Malware Analysis Report

2024-10-24 20:54

Sample ID 230703-g75wsagc3s
Target AA_v3.5.exe
SHA256 0778c5742af8ce5cd562449ab529304434d3948f1c4fb68702824ae478844fc0
Tags ammyyadmin flawedammyy trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 0778c5742af8ce5cd562449ab529304434d3948f1c4fb68702824ae478844fc0

Threat Level: Known bad

The file AA_v3.5.exe was found to be: Known bad.

Malicious Activity Summary

ammyyadmin flawedammyy trojan

Ammyyadmin family

FlawedAmmyy RAT

AmmyyAdmin payload

Checks computer location settings

Drops file in System32 directory

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-07-03 06:27

Signatures

AmmyyAdmin payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Ammyyadmin family

ammyyadmin

Analysis: behavioral1

Detonation Overview

Submitted 2023-07-03 06:27
Reported 2023-07-03 06:30
Platform win7-20230621-en
Max time kernel 150s
Max time network 145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c105953e78c004f3ff2b16b | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 90e07713fac65a5b225592a3103972d85b8ded855010a6ba3e2580502f349dee30a3ae0c05f0ee58ea4d551cc2419acfe0e030713784f075399fabcc063858c10801a610 | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A

Processes

Process: C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe"

Process: C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe" -service -lunch

Process: C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | rl.ammyy.com | udp
NL | 188.42.129.148:80 | rl.ammyy.com | tcp
DE | 136.243.104.242:443 | | tcp

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 714f2508d4227f74b6adacfef73815d8
SHA1 a35c8a796e4453c0c09d011284b806d25bdad04c
SHA256 a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480
SHA512 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

C:\ProgramData\AMMYY\hr

MD5 aaa83e46bf1bf64a7b6d583095562504
SHA1 25c13fb102ace5c91a4349baf4e0309028c8a81e
SHA256 161b757ee242b2b9510b6857ac944b378b30bb96bc677ff7279f2748f756eb9b
SHA512 0f4f8b2a557ed039f8e10a32f20ccc12d057701b791f374c3f55803410ff4b64d482f1976df3ab4a8fa4c201e1cb1c9d1729a463b7e85695f514ebfd52ab85c4

C:\ProgramData\AMMYY\hr3

MD5 767c30a2abee23fc8de6e55a0b814657
SHA1 8eeff64b1c208cbe94e96e87c5c2bac7df7f807d
SHA256 fc3f0c326116f698258d19c59e44905d455a3df3710234b2ede401c7d83c9e81
SHA512 7c5025cb0b32455461a0b5c0d51828efb59adebd7e156cce2b4c06e6b90f803459ff00ad01c38b4478bf999ef2a42406fd63590905fc85142156285784bac53b

Analysis: behavioral2

Detonation Overview

Submitted 2023-07-03 06:27
Reported 2023-07-03 06:30
Platform win10v2004-20230621-en
Max time kernel 150s
Max time network 133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e15525351ad9d4c3ff2b16b | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 2de8d209c8dd70ff541e03acc1eece1d499979d93548908ab1847129e8dc1c1e3b6aeac05ae8f023fe7ddf8a2801e49a9a963cf1f45fa85acb3371c80a9e702f0a409e45 | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A

Processes

Process: C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe"

Process: C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe" -service -lunch

Process: C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe"

Network

Country | Destination | Domain | Proto
US | 209.197.3.8:80 | | tcp
US | 8.8.8.8:53 | rl.ammyy.com | udp
NL | 188.42.129.148:80 | rl.ammyy.com | tcp
DE | 136.243.104.235:443 | | tcp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 148.129.42.188.in-addr.arpa | udp
US | 8.8.8.8:53 | 235.104.243.136.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 254.23.238.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 216.74.101.95.in-addr.arpa | udp
US | 13.89.179.8:443 | | tcp
US | 8.8.8.8:53 | 0.77.109.52.in-addr.arpa | udp
US | 209.197.3.8:80 | | tcp

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 714f2508d4227f74b6adacfef73815d8
SHA1 a35c8a796e4453c0c09d011284b806d25bdad04c
SHA256 a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480
SHA512 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

C:\ProgramData\AMMYY\hr

MD5 090ef684fd862129820caf4f835acadf
SHA1 d0bb3c614b4752b47ce1ecd108b8b768c7e25764
SHA256 c16e2f0f7b6a3549ec5a030233b90a9498cd024848c614d1ada64097ad045413
SHA512 c91aff90336594a2c828ad007f9f2b5ab16e5169541223a4472504df4262e263346bce27e99421198051dd635d550e7615ce52cdcb47cfd2463e16d7cdf579b5

C:\ProgramData\AMMYY\hr3

MD5 88b35de577f5303da8c4fcc0297554cb
SHA1 45396717f04b9a52a69896cbdea671041da70f02
SHA256 4de477963e7c285c5753f812d03fbe95b9c90623cea99f37b7372ffd4c7da1e2
SHA512 6f78a10c6e5d631c83ced53eecb609e12a3b0c852e61082454396b63c51a8bddcfb0903a2388394f797bb1bd3fb570e0a01c6bc83f35d95da21318c510fd0e23