Analysis Overview
SHA256
0778c5742af8ce5cd562449ab529304434d3948f1c4fb68702824ae478844fc0
Threat Level: Known bad
The file AA_v3.5.exe was found to be: Known bad.
Malicious Activity Summary
Ammyyadmin family
FlawedAmmyy RAT
AmmyyAdmin payload
Checks computer location settings
Drops file in System32 directory
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-07-03 06:27
Signatures
AmmyyAdmin payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Ammyyadmin family
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-03 06:27
Reported
2023-07-03 06:30
Platform
win7-20230621-en
Max time kernel
150s
Max time network
145s
Command Line
Signatures
FlawedAmmyy RAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A |
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe
"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe"
C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe
"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe
"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.242:443 | | tcp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | 714f2508d4227f74b6adacfef73815d8 |
| SHA1 | a35c8a796e4453c0c09d011284b806d25bdad04c |
| SHA256 | a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480 |
| SHA512 | 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8 |
C:\ProgramData\AMMYY\hr
| MD5 | aaa83e46bf1bf64a7b6d583095562504 |
| SHA1 | 25c13fb102ace5c91a4349baf4e0309028c8a81e |
| SHA256 | 161b757ee242b2b9510b6857ac944b378b30bb96bc677ff7279f2748f756eb9b |
| SHA512 | 0f4f8b2a557ed039f8e10a32f20ccc12d057701b791f374c3f55803410ff4b64d482f1976df3ab4a8fa4c201e1cb1c9d1729a463b7e85695f514ebfd52ab85c4 |
C:\ProgramData\AMMYY\hr3
| MD5 | 767c30a2abee23fc8de6e55a0b814657 |
| SHA1 | 8eeff64b1c208cbe94e96e87c5c2bac7df7f807d |
| SHA256 | fc3f0c326116f698258d19c59e44905d455a3df3710234b2ede401c7d83c9e81 |
| SHA512 | 7c5025cb0b32455461a0b5c0d51828efb59adebd7e156cce2b4c06e6b90f803459ff00ad01c38b4478bf999ef2a42406fd63590905fc85142156285784bac53b |
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-03 06:27
Reported
2023-07-03 06:30
Platform
win10v2004-20230621-en
Max time kernel
150s
Max time network
133s
Command Line
Signatures
FlawedAmmyy RAT
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A |
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe
"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe"
C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe
"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe
"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume2\Rahman\Discoverer\Softwares\Remote connection softwares\AA_v3.5.exe"
Network
| Country | Destination | Domain | Proto |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.235:443 | | tcp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.129.42.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.104.243.136.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.23.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.74.101.95.in-addr.arpa | udp |
| US | 13.89.179.8:443 | | tcp |
| US | 8.8.8.8:53 | 0.77.109.52.in-addr.arpa | udp |
| US | 209.197.3.8:80 | | tcp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | 714f2508d4227f74b6adacfef73815d8 |
| SHA1 | a35c8a796e4453c0c09d011284b806d25bdad04c |
| SHA256 | a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480 |
| SHA512 | 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8 |
C:\ProgramData\AMMYY\hr
| MD5 | 090ef684fd862129820caf4f835acadf |
| SHA1 | d0bb3c614b4752b47ce1ecd108b8b768c7e25764 |
| SHA256 | c16e2f0f7b6a3549ec5a030233b90a9498cd024848c614d1ada64097ad045413 |
| SHA512 | c91aff90336594a2c828ad007f9f2b5ab16e5169541223a4472504df4262e263346bce27e99421198051dd635d550e7615ce52cdcb47cfd2463e16d7cdf579b5 |
C:\ProgramData\AMMYY\hr3
| MD5 | 88b35de577f5303da8c4fcc0297554cb |
| SHA1 | 45396717f04b9a52a69896cbdea671041da70f02 |
| SHA256 | 4de477963e7c285c5753f812d03fbe95b9c90623cea99f37b7372ffd4c7da1e2 |
| SHA512 | 6f78a10c6e5d631c83ced53eecb609e12a3b0c852e61082454396b63c51a8bddcfb0903a2388394f797bb1bd3fb570e0a01c6bc83f35d95da21318c510fd0e23 |
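The indicators from the two detonations above (behavioral1 on Windows 7, behavioral2 on Windows 10) collected into a small hunting script. This is an added example, not sandbox output or code from the AmmyyAdmin project; the event records it scans are constructed to resemble Sysmon-style telemetry, and their field names (`type`, `cmdline`, `query`, `dst_ip`, `path`, `md5`, `sha256`) are assumptions. Two points the report itself supports shape the rules: `settings3.bin` hashed identically in both runs while `hr` and `hr3` did not, so only `settings3.bin` is matched by hash and the other drops are matched by path; and the `-service -lunch` arguments (the misspelling is the tool's own) appear in both runs, so they are matched as command-line tokens rather than against the sandbox-specific path. The 209.197.3.8 and 13.89.179.8 connections, to which the report attaches no domain, are left out on the assumption that they are platform background traffic rather than sample activity.

```python
"""Match the indicators from the AA_v3.5.exe report against event records.

Added example, not part of the sandbox report. The records in EVENTS are
constructed Sysmon-style telemetry; the field names are assumptions.
"""
import ntpath

# --- indicators copied from the report ------------------------------------
SAMPLE_SHA256 = "0778c5742af8ce5cd562449ab529304434d3948f1c4fb68702824ae478844fc0"
# settings3.bin had the same hash in both detonations; hr and hr3 did not,
# so only settings3.bin is used as a file-hash indicator.
SETTINGS3_MD5 = "714f2508d4227f74b6adacfef73815d8"
C2_DOMAINS = {"rl.ammyy.com"}
# 188.42.129.148 resolved from rl.ammyy.com in both runs; the 136.243.104.x
# hosts were contacted on 443 (one address per run).
C2_ADDRS = {"188.42.129.148", "136.243.104.242", "136.243.104.235"}
DROP_DIR = r"c:\programdata\ammyy"
DROP_NAMES = {"settings3.bin", "hr", "hr3"}
SERVICE_ARGS = {"-service", "-lunch"}  # the misspelling is the tool's own


def norm_path(path: str) -> str:
    """Lower-case and use backslashes so comparisons ignore case and slashes."""
    return path.replace("/", "\\").lower()


def check_process(ev: dict) -> list:
    hits = []
    if ev.get("sha256", "").lower() == SAMPLE_SHA256:
        hits.append("known_sample_sha256")
    # Token match: the image path varies per victim, the argv does not.
    tokens = set(ev.get("cmdline", "").lower().split())
    if SERVICE_ARGS <= tokens:
        hits.append("ammyy_service_launch_args")
    return hits


def check_dns(ev: dict) -> list:
    qname = ev.get("query", "").lower().rstrip(".")
    return ["ammyy_c2_domain"] if qname in C2_DOMAINS else []


def check_network(ev: dict) -> list:
    return ["ammyy_c2_address"] if ev.get("dst_ip") in C2_ADDRS else []


def check_file(ev: dict) -> list:
    hits = []
    head, name = ntpath.split(norm_path(ev.get("path", "")))
    if head == DROP_DIR and name in DROP_NAMES:
        hits.append("ammyy_drop_path")
    if ev.get("md5", "").lower() == SETTINGS3_MD5:
        hits.append("ammyy_settings3_md5")
    return hits


CHECKS = {"process": check_process, "dns": check_dns,
          "network": check_network, "file": check_file}


def hunt(events: list) -> list:
    """Return (event id, rule name) pairs for every indicator match, in order."""
    matches = []
    for ev in events:
        for rule in CHECKS.get(ev.get("type"), lambda e: [])(ev):
            matches.append((ev["id"], rule))
    return matches


# Constructed sample telemetry (not from the report); ids are arbitrary.
EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe readme.txt", "sha256": "deadbeef"},
    {"id": 2, "type": "process",
     "image": r"C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\AA_v3.5.exe" -service -lunch',
     "sha256": SAMPLE_SHA256.upper()},
    {"id": 3, "type": "dns", "query": "www.example.com"},
    {"id": 4, "type": "dns", "query": "RL.AMMYY.COM."},
    {"id": 5, "type": "network", "dst_ip": "188.42.129.148", "dst_port": 80},
    {"id": 6, "type": "file", "path": "C:/ProgramData/AMMYY/settings3.bin",
     "md5": SETTINGS3_MD5},
    {"id": 7, "type": "file", "path": r"C:\ProgramData\AMMYY\hr3",
     "md5": "767c30a2abee23fc8de6e55a0b814657"},
    {"id": 8, "type": "file", "path": r"C:\Users\Admin\Documents\hr", "md5": "00"},
]

if __name__ == "__main__":
    for event_id, rule in hunt(EVENTS):
        print(f"event {event_id}: {rule}")
```

Event 7 matches on path only: its `hr3` hash is the Windows 7 value, which the Windows 10 run did not reproduce, so a hash rule on it would miss the same tool on the next host. Event 8 shows why the directory is part of the path rule: a file merely named `hr` outside `C:\ProgramData\AMMYY` is not flagged.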