Malware Analysis Report

2024-10-16 05:13

Sample ID 231025-n8wstshd2w
Target AA_v3.exe
SHA256 ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a
Tags
flawedammyy bootkit persistence trojan ammyyadmin
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ee573647477339784dcef81024de1be1762833a20e5cc2b89a93e47d05b86b6a

Threat Level: Known bad

The file AA_v3.exe was found to be: Known bad.

Malicious Activity Summary

flawedammyy bootkit persistence trojan ammyyadmin

Ammyyadmin family

FlawedAmmyy RAT

AmmyyAdmin payload

Writes to the Master Boot Record (MBR)

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-25 12:04

Signatures

AmmyyAdmin payload

Description Indicator Process Target
N/A N/A N/A N/A

Ammyyadmin family

ammyyadmin

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-25 12:04

Reported

2023-10-25 12:07

Platform

win10v2004-20231020-en

Max time kernel

91s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3440 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\AA_v3.exe C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
PID 3440 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\AA_v3.exe C:\Users\Admin\AppData\Local\Temp\AA_v3.exe
PID 3440 wrote to memory of 1672 N/A C:\Users\Admin\AppData\Local\Temp\AA_v3.exe C:\Users\Admin\AppData\Local\Temp\AA_v3.exe

Processes

C:\Users\Admin\AppData\Local\Temp\AA_v3.exe

"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"

C:\Users\Admin\AppData\Local\Temp\AA_v3.exe

"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\AA_v3.exe

"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 29.81.57.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 254.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
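The rows above are reverse-DNS (PTR) queries sent to 8.8.8.8, not connections to the named hosts, and the report attributes them to no process (the Windows 7 run produced no network traffic at all). To pivot on them you need the addresses they ask about, which the in-addr.arpa form encodes octet-reversed. The following Python is an added example, not part of the report: it inverts in-addr.arpa and ip6.arpa names, parses rows in this table's layout, and returns a deduplicated list of globally routable addresses. SAMPLE_ROWS is a constructed excerpt that reuses names from the table; corroborate any address it yields against process-level data before treating it as FlawedAmmyy C2.

```python
import ipaddress

# Constructed excerpt in the report's Network-table layout:
# country, resolver:port, queried name, protocol. Names are from the behavioral2 table.
SAMPLE_ROWS = """\
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 29.81.57.23.in-addr.arpa udp
"""

HEX_DIGITS = set("0123456789abcdef")


def ptr_name_to_ip(qname):
    """Invert a reverse-DNS owner name.

    Returns an IPv4Address or IPv6Address, or None when the name is not a
    well-formed PTR name (wrong label count, non-numeric octet, octet > 255).
    """
    name = qname.rstrip(".").lower()
    try:
        if name.endswith(".in-addr.arpa"):
            labels = name[: -len(".in-addr.arpa")].split(".")
            if len(labels) != 4 or not all(label.isdigit() for label in labels):
                return None
            # in-addr.arpa lists the octets least-significant first
            return ipaddress.IPv4Address(".".join(reversed(labels)))
        if name.endswith(".ip6.arpa"):
            nibbles = name[: -len(".ip6.arpa")].split(".")
            if len(nibbles) != 32 or not all(len(n) == 1 and n in HEX_DIGITS for n in nibbles):
                return None
            digits = "".join(reversed(nibbles))  # 32 hex digits, most-significant first
            return ipaddress.IPv6Address(":".join(digits[i:i + 4] for i in range(0, 32, 4)))
    except ValueError:  # e.g. an octet such as 300
        return None
    return None


def parse_network_rows(rows):
    """Return (queried_name, ip, resolver, proto) for every PTR row; skip other lines."""
    out = []
    for line in rows.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _country, resolver, qname, proto = parts
        ip = ptr_name_to_ip(qname)
        if ip is not None:
            out.append((qname, ip, resolver, proto))
    return out


def pivot_addresses(rows, drop_non_global=True):
    """Unique addresses the PTR queries asked about, sorted, with private/reserved
    space dropped so that loopback or RFC 1918 lookups do not pollute the pivot list."""
    ips = {ip for _q, ip, _r, _p in parse_network_rows(rows)}
    if drop_non_global:
        ips = {ip for ip in ips if ip.is_global}
    return [str(ip) for ip in sorted(ips, key=lambda ip: (ip.version, int(ip)))]


if __name__ == "__main__":
    for qname, ip, resolver, proto in parse_network_rows(SAMPLE_ROWS):
        print(f"{qname:40s} -> {ip}  (via {resolver}/{proto})")
    print("pivot list:", pivot_addresses(SAMPLE_ROWS))
```

The resulting addresses are the right unit for a threat-intel lookup; the PTR names themselves are not.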

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 a206dd1f94957b5fae7003c7b605474e
SHA1 964d0653fe77bf802f02cdc0af6da5eb3112e894
SHA256 0a313a840a288d210c997db471bfc8ad873886560812b9ad8e94cce2dfc2efa3
SHA512 9545114bfd5426a0c304de538b0bfcca0c71a6b7dae710a9dec44a81e7b33e4abf0e34397ecacfe2b25df1eac3c0cbb510269dd07fd1483545f461a4c8e0dee1

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-25 12:04

Reported

2023-10-25 12:07

Platform

win7-20231020-en

Max time kernel

122s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A
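The `File opened for modification \??\PhysicalDrive0` indicator above, reported identically in the behavioral2 run, is what trips the sandbox's "Writes to the Master Boot Record (MBR)" signature. It records that AA_v3.exe obtained a write-capable handle to the raw first disk; it does not show that sector 0 was rewritten, and the report contains no before/after boot-sector comparison. FlawedAmmyy is tracked as a remote-access trojan, so treat the bootkit/persistence tag as unconfirmed until sector 0 is compared across the detonation. The following Python is an added example, not part of the report or of the sample: it parses a 512-byte MBR, names the regions that differ between two captures, and includes a raw-device reader (`\\.\PhysicalDrive0` is the standard Windows device path for the first disk; it needs an elevated process). The sector produced by `build_sample_mbr` is constructed and is not taken from the analysed file.

```python
import hashlib
import struct

# Standard layout of a classic (non-GPT) sector 0.
MBR_SIZE = 512
BOOTSTRAP_END = 0x1B8           # bytes 0x000..0x1B7 hold the boot code
DISK_SIG_OFFSET = 0x1B8         # 4-byte Windows disk signature, then 2 reserved bytes
PARTITION_TABLE_OFFSET = 0x1BE  # four 16-byte partition entries
BOOT_SIG_OFFSET = 0x1FE         # 0x55 0xAA
PROTECTIVE_GPT_TYPE = 0xEE      # a GPT disk carries a single protective entry of this type


def parse_mbr(sector):
    """Split sector 0 into its components; raises ValueError on a wrong-sized input."""
    if len(sector) != MBR_SIZE:
        raise ValueError("expected %d bytes, got %d" % (MBR_SIZE, len(sector)))
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, n_sectors = struct.unpack_from("<II", sector, off + 8)
        if ptype != 0:  # type 0 marks an unused entry
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": n_sectors})
    return {
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_END]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0],
        "partitions": partitions,
        "signature_ok": sector[BOOT_SIG_OFFSET:] == b"\x55\xAA",
        "protective_gpt": any(p["type"] == PROTECTIVE_GPT_TYPE for p in partitions),
    }


def diff_mbr(baseline, current):
    """Names of the sector-0 regions that differ between two captures (empty list if none).
    A changed bootstrap region is the bootkit case; a changed partition table or
    disk signature points at a different kind of tampering."""
    regions = [("bootstrap code", 0, BOOTSTRAP_END),
               ("disk signature", DISK_SIG_OFFSET, PARTITION_TABLE_OFFSET),
               ("partition table", PARTITION_TABLE_OFFSET, BOOT_SIG_OFFSET),
               ("boot signature", BOOT_SIG_OFFSET, MBR_SIZE)]
    return [name for name, start, end in regions if baseline[start:end] != current[start:end]]


def read_sector0(device=r"\\.\PhysicalDrive0"):
    """Read sector 0 from a raw device. Requires administrator (Windows) or root
    (Linux, e.g. device="/dev/sda"). Capture once before and once after detonation."""
    with open(device, "rb", buffering=0) as fh:
        return fh.read(MBR_SIZE)


def build_sample_mbr(bootstrap_seed=b"\xEB\x63\x90"):
    """Constructed sample sector 0: a short boot-code prefix padded with zeros, a
    disk signature, and one bootable type-0x07 partition at LBA 2048 (1 GiB)."""
    boot = bootstrap_seed + b"\x00" * (BOOTSTRAP_END - len(bootstrap_seed))
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 2097152)
    table = entry + b"\x00" * 48  # remaining three entries unused
    sector = boot + disk_sig + table + b"\x55\xAA"
    assert len(sector) == MBR_SIZE
    return sector


def demo():
    """Compare a constructed baseline against a copy whose boot code was replaced."""
    baseline = build_sample_mbr()
    tampered = build_sample_mbr(bootstrap_seed=b"\xEB\x3C\x90")
    return diff_mbr(baseline, tampered)


if __name__ == "__main__":
    print(parse_mbr(build_sample_mbr()))
    print("changed regions:", demo())
```

Run `read_sector0()` on the analysis VM before and after detonation and feed the two captures to `diff_mbr`; an empty result means the PhysicalDrive0 handle was not used to rewrite the boot sector, whatever the signature name suggests.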

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\AA_v3.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\AA_v3.exe

"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"

C:\Users\Admin\AppData\Local\Temp\AA_v3.exe

"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\AA_v3.exe

"C:\Users\Admin\AppData\Local\Temp\AA_v3.exe"

Network

N/A

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 27a6a354293a808393a408e6ebd5f7b0
SHA1 d4851e3f7e32fe4ec2cebad4bc7a2d0890f06ee9
SHA256 4c53f2b40df7a5c00ff870e714d77f61f44b93cff4702911f10c67c528d81548
SHA512 17f0515be9dc60fffbfe4139e880b127e1d07ec67e465712b8577315bc5db831e8653e213e8531b00fb6e17c37b1279afb8f68247c426203090d105c2b42ea57