Malware Analysis Report

2024-10-16 05:12

Sample ID 231031-rdmhfshc8y
Target f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe.zip
SHA256 3727d712e619a7c1de57a4987614cc11f08cdcf9ddb6d798a52b30b7f3ddfdf4
Tags
ammyyadmin flawedammyy trojan
score
10/10


Analysis Overview

score
10/10

SHA256

3727d712e619a7c1de57a4987614cc11f08cdcf9ddb6d798a52b30b7f3ddfdf4

Threat Level: Known bad

The file f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe.zip was found to be: Known bad.

Malicious Activity Summary

ammyyadmin flawedammyy trojan

Ammyyadmin family

AmmyyAdmin payload

FlawedAmmyy RAT

Checks computer location settings

Drops file in System32 directory

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2023-10-31 14:04

Signatures

AmmyyAdmin payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Ammyyadmin family

ammyyadmin

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-31 14:04

Reported

2023-10-31 14:31

Platform

win7-20231020-en

Max time kernel

158s

Max time network

161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c105953579f169e4e53b26b | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = a3dd542fa70e2fce5ac79663b7a493a662260705b082e6c206d7b330082fe7d2d35104d1123ee40873c51a2448bfc541c261ca2c9b2e4269b8406cc41acfecc31d779d5e | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe

"C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe"

C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe

"C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe

"C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | rl.ammyy.com | udp
NL | 188.42.129.148:80 | rl.ammyy.com | tcp
DE | 136.243.104.242:443 | | tcp

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 4b1262396ed78b0aee884df3c46b46f0
SHA1 1eca767c92e65da3f72fed57bf44be41906b62b0
SHA256 3b916abde3f50bdc3dc54191f6955f84889d922b2d27f52acc9c0a407817fa67
SHA512 62d368c439209db7fdba6336d88809ca7a3368e5e5f8da54ed1e2c4c93662ae5bde2935daebd8707b767c1fabaf29a5ba08b450a96225a8afaf19f5bc155f8eb

C:\ProgramData\AMMYY\hr

MD5 2a8dbfca7e7fccf3dd7d995547a16fb1
SHA1 f5cd282770810038d8f97824f2df2f35492f506f
SHA256 1566ac51d19d95f227f2ec73f564d5a4f69ac8cfad3322af697c49cedd1f4432
SHA512 a1c6ffce16dd357351826728ffed4563fc1c595515b0f8662b0daa76435affa5143d9c437a6a382522b4bbc0f31c33a425a1145ac84dbf122597228f0faae9e2

C:\ProgramData\AMMYY\hr3

MD5 4e6b28ba102a5fd80e6355bf966cd41a
SHA1 e4ee4d83f38a448eb5d42e9aa2710c7986a07e83
SHA256 b594678f11e2bccb3511848cb53ebafbfb55a009e72600186731e6e60a143930
SHA512 496be978fbb243dbeec765c9de4fdebe0bec81aa7b501a7865d984394d4ef48f433a495dcf5bff258b0f64488941d7c6652b157782f952d14aa670dc518f090b

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-31 14:04

Reported

2023-10-31 14:32

Platform

win10v2004-20231023-en

Max time kernel

161s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e1552533471d7e74e53b26b | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 23525c86b6bc7f5411dad6484656c819bf6432c12dde3e5eb0edf9ed8d6f44ca43e75b5daa6d4edb778f0ec9f69b583c3d474635e9b8bfd483fd9954774e262d08d8224c | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe

"C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe"

C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe

"C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe

"C:\Users\Admin\AppData\Local\Temp\f9cc4a11a11e7c2aae54d608186614ed82155132f1a11f340e4179b7313f2bc3.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 254.21.238.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | rl.ammyy.com | udp
NL | 188.42.129.148:80 | rl.ammyy.com | tcp
DE | 136.243.104.235:443 | | tcp
US | 8.8.8.8:53 | 148.129.42.188.in-addr.arpa | udp
US | 8.8.8.8:53 | 235.104.243.136.in-addr.arpa | udp
US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 4b1262396ed78b0aee884df3c46b46f0
SHA1 1eca767c92e65da3f72fed57bf44be41906b62b0
SHA256 3b916abde3f50bdc3dc54191f6955f84889d922b2d27f52acc9c0a407817fa67
SHA512 62d368c439209db7fdba6336d88809ca7a3368e5e5f8da54ed1e2c4c93662ae5bde2935daebd8707b767c1fabaf29a5ba08b450a96225a8afaf19f5bc155f8eb

C:\ProgramData\AMMYY\hr

MD5 c9c74efe3c7fe90d1868e617a20b7176
SHA1 730de0dd805ce28b57cb5fdb409a9845294cf6f0
SHA256 4c49b0b5f69ea7ccb12b8703b43d6ee2fa3af4da53a472c84bbb76bd677c3692
SHA512 738bf5c51e823c251a9cb5cf09de74c9b20dac194fc40e8f430dc6e066fc9e9c74e79efc09289c9a77b07485a2b94667ff543fb1cc9d12b512fd19dd9285d902

C:\ProgramData\AMMYY\hr3

MD5 6d097b256f5fd1ff28671ecee11de775
SHA1 620e416e8519422a368663ad4d933ea78817b2d8
SHA256 1d0162cb1c2491a1df90a898d141c97aa457eda6c41ddbf98cfcd8fb120f1574
SHA512 dcbe4664e21ff13eaa9c18558d84fbe5bb135c86efabef7532bcee3053e3fb79b74d9b44e88b9e3220303281d179f25a372513ae0fd5090bd1ae682f2493c390