Analysis Overview
SHA256
6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20
Threat Level: Known bad
The file AA_v3.5.exe was found to be: Known bad.
Malicious Activity Summary
AmmyyAdmin payload
Ammyyadmin family
FlawedAmmyy RAT
Checks computer location settings
Drops file in System32 directory
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-06-15 11:39
Signatures
AmmyyAdmin payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Ammyyadmin family
Analysis: behavioral1
Detonation Overview
Submitted
2023-06-15 11:39
Reported
2023-06-15 11:42
Platform
win7-20230220-en
Max time kernel
150s
Max time network
144s
Command Line
Signatures
FlawedAmmyy RAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy | C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c10595347c87e2536c0b16b | C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 050c02851c7c86fcdf0c09424d7f47ba8dc27186aac9f0f2e8238c8e9e3bc071df37c422fe46efc2cc2a8b0686b01ac5390deb68f78534aab349f8aeba7a6723b6ce95aa | C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 920 wrote to memory of 1344 | N/A | C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe | C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe |
| PID 920 wrote to memory of 1344 | N/A | C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe | C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe |
| PID 920 wrote to memory of 1344 | N/A | C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe | C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe |
| PID 920 wrote to memory of 1344 | N/A | C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe | C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe"
C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.242:443 | tcp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | 714f2508d4227f74b6adacfef73815d8 |
| SHA1 | a35c8a796e4453c0c09d011284b806d25bdad04c |
| SHA256 | a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480 |
| SHA512 | 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8 |
C:\ProgramData\AMMYY\hr
| MD5 | adf0d90734ede0cba8e5f7581c088c62 |
| SHA1 | dc581e6eac6b2d1b4924e8b69279427a1db8a38a |
| SHA256 | 28b1aaa5528b50237cf8e022e188fded30a954ea04ddafc36ec62ab3407bdc95 |
| SHA512 | 34a820168c674c421a630b7b0307dc33d5b22059f22c45e6ee37a9e03fa654c943a6f26b16111777902e3db3337410b259105c7b9f8f5eca9dc20c1648841ced |
C:\ProgramData\AMMYY\hr3
| MD5 | 5b965065ad727ed4d2033672dd1a35bb |
| SHA1 | fa53dc584ac476fbd044b2cd5504c5db8e0b8bd0 |
| SHA256 | 472912da18ecc8fd1ed1d8ed716b0fd26dd9ddfbcfa225423856df73060ef159 |
| SHA512 | 12ddabf3138fb704d60f3ee5e967e1243c395f18d3db2e08ead8447c2cf3077efebf03e098f00e3b3656dd0ab59bb33f78c533be383523865eff147bb4371ad4 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-06-15 11:39
Reported
2023-06-15 11:42
Platform
win10v2004-20230220-en
Max time kernel
150s
Max time network
145s
Command Line
Signatures
FlawedAmmyy RAT
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e155253e9568f2236c0b16b | C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = c7b905851c7c86fcdf0c09424d7f593e0d0b7bc06cf93d9a2d6e6d6847d0ae92bcae3b6204345470ad67931130712b9d98ec9ccb438e84ca028b180126131a0e6e4795db | C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 736 wrote to memory of 4364 | N/A | C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe | C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe |
| PID 736 wrote to memory of 4364 | N/A | C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe | C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe |
| PID 736 wrote to memory of 4364 | N/A | C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe | C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe"
C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe"
Network
| Country | Destination | Domain | Proto |
| US | 209.197.3.8:80 | tcp | |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.235:443 | tcp | |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.129.42.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.104.243.136.in-addr.arpa | udp |
| US | 52.242.101.226:443 | tcp | |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 52.242.101.226:443 | tcp | |
| US | 8.8.8.8:53 | 0.77.109.52.in-addr.arpa | udp |
| US | 52.242.101.226:443 | tcp | |
| US | 209.197.3.8:80 | tcp | |
| NL | 173.223.113.164:443 | tcp | |
| US | 52.242.101.226:443 | tcp | |
| US | 52.242.101.226:443 | tcp | |
| US | 52.242.101.226:443 | tcp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | 714f2508d4227f74b6adacfef73815d8 |
| SHA1 | a35c8a796e4453c0c09d011284b806d25bdad04c |
| SHA256 | a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480 |
| SHA512 | 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8 |
C:\ProgramData\AMMYY\hr
| MD5 | e6fe6521f6507ef81539c0d22fce6437 |
| SHA1 | 3a381748901dcd39cc98aac4b2dcb1a3ba9044c8 |
| SHA256 | 1673d897edeeb14eec50f09a35021c8127ebe4af0b462ff253163c72a0b9d32d |
| SHA512 | d8279a0f58c00b59b49f83f2701c1b8dd4a5884f205ec308d9cdd1aad9744c80ad563765cf0dc51cb6da1f7f1b419a548aeb569e551b9f58fa3dfa46d14e2d48 |
C:\ProgramData\AMMYY\hr3
| MD5 | f667ef66cba5a000cd24a4dba26b6fd2 |
| SHA1 | d2c0dec32fc496a48366a06d0c45f636ef3e8855 |
| SHA256 | 8ea778291b8e6c1a5229ae6e180ae7d308fcd870699763713161ccd5eb3f4b99 |
| SHA512 | ab15db313e77453b541c3415b1f5360646553adc83dbcd37ba8927bbcd6f7ea6c792f3f351c4acd79e21a1ffa0c7520737f88360aaca1cb8eec1659452e6a8fe |