Analysis Overview
SHA256
03201982c09f0b8d7e4fb849a882277521e55b6b52e1562c6d19252b9635e09b
Threat Level: Known bad
The file cb08d5622b147d7c13ddea2da4462af62030a473e48188f1e0bfd5d7480fbfad.exe.zip was found to be: Known bad.
Malicious Activity Summary
Ammyyadmin family
AmmyyAdmin payload
FlawedAmmyy RAT
Checks computer location settings
Drops file in System32 directory
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-31 14:18
Signatures
AmmyyAdmin payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Ammyyadmin family
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-31 14:18
Reported
2023-10-31 15:01
Platform
win7-20231020-en
Max time kernel
162s
Max time network
168s
Command Line
Signatures
FlawedAmmyy RAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cb08d5622b147d7c13ddea2da4462af62030a473e48188f1e0bfd5d7480fbfad.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 1c4441f4750066933b70e2331ddaec2bed0e7b01772d8092f8e72f54882b08521245f2b97f81d009fc5d0080c69f7af300a9fd8b73041d9d05c71c9daf019d500123802d | C:\Users\Admin\AppData\Local\Temp\cb08d5622b147d7c13ddea2da4462af62030a473e48188f1e0bfd5d7480fbfad.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Users\Admin\AppData\Local\Temp\cb08d5622b147d7c13ddea2da4462af62030a473e48188f1e0bfd5d7480fbfad.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\cb08d5622b147d7c13ddea2da4462af62030a473e48188f1e0bfd5d7480fbfad.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\cb08d5622b147d7c13ddea2da4462af62030a473e48188f1e0bfd5d7480fbfad.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy | C:\Users\Admin\AppData\Local\Temp\cb08d5622b147d7c13ddea2da4462af62030a473e48188f1e0bfd5d7480fbfad.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c105953d7c1e4f34253b26b | C:\Users\Admin\AppData\Local\Temp\cb08d5622b147d7c13ddea2da4462af62030a473e48188f1e0bfd5d7480fbfad.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb08d5622b147d7c13ddea2da4462af62030a473e48188f1e0bfd5d7480fbfad.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb08d5622b147d7c13ddea2da4462af62030a473e48188f1e0bfd5d7480fbfad.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cb08d5622b147d7c13ddea2da4462af62030a473e48188f1e0bfd5d7480fbfad.exe
"C:\Users\Admin\AppData\Local\Temp\cb08d5622b147d7c13ddea2da4462af62030a473e48188f1e0bfd5d7480fbfad.exe"
C:\Users\Admin\AppData\Local\Temp\cb08d5622b147d7c13ddea2da4462af62030a473e48188f1e0bfd5d7480fbfad.exe
"C:\Users\Admin\AppData\Local\Temp\cb08d5622b147d7c13ddea2da4462af62030a473e48188f1e0bfd5d7480fbfad.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\cb08d5622b147d7c13ddea2da4462af62030a473e48188f1e0bfd5d7480fbfad.exe
"C:\Users\Admin\AppData\Local\Temp\cb08d5622b147d7c13ddea2da4462af62030a473e48188f1e0bfd5d7480fbfad.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.242:443 | | tcp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | 714f2508d4227f74b6adacfef73815d8 |
| SHA1 | a35c8a796e4453c0c09d011284b806d25bdad04c |
| SHA256 | a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480 |
| SHA512 | 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8 |
C:\ProgramData\AMMYY\hr
| MD5 | 1df4d0d4ddc68e849abcc2a8cf9a3690 |
| SHA1 | e64da7d12adc5517fa31b2aa5cf6b0544cefb831 |
| SHA256 | b2b559142440c8710fc5e6935bd78fcbe55096bf93d367639ad80d63ab8d1eb1 |
| SHA512 | c3120afebee7e3f9d488c640898e6bf107a4765fe7e4d671787dc4e2523c65bf39b33fbe10ed10e3fda17c5476a1fdff7f560207f50f88e012c7678dbe31c6ce |
C:\ProgramData\AMMYY\hr3
| MD5 | c5f7b233ac9112ec289fbfc4f701dcdb |
| SHA1 | 9eb9a92f4d749914ad3fb787cdddca2355b01e7f |
| SHA256 | 0cd7888c0aef389fcfbdd54a4ff973e79f59b4b1fe046815fdaa8f9fd04f7eac |
| SHA512 | 266feac437506b95b8525e0b9c478741186134ad68ed18b8ab826682aaae0bf7ceb3781ca2fdc373e6fdacf1b1825929f4398ea010629ba8d16a9015c217774e |
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-31 14:18
Reported
2023-10-31 15:00
Platform
win10v2004-20231025-en
Max time kernel
152s
Max time network
154s
Command Line
Signatures
FlawedAmmyy RAT
