Analysis Overview
SHA256
9e80a1754fad2561154d9b12b9302c1455b1bc5b16ee72e99c401af98d7af327
Threat Level: Known bad
The file 9cfbe1b6ef9fb385673a6bd800d0c3c8792701186d3904bb8cb19eb8bfd474e5.zip.zip was found to be: Known bad.
Malicious Activity Summary
AmmyyAdmin payload
Ammyyadmin family
FlawedAmmyy RAT
Checks computer location settings
Drops file in System32 directory
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-11-07 14:15
Signatures
AmmyyAdmin payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Ammyyadmin family
Analysis: behavioral1
Detonation Overview
Submitted
2023-11-07 14:15
Reported
2023-11-08 04:26
Platform
win7-20231025-en
Max time kernel
151s
Max time network
139s
Command Line
Signatures
FlawedAmmyy RAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c1059537742026bb34eb26b | C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = bb2f6a5aa02d7cdf12df07d602286b05739fee5fb4384d3256db0d2423ba2a6de0618e40de28b53e0c3ea2089dcfeea2ef74131531baafa060c92cd05026b603a8b64cec | C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy | C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2096 wrote to memory of 2124 | N/A | C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe | C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe |
| PID 2096 wrote to memory of 2124 | N/A | C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe | C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe |
| PID 2096 wrote to memory of 2124 | N/A | C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe | C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe |
| PID 2096 wrote to memory of 2124 | N/A | C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe | C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe
"C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe"
C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe
"C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe
"C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.242:443 | | tcp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | 714f2508d4227f74b6adacfef73815d8 |
| SHA1 | a35c8a796e4453c0c09d011284b806d25bdad04c |
| SHA256 | a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480 |
| SHA512 | 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8 |
C:\ProgramData\AMMYY\hr
| MD5 | 8aa30beeb49ac7c36a22f885e2516202 |
| SHA1 | f53f67c932f0a25069b511dcb939cd19e2da487a |
| SHA256 | 5a6736541998c74227d606ada21d90dd1225e839663e4fa3f8021c02422e1147 |
| SHA512 | e07bfa6c8f50218e0018e5ed8ccb782bef94f767b839e9cb2829c4956e576c22714e86d8d3bd8cd581fc3c36492355ab6eca22d69b5ae1d69ff7fc3a0947489e |
C:\ProgramData\AMMYY\hr3
| MD5 | 5e1e815e3557e095c6ddc7cc07bd9b89 |
| SHA1 | 98e6ac0e5762d564d53dddba68dac1074b5863df |
| SHA256 | 12066c0338e9b22430a83bebea8637cebd8824f73ab6b6cf1523a79009416156 |
| SHA512 | 2999412e3c71722f038ca94b13d18ef95e30002177151a9100d0dca7c58d820f45210a919d5f02e8ef71867750eb23901f7d28ae5bb53a0f0e953d74bb2b2aac |
Analysis: behavioral2
Detonation Overview
Submitted
2023-11-07 14:15
Reported
2023-11-08 04:27
Platform
win10v2004-20231023-en
Max time kernel
181s
Max time network
198s
Command Line
Signatures
FlawedAmmyy RAT
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e1552530a640e8bb34eb26b | C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 8fc8c60767824261e73ce7bde28acf907541e0761d015f385e8033b5e0576a5546977bf7a8ebbe6058f586d29bcc79848be3e890f8dae8ebbd2df2418c17779a9ff5c4fa | C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4216 wrote to memory of 4572 | N/A | C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe | C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe |
| PID 4216 wrote to memory of 4572 | N/A | C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe | C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe |
| PID 4216 wrote to memory of 4572 | N/A | C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe | C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe
"C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe"
C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe
"C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe
"C:\Users\Admin\AppData\Local\Temp\Ammyy Admin .exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.52.96.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 39.142.81.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.178.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.235:443 | | tcp |
| US | 8.8.8.8:53 | 148.129.42.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.104.243.136.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | 714f2508d4227f74b6adacfef73815d8 |
| SHA1 | a35c8a796e4453c0c09d011284b806d25bdad04c |
| SHA256 | a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480 |
| SHA512 | 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8 |
C:\ProgramData\AMMYY\hr
| MD5 | b3c6ac51a0ac121c7cd287f40463bfea |
| SHA1 | ea6066934025a818e034d41fc52290cbdacdc83b |
| SHA256 | 1cf2204c92660857da48eb60e3bfbf3773ca9466b0ee94fe91abe841cf106e43 |
| SHA512 | f9ce3b68104eff1af511d584cf4d143944e752e4f4456f019f56d8b3a16478cc7288650a89760f6fa880b9b063843499f366513bf3bf5c163b56be4f4986d69f |
C:\ProgramData\AMMYY\hr3
| MD5 | a6cab32e9c569a48eef8d12da6a1251d |
| SHA1 | 84b02e5ad0c666082b77a98057f33f0b73c5541a |
| SHA256 | b44f4fb288ce995d8d9f63576815f10a0514e6a10a3127dd30420bc1b1b8074f |
| SHA512 | d60bde7095c7ec7ab4fee8751811ac002c088051ee7a4fe2da63731ed2158a27d3f032b757c01f63f5c2c36f2482227c59f1d4cef64aa08df35e719ac92894f8 |