ammyyadmin | c4c0df629f8dbb15bf56089c1bb1f31e4fcc485376ec771942a997bb1654ee9b

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
06-09-2023 17:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PaymentProofsigned_JC.exe
Size

8.0MB
MD5

302ed52d9459e06cc2d4b81de0e2295c
SHA1

73049a2f4f19b01adb05df3c3d073cb6066169e6
SHA256

c4c0df629f8dbb15bf56089c1bb1f31e4fcc485376ec771942a997bb1654ee9b
SHA512

12fcc7521996f39ea48025e5dc2932901797b537b85e2552b9029c13cfbdd220b2de7291b92907bc1bdb3dcb765f28a56ed338230befeb710ec2521a52c8d0c7
SSDEEP

196608:K2stp2jOusPS2pYOUL2SQppEvoLSS167JaOTp:GqO9S2uQ0voLSS16VaOt

Score

10^/10

ammyyadmin persistence rat

Malware Config

Signatures

Ammyy Admin
Remote admin tool with various capabilities.
rat ammyyadmin

AmmyyAdmin payload 6 IoCs

resource	yara_rule
behavioral2/memory/4516-48-0x0000000000400000-0x0000000000715000-memory.dmp	family_ammyyadmin
behavioral2/memory/3544-59-0x0000000000400000-0x0000000000715000-memory.dmp	family_ammyyadmin
behavioral2/memory/4516-64-0x0000000000400000-0x0000000000715000-memory.dmp	family_ammyyadmin
behavioral2/memory/3544-65-0x0000000000400000-0x0000000000715000-memory.dmp	family_ammyyadmin
behavioral2/memory/3544-78-0x0000000000400000-0x0000000000715000-memory.dmp	family_ammyyadmin
behavioral2/memory/3544-90-0x0000000000400000-0x0000000000715000-memory.dmp	family_ammyyadmin

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\Control Panel\International\Geo\Nation	installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\Control Panel\International\Geo\Nation	PaymentProofsigned_JC.exe

Executes dropped EXE 3 IoCs

pid	Process
980	installer.exe
4516	EventAgentHost.exe
3544	EventAgentHost.exe

Loads dropped DLL 2 IoCs

pid	Process
4516	EventAgentHost.exe
3544	EventAgentHost.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\tmp7145.dat	cmd.exe
File opened for modification	C:\Windows\SysWOW64\tmp7145.dat	cmd.exe
File created	C:\Windows\SysWOW64\misc.props	cmd.exe
File opened for modification	C:\Windows\SysWOW64\misc.props	cmd.exe
File created	C:\Windows\SysWOW64\ExtXmlParser.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\ExtXmlParser.dll	cmd.exe
File created	C:\Windows\SysWOW64\EventAgentHost.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\EventAgentHost.exe	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4516	EventAgentHost.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3608	sc.exe
1480	sc.exe
2264	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
980	installer.exe
980	installer.exe
4516	EventAgentHost.exe
3544	EventAgentHost.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 336 wrote to memory of 980	336	PaymentProofsigned_JC.exe	85
PID 336 wrote to memory of 980	336	PaymentProofsigned_JC.exe	85
PID 336 wrote to memory of 980	336	PaymentProofsigned_JC.exe	85
PID 980 wrote to memory of 1520	980	installer.exe	87
PID 980 wrote to memory of 1520	980	installer.exe	87
PID 980 wrote to memory of 1520	980	installer.exe	87
PID 1520 wrote to memory of 3608	1520	cmd.exe	89
PID 1520 wrote to memory of 3608	1520	cmd.exe	89
PID 1520 wrote to memory of 3608	1520	cmd.exe	89
PID 1520 wrote to memory of 1480	1520	cmd.exe	90
PID 1520 wrote to memory of 1480	1520	cmd.exe	90
PID 1520 wrote to memory of 1480	1520	cmd.exe	90
PID 1520 wrote to memory of 2264	1520	cmd.exe	91
PID 1520 wrote to memory of 2264	1520	cmd.exe	91
PID 1520 wrote to memory of 2264	1520	cmd.exe	91
PID 4516 wrote to memory of 3544	4516	EventAgentHost.exe	93
PID 4516 wrote to memory of 3544	4516	EventAgentHost.exe	93
PID 4516 wrote to memory of 3544	4516	EventAgentHost.exe	93