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Users\Admin\AppData\Local\Temp\cb08d5622b147d7c13ddea2da4462af62030a473e48188f1e0bfd5d7480fbfad.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Users\Admin\AppData\Local\Temp\cb08d5622b147d7c13ddea2da4462af62030a473e48188f1e0bfd5d7480fbfad.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Users\Admin\AppData\Local\Temp\cb08d5622b147d7c13ddea2da4462af62030a473e48188f1e0bfd5d7480fbfad.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Users\Admin\AppData\Local\Temp\cb08d5622b147d7c13ddea2da4462af62030a473e48188f1e0bfd5d7480fbfad.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Users\Admin\AppData\Local\Temp\cb08d5622b147d7c13ddea2da4462af62030a473e48188f1e0bfd5d7480fbfad.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\cb08d5622b147d7c13ddea2da4462af62030a473e48188f1e0bfd5d7480fbfad.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\cb08d5622b147d7c13ddea2da4462af62030a473e48188f1e0bfd5d7480fbfad.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = a2e8b074c8e70be3b522ade214765359642bb41ecfc7e26bdc1513874da7b621c7dc3f9b67d26a5f50e6bd9d7434dd6dc3878add096332114ab5e0e1e71b0a5b1d24f0b8 | C:\Users\Admin\AppData\Local\Temp\cb08d5622b147d7c13ddea2da4462af62030a473e48188f1e0bfd5d7480fbfad.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Users\Admin\AppData\Local\Temp\cb08d5622b147d7c13ddea2da4462af62030a473e48188f1e0bfd5d7480fbfad.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Users\Admin\AppData\Local\Temp\cb08d5622b147d7c13ddea2da4462af62030a473e48188f1e0bfd5d7480fbfad.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e155253fa220c904253b26b | C:\Users\Admin\AppData\Local\Temp\cb08d5622b147d7c13ddea2da4462af62030a473e48188f1e0bfd5d7480fbfad.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | C:\Users\Admin\AppData\Local\Temp\cb08d5622b147d7c13ddea2da4462af62030a473e48188f1e0bfd5d7480fbfad.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\cb08d5622b147d7c13ddea2da4462af62030a473e48188f1e0bfd5d7480fbfad.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb08d5622b147d7c13ddea2da4462af62030a473e48188f1e0bfd5d7480fbfad.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cb08d5622b147d7c13ddea2da4462af62030a473e48188f1e0bfd5d7480fbfad.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\cb08d5622b147d7c13ddea2da4462af62030a473e48188f1e0bfd5d7480fbfad.exe
"C:\Users\Admin\AppData\Local\Temp\cb08d5622b147d7c13ddea2da4462af62030a473e48188f1e0bfd5d7480fbfad.exe"
C:\Users\Admin\AppData\Local\Temp\cb08d5622b147d7c13ddea2da4462af62030a473e48188f1e0bfd5d7480fbfad.exe
"C:\Users\Admin\AppData\Local\Temp\cb08d5622b147d7c13ddea2da4462af62030a473e48188f1e0bfd5d7480fbfad.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\cb08d5622b147d7c13ddea2da4462af62030a473e48188f1e0bfd5d7480fbfad.exe
"C:\Users\Admin\AppData\Local\Temp\cb08d5622b147d7c13ddea2da4462af62030a473e48188f1e0bfd5d7480fbfad.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.235:443 | | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.129.42.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.104.243.136.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.179.89.13.in-addr.arpa | udp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | 714f2508d4227f74b6adacfef73815d8 |
| SHA1 | a35c8a796e4453c0c09d011284b806d25bdad04c |
| SHA256 | a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480 |
| SHA512 | 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8 |
C:\ProgramData\AMMYY\hr3
| MD5 | 5ba93ce2ddb0c34aa434a4bb69430fc8 |
| SHA1 | da4d026eadeb951aed931a500111e87db27eb360 |
| SHA256 | 35d45488adc14976fe4e2ac8e4399bb166da01b13b6ee6fce20d94f33e759d18 |
| SHA512 | 5aa7bb06eaa79f6525fa254e6d1e9a7edd66c15253cbf060e86c1e0075e2117d0a918dc541e5cf05a5bdc786702fc72cba7d762f9249421e57301ed897893917 |
C:\ProgramData\AMMYY\hr
| MD5 | aebb964c3cd9573a043196bb2dd56466 |
| SHA1 | f4e807daca45ecd6840fdae90cd25a4640942d39 |
| SHA256 | b0b58546206224124426cd4a5bfbcfb99bcc11120fe34149583d1b20e81988fe |
| SHA512 | ddd86d67e703c296cbf30a7909dba363098b7710f39bddbb5615a480fed0898f422bec641d7da43df76115c7ca5c28e4fc1d6dfb990e0638aeafea5f50d29f4e |