Analysis Overview
SHA256
0c0009017418b3e533c8713b402fc68cc4bbf68978433e145e087cfaddbf523f
Threat Level: Known bad
The file b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe.zip was found to be: Known bad.
Malicious Activity Summary
AmmyyAdmin payload
Ammyyadmin family
FlawedAmmyy RAT
Checks computer location settings
Drops file in System32 directory
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-31 14:04
Signatures
AmmyyAdmin payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Ammyyadmin family
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-31 14:04
Reported
2023-10-31 14:29
Platform
win7-20231020-en
Max time kernel
150s
Max time network
143s
Command Line
Signatures
FlawedAmmyy RAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c105953f7e3c0774e53b26b | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 98d6346d05c755707e279daf609677bf68e343023822a084c417e43e7ad97582f99e1d073c4907e176ded32dd32b1203fefbf262767812c0d39da07d3793117fe4b26681 | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe
"C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe"
C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe
"C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe
"C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe"
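The process chain above (the sample re-launching itself with `-service -lunch`), the key writes under `HKEY_USERS\.DEFAULT\SOFTWARE\Ammyy`, and the drops into `C:\ProgramData\AMMYY` are the behaviours worth alerting on; the same pattern recurs in behavioral2. The detector below is an added example and not part of the sandbox report. It runs over constructed Sysmon-style event dictionaries whose images, command lines, registry paths and file paths are copied from this report (PIDs and parent/child links are assumed, since the report lists no PIDs), and it normalises the report's `\REGISTRY\USER\` key form to Sysmon's `HKU\` form so one rule covers both sources.

```python
"""Behavioural triage for the FlawedAmmyy pattern in this report (added example)."""
import re
from typing import Dict, List, Tuple

SAMPLE_PATH = (r"C:\Users\Admin\AppData\Local\Temp"
               r"\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe")

# Constructed Sysmon-style events. Paths and values come from the report;
# ProcessId / ParentProcessId values and the explorer.exe parent are assumptions.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 1, "ProcessId": 1001, "ParentProcessId": 800, "Image": SAMPLE_PATH,
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": f'"{SAMPLE_PATH}"'},
    {"EventID": 1, "ProcessId": 1002, "ParentProcessId": 1001, "Image": SAMPLE_PATH,
     "ParentImage": SAMPLE_PATH, "CommandLine": f'"{SAMPLE_PATH}" -service -lunch'},
    {"EventID": 13, "ProcessId": 1002, "Image": SAMPLE_PATH,
     "TargetObject": r"\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr",
     "Details": "537d56736608796e5f5e4c105953f7e3c0774e53b26b"},
    {"EventID": 11, "ProcessId": 1002, "Image": SAMPLE_PATH,
     "TargetFilename": r"C:\ProgramData\AMMYY\settings3.bin"},
    # Constructed benign control: a system service touching its own HKLM key.
    {"EventID": 13, "ProcessId": 600, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Start",
     "Details": "DWORD (0x00000003)"},
]

# Native object-manager prefixes (as printed in the report) -> Sysmon hive names.
HIVE_PREFIXES = {"\\REGISTRY\\MACHINE\\": "HKLM\\", "\\REGISTRY\\USER\\": "HKU\\"}

SERVICE_LAUNCH = re.compile(r"(?:^|\s)-service\s+-lunch(?:\s|$)", re.I)
AMMYY_DEFAULT_HIVE = re.compile(r"^HKU\\\.DEFAULT\\Software\\Ammyy(?:\\|$)", re.I)
AMMYY_DATA_DIR = re.compile(r"^C:\\ProgramData\\AMMYY\\", re.I)
USER_TEMP = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)


def normalize_key(path: str) -> str:
    """Rewrite \\REGISTRY\\USER\\... / \\REGISTRY\\MACHINE\\... to HKU\\ / HKLM\\."""
    for prefix, short in HIVE_PREFIXES.items():
        if path.lower().startswith(prefix.lower()):
            return short + path[len(prefix):]
    return path


def detect(events: List[Dict[str, object]]) -> List[Tuple[str, int]]:
    """Return (rule_name, ProcessId) for every event matching one of the report's behaviours."""
    hits: List[Tuple[str, int]] = []
    for e in events:
        eid, pid, image = e["EventID"], int(e["ProcessId"]), str(e.get("Image", ""))
        if eid == 1:
            if SERVICE_LAUNCH.search(str(e.get("CommandLine", ""))):
                hits.append(("ammyy_service_launch", pid))
            # A binary in a user's Temp directory spawning a copy of itself.
            if USER_TEMP.match(image) and image.lower() == str(e.get("ParentImage", "")).lower():
                hits.append(("temp_binary_respawns_itself", pid))
        elif eid in (12, 13):
            key = normalize_key(str(e["TargetObject"]))
            # HKU\.DEFAULT is the LocalSystem profile hive: a Temp-dir binary
            # writing its config there is already running as SYSTEM.
            if AMMYY_DEFAULT_HIVE.match(key):
                hits.append(("ammyy_config_written_as_system", pid))
        elif eid == 11:
            if AMMYY_DATA_DIR.match(str(e["TargetFilename"])):
                hits.append(("ammyy_programdata_dropped", pid))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:32s} pid={pid}")
```

All four rules fire on the service-launched child (the second process in the chain) and none on the svchost control. The registry rule is the one to weight highest: `HKEY_USERS\.DEFAULT` is the LocalSystem account's hive, and the `C:\Windows\SysWOW64\config\systemprofile` paths in behavioral2 point the same way, so a hit there means the sample's service-mode relaunch is already running as SYSTEM.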
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.242:443 | | tcp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | e4f7224ed356915816bebb715326d18a |
| SHA1 | 8b441bb4276212b9e774cba75fdbb723cb68af93 |
| SHA256 | 74378574282fceda54a869e384dffdf9d7d202d5a1937d781fcc501d6115e93c |
| SHA512 | 5a7fc84ea39311ef5277aaf3fa0e207b6e095ec236ea877756da7849d38678b8e73a7bd5ea49ae51ae730adc2a56cd79dd0fc3be63bcbb58ae50f9f030140ba2 |
C:\ProgramData\AMMYY\hr
| MD5 | be306dca2a8c25e8dd850d5ebfe8ea1c |
| SHA1 | 4490447f8cb869949aac4bea1d98a6884935cf8d |
| SHA256 | 05289d316689e257f5a3c84d10b9d83e28841d97e9d41bc507dbc25dea0f8cac |
| SHA512 | b6e04b27ced686b6dfae2da3a0c8d58890d5d50b9c6a053dd2cc442d28d659545f98f0b33e4b67fd1584d8ac65914015d1711206de08798a1ae98ae2dc8b6cf0 |
C:\ProgramData\AMMYY\hr3
| MD5 | 7981e49f6379be34ce926908a3bdcf09 |
| SHA1 | 3a08db5b3d82e97918b6b8583bfa20f1bff5b2aa |
| SHA256 | a508d17919e4ad33e7d077986c87abea8166ceb09716532f938b61e0bdd94de3 |
| SHA512 | f4bcf67b866ef2d75ed0455110591be508a5be227401df4bfe44c35715c8ca400acc8585b661e73ec34ae5aba7e594817d7ce9a78f58d5bd3cada0ef2335a66b |
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-31 14:04
Reported
2023-10-31 14:29
Platform
win10v2004-20231023-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
FlawedAmmyy RAT
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e155253ca47066b4e53b26b | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 4bffcce6425f116508fb4e5aab090abd1e54e4390be6356893c47cc71c400e992df95d615801abfdc6fb9dcda22a18160dfa08c38f9f0d7ab8406cc41acf2d005a9e7891 | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe
"C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe"
C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe
"C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe
"C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.235:443 | | tcp |
| US | 8.8.8.8:53 | 148.129.42.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.104.243.136.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | e4f7224ed356915816bebb715326d18a |
| SHA1 | 8b441bb4276212b9e774cba75fdbb723cb68af93 |
| SHA256 | 74378574282fceda54a869e384dffdf9d7d202d5a1937d781fcc501d6115e93c |
| SHA512 | 5a7fc84ea39311ef5277aaf3fa0e207b6e095ec236ea877756da7849d38678b8e73a7bd5ea49ae51ae730adc2a56cd79dd0fc3be63bcbb58ae50f9f030140ba2 |
C:\ProgramData\AMMYY\hr3
| MD5 | 997e6633a8151d797843790b946906cb |
| SHA1 | 5100e9f873ee45d45271e58f322e5e1e2122d2a5 |
| SHA256 | bf47804fa789f7e65b511296a39e7a78079f1766030fe3df27cfebc11484c375 |
| SHA512 | fa7e9ea5fc0170ac83579f9711954f7f19263f6225e266fed76f6ca9d25d3a4b7182a672088120c35180f20d297654159711741ff6eaaa61e088c4f7e20d45b0 |
C:\ProgramData\AMMYY\hr
| MD5 | 7d8a3b4643febcb8281981dad0c2eb80 |
| SHA1 | 474059b366d2e71859cef61ad3255b72169a6b5d |
| SHA256 | 39f07b0fd9c3cd6ce982a3358718c161d2cddf7cda9166d796e34d62ef6fe2f0 |
| SHA512 | ceafa73221d724029319d4aea3c7196397c82d20f7b98129120e179a94d5f8c0d6ca27b2d299cc9b8688cdfa4d343f6f48c60bb9f8029758b1f7654b7346599e |
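Comparing the two detonations shows which of these artefacts survive re-execution: `settings3.bin` has the same SHA256 in both Files sections, and `rl.ammyy.com` resolves to `188.42.129.148:80` in both runs, whereas `hr` and `hr3` on disk and the matching `hr`/`hr3` registry values differ per run. The script below is an added example, not part of the report; its input is a hand-copied subset of the two runs' hashes, registry values and relay destination (registry key casing unified to the behavioral1 form), and it separates indicators that are stable across runs from those that are per-run. The `tse1.mm.bing.net` connections and the `in-addr.arpa` lookups in behavioral2 are left out: without process attribution they should be treated as Windows 10 background activity in the sandbox rather than sample traffic.

```python
"""Separate re-execution-stable indicators from per-run ones (added example)."""
import os
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Key = Tuple[str, str]  # (indicator kind, path / key / domain)

# Hand-copied from this report's behavioral1 and behavioral2 sections.
RUNS: Dict[str, Dict[Key, str]] = {
    "behavioral1": {
        ("file", r"C:\ProgramData\AMMYY\settings3.bin"):
            "74378574282fceda54a869e384dffdf9d7d202d5a1937d781fcc501d6115e93c",
        ("file", r"C:\ProgramData\AMMYY\hr"):
            "05289d316689e257f5a3c84d10b9d83e28841d97e9d41bc507dbc25dea0f8cac",
        ("file", r"C:\ProgramData\AMMYY\hr3"):
            "a508d17919e4ad33e7d077986c87abea8166ceb09716532f938b61e0bdd94de3",
        ("reg", r"HKU\.DEFAULT\SOFTWARE\Ammyy\Admin\hr"):
            "537d56736608796e5f5e4c105953f7e3c0774e53b26b",
        ("net", "rl.ammyy.com"): "188.42.129.148:80",
    },
    "behavioral2": {
        ("file", r"C:\ProgramData\AMMYY\settings3.bin"):
            "74378574282fceda54a869e384dffdf9d7d202d5a1937d781fcc501d6115e93c",
        ("file", r"C:\ProgramData\AMMYY\hr"):
            "39f07b0fd9c3cd6ce982a3358718c161d2cddf7cda9166d796e34d62ef6fe2f0",
        ("file", r"C:\ProgramData\AMMYY\hr3"):
            "bf47804fa789f7e65b511296a39e7a78079f1766030fe3df27cfebc11484c375",
        ("reg", r"HKU\.DEFAULT\SOFTWARE\Ammyy\Admin\hr"):
            "537d56736608796d5b5b4e155253ca47066b4e53b26b",
        ("net", "rl.ammyy.com"): "188.42.129.148:80",
    },
}


def split_indicators(runs: Dict[str, Dict[Key, str]]) -> Tuple[Dict[Key, str], Dict[Key, List[str]]]:
    """Stable = one value, seen in every run; volatile = more than one value."""
    values: Dict[Key, Set[str]] = defaultdict(set)
    seen_in: Dict[Key, int] = defaultdict(int)
    for run in runs.values():
        for key, value in run.items():
            values[key].add(value)
            seen_in[key] += 1
    stable = {k: next(iter(v)) for k, v in values.items()
              if len(v) == 1 and seen_in[k] == len(runs)}
    volatile = {k: sorted(v) for k, v in values.items() if len(v) > 1}
    return stable, volatile


def common_affix(a: str, b: str) -> Tuple[int, int]:
    """Lengths of the shared prefix and shared suffix of two hex strings."""
    prefix = len(os.path.commonprefix([a, b]))
    suffix = len(os.path.commonprefix([a[::-1], b[::-1]]))
    return prefix, min(suffix, min(len(a), len(b)) - prefix)


if __name__ == "__main__":
    stable, volatile = split_indicators(RUNS)
    print("stable (safe to hunt on):")
    for (kind, name), value in sorted(stable.items()):
        print(f"  {kind:4s} {name}  {value}")
    print("volatile (per-run, do not hunt on the value):")
    for (kind, name), vals in sorted(volatile.items()):
        print(f"  {kind:4s} {name}  {len(vals)} distinct values")
    a, b = (RUNS[r][("reg", r"HKU\.DEFAULT\SOFTWARE\Ammyy\Admin\hr")] for r in RUNS)
    print("hr value shared prefix/suffix (hex chars):", common_affix(a, b))
```

The practical reading: hunt on the `settings3.bin` hash, the `C:\ProgramData\AMMYY\` path, the `HKU\.DEFAULT\SOFTWARE\Ammyy\Admin` key and the relay destination, and treat the `hr`/`hr3` hashes and values as per-host artefacts to collect, not to match on. The two `hr` registry values nevertheless share their first 15 and last 8 hex characters, so the key's presence and shape are usable even though its exact value is not.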