Analysis Overview
SHA256
d40612998412aab4203e0fcb372a77110d851f4dd05ed19714187c518c6983ab
Threat Level: Known bad
The file AA_v3.5.exe was found to be: Known bad.
Malicious Activity Summary
AmmyyAdmin payload
FlawedAmmyy RAT
Ammyyadmin family
Checks computer location settings
Drops file in System32 directory
Modifies data under HKEY_USERS
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-07-03 06:27
Signatures
AmmyyAdmin payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Ammyyadmin family
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-03 06:27
Reported
2023-07-03 06:30
Platform
win7-20230621-en
Max time kernel
150s
Max time network
144s
Command Line
Signatures
FlawedAmmyy RAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A |
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe
"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe"
C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe
"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe
"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.242:443 | | tcp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | 714f2508d4227f74b6adacfef73815d8 |
| SHA1 | a35c8a796e4453c0c09d011284b806d25bdad04c |
| SHA256 | a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480 |
| SHA512 | 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8 |
C:\ProgramData\AMMYY\hr
| MD5 | edc78883b0c6f8b4067613814ece8c1d |
| SHA1 | 7284bf4e565930ec6d04c9bef45fe03a83745219 |
| SHA256 | 228c1e8840d05f133ed9b49fdd12d5958f78a8af244b3ee6a13daa514505d76a |
| SHA512 | ddd479882fc79eec5685acbda83a4ccd308eada96eb0359741edf442d9af5586511908e907a3795a6d0bea6a9538d46e1901e0b2bdb120f50f46d44f27edac4a |
C:\ProgramData\AMMYY\hr3
| MD5 | 6ff74a1430e717a590bff4d881aaa871 |
| SHA1 | 3b9f1f47b53721482050f54767f539137ce07d5b |
| SHA256 | 178b029169300c629d6b5dcb6dd95bff9657d25345f8fc0edfc1006df4ad79fd |
| SHA512 | afc38add0726c14deb8d8dffbca65cc73b291dbbb57d409de686a56d46464b9fa7adcbf01eae8860831830539ad480faef8de6d9cd3d5a2c4983701eada02674 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-03 06:27
Reported
2023-07-03 06:30
Platform
win10v2004-20230621-en
Max time kernel
151s
Max time network
135s
Command Line
Signatures
FlawedAmmyy RAT
Drops file in System32 directory
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe
"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe"
C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe
"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe
"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.235:443 | | tcp |
| US | 8.8.8.8:53 | 148.129.42.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.104.243.136.in-addr.arpa | udp |
| NL | 95.101.74.148:443 | www.bing.com | tcp |
| NL | 95.101.74.148:443 | www.bing.com | tcp |
| NL | 95.101.74.148:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 148.74.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| US | 93.184.221.240:80 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | 714f2508d4227f74b6adacfef73815d8 |
| SHA1 | a35c8a796e4453c0c09d011284b806d25bdad04c |
| SHA256 | a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480 |
| SHA512 | 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8 |
C:\ProgramData\AMMYY\hr3
| MD5 | 1c2317867950c4b3d1a11a28e2cfcd82 |
| SHA1 | 2d6a339fb9cf7ae87258f9cd0f7043341ffae748 |
| SHA256 | b7aacd30c61f525df2b2683a0bcab426bcb7d016c8cf1ee768b885ac9bc7bc3e |
| SHA512 | a07537506776e249c185b253cb82282d0704f70491539caa904f0c0d5a265adbe0d77c68fc40b8452f29d7a5cc5f6ffa6dfb433f625c92af0bd96941bf1072fe |
C:\ProgramData\AMMYY\hr
| MD5 | ac323403c9d8a31f4ec297b46e96eb3f |
| SHA1 | 81954c74cd9de3c0ecb5db7c35f220af7ae3ecc2 |
| SHA256 | a62fb87bb81fe6779565b5f9a83e90d83f5852e7b1a42312f0183aac425507aa |
| SHA512 | 3bad9c20155d653d0e94685bcdaa407c2c296c7f5e93b33c83c3aef197086bfebce01a00f9caa6ae18bcc9d82d0c097321f8fcdc0a564463e8f69eb37748dc95 |