C:\Users\Admin\AppData\Local\Temp\PaymentProofsigned_JC.exe
"C:\Users\Admin\AppData\Local\Temp\PaymentProofsigned_JC.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:336
- C:\Users\Admin\AppData\Local\Temp\installer.exe
  "C:\Users\Admin\AppData\Local\Temp\installer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\ethtask.bat"
    3⤵
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Windows\SysWOW64\sc.exe
      sc create EventAgentHost binpath= "C:\Windows\system32\EventAgentHost.exe -service" displayname= "Host Update Service" start= auto
      4⤵
      Launches sc.exe
      PID:3608
  - - C:\Windows\SysWOW64\sc.exe
      sc description EventAgentHost "Host Update Service"
      4⤵
      Launches sc.exe
      PID:1480
  - - C:\Windows\SysWOW64\sc.exe
      sc start EventAgentHost
      4⤵
      Launches sc.exe
      PID:2264

C:\Windows\SysWOW64\EventAgentHost.exe
C:\Windows\SysWOW64\EventAgentHost.exe -service
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4516
- C:\Windows\SysWOW64\EventAgentHost.exe
  "C:\Windows\SysWOW64\EventAgentHost.exe" -nogui
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:3544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ExtXmlParser.dll

Filesize
1.7MB

MD5
9186e3208a0d4c3ee327afd0c3d719eb

SHA1
f43d327cfdf4da39e8eebe7ee2b6c5440528a4b6

SHA256
f7c9fc5886ec887cf03ef346992628f56d94057e4660b2b9b274bc5ca7358985

SHA512
a1b257a4e31755c27e048b4d971ad93c6a720153a19812db0450771f42c7fa159ace85e2229cfe560a9d49853a13e9384feba0f4e17cdc60ab112cd77301c026

Download Submit
C:\Users\Admin\AppData\Local\Temp\data.dat

Filesize
6.2MB

MD5
501986b978e63ac2b297b49d6f809568

SHA1
9b1ecb7efe5c5a7d976cbe8e03a361f6f15c8343

SHA256
debd856a57d6048f7111cc9b39a2ccb44ea3753b27897fdb4e0138cf062e0ed9

SHA512
0f7daac38fffdc8ed912d6aec3d48956eff575eb9d5160e7fb1d5aa5cad8f51ee8a42ce2eec9ac59cff5097dac300d1c7d437b83dd7e59167fb9c60518473903

Download Submit
C:\Users\Admin\AppData\Local\Temp\ethtask.bat

Filesize
916B

MD5
02d386f64024268840c84bfc50ce9760

SHA1
6c7ae78f611673d19f8a628f00f8bccd897c82b7

SHA256
bbec5ce7ac2de3427c406906c783d77924ffc857374cd748d4b239c837ff5953

SHA512
9845c41111b115f340aae844e22fd1551417a0b83da6106d0fd7d036b9ebe7430bcebf316f09f440fad51a8a0f252039a7091f843cbb09582ec81bbf12487082

Download Submit
C:\Users\Admin\AppData\Local\Temp\installer.exe

Filesize
3.1MB

MD5
7562f6a1e0ba970080cd1e1c4524a9ee

SHA1
264b49819220d29a1feaabea9829e76152ad9394

SHA256
3ddd8fed86ac6d569dd140956119c8545b3dcbafa238fa3e3da175ac7ec3bdca

SHA512
a0e9674933585aadd85d59ffd7ea42bafdc87b21f9431b69b671b3e63567ec459c9cc7f7d79dd84a86cbb38a89619f67a07edc3d2941873147d143318dfb3fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\installer.exe

Filesize
3.1MB

MD5
7562f6a1e0ba970080cd1e1c4524a9ee

SHA1
264b49819220d29a1feaabea9829e76152ad9394

SHA256
3ddd8fed86ac6d569dd140956119c8545b3dcbafa238fa3e3da175ac7ec3bdca

SHA512
a0e9674933585aadd85d59ffd7ea42bafdc87b21f9431b69b671b3e63567ec459c9cc7f7d79dd84a86cbb38a89619f67a07edc3d2941873147d143318dfb3fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\installer.exe

