Analysis Overview
SHA256
3727d712e619a7c1de57a4987614cc11f08cdcf9ddb6d798a52b30b7f3ddfdf4
Threat Level: Known bad
The file f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe.zip was found to be: Known bad.
Malicious Activity Summary
Ammyyadmin family
AmmyyAdmin payload
FlawedAmmyy RAT
Checks computer location settings
Drops file in System32 directory
Unsigned PE
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-31 14:04
Signatures
AmmyyAdmin payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Ammyyadmin family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-31 14:04
Reported
2023-10-31 14:31
Platform
win7-20231020-en
Max time kernel
158s
Max time network
161s
Command Line
Signatures
FlawedAmmyy RAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c105953579f169e4e53b26b | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = a3dd542fa70e2fce5ac79663b7a493a662260705b082e6c206d7b330082fe7d2d35104d1123ee40873c51a2448bfc541c261ca2c9b2e4269b8406cc41acfecc31d779d5e | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe
"C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe"
C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe
"C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe
"C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.242:443 | tcp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | 4b1262396ed78b0aee884df3c46b46f0 |
| SHA1 | 1eca767c92e65da3f72fed57bf44be41906b62b0 |
| SHA256 | 3b916abde3f50bdc3dc54191f6955f84889d922b2d27f52acc9c0a407817fa67 |
| SHA512 | 62d368c439209db7fdba6336d88809ca7a3368e5e5f8da54ed1e2c4c93662ae5bde2935daebd8707b767c1fabaf29a5ba08b450a96225a8afaf19f5bc155f8eb |
C:\ProgramData\AMMYY\hr
| MD5 | 2a8dbfca7e7fccf3dd7d995547a16fb1 |
| SHA1 | f5cd282770810038d8f97824f2df2f35492f506f |
| SHA256 | 1566ac51d19d95f227f2ec73f564d5a4f69ac8cfad3322af697c49cedd1f4432 |
| SHA512 | a1c6ffce16dd357351826728ffed4563fc1c595515b0f8662b0daa76435affa5143d9c437a6a382522b4bbc0f31c33a425a1145ac84dbf122597228f0faae9e2 |
C:\ProgramData\AMMYY\hr3
| MD5 | 4e6b28ba102a5fd80e6355bf966cd41a |
| SHA1 | e4ee4d83f38a448eb5d42e9aa2710c7986a07e83 |
| SHA256 | b594678f11e2bccb3511848cb53ebafbfb55a009e72600186731e6e60a143930 |
| SHA512 | 496be978fbb243dbeec765c9de4fdebe0bec81aa7b501a7865d984394d4ef48f433a495dcf5bff258b0f64488941d7c6652b157782f952d14aa670dc518f090b |
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-31 14:04
Reported
2023-10-31 14:32
Platform
win10v2004-20231023-en
Max time kernel
161s
Max time network
160s
Command Line
Signatures
FlawedAmmyy RAT
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e1552533471d7e74e53b26b | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 23525c86b6bc7f5411dad6484656c819bf6432c12dde3e5eb0edf9ed8d6f44ca43e75b5daa6d4edb778f0ec9f69b583c3d474635e9b8bfd483fd9954774e262d08d8224c | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe
"C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe"
C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe
"C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe
"C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.21.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.235:443 | tcp | |
| US | 8.8.8.8:53 | 148.129.42.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.104.243.136.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | 4b1262396ed78b0aee884df3c46b46f0 |
| SHA1 | 1eca767c92e65da3f72fed57bf44be41906b62b0 |
| SHA256 | 3b916abde3f50bdc3dc54191f6955f84889d922b2d27f52acc9c0a407817fa67 |
| SHA512 | 62d368c439209db7fdba6336d88809ca7a3368e5e5f8da54ed1e2c4c93662ae5bde2935daebd8707b767c1fabaf29a5ba08b450a96225a8afaf19f5bc155f8eb |
C:\ProgramData\AMMYY\hr
| MD5 | c9c74efe3c7fe90d1868e617a20b7176 |
| SHA1 | 730de0dd805ce28b57cb5fdb409a9845294cf6f0 |
| SHA256 | 4c49b0b5f69ea7ccb12b8703b43d6ee2fa3af4da53a472c84bbb76bd677c3692 |
| SHA512 | 738bf5c51e823c251a9cb5cf09de74c9b20dac194fc40e8f430dc6e066fc9e9c74e79efc09289c9a77b07485a2b94667ff543fb1cc9d12b512fd19dd9285d902 |
C:\ProgramData\AMMYY\hr3
| MD5 | 6d097b256f5fd1ff28671ecee11de775 |
| SHA1 | 620e416e8519422a368663ad4d933ea78817b2d8 |
| SHA256 | 1d0162cb1c2491a1df90a898d141c97aa457eda6c41ddbf98cfcd8fb120f1574 |
| SHA512 | dcbe4664e21ff13eaa9c18558d84fbe5bb135c86efabef7532bcee3053e3fb79b74d9b44e88b9e3220303281d179f25a372513ae0fd5090bd1ae682f2493c390 |