Malware Analysis Report

2024-10-16 05:10

Sample ID 231107-rkpldsgf9w
Target 9cfbe1b6ef9fb385673a6bd800d0c3c8792701186d3904bb8cb19eb8bfd474e5.zip.zip
SHA256 9e80a1754fad2561154d9b12b9302c1455b1bc5b16ee72e99c401af98d7af327
Tags
ammyyadmin flawedammyy trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9e80a1754fad2561154d9b12b9302c1455b1bc5b16ee72e99c401af98d7af327

Threat Level: Known bad

The file 9cfbe1b6ef9fb385673a6bd800d0c3c8792701186d3904bb8cb19eb8bfd474e5.zip.zip was found to be: Known bad.

Malicious Activity Summary

ammyyadmin flawedammyy trojan

AmmyyAdmin payload

Ammyyadmin family

FlawedAmmyy RAT

Checks computer location settings

Drops file in System32 directory

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-07 14:15

Signatures

AmmyyAdmin payload

Description Indicator Process Target
N/A N/A N/A N/A

Ammyyadmin family

ammyyadmin

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-07 14:15

Reported

2023-11-08 04:26

Platform

win7-20231025-en

Max time kernel

151s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c1059537742026bb34eb26b C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = bb2f6a5aa02d7cdf12df07d602286b05739fee5fb4384d3256db0d2423ba2a6de0618e40de28b53e0c3ea2089dcfeea2ef74131531baafa060c92cd05026b603a8b64cec C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe

"C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe"

C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe

"C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe

"C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 rl.ammyy.com udp
NL 188.42.129.148:80 rl.ammyy.com tcp
DE 136.243.104.242:443 tcp

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 714f2508d4227f74b6adacfef73815d8
SHA1 a35c8a796e4453c0c09d011284b806d25bdad04c
SHA256 a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480
SHA512 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

C:\ProgramData\AMMYY\hr

MD5 8aa30beeb49ac7c36a22f885e2516202
SHA1 f53f67c932f0a25069b511dcb939cd19e2da487a
SHA256 5a6736541998c74227d606ada21d90dd1225e839663e4fa3f8021c02422e1147
SHA512 e07bfa6c8f50218e0018e5ed8ccb782bef94f767b839e9cb2829c4956e576c22714e86d8d3bd8cd581fc3c36492355ab6eca22d69b5ae1d69ff7fc3a0947489e

C:\ProgramData\AMMYY\hr3

MD5 5e1e815e3557e095c6ddc7cc07bd9b89
SHA1 98e6ac0e5762d564d53dddba68dac1074b5863df
SHA256 12066c0338e9b22430a83bebea8637cebd8824f73ab6b6cf1523a79009416156
SHA512 2999412e3c71722f038ca94b13d18ef95e30002177151a9100d0dca7c58d820f45210a919d5f02e8ef71867750eb23901f7d28ae5bb53a0f0e953d74bb2b2aac

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-07 14:15

Reported

2023-11-08 04:27

Platform

win10v2004-20231023-en

Max time kernel

181s

Max time network

198s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e1552530a640e8bb34eb26b C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Ammyy C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 8fc8c60767824261e73ce7bde28acf907541e0761d015f385e8033b5e0576a5546977bf7a8ebbe6058f586d29bcc79848be3e890f8dae8ebbd2df2418c17779a9ff5c4fa C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe

"C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe"

C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe

"C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe

"C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 198.52.96.20.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 254.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 rl.ammyy.com udp
NL 188.42.129.148:80 rl.ammyy.com tcp
DE 136.243.104.235:443 tcp
US 8.8.8.8:53 148.129.42.188.in-addr.arpa udp
US 8.8.8.8:53 235.104.243.136.in-addr.arpa udp
US 8.8.8.8:53 26.73.42.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 714f2508d4227f74b6adacfef73815d8
SHA1 a35c8a796e4453c0c09d011284b806d25bdad04c
SHA256 a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480
SHA512 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8

C:\ProgramData\AMMYY\hr

MD5 b3c6ac51a0ac121c7cd287f40463bfea
SHA1 ea6066934025a818e034d41fc52290cbdacdc83b
SHA256 1cf2204c92660857da48eb60e3bfbf3773ca9466b0ee94fe91abe841cf106e43
SHA512 f9ce3b68104eff1af511d584cf4d143944e752e4f4456f019f56d8b3a16478cc7288650a89760f6fa880b9b063843499f366513bf3bf5c163b56be4f4986d69f

C:\ProgramData\AMMYY\hr3

MD5 a6cab32e9c569a48eef8d12da6a1251d
SHA1 84b02e5ad0c666082b77a98057f33f0b73c5541a
SHA256 b44f4fb288ce995d8d9f63576815f10a0514e6a10a3127dd30420bc1b1b8074f
SHA512 d60bde7095c7ec7ab4fee8751811ac002c088051ee7a4fe2da63731ed2158a27d3f032b757c01f63f5c2c36f2482227c59f1d4cef64aa08df35e719ac92894f8