Filesize
3.1MB

MD5
7562f6a1e0ba970080cd1e1c4524a9ee

SHA1
264b49819220d29a1feaabea9829e76152ad9394

SHA256
3ddd8fed86ac6d569dd140956119c8545b3dcbafa238fa3e3da175ac7ec3bdca

SHA512
a0e9674933585aadd85d59ffd7ea42bafdc87b21f9431b69b671b3e63567ec459c9cc7f7d79dd84a86cbb38a89619f67a07edc3d2941873147d143318dfb3fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mfcabout.exe

Filesize
3.0MB

MD5
47a093406c16fefa42eeae03465e8ddc

SHA1
04dd1675d0f46e656a2b8ae7b121996b32844915

SHA256
95bdae7c070e9b1b700f2bf882744344bb86e4a71a376608b6a7b3e01acedb55

SHA512
b95f8da0f4e3ca3a42a84022b7cb89ab16442201401bb517314edd66d836c7edb5961510fb5e4c5c265709e5569252859a5db8d0fa82f86ed7b7033ad8fb3d39

Download Submit
C:\Users\Admin\AppData\Local\Temp\misc.props

Filesize
940KB

MD5
60c4500a0069e139e701995d864b0840

SHA1
7b355d9d1d2699c62d5aa91d6ad5ccb4a97bf448

SHA256
f2020ec9c44c699ce52b8aeaee5365863e895944da5186502ac47983853f3922

SHA512
e33c8b262de57bab76fffb53f97f98fd77df0c0148aaa3ef74a107f756a81d85e0b2b7af2163471e9bbec21ab60b634eec5f5b12fa8d0becaa8a68e423fdfd6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7145.dat

Filesize
62B

MD5
290ac86873e89cb5106adea2f06ca1e7

SHA1
d8c7b15eba803b778e947fd0d9941c77fd52854f

SHA256
3427a33ce4301ffbc6bb5108ca7727974170bd6d53005538801847918de407d3

SHA512
f46887bba95af258dcb7c50a5ec4dd6b1795de3be411ebd1e56d890e3137153fbee2c76e8a62922f9ee1c4f39c67d763b5be475eebdfdb457ebe85e8e1e9b619

Download Submit
C:\Windows\SysWOW64\EventAgentHost.exe

Filesize
3.0MB

MD5
47a093406c16fefa42eeae03465e8ddc

SHA1
04dd1675d0f46e656a2b8ae7b121996b32844915

SHA256
95bdae7c070e9b1b700f2bf882744344bb86e4a71a376608b6a7b3e01acedb55

SHA512
b95f8da0f4e3ca3a42a84022b7cb89ab16442201401bb517314edd66d836c7edb5961510fb5e4c5c265709e5569252859a5db8d0fa82f86ed7b7033ad8fb3d39

Download Submit
C:\Windows\SysWOW64\EventAgentHost.exe

Filesize
3.0MB

MD5
47a093406c16fefa42eeae03465e8ddc

SHA1
04dd1675d0f46e656a2b8ae7b121996b32844915

SHA256
95bdae7c070e9b1b700f2bf882744344bb86e4a71a376608b6a7b3e01acedb55

SHA512
b95f8da0f4e3ca3a42a84022b7cb89ab16442201401bb517314edd66d836c7edb5961510fb5e4c5c265709e5569252859a5db8d0fa82f86ed7b7033ad8fb3d39

Download Submit
C:\Windows\SysWOW64\EventAgentHost.exe

Filesize
3.0MB

MD5
47a093406c16fefa42eeae03465e8ddc

SHA1
04dd1675d0f46e656a2b8ae7b121996b32844915

SHA256
95bdae7c070e9b1b700f2bf882744344bb86e4a71a376608b6a7b3e01acedb55

SHA512
b95f8da0f4e3ca3a42a84022b7cb89ab16442201401bb517314edd66d836c7edb5961510fb5e4c5c265709e5569252859a5db8d0fa82f86ed7b7033ad8fb3d39

