Analysis Overview
SHA256
6f2258383b92bfaf425f49fc7a5901bfa97a334de49ce015cf65396125c13d20
Threat Level: Known bad
The file 03920799.exe was found to be: Known bad.
Malicious Activity Summary
AmmyyAdmin payload
Ammyyadmin family
FlawedAmmyy RAT
Checks computer location settings
Drops file in System32 directory
Modifies data under HKEY_USERS
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-06-15 12:29
Signatures
AmmyyAdmin payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Ammyyadmin family
Analysis: behavioral1
Detonation Overview
Submitted
2023-06-15 12:29
Reported
2023-06-15 12:31
Platform
win7-20230220-en
Max time kernel
150s
Max time network
147s
Command Line
Signatures
FlawedAmmyy RAT
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\03920799.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy | C:\Users\Admin\AppData\Local\Temp\03920799.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c1059532775e432cdc0b16b | C:\Users\Admin\AppData\Local\Temp\03920799.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 331e5a25c9b7a2343eb05738993014f4b822e1f734eaa944abbb81098eacca0442f5a060c2f7c1a79929996463b343a36db920f1f45f288f21271414419f112fc28a5864 | C:\Users\Admin\AppData\Local\Temp\03920799.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Users\Admin\AppData\Local\Temp\03920799.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\03920799.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\03920799.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03920799.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03920799.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1992 wrote to memory of 1424 | N/A | C:\Users\Admin\AppData\Local\Temp\03920799.exe | C:\Users\Admin\AppData\Local\Temp\03920799.exe |
| PID 1992 wrote to memory of 1424 | N/A | C:\Users\Admin\AppData\Local\Temp\03920799.exe | C:\Users\Admin\AppData\Local\Temp\03920799.exe |
| PID 1992 wrote to memory of 1424 | N/A | C:\Users\Admin\AppData\Local\Temp\03920799.exe | C:\Users\Admin\AppData\Local\Temp\03920799.exe |
| PID 1992 wrote to memory of 1424 | N/A | C:\Users\Admin\AppData\Local\Temp\03920799.exe | C:\Users\Admin\AppData\Local\Temp\03920799.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\03920799.exe
"C:\Users\Admin\AppData\Local\Temp\03920799.exe"
C:\Users\Admin\AppData\Local\Temp\03920799.exe
"C:\Users\Admin\AppData\Local\Temp\03920799.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\03920799.exe
"C:\Users\Admin\AppData\Local\Temp\03920799.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.242:443 | | tcp |
Files
C:\ProgramData\AMMYY\settings3.bin
| Hash | Value |
|---|---|
| MD5 | 714f2508d4227f74b6adacfef73815d8 |
| SHA1 | a35c8a796e4453c0c09d011284b806d25bdad04c |
| SHA256 | a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480 |
| SHA512 | 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8 |
C:\ProgramData\AMMYY\hr
| Hash | Value |
|---|---|
| MD5 | ab4704336751783ee23024e9c66297a3 |
| SHA1 | 4e1ebbd27fcd5d3fad83d81e9829ba303b5eced5 |
| SHA256 | 83bf5940f6f00b4f1b8bffea2ce12c178f39f10376a507d152e4009392025171 |
| SHA512 | 0b6d55175f9d298278ebbdbca5f151453e306c67c212b0f4d9e1c17ddd4390322935e21b7dfcca4cef6fdf7829388c426809aa25a9ca6ba32fa9fd79fe34b4cc |
C:\ProgramData\AMMYY\hr3
| Hash | Value |
|---|---|
| MD5 | 1c8878490a89e54c9f76fe825df1871e |
| SHA1 | 8195988e9538cccf50dbae9f68178bcdeb1a92f7 |
| SHA256 | 28b5f435e5d01dbbd9052f0cf9312b89d5fe77a7cef5d3d594c028e67cbb67fc |
| SHA512 | f7e35532729c6406e60d7f46b9f5592deb9578abfe6266317bbbafca05ca4038b9f700e147f5c7300cdb7e6861329e7c73bb289084f692820db8c8e1e0f8e0dc |
Analysis: behavioral2
Detonation Overview
Submitted
2023-06-15 12:29
Reported
2023-06-15 12:31
Platform
win10v2004-20230220-en
Max time kernel
150s
Max time network
138s
Command Line
Signatures
FlawedAmmyy RAT
