Malware Analysis Report

2024-10-16 05:10

Sample ID 231031-rdlwxshc8w
Target 349f7e00ee29b349b00c32318cb9b829b162167702957295712d37ebbb2a7a9a.exe.zip
SHA256 9fa6913cdcf9b6aad02d3116c20aa03506891265448fe013bd0b35f7a415a9ef
Tags: flawedammyy trojan ammyyadmin
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 9fa6913cdcf9b6aad02d3116c20aa03506891265448fe013bd0b35f7a415a9ef

Threat Level: Known bad

The file 349f7e00ee29b349b00c32318cb9b829b162167702957295712d37ebbb2a7a9a.exe.zip was found to be: Known bad.

Malicious Activity Summary

flawedammyy trojan ammyyadmin

AmmyyAdmin payload

Ammyyadmin family

FlawedAmmyy RAT

Checks computer location settings

Drops file in System32 directory

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-31 14:04

Signatures

AmmyyAdmin payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Ammyyadmin family

ammyyadmin

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-31 14:04

Reported

2023-10-31 14:30

Platform

win7-20231023-en

Max time kernel

150s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\349f7e00ee29b349b00c32318cb9b829b162167702957295712d37ebbb2a7a9a.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\349f7e00ee29b349b00c32318cb9b829b162167702957295712d37ebbb2a7a9a.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Users\Admin\AppData\Local\Temp\349f7e00ee29b349b00c32318cb9b829b162167702957295712d37ebbb2a7a9a.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\349f7e00ee29b349b00c32318cb9b829b162167702957295712d37ebbb2a7a9a.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\349f7e00ee29b349b00c32318cb9b829b162167702957295712d37ebbb2a7a9a.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy | C:\Users\Admin\AppData\Local\Temp\349f7e00ee29b349b00c32318cb9b829b162167702957295712d37ebbb2a7a9a.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c10595367ea224c4e53b26b | C:\Users\Admin\AppData\Local\Temp\349f7e00ee29b349b00c32318cb9b829b162167702957295712d37ebbb2a7a9a.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 3434347f2127fe01889ddd17d6fe566033b02d84096b26520031824f491a117fc6f7ab3e453089924a14679bb6e02de8806f0b17d15a3750db14d26e7625cde5e782d89b | C:\Users\Admin\AppData\Local\Temp\349f7e00ee29b349b00c32318cb9b829b162167702957295712d37ebbb2a7a9a.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349f7e00ee29b349b00c32318cb9b829b162167702957295712d37ebbb2a7a9a.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349f7e00ee29b349b00c32318cb9b829b162167702957295712d37ebbb2a7a9a.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\349f7e00ee29b349b00c32318cb9b829b162167702957295712d37ebbb2a7a9a.exe
    "C:\Users\Admin\AppData\Local\Temp\349f7e00ee29b349b00c32318cb9b829b162167702957295712d37ebbb2a7a9a.exe"

C:\Users\Admin\AppData\Local\Temp\349f7e00ee29b349b00c32318cb9b829b162167702957295712d37ebbb2a7a9a.exe
    "C:\Users\Admin\AppData\Local\Temp\349f7e00ee29b349b00c32318cb9b829b162167702957295712d37ebbb2a7a9a.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\349f7e00ee29b349b00c32318cb9b829b162167702957295712d37ebbb2a7a9a.exe
    "C:\Users\Admin\AppData\Local\Temp\349f7e00ee29b349b00c32318cb9b829b162167702957295712d37ebbb2a7a9a.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | rl.ammyy.com | udp
NL | 188.42.129.148:80 | rl.ammyy.com | tcp
DE | 136.243.104.242:443 | | tcp

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 6910d9160b66c4395f587a279e80f132
SHA1 54949c04c8c0970aa5e2d3fb2912318daab97b98
SHA256 72d44ac6019d486fc1a58334ff8ed692de0a9ed96de3142638c71376ceade87c
SHA512 82967a8bdbad58f2a81d063c84294153dbdd86322d4b6e3631122530dc7f00fd209ed1d2b0683eb60f726fd3d6f93c7615bd1d0d1fa1f5441119d0e5007582b9

C:\ProgramData\AMMYY\hr

MD5 5f54b4197bb18fe0694b3020e8692086
SHA1 bd4136d020282ed014df0459316d387833055e8a
SHA256 20fa1f12f3f991433db843907119e29aed432720cc31b0f83021014dbe8a7710
SHA512 0a7325900ae68608fb2086c9b52c63a6fa186f3bd8b8dc06aee6b4253f15d5e337f9d0eedf77fe590b33170a9a7219d852cf6bd8dc624c8513dfff6f2cdfe980

C:\ProgramData\AMMYY\hr3

MD5 502c7f9432aeb91beeea3de82bf0feb7
SHA1 8457b9cdbd086cdf4aca6ecc637d12935bd77ab7
SHA256 8202bba9da6a169d206806d91f30020f4039646f5a6d7b8a1312e3f26d594561
SHA512 4112f9b5f403500b718c9bbf8bef823a807f17e71e9d903103274504ed6da5adcaf4032b6bf33d6cd32361bd738f80856220927bb1221e475d5f816b8577efd2
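The registry keys, the "-service -lunch" child process and the files under C:\ProgramData\AMMYY recorded in this run (behavioral2 below repeats them) are the host-side material a hunter would turn into rules. Two details matter when doing so: \REGISTRY\USER\.DEFAULT is the hive mapped for the LocalSystem account, so the writes there (and, in behavioral2, under C:\Windows\SysWOW64\config\systemprofile) are consistent with the service child running as SYSTEM; and only settings3.bin hashed identically across both detonations, while hr and hr3 differed per run, so of the three dropped files only settings3.bin is worth pinning by hash. The Python below is an added example, not output of the sandbox: it encodes those indicators as detection logic and runs it over a handful of constructed Sysmon-style events. The field names (EventID, Image, CommandLine, TargetObject, TargetFilename) follow Sysmon's schema; the event records themselves are invented for illustration. Because legitimate Ammyy Admin uses the same key names, data directory and launch switch, these rules detect Ammyy Admin presence rather than the trojanised build specifically.

```python
"""Host-side detection of the Ammyy/FlawedAmmyy artifacts in this report, run over
constructed Sysmon-style events.  Added example, not part of the sandbox output."""

from dataclasses import dataclass

# Indicators copied from the behavioral1/behavioral2 sections of this report.
AMMYY_REG_PREFIX = "HKU\\.DEFAULT\\SOFTWARE\\AMMYY"   # key created by the sample (normalized)
AMMYY_DATA_DIR = "C:\\PROGRAMDATA\\AMMYY\\"          # settings3.bin, hr, hr3 were written here
AMMYY_SERVICE_ARGS = "-service -lunch"                # child process command line (sic: "lunch")

# Only settings3.bin hashed identically across both detonations; hr and hr3
# differed per run, so their hashes are not worth pinning as indicators.
STABLE_SHA256 = {
    "72d44ac6019d486fc1a58334ff8ed692de0a9ed96de3142638c71376ceade87c",  # settings3.bin
}

# The sandbox logs NT-style paths (\REGISTRY\USER\...); Sysmon logs HKU\... .
NT_HIVES = {
    "\\REGISTRY\\USER\\": "HKU\\",
    "\\REGISTRY\\MACHINE\\": "HKLM\\",
}


def normalize_reg_path(path: str) -> str:
    """Fold case and map NT hive names onto the HKU\\ / HKLM\\ prefixes Sysmon uses."""
    upper = path.upper()
    for nt, win in NT_HIVES.items():
        if upper.startswith(nt):
            return win + upper[len(nt):]
    return upper


@dataclass(frozen=True)
class Hit:
    rule: str
    event_id: int
    image: str
    detail: str


def detect(events):
    """Return one Hit per event matching an Ammyy indicator.

    Field names follow Sysmon's schema.  Sysmon does not log registry reads, so
    the Geo\\Nation value query in this report has no equivalent rule here."""
    hits = []
    for ev in events:
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        if eid == 1:  # process creation
            cmd = ev.get("CommandLine", "")
            if AMMYY_SERVICE_ARGS in cmd.lower():
                hits.append(Hit("ammyy_service_launch", eid, image, cmd))
        elif eid in (12, 13):  # registry key created / value set
            target = normalize_reg_path(ev.get("TargetObject", ""))
            if target.startswith(AMMYY_REG_PREFIX):
                hits.append(Hit("ammyy_registry_write", eid, image, target))
        elif eid == 11:  # file created
            name = ev.get("TargetFilename", "")
            if name.upper().startswith(AMMYY_DATA_DIR):
                hits.append(Hit("ammyy_datadir_write", eid, image, name))
    return hits


def match_known_hashes(observed):
    """observed: {path: sha256}. Return the paths whose hash is a stable indicator."""
    return sorted(p for p, h in observed.items() if h.lower() in STABLE_SHA256)


# Constructed events for illustration; not telemetry from the report.
SAMPLE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe"
EVENTS = [
    {"EventID": 1, "Image": SAMPLE, "CommandLine": f'"{SAMPLE}" -service -lunch'},
    {"EventID": 1, "Image": "C:\\Windows\\notepad.exe", "CommandLine": "notepad.exe lunch.txt"},
    {"EventID": 12, "Image": SAMPLE, "TargetObject": "\\REGISTRY\\USER\\.DEFAULT\\Software\\Ammyy\\Admin"},
    {"EventID": 13, "Image": SAMPLE, "TargetObject": "HKU\\.DEFAULT\\SOFTWARE\\Ammyy\\Admin\\hr3"},
    {"EventID": 13, "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\X"},
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": "C:\\ProgramData\\AMMYY\\settings3.bin"},
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": "C:\\ProgramData\\Microsoft\\diag.log"},
]

if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(f"{hit.rule:22} eid={hit.event_id:<3} {hit.detail}")
```

On the constructed events the three rules fire four times (one process launch, two registry writes, one file drop) and ignore the benign notepad, Run-key and ProgramData\Microsoft records. To run it against real telemetry, feed `detect` dictionaries built from Sysmon event XML or a SIEM export with the same field names.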

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-31 14:04

Reported

2023-10-31 14:31

Platform

win10v2004-20231023-en

Max time kernel

165s

Max time network

175s

Command Line

"C:\Users\Admin\AppData\Local\Temp\349f7e00ee29b349b00c32318cb9b829b162167702957295712d37ebbb2a7a9a.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Users\Admin\AppData\Local\Temp\349f7e00ee29b349b00c32318cb9b829b162167702957295712d37ebbb2a7a9a.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Users\Admin\AppData\Local\Temp\349f7e00ee29b349b00c32318cb9b829b162167702957295712d37ebbb2a7a9a.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Users\Admin\AppData\Local\Temp\349f7e00ee29b349b00c32318cb9b829b162167702957295712d37ebbb2a7a9a.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Users\Admin\AppData\Local\Temp\349f7e00ee29b349b00c32318cb9b829b162167702957295712d37ebbb2a7a9a.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\349f7e00ee29b349b00c32318cb9b829b162167702957295712d37ebbb2a7a9a.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\349f7e00ee29b349b00c32318cb9b829b162167702957295712d37ebbb2a7a9a.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 8e79c33164cc80a9a1aa133b8b233364303ad11280b5d322c764e10c816df0483221f8bda5acbdc15a3398d329ad81b0d738255877e6a78ca9a9dfe978a17dd4221045eb | C:\Users\Admin\AppData\Local\Temp\349f7e00ee29b349b00c32318cb9b829b162167702957295712d37ebbb2a7a9a.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Users\Admin\AppData\Local\Temp\349f7e00ee29b349b00c32318cb9b829b162167702957295712d37ebbb2a7a9a.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Users\Admin\AppData\Local\Temp\349f7e00ee29b349b00c32318cb9b829b162167702957295712d37ebbb2a7a9a.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Users\Admin\AppData\Local\Temp\349f7e00ee29b349b00c32318cb9b829b162167702957295712d37ebbb2a7a9a.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\349f7e00ee29b349b00c32318cb9b829b162167702957295712d37ebbb2a7a9a.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | C:\Users\Admin\AppData\Local\Temp\349f7e00ee29b349b00c32318cb9b829b162167702957295712d37ebbb2a7a9a.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e155253194a0f954e53b26b | C:\Users\Admin\AppData\Local\Temp\349f7e00ee29b349b00c32318cb9b829b162167702957295712d37ebbb2a7a9a.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349f7e00ee29b349b00c32318cb9b829b162167702957295712d37ebbb2a7a9a.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\349f7e00ee29b349b00c32318cb9b829b162167702957295712d37ebbb2a7a9a.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\349f7e00ee29b349b00c32318cb9b829b162167702957295712d37ebbb2a7a9a.exe
    "C:\Users\Admin\AppData\Local\Temp\349f7e00ee29b349b00c32318cb9b829b162167702957295712d37ebbb2a7a9a.exe"

C:\Users\Admin\AppData\Local\Temp\349f7e00ee29b349b00c32318cb9b829b162167702957295712d37ebbb2a7a9a.exe
    "C:\Users\Admin\AppData\Local\Temp\349f7e00ee29b349b00c32318cb9b829b162167702957295712d37ebbb2a7a9a.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\349f7e00ee29b349b00c32318cb9b829b162167702957295712d37ebbb2a7a9a.exe
    "C:\Users\Admin\AppData\Local\Temp\349f7e00ee29b349b00c32318cb9b829b162167702957295712d37ebbb2a7a9a.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp
US | 8.8.8.8:53 | rl.ammyy.com | udp
NL | 188.42.129.148:80 | rl.ammyy.com | tcp
DE | 136.243.104.235:443 | | tcp
US | 8.8.8.8:53 | 148.129.42.188.in-addr.arpa | udp
US | 8.8.8.8:53 | 235.104.243.136.in-addr.arpa | udp
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 254.5.248.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 35.197.79.40.in-addr.arpa | udp
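The Network tables of both runs mix three kinds of traffic: the sample's own connections (the rl.ammyy.com lookup, TCP/80 to 188.42.129.148, and a TCP/443 connection to 136.243.104.x for which no domain is recorded), the sandbox resolver at 8.8.8.8:53, and reverse-DNS (PTR) lookups of the form a.b.c.d.in-addr.arpa. Reversing the octets of a PTR name recovers the address being looked up, which is how 148.129.42.188.in-addr.arpa and 235.104.243.136.in-addr.arpa tie back to the two TCP destinations in this run; the remaining PTR lookups and the tse1.mm.bing.net traffic have no connection of the sample's behind them. The Python below is an added example, not part of the report, that parses a subset of the behavioral2 rows copied verbatim and performs that separation. Treating tse1.mm.bing.net as Windows background activity is an assumption stated in the code.

```python
"""Triage of the Network tables in this report: separate the sample's own
destinations from resolver traffic, PTR lookups and OS background noise.
Added example; the rows below are a subset of the behavioral2 table."""

import ipaddress

# Copied from the behavioral2 Network table (country, destination, domain, proto).
BEHAVIORAL2_NETWORK = """\
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 rl.ammyy.com udp
NL 188.42.129.148:80 rl.ammyy.com tcp
DE 136.243.104.235:443 tcp
US 8.8.8.8:53 148.129.42.188.in-addr.arpa udp
US 8.8.8.8:53 235.104.243.136.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
"""

# Assumption: Bing thumbnail CDN traffic is Windows 10 background activity, not the sample's.
BACKGROUND_DOMAINS = {"tse1.mm.bing.net"}
RESOLVER_PORT = 53


def parse_rows(text):
    """Parse whitespace-separated rows; a 3-field row has no domain recorded."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            raise ValueError(f"unparseable row: {line!r}")
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'235.104.243.136.in-addr.arpa' -> '136.243.104.235'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def triage(rows):
    """Split rows into sample domains, sample endpoints, and PTR lookups that do
    or do not correspond to an address the sample connected to."""
    contacted = {}  # ip -> ports reached over tcp, background domains excluded
    for r in rows:
        if r["proto"] == "tcp" and r["domain"] not in BACKGROUND_DOMAINS:
            contacted.setdefault(r["ip"], set()).add(r["port"])
    domains, ptr_hits, ptr_other = set(), set(), set()
    for r in rows:
        if r["proto"] == "udp" and r["port"] == RESOLVER_PORT:
            ip = ptr_to_ip(r["domain"])
            if ip is None:
                if r["domain"] and r["domain"] not in BACKGROUND_DOMAINS:
                    domains.add(r["domain"])
            elif ip in contacted:
                ptr_hits.add(ip)  # the OS reverse-resolved an address the sample talked to
            else:
                ptr_other.add(ip)
    return {
        "domains": sorted(domains),
        "endpoints": sorted(f"{ip}:{p}" for ip, ports in contacted.items() for p in ports),
        "ptr_for_contacted": sorted(ptr_hits),
        "ptr_unattributed": sorted(ptr_other),
    }


if __name__ == "__main__":
    for key, values in triage(parse_rows(BEHAVIORAL2_NETWORK)).items():
        print(f"{key:18} {values}")
```

On the rows above the sample-attributable set reduces to rl.ammyy.com, 188.42.129.148:80 and 136.243.104.235:443, and the two PTR lookups that reverse to those addresses are flagged as such. The same parser handles the behavioral1 table, whose only difference is the 136.243.104.242 endpoint.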

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 6910d9160b66c4395f587a279e80f132
SHA1 54949c04c8c0970aa5e2d3fb2912318daab97b98
SHA256 72d44ac6019d486fc1a58334ff8ed692de0a9ed96de3142638c71376ceade87c
SHA512 82967a8bdbad58f2a81d063c84294153dbdd86322d4b6e3631122530dc7f00fd209ed1d2b0683eb60f726fd3d6f93c7615bd1d0d1fa1f5441119d0e5007582b9

C:\ProgramData\AMMYY\hr

MD5 490839bd1283c73156306e849e97e468
SHA1 2e0487b32ad01d897f4f3f68dbdd8c0b769f2967
SHA256 8f32c532d2c7d9ab1c9683009b58db8ad4bcabcab55b2ba9984bda3b579fc1b3
SHA512 db43a0ad0d8d6abd1fa14d62505c3800ef2eddbfd662767482dd917a8e834b15e7dddcf2940166efff69d9c74d65fbc4b61cd12972300177197286ff94f6a5d8

C:\ProgramData\AMMYY\hr3

MD5 244478ebbbcdd699838af15930069568
SHA1 2919c3fc25ccd0def7a297514bd0faf6860328cc
SHA256 a10ed0a0ab849f95a71525b62ac36a9a900f1ee2398a4b40784c196500f0bf29
SHA512 abac53ee3f20a6716be6e96506c33983386bd76acf1461b0b483814df456df25eacbff1676aa3c2a36ea86b1da709775d3aeef5622155b3f0c18a34e422c0895