Analysis Overview
SHA256
2295b2dd1806bd36a6e392cd7147368c817cf2a03d04ffa2d0577d18fd465204
Threat Level: Known bad
The file 7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe.zip was found to be: Known bad.
Malicious Activity Summary
AmmyyAdmin payload
Ammyyadmin family
FlawedAmmyy RAT
Checks computer location settings
Drops file in System32 directory
Modifies data under HKEY_USERS
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-01 15:03
Signatures
AmmyyAdmin payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Ammyyadmin family
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-01 15:03
Reported
2023-12-01 15:20
Platform
win7-20231025-en
Max time kernel
152s
Max time network
168s
Command Line
Signatures
FlawedAmmyy RAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy | C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c105953779a63a3217bb26b | C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = bb249cff547072c67d3b71518cf1a555ea3cecb630aaa79449b04fd707c4b4a3baec3a19c87668b6e93af60c01eabf768126198f4caafa4a70d426a70f189eb297e199de | C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe
"C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe"
C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe
"C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe
"C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.242:443 | | tcp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | 714f2508d4227f74b6adacfef73815d8 |
| SHA1 | a35c8a796e4453c0c09d011284b806d25bdad04c |
| SHA256 | a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480 |
| SHA512 | 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8 |
C:\ProgramData\AMMYY\hr
| MD5 | 6a96ee96670ef4bacdb4ec11eb4ac571 |
| SHA1 | a93cffb624b317889468c2ed1145eec0bff1e4d9 |
| SHA256 | 6103a4b5b392766373a83be7eaf1fbf7f2e53b6d2579bce7e7189c10477a0496 |
| SHA512 | bffec1abfa5489f837d17a3651b491c01591f3cc21d27672a6e05c872be63ba527e38d44b0da67f50ef89c04f758e5010b43a9cef4ada3f37af9bcacb52ae1c3 |
C:\ProgramData\AMMYY\hr3
| MD5 | 334b86b448ba57cc53b675725af1e2ae |
| SHA1 | b8592f3ee4a02a9440c482c24aceac152e2283c4 |
| SHA256 | b21bdd50799ac82e98c1df7e68d16f3cecd8743464ea017f0648ab38b7e33277 |
| SHA512 | 892033d019b17580b739359f9363a8de44840dd0a0457e36b498592068c6091bf45a8703002892f12f98b452d00c52c7a3333ae9d7f1f85b17236527bd2484ce |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-01 15:03
Reported
2023-12-01 15:20
Platform
win10v2004-20231127-en
Max time kernel
162s
Max time network
167s
Command Line
Signatures
FlawedAmmyy RAT
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e155253a333f8be217bb26b | C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 938ec398ecb9988ab4cd9fbcfeb1ff1cd80dc7c9f8d1ee7154ccba6b5911d3c0a4e100d7d4c6fa72f45577b2dde3c831bfa247faf176b0cb43390433a586d4abc280518c | C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4132 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe | C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe |
| PID 4132 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe | C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe |
| PID 4132 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe | C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe
"C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe"
C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe
"C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe
"C:\Users\Admin\AppData\Local\Temp\7d437454328721b53ff409836ea78ab37473ebca53bbcaf8268b8274bc6f9404.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.78.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.235:443 | | tcp |
| US | 8.8.8.8:53 | 148.129.42.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.104.243.136.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 234.17.178.52.in-addr.arpa | udp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | 714f2508d4227f74b6adacfef73815d8 |
| SHA1 | a35c8a796e4453c0c09d011284b806d25bdad04c |
| SHA256 | a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480 |
| SHA512 | 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8 |
C:\ProgramData\AMMYY\hr
| MD5 | 2dcaf8ecadccbeabce8cf6ee57252313 |
| SHA1 | d54a37df9b89c83e3f1436020d0322bc803b3cf1 |
| SHA256 | 5f27342a029bcede51ef9379a9d5e7629ae2332d8a4f00d14c24138d3b7daee5 |
| SHA512 | 7434d7d11a7d0e707d140c545cbe61ae5a3352b8ebd7cd7dcce7399493fdfa46e512f4f4d98b59c5f4ad79fa013fd352152e7487b39f525406a447b1ddc67267 |
C:\ProgramData\AMMYY\hr3
| MD5 | 203ebf56c8490149d7f38c02e426df87 |
| SHA1 | a1f35e4ee06d7274ce80b436a655a624158a7492 |
| SHA256 | 6add4d284950778861d3b96b884cf0814fa1b3945fadfa017ea773652d8c3143 |
| SHA512 | a98722f9c3e1e2e7a25e7b6a28c5408180e22d29a21de33b0cff8dbe6a4a59fcbeeb014fab181012d95ac51e8f68f4a462493bae3a8bee24d31e7688c95c48df |
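The two detonations above agree on a compact set of host and network indicators: the second process instance launched with Ammyy's own `-service -lunch` switch, registry keys created under `HKU\.DEFAULT\Software\Ammyy\Admin` (the `.DEFAULT` hive and the `SysWOW64\config\systemprofile` file paths in behavioral2 both mean that instance ran under the SYSTEM profile), the three files under `C:\ProgramData\AMMYY\`, a DNS lookup for `rl.ammyy.com` and a TCP/80 connection to 188.42.129.148. The following hunting check is an added example, not sandbox output and not Ammyy code; it runs those indicators over a handful of constructed Sysmon-style events whose dict field names (`type`, `cmdline`, `key`, `path`, `md5`, `query`, `dst_ip`, `dst_port`) are a simplified assumed shape, not a real schema. Two choices follow from the report itself: `settings3.bin` hashes identically in both runs (MD5 714f2508d4227f74b6adacfef73815d8) while `hr` and `hr3` differ between the Windows 7 and Windows 10 hosts, so only `settings3.bin` is used as a hash indicator, and the TCP/443 connections to 136.243.104.x carry no domain attribution on this page, so they are deliberately left out. Note also that Ammyy Admin is a legitimate remote-administration product that uses the same switch, registry location and relay domain, so these matches establish that Ammyy-derived software is present; the "known bad" verdict here rests on the sandbox's FlawedAmmyy family signature, not on these artifacts alone.

```python
"""Hunt constructed host telemetry for the FlawedAmmyy indicators listed in this report.

Added example; not sandbox output and not Ammyy code. The event dicts and their
field names (type, cmdline, key, path, md5, query, dst_ip, dst_port) are a
constructed, simplified Sysmon-like shape, not a real schema.
"""
import re
from typing import Dict, List, Optional, Tuple

# --- Indicators taken from the behavioral1 / behavioral2 sections --------------
# Ammyy's own switch spelling ("-lunch", not "-launch") as seen in the process tree.
AMMYY_CMDLINE = re.compile(r"\s-service\s+-lunch\b", re.IGNORECASE)
# HKU\.DEFAULT is the SYSTEM account's profile; the report shows keys created there.
# Accepts both the kernel path form (\REGISTRY\USER\...) and the Sysmon HKU\ form.
AMMYY_REG_KEY = re.compile(
    r"(?:\\REGISTRY\\USER|HKU)\\\.DEFAULT\\Software\\Ammyy(?:\\|$)", re.IGNORECASE
)
AMMYY_FILES = {
    r"c:\programdata\ammyy\settings3.bin",
    r"c:\programdata\ammyy\hr",
    r"c:\programdata\ammyy\hr3",
}
# settings3.bin hashed identically in both detonations; hr and hr3 did not,
# so only settings3.bin is used as a hash indicator.
SETTINGS3_MD5 = "714f2508d4227f74b6adacfef73815d8"
AMMYY_RELAY_DOMAIN = "rl.ammyy.com"
AMMYY_RELAY_ENDPOINTS = {("188.42.129.148", 80)}


def classify(event: Dict) -> Optional[str]:
    """Return the name of the indicator rule an event trips, or None."""
    kind = event.get("type")
    if kind == "process_create":
        if AMMYY_CMDLINE.search(event.get("cmdline", "")):
            return "ammyy_service_launch"
    elif kind == "registry":
        if AMMYY_REG_KEY.search(event.get("key", "")):
            return "ammyy_hku_default_key"
    elif kind == "file":
        path = event.get("path", "").lower()
        if path in AMMYY_FILES:
            if path.endswith("settings3.bin") and event.get("md5", "").lower() == SETTINGS3_MD5:
                return "ammyy_settings3_known_hash"
            return "ammyy_programdata_artifact"
    elif kind == "dns":
        if event.get("query", "").rstrip(".").lower() == AMMYY_RELAY_DOMAIN:
            return "ammyy_relay_dns"
    elif kind == "network":
        if (event.get("dst_ip"), event.get("dst_port")) in AMMYY_RELAY_ENDPOINTS:
            return "ammyy_relay_connect"
    return None


def hunt(events: List[Dict]) -> List[Tuple[int, str]]:
    """Return (event id, rule) for every event that matches an indicator, in input order."""
    hits = []
    for ev in events:
        rule = classify(ev)
        if rule is not None:
            hits.append((ev["id"], rule))
    return hits


# Constructed sample telemetry. The 'sample.exe' and 'svc.exe' paths are invented;
# the indicator values themselves are copied from the report.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\sample.exe" -service -lunch'},
    # '-service' alone is common to many legitimate services and must not match.
    {"id": 2, "type": "process_create", "cmdline": r'"C:\Program Files\Vendor\svc.exe" -service'},
    {"id": 3, "type": "registry", "key": r"\REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin"},
    # Generic WinINet key that the report also lists; too noisy to alert on.
    {"id": 4, "type": "registry",
     "key": r"\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"},
    {"id": 5, "type": "file", "path": r"C:\ProgramData\AMMYY\settings3.bin", "md5": SETTINGS3_MD5},
    {"id": 6, "type": "file", "path": r"C:\ProgramData\AMMYY\hr", "md5": "6a96ee96670ef4bacdb4ec11eb4ac571"},
    {"id": 7, "type": "dns", "query": "rl.ammyy.com"},
    {"id": 8, "type": "network", "dst_ip": "188.42.129.148", "dst_port": 80},
    # TCP/443 to 136.243.104.x has no domain attribution on the page, so it is not an indicator here.
    {"id": 9, "type": "network", "dst_ip": "136.243.104.242", "dst_port": 443},
]

if __name__ == "__main__":
    for event_id, rule in hunt(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

Events 2, 4 and 9 are the deliberate near misses: a bare `-service` switch, the generic Internet Settings key and the unattributed 443 traffic all appear in the report but would generate noise as stand-alone rules, so the check fires only on the six Ammyy-specific events. On a real estate the same logic maps onto Sysmon event IDs 1 (process), 12/13 (registry), 11 (file), 22 (DNS) and 3 (network) with the field names adjusted to that schema.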