Analysis
-
max time kernel
153s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
12-10-2023 02:29
Behavioral task
behavioral1
Sample
AMMYY_Admin.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
AMMYY_Admin.exe
Resource
win10v2004-20230915-en
General
-
Target
AMMYY_Admin.exe
-
Size
651KB
-
MD5
b730e7b8f3eebd51dc21d7997313b890
-
SHA1
57ef7a2d07f3703f84c1d7ad33e34e550d23a6fa
-
SHA256
e4a87095c27219afe9c7a3cb01c13de899e201d2340748a5fc446207c8f99b2a
-
SHA512
05e87e0ac0e6c097cec3e3801c66752f1a69bd3f8b732062b16596fd4e46388e66eb2e4455ede69769dad62cb7a063849cc2199c140c6ba6a498173eaafe051d
-
SSDEEP
12288:caA9OKLSwaIN5U8xvFoRQMEoO2rx8ikfRtjIe9rtv8zl6mi/gQ:AkK+waI8JRQMEJ2rufRtse9rtv8zlBi3
Malware Config
Signatures
-
FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
AMMYY_Admin.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation AMMYY_Admin.exe -
Drops file in System32 directory 12 IoCs
Processes:
AMMYY_Admin.exedescription ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft AMMYY_Admin.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData AMMYY_Admin.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content AMMYY_Admin.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies AMMYY_Admin.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 AMMYY_Admin.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache AMMYY_Admin.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 AMMYY_Admin.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 AMMYY_Admin.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5037AC1E573F140500110A0B67548B5E AMMYY_Admin.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5037AC1E573F140500110A0B67548B5E AMMYY_Admin.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 AMMYY_Admin.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE AMMYY_Admin.exe -
Modifies data under HKEY_USERS 9 IoCs
Processes:
AMMYY_Admin.exedescription ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing AMMYY_Admin.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix AMMYY_Admin.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" AMMYY_Admin.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ AMMYY_Admin.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" AMMYY_Admin.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" AMMYY_Admin.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" AMMYY_Admin.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" AMMYY_Admin.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" AMMYY_Admin.exe -
Suspicious use of AdjustPrivilegeToken 32 IoCs
Processes:
AMMYY_Admin.exedescription pid Process Token: SeBackupPrivilege 4428 AMMYY_Admin.exe Token: SeRestorePrivilege 4428 AMMYY_Admin.exe Token: SeBackupPrivilege 4428 AMMYY_Admin.exe Token: SeRestorePrivilege 4428 AMMYY_Admin.exe Token: SeBackupPrivilege 4428 AMMYY_Admin.exe Token: SeRestorePrivilege 4428 AMMYY_Admin.exe Token: SeBackupPrivilege 4428 AMMYY_Admin.exe Token: SeRestorePrivilege 4428 AMMYY_Admin.exe Token: SeBackupPrivilege 4428 AMMYY_Admin.exe Token: SeRestorePrivilege 4428 AMMYY_Admin.exe Token: SeBackupPrivilege 4428 AMMYY_Admin.exe Token: SeRestorePrivilege 4428 AMMYY_Admin.exe Token: SeBackupPrivilege 4428 AMMYY_Admin.exe Token: SeRestorePrivilege 4428 AMMYY_Admin.exe Token: SeBackupPrivilege 4428 AMMYY_Admin.exe Token: SeRestorePrivilege 4428 AMMYY_Admin.exe Token: SeBackupPrivilege 4428 AMMYY_Admin.exe Token: SeRestorePrivilege 4428 AMMYY_Admin.exe Token: SeBackupPrivilege 4428 AMMYY_Admin.exe Token: SeRestorePrivilege 4428 AMMYY_Admin.exe Token: SeBackupPrivilege 4428 AMMYY_Admin.exe Token: SeRestorePrivilege 4428 AMMYY_Admin.exe Token: SeBackupPrivilege 4428 AMMYY_Admin.exe Token: SeRestorePrivilege 4428 AMMYY_Admin.exe Token: SeBackupPrivilege 4428 AMMYY_Admin.exe Token: SeRestorePrivilege 4428 AMMYY_Admin.exe Token: SeBackupPrivilege 4428 AMMYY_Admin.exe Token: SeRestorePrivilege 4428 AMMYY_Admin.exe Token: SeBackupPrivilege 4428 AMMYY_Admin.exe Token: SeRestorePrivilege 4428 AMMYY_Admin.exe Token: SeBackupPrivilege 4428 AMMYY_Admin.exe Token: SeRestorePrivilege 4428 AMMYY_Admin.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
AMMYY_Admin.exepid Process 4428 AMMYY_Admin.exe -
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
AMMYY_Admin.exepid Process 4428 AMMYY_Admin.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
AMMYY_Admin.exedescription pid Process procid_target PID 4844 wrote to memory of 4428 4844 AMMYY_Admin.exe 89 PID 4844 wrote to memory of 4428 4844 AMMYY_Admin.exe 89 PID 4844 wrote to memory of 4428 4844 AMMYY_Admin.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\AMMYY_Admin.exe"C:\Users\Admin\AppData\Local\Temp\AMMYY_Admin.exe"1⤵PID:1452
-
C:\Users\Admin\AppData\Local\Temp\AMMYY_Admin.exe"C:\Users\Admin\AppData\Local\Temp\AMMYY_Admin.exe" -service -lunch1⤵
- Suspicious use of WriteProcessMemory
PID:4844 -
C:\Users\Admin\AppData\Local\Temp\AMMYY_Admin.exe"C:\Users\Admin\AppData\Local\Temp\AMMYY_Admin.exe"2⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4428
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
76B
MD5090bba5cbe9cd62189310f633f14d686
SHA10ce1d78aace04650b0c592665686a89412c1771c
SHA2567bc48188bbd0ad1b7ac10257e6a8fc5327f2ccfd56402a4353f6d8ef26eb0ff8
SHA512846781bdb4d8902963f1859077c8db4c763fdd4ca28f0be83b95c20d324b5db030f312fc3d4f959dc05ca4f41ef872a49d123195494b16440e16ebcc5edb31a7