Analysis Overview
SHA256
ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
Threat Level: Known bad
The file AA_v3.exe was found to be: Known bad.
Malicious Activity Summary
Ammyyadmin family
FlawedAmmyy RAT
AmmyyAdmin payload
Writes to the Master Boot Record (MBR)
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-25 12:04
Signatures
AmmyyAdmin payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Ammyyadmin family
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-25 12:04
Reported
2023-10-25 12:07
Platform
win10v2004-20231020-en
Max time kernel
91s
Max time network
154s
Command Line
Signatures
FlawedAmmyy RAT
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3440 wrote to memory of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe |
| PID 3440 wrote to memory of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe |
| PID 3440 wrote to memory of 1672 | N/A | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.81.57.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.178.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | a206dd1f94957b5fae7003c7b605474e |
| SHA1 | 964d0653fe77bf802f02cdc0af6da5eb3112e894 |
| SHA256 | 0a313a840a288d210c997db471bfc8ad873886560812b9ad8e94cce2dfc2efa3 |
| SHA512 | 9545114bfd5426a0c304de538b0bfcca0c71a6b7dae710a9dec44a81e7b33e4abf0e34397ecacfe2b25df1eac3c0cbb510269dd07fd1483545f461a4c8e0dee1 |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-25 12:04
Reported
2023-10-25 12:07
Platform
win7-20231020-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
FlawedAmmyy RAT
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2940 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe |
| PID 2940 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe |
| PID 2940 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe |
| PID 2940 wrote to memory of 2492 | N/A | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe | C:\Users\Admin\AppData\Local\Temp\AA_v3.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"
Network
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | 27a6a354293a808393a408e6ebd5f7b0 |
| SHA1 | d4851e3f7e32fe4ec2cebad4bc7a2d0890f06ee9 |
| SHA256 | 4c53f2b40df7a5c00ff870e714d77f61f44b93cff4702911f10c67c528d81548 |
| SHA512 | 17f0515be9dc60fffbfe4139e880b127e1d07ec67e465712b8577315bc5db831e8653e213e8531b00fb6e17c37b1279afb8f68247c426203090d105c2b42ea57 |