Malware Analysis Report

2024-10-24 20:55

Sample ID 230703-g75wsagc21
Target AA_v3.5.exe
SHA256 d40612998412aab4203e0fcb372a77110d851f4dd05ed19714187c518c6983ab
Tags ammyyadmin flawedammyy trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256

d40612998412aab4203e0fcb372a77110d851f4dd05ed19714187c518c6983ab

Threat Level: Known bad

The file AA_v3.5.exe was found to be: Known bad.

Malicious Activity Summary

ammyyadmin flawedammyy trojan

AmmyyAdmin payload

FlawedAmmyy RAT

Ammyyadmin family

Checks computer location settings

Drops file in System32 directory

Modifies data under HKEY_USERS

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-03 06:27

Signatures

AmmyyAdmin payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Ammyyadmin family

ammyyadmin

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-03 06:27

Reported

2023-07-03 06:30

Platform

win7-20230621-en

Max time kernel

150s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3419557010-3639509551-242374962-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c105953f73fc94d3ff2b16b | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 9822129f26ba988ab4cd9fbcfeb1b718497b12c8af55a2fd9c2fccf836ee9b47ab42adbb9a564acfdddc17b061532586a1297be2c224accf50a83709423b8e2bbf09b3f5 | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe

"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe"

C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe

"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe

"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | rl.ammyy.com | udp
NL | 188.42.129.148:80 | rl.ammyy.com | tcp
DE | 136.243.104.242:443 | | tcp

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 714f2508d4227f74b6adacfef73815d8
SHA1 a35c8a796e4453c0c09d011284b806d25bdad04c
SHA256 a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480
SHA512 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

C:\ProgramData\AMMYY\hr

MD5 edc78883b0c6f8b4067613814ece8c1d
SHA1 7284bf4e565930ec6d04c9bef45fe03a83745219
SHA256 228c1e8840d05f133ed9b49fdd12d5958f78a8af244b3ee6a13daa514505d76a
SHA512 ddd479882fc79eec5685acbda83a4ccd308eada96eb0359741edf442d9af5586511908e907a3795a6d0bea6a9538d46e1901e0b2bdb120f50f46d44f27edac4a

C:\ProgramData\AMMYY\hr3

MD5 6ff74a1430e717a590bff4d881aaa871
SHA1 3b9f1f47b53721482050f54767f539137ce07d5b
SHA256 178b029169300c629d6b5dcb6dd95bff9657d25345f8fc0edfc1006df4ad79fd
SHA512 afc38add0726c14deb8d8dffbca65cc73b291dbbb57d409de686a56d46464b9fa7adcbf01eae8860831830539ad480faef8de6d9cd3d5a2c4983701eada02674

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-03 06:27

Reported

2023-07-03 06:30

Platform

win10v2004-20230621-en

Max time kernel

151s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e1552539599574f3ff2b16b | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = b0703d68f1a89bd846995d246e41a95dcdfed32451bb092699a9c56c0da9dae808fdddc3cc39c6430659462611437fba67bd3401efff81da483f6bfa9d0678ed85a6bb3f | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe

"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe"

C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe

"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe

"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Shared_Document\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | rl.ammyy.com | udp
NL | 188.42.129.148:80 | rl.ammyy.com | tcp
DE | 136.243.104.235:443 | | tcp
US | 8.8.8.8:53 | 148.129.42.188.in-addr.arpa | udp
US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 235.104.243.136.in-addr.arpa | udp
NL | 95.101.74.148:443 | www.bing.com | tcp
NL | 95.101.74.148:443 | www.bing.com | tcp
NL | 95.101.74.148:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 148.74.101.95.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 93.184.221.240:80 | | tcp
US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp
US | 93.184.221.240:80 | | tcp
US | 93.184.221.240:80 | | tcp
US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 714f2508d4227f74b6adacfef73815d8
SHA1 a35c8a796e4453c0c09d011284b806d25bdad04c
SHA256 a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480
SHA512 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

C:\ProgramData\AMMYY\hr3

MD5 1c2317867950c4b3d1a11a28e2cfcd82
SHA1 2d6a339fb9cf7ae87258f9cd0f7043341ffae748
SHA256 b7aacd30c61f525df2b2683a0bcab426bcb7d016c8cf1ee768b885ac9bc7bc3e
SHA512 a07537506776e249c185b253cb82282d0704f70491539caa904f0c0d5a265adbe0d77c68fc40b8452f29d7a5cc5f6ffa6dfb433f625c92af0bd96941bf1072fe

C:\ProgramData\AMMYY\hr

MD5 ac323403c9d8a31f4ec297b46e96eb3f
SHA1 81954c74cd9de3c0ecb5db7c35f220af7ae3ecc2
SHA256 a62fb87bb81fe6779565b5f9a83e90d83f5852e7b1a42312f0183aac425507aa
SHA512 3bad9c20155d653d0e94685bcdaa407c2c296c7f5e93b33c83c3aef197086bfebce01a00f9caa6ae18bcc9d82d0c097321f8fcdc0a564463e8f69eb37748dc95