AmmyyAdmin payload

Ammyyadmin family

FlawedAmmyy RAT

Checks computer location settings

Drops file in System32 directory

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-15 11:39

Signatures

AmmyyAdmin payload

Description Indicator Process Target
N/A N/A N/A N/A

Ammyyadmin family

ammyyadmin

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-15 11:39

Reported

2023-06-15 11:42

Platform

win7-20230220-en

Max time kernel

150s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c10595347c87e2536c0b16b C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 050c02851c7c86fcdf0c09424d7f47ba8dc27186aac9f0f2e8238c8e9e3bc071df37c422fe46efc2cc2a8b0686b01ac5390deb68f78534aab349f8aeba7a6723b6ce95aa C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe

"C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe"

C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe

"C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe

"C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 rl.ammyy.com udp
NL 188.42.129.148:80 rl.ammyy.com tcp
DE 136.243.104.242:443 tcp

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 714f2508d4227f74b6adacfef73815d8
SHA1 a35c8a796e4453c0c09d011284b806d25bdad04c
SHA256 a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480
SHA512 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

C:\ProgramData\AMMYY\hr

MD5 adf0d90734ede0cba8e5f7581c088c62
SHA1 dc581e6eac6b2d1b4924e8b69279427a1db8a38a
SHA256 28b1aaa5528b50237cf8e022e188fded30a954ea04ddafc36ec62ab3407bdc95
SHA512 34a820168c674c421a630b7b0307dc33d5b22059f22c45e6ee37a9e03fa654c943a6f26b16111777902e3db3337410b259105c7b9f8f5eca9dc20c1648841ced

C:\ProgramData\AMMYY\hr3

MD5 5b965065ad727ed4d2033672dd1a35bb
SHA1 fa53dc584ac476fbd044b2cd5504c5db8e0b8bd0
SHA256 472912da18ecc8fd1ed1d8ed716b0fd26dd9ddfbcfa225423856df73060ef159
SHA512 12ddabf3138fb704d60f3ee5e967e1243c395f18d3db2e08ead8447c2cf3077efebf03e098f00e3b3656dd0ab59bb33f78c533be383523865eff147bb4371ad4

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-15 11:39

Reported

2023-06-15 11:42

Platform

win10v2004-20230220-en

Max time kernel

150s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e155253e9568f2236c0b16b C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = c7b905851c7c86fcdf0c09424d7f593e0d0b7bc06cf93d9a2d6e6d6847d0ae92bcae3b6204345470ad67931130712b9d98ec9ccb438e84ca028b180126131a0e6e4795db C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Ammyy C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe

"C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe"

C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe

"C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe

"C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe"

Network

Country Destination Domain Proto
US 209.197.3.8:80 tcp
US 8.8.8.8:53 rl.ammyy.com udp
NL 188.42.129.148:80 rl.ammyy.com tcp
DE 136.243.104.235:443 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 148.129.42.188.in-addr.arpa udp
US 8.8.8.8:53 235.104.243.136.in-addr.arpa udp
US 52.242.101.226:443 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 52.242.101.226:443 tcp
US 8.8.8.8:53 0.77.109.52.in-addr.arpa udp
US 52.242.101.226:443 tcp
US 209.197.3.8:80 tcp
NL 173.223.113.164:443 tcp
US 52.242.101.226:443 tcp
US 52.242.101.226:443 tcp
US 52.242.101.226:443 tcp

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 714f2508d4227f74b6adacfef73815d8
SHA1 a35c8a796e4453c0c09d011284b806d25bdad04c
SHA256 a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480
SHA512 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

C:\ProgramData\AMMYY\hr

MD5 e6fe6521f6507ef81539c0d22fce6437
SHA1 3a381748901dcd39cc98aac4b2dcb1a3ba9044c8
SHA256 1673d897edeeb14eec50f09a35021c8127ebe4af0b462ff253163c72a0b9d32d
SHA512 d8279a0f58c00b59b49f83f2701c1b8dd4a5884f205ec308d9cdd1aad9744c80ad563765cf0dc51cb6da1f7f1b419a548aeb569e551b9f58fa3dfa46d14e2d48

C:\ProgramData\AMMYY\hr3

MD5 f667ef66cba5a000cd24a4dba26b6fd2
SHA1 d2c0dec32fc496a48366a06d0c45f636ef3e8855
SHA256 8ea778291b8e6c1a5229ae6e180ae7d308fcd870699763713161ccd5eb3f4b99
SHA512 ab15db313e77453b541c3415b1f5360646553adc83dbcd37ba8927bbcd6f7ea6c792f3f351c4acd79e21a1ffa0c7520737f88360aaca1cb8eec1659452e6a8fe