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Users\Admin\AppData\Local\Temp\03920799.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Users\Admin\AppData\Local\Temp\03920799.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Users\Admin\AppData\Local\Temp\03920799.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Users\Admin\AppData\Local\Temp\03920799.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Users\Admin\AppData\Local\Temp\03920799.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\03920799.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\03920799.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | C:\Users\Admin\AppData\Local\Temp\03920799.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 42698c23db3f538207b65f120737f12cf3a30566a57d7537e97e2cdfb4e925ac447106316002c90a2fc8163a0a8e9d559d4a7020c746e0e1b92186e0f5d5074346dad197 | C:\Users\Admin\AppData\Local\Temp\03920799.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Users\Admin\AppData\Local\Temp\03920799.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Users\Admin\AppData\Local\Temp\03920799.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\03920799.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e155253cc9b9c32cdc0b16b | C:\Users\Admin\AppData\Local\Temp\03920799.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03920799.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\03920799.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 556 wrote to memory of 4768 | N/A | C:\Users\Admin\AppData\Local\Temp\03920799.exe | C:\Users\Admin\AppData\Local\Temp\03920799.exe |
| PID 556 wrote to memory of 4768 | N/A | C:\Users\Admin\AppData\Local\Temp\03920799.exe | C:\Users\Admin\AppData\Local\Temp\03920799.exe |
| PID 556 wrote to memory of 4768 | N/A | C:\Users\Admin\AppData\Local\Temp\03920799.exe | C:\Users\Admin\AppData\Local\Temp\03920799.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\03920799.exe
"C:\Users\Admin\AppData\Local\Temp\03920799.exe"
C:\Users\Admin\AppData\Local\Temp\03920799.exe
"C:\Users\Admin\AppData\Local\Temp\03920799.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\03920799.exe
"C:\Users\Admin\AppData\Local\Temp\03920799.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.235:443 | | tcp |
| US | 8.8.8.8:53 | 148.129.42.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 136.243.104.235:80 | | tcp |
| US | 8.8.8.8:53 | 235.104.243.136.in-addr.arpa | udp |
| US | 40.125.122.151:443 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| IE | 20.50.73.11:443 | | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| NL | 8.238.21.126:80 | | tcp |
| NL | 173.223.113.164:443 | | tcp |
| NL | 173.223.113.131:80 | | tcp |
| US | 131.253.33.203:80 | | tcp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
Files
C:\ProgramData\AMMYY\settings3.bin
| Hash | Value |
|---|---|
| MD5 | 714f2508d4227f74b6adacfef73815d8 |
| SHA1 | a35c8a796e4453c0c09d011284b806d25bdad04c |
| SHA256 | a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480 |
| SHA512 | 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8 |
C:\ProgramData\AMMYY\hr
| Hash | Value |
|---|---|
| MD5 | 42b10a86aa904b33e2925e35f349360f |
| SHA1 | e568a206b97f7956b4bb97bd6063b6d5a7362d8e |
| SHA256 | d8b0cdcedaabfd418fd18bfcff14113a1e05c17c818e92f6ae42980ed3b4100b |
| SHA512 | f2f89da9e612a132da3a18b651f25680d26a63c98f517360d25b6f1e6bdd7ff159b93b360d157738e7f782029d1ccd9a6641308c75c6888cbc7a4dd32004bddc |
C:\ProgramData\AMMYY\hr3
| Hash | Value |
|---|---|
| MD5 | 2a1889442ba91fc1362b1167f9a140fc |
| SHA1 | ec5edd167f528acc1a98bd19a764aef57bb5017c |
| SHA256 | a246bfc5fe0072dd0a59c499cd10287e2e4ece532193a96d4c9d5fd02aae243d |
| SHA512 | 36481e00afc7c4c48d0dc7a3eba2dab2a4519afeb62ce89c691ae977db95efd7d758e74eabeb8a3be5af8386048118058c6cebc3a9bcc81f3b0b35f75dc0a1d2 |