Malware Analysis Report

2024-10-24 20:55

Sample ID 230615-nsm6ragc22
Target AA39_55.exe
SHA256 e682ea6f18a526c3f0d8e7b6f3673b05e8e211a29fe3274423756d4731289224
Tags flawedammyy trojan ammyyadmin
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 e682ea6f18a526c3f0d8e7b6f3673b05e8e211a29fe3274423756d4731289224

Threat Level: Known bad

The file AA39_55.exe was found to be: Known bad.

Malicious Activity Summary

flawedammyy trojan ammyyadmin

Ammyyadmin family

FlawedAmmyy RAT

AmmyyAdmin payload

Checks computer location settings

Unsigned PE

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-06-15 11:39

Signatures

AmmyyAdmin payload

Description Indicator Process Target
N/A N/A N/A N/A

Ammyyadmin family

ammyyadmin

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-06-15 11:39
Reported 2023-06-15 11:42
Platform win7-20230220-en
Max time kernel 150s
Max time network 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AA39_55.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\AA39_55.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin C:\Users\Admin\AppData\Local\Temp\AA39_55.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 4fe92555c3a89bd846ec5c00966bbe46c3fecdc9fe4a299b6ce4fc0440a4393625f89efd7f8ea7eeec5618550ccd3ec013830903c6d49ca6ee864dfdf469f5c1e9f8a2960e C:\Users\Admin\AppData\Local\Temp\AA39_55.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Users\Admin\AppData\Local\Temp\AA39_55.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin C:\Users\Admin\AppData\Local\Temp\AA39_55.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Users\Admin\AppData\Local\Temp\AA39_55.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Ammyy C:\Users\Admin\AppData\Local\Temp\AA39_55.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AA39_55.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AA39_55.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AA39_55.exe

"C:\Users\Admin\AppData\Local\Temp\AA39_55.exe"

C:\Users\Admin\AppData\Local\Temp\AA39_55.exe

"C:\Users\Admin\AppData\Local\Temp\AA39_55.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\AA39_55.exe

"C:\Users\Admin\AppData\Local\Temp\AA39_55.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 acsm.ru udp
RU 77.106.252.188:80 acsm.ru tcp
RU 77.106.252.188:48654 acsm.ru tcp
RU 77.106.252.188:48654 acsm.ru tcp
RU 77.106.252.188:48654 acsm.ru tcp

Files

C:\Users\Admin\AppData\Local\Temp\settings3.bin

MD5 8411a75a1e371db9594e9943e3c6c850
SHA1 575abe26802724d1436d6083ff17802bc66a793c
SHA256 1a621d89ef9377869faf8c6bf1af7e6a370d12054f21ecdeb9ba266815929d10
SHA512 b83f349899a9c4a99a50120d5d55a6d4ded9373db3dbf26a24abf4e80254a1119483ec00d0fb58b13ade78a868705b5f55cfc829ffc12082a54e7111c34c1fc3

Analysis: behavioral2

Detonation Overview

Submitted 2023-06-15 11:39
Reported 2023-06-15 11:42
Platform win10v2004-20230220-en
Max time kernel 150s
Max time network 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AA39_55.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\AA39_55.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = c6b7b322b342d05050eb5e1807896173d91ba225c97b9f63575a8daf1e3d9c924cc0b58861c3fa7173f0f27c8a00a8b5070677475ed2c04e828a18ade2106af9c2bf78bf29 C:\Users\Admin\AppData\Local\Temp\AA39_55.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin C:\Users\Admin\AppData\Local\Temp\AA39_55.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Users\Admin\AppData\Local\Temp\AA39_55.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Ammyy C:\Users\Admin\AppData\Local\Temp\AA39_55.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin C:\Users\Admin\AppData\Local\Temp\AA39_55.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AA39_55.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AA39_55.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AA39_55.exe

"C:\Users\Admin\AppData\Local\Temp\AA39_55.exe"

C:\Users\Admin\AppData\Local\Temp\AA39_55.exe

"C:\Users\Admin\AppData\Local\Temp\AA39_55.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\AA39_55.exe

"C:\Users\Admin\AppData\Local\Temp\AA39_55.exe"

Network


Files

C:\Users\Admin\AppData\Local\Temp\settings3.bin

MD5 8411a75a1e371db9594e9943e3c6c850
SHA1 575abe26802724d1436d6083ff17802bc66a793c
SHA256 1a621d89ef9377869faf8c6bf1af7e6a370d12054f21ecdeb9ba266815929d10
SHA512 b83f349899a9c4a99a50120d5d55a6d4ded9373db3dbf26a24abf4e80254a1119483ec00d0fb58b13ade78a868705b5f55cfc829ffc12082a54e7111c34c1fc3