Download Submit
C:\Windows\SysWOW64\ExtXmlParser.dll

Filesize
1.7MB

MD5
9186e3208a0d4c3ee327afd0c3d719eb

SHA1
f43d327cfdf4da39e8eebe7ee2b6c5440528a4b6

SHA256
f7c9fc5886ec887cf03ef346992628f56d94057e4660b2b9b274bc5ca7358985

SHA512
a1b257a4e31755c27e048b4d971ad93c6a720153a19812db0450771f42c7fa159ace85e2229cfe560a9d49853a13e9384feba0f4e17cdc60ab112cd77301c026

Download Submit
C:\Windows\SysWOW64\ExtXmlParser.dll

Filesize
1.7MB

MD5
9186e3208a0d4c3ee327afd0c3d719eb

SHA1
f43d327cfdf4da39e8eebe7ee2b6c5440528a4b6

SHA256
f7c9fc5886ec887cf03ef346992628f56d94057e4660b2b9b274bc5ca7358985

SHA512
a1b257a4e31755c27e048b4d971ad93c6a720153a19812db0450771f42c7fa159ace85e2229cfe560a9d49853a13e9384feba0f4e17cdc60ab112cd77301c026

Download Submit
C:\Windows\SysWOW64\ExtXmlParser.dll

Filesize
1.7MB

MD5
9186e3208a0d4c3ee327afd0c3d719eb

SHA1
f43d327cfdf4da39e8eebe7ee2b6c5440528a4b6

SHA256
f7c9fc5886ec887cf03ef346992628f56d94057e4660b2b9b274bc5ca7358985

SHA512
a1b257a4e31755c27e048b4d971ad93c6a720153a19812db0450771f42c7fa159ace85e2229cfe560a9d49853a13e9384feba0f4e17cdc60ab112cd77301c026

Download Submit
C:\Windows\SysWOW64\misc.props

Filesize
940KB

MD5
60c4500a0069e139e701995d864b0840

SHA1
7b355d9d1d2699c62d5aa91d6ad5ccb4a97bf448

SHA256
f2020ec9c44c699ce52b8aeaee5365863e895944da5186502ac47983853f3922

SHA512
e33c8b262de57bab76fffb53f97f98fd77df0c0148aaa3ef74a107f756a81d85e0b2b7af2163471e9bbec21ab60b634eec5f5b12fa8d0becaa8a68e423fdfd6d

Download Submit
C:\Windows\SysWOW64\tmp7145.dat

Filesize
62B

MD5
290ac86873e89cb5106adea2f06ca1e7

SHA1
d8c7b15eba803b778e947fd0d9941c77fd52854f

SHA256
3427a33ce4301ffbc6bb5108ca7727974170bd6d53005538801847918de407d3

SHA512
f46887bba95af258dcb7c50a5ec4dd6b1795de3be411ebd1e56d890e3137153fbee2c76e8a62922f9ee1c4f39c67d763b5be475eebdfdb457ebe85e8e1e9b619

Download Submit
C:\Windows\Temp\GPUCache\80tmp\TCD8F2783.tmp

Filesize
315B

MD5
55eff1ba7ab82272d72f87b51960d4c4

SHA1
4592e8d357911827971938e934df558414df5bd7

SHA256
5809747f9dd70c08f287c068af4551c93dbe50e010606f617ccf058299fde06b

SHA512
9c09c0a1a429118ad85259a723c42e46ad7c4af82f66612c00d0cb0df5c6ca9f2c9532eafab320f023f7acb62d1e8fe42d6e4c63ca9c0d8f69ba454ec628efcf

Download Submit
memory/3544-59-0x0000000000400000-0x0000000000715000-memory.dmp

Filesize
3.1MB

Download
memory/3544-65-0x0000000000400000-0x0000000000715000-memory.dmp

Filesize
3.1MB

Download
memory/3544-78-0x0000000000400000-0x0000000000715000-memory.dmp

Filesize
3.1MB

Download
memory/3544-90-0x0000000000400000-0x0000000000715000-memory.dmp

Filesize
3.1MB

Download
memory/4516-48-0x0000000000400000-0x0000000000715000-memory.dmp

Filesize
3.1MB

Download
memory/4516-45-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4516-39-0x0000000010000000-0x0000000010030000-memory.dmp

Filesize
192KB

Download
memory/4516-64-0x0000000000400000-0x0000000000715000-memory.dmp

Filesize
3.1MB

Download