Malware Analysis Report

2024-10-16 05:12

Sample ID 231031-rdh52ahc6z
Target b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe.zip
SHA256 0c0009017418b3e533c8713b402fc68cc4bbf68978433e145e087cfaddbf523f
Tags ammyyadmin flawedammyy trojan
Score 10/10


Analysis Overview

Score 10/10

SHA256 0c0009017418b3e533c8713b402fc68cc4bbf68978433e145e087cfaddbf523f

Threat Level: Known bad

The file b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe.zip was found to be: Known bad.

Malicious Activity Summary

ammyyadmin flawedammyy trojan

AmmyyAdmin payload

Ammyyadmin family

FlawedAmmyy RAT

Checks computer location settings

Drops file in System32 directory

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported 2023-10-31 14:04

Signatures

AmmyyAdmin payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Ammyyadmin family

ammyyadmin

Analysis: behavioral1

Detonation Overview

Submitted 2023-10-31 14:04
Reported 2023-10-31 14:29
Platform win7-20231020-en
Max time kernel 150s
Max time network 143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c105953f7e3c0774e53b26b | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 98d6346d05c755707e279daf609677bf68e343023822a084c417e43e7ad97582f99e1d073c4907e176ded32dd32b1203fefbf262767812c0d39da07d3793117fe4b26681 | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe

"C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe"

C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe

"C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe

"C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | rl.ammyy.com | udp
NL | 188.42.129.148:80 | rl.ammyy.com | tcp
DE | 136.243.104.242:443 | | tcp

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 e4f7224ed356915816bebb715326d18a
SHA1 8b441bb4276212b9e774cba75fdbb723cb68af93
SHA256 74378574282fceda54a869e384dffdf9d7d202d5a1937d781fcc501d6115e93c
SHA512 5a7fc84ea39311ef5277aaf3fa0e207b6e095ec236ea877756da7849d38678b8e73a7bd5ea49ae51ae730adc2a56cd79dd0fc3be63bcbb58ae50f9f030140ba2

C:\ProgramData\AMMYY\hr

MD5 be306dca2a8c25e8dd850d5ebfe8ea1c
SHA1 4490447f8cb869949aac4bea1d98a6884935cf8d
SHA256 05289d316689e257f5a3c84d10b9d83e28841d97e9d41bc507dbc25dea0f8cac
SHA512 b6e04b27ced686b6dfae2da3a0c8d58890d5d50b9c6a053dd2cc442d28d659545f98f0b33e4b67fd1584d8ac65914015d1711206de08798a1ae98ae2dc8b6cf0

C:\ProgramData\AMMYY\hr3

MD5 7981e49f6379be34ce926908a3bdcf09
SHA1 3a08db5b3d82e97918b6b8583bfa20f1bff5b2aa
SHA256 a508d17919e4ad33e7d077986c87abea8166ceb09716532f938b61e0bdd94de3
SHA512 f4bcf67b866ef2d75ed0455110591be508a5be227401df4bfe44c35715c8ca400acc8585b661e73ec34ae5aba7e594817d7ce9a78f58d5bd3cada0ef2335a66b

Analysis: behavioral2

Detonation Overview

Submitted 2023-10-31 14:04
Reported 2023-10-31 14:29
Platform win10v2004-20231023-en
Max time kernel 150s
Max time network 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e155253ca47066b4e53b26b | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 4bffcce6425f116508fb4e5aab090abd1e54e4390be6356893c47cc71c400e992df95d615801abfdc6fb9dcda22a18160dfa08c38f9f0d7ab8406cc41acf2d005a9e7891 | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe

"C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe"

C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe

"C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe

"C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | rl.ammyy.com | udp
NL | 188.42.129.148:80 | rl.ammyy.com | tcp
DE | 136.243.104.235:443 | | tcp
US | 8.8.8.8:53 | 148.129.42.188.in-addr.arpa | udp
US | 8.8.8.8:53 | 235.104.243.136.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 89.65.42.20.in-addr.arpa | udp

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 e4f7224ed356915816bebb715326d18a
SHA1 8b441bb4276212b9e774cba75fdbb723cb68af93
SHA256 74378574282fceda54a869e384dffdf9d7d202d5a1937d781fcc501d6115e93c
SHA512 5a7fc84ea39311ef5277aaf3fa0e207b6e095ec236ea877756da7849d38678b8e73a7bd5ea49ae51ae730adc2a56cd79dd0fc3be63bcbb58ae50f9f030140ba2

C:\ProgramData\AMMYY\hr3

MD5 997e6633a8151d797843790b946906cb
SHA1 5100e9f873ee45d45271e58f322e5e1e2122d2a5
SHA256 bf47804fa789f7e65b511296a39e7a78079f1766030fe3df27cfebc11484c375
SHA512 fa7e9ea5fc0170ac83579f9711954f7f19263f6225e266fed76f6ca9d25d3a4b7182a672088120c35180f20d297654159711741ff6eaaa61e088c4f7e20d45b0

C:\ProgramData\AMMYY\hr

MD5 7d8a3b4643febcb8281981dad0c2eb80
SHA1 474059b366d2e71859cef61ad3255b72169a6b5d
SHA256 39f07b0fd9c3cd6ce982a3358718c161d2cddf7cda9166d796e34d62ef6fe2f0
SHA512 ceafa73221d724029319d4aea3c7196397c82d20f7b98129120e179a94d5f8c0d6ca27b2d299cc9b8688cdfa4d343f6f48c60bb9f8029758b1f7654b7346599e