Analysis Overview
SHA256
89fc5056c741faef49c38de26bea0c307700df140469ad646ae02df26f1d4588
Threat Level: Known bad
The file 1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe.zip was found to be: Known bad.
Malicious Activity Summary
Ammyyadmin family
AmmyyAdmin payload
FlawedAmmyy RAT
Checks computer location settings
Drops file in System32 directory
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-01 15:03
Signatures
AmmyyAdmin payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Ammyyadmin family
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-01 15:03
Reported
2023-12-01 15:22
Platform
win7-20231023-en
Max time kernel
152s
Max time network
146s
Command Line
Signatures
FlawedAmmyy RAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy | C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c105953e7e1aeff217bb26b | C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 90efc0ff547072c67d3b71518cf1a555ea3cecb630aaa79449b04fd707c4b4a3baec3a19c87668b6e93af60c01eabf768126198f4caafa4a70d426a70f18d31fcd1b8050 | C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe
"C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe"
C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe
"C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe
"C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.242:443 | tcp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | 714f2508d4227f74b6adacfef73815d8 |
| SHA1 | a35c8a796e4453c0c09d011284b806d25bdad04c |
| SHA256 | a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480 |
| SHA512 | 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8 |
C:\ProgramData\AMMYY\hr
| MD5 | 9a1c21a669efb6b6c9a96272583b196f |
| SHA1 | bdb9ee80ef7b09f46b848dce70a5111155a1959b |
| SHA256 | 0a45777b125386c4a6ee266e77c8726a3aa81405c000d639d564e935c4186012 |
| SHA512 | 36a65e025f5b4b525489252a542eab5bf97e98c9673dfd790659e8cdc310cf66ab0a90c565b101d59226f5da755217ff21b7052731f6f0357f99a9ac34b79608 |
C:\ProgramData\AMMYY\hr3
| MD5 | 4d2acc4bbe724fb6638a2504c6d4be02 |
| SHA1 | f2a403ea30b6ca2546e93e637da9b230597eb07e |
| SHA256 | 2569602d77bb276a61f49e4315209e7d535d536ce9c7bb0312d41d4fdf82130f |
| SHA512 | 73af0d792422b1a3defeae568040ade23bbff42a015b745c3497f2f82cb734cc7cccf89ff5ad3998cd77f68df678aa51979e62022259d2c223980d5624173d7c |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-01 15:03
Reported
2023-12-01 15:21
Platform
win10v2004-20231127-en
Max time kernel
164s
Max time network
176s
Command Line
Signatures
FlawedAmmyy RAT
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 700f1522349a65dc0076f39c35db9689ebc408fcedeb88a90f95d93c78c0eba4eddb9335eea07a89e1d41f463ee6a3c6b65e8c7d51def241cc0817231d551cd90061b813 | C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e15525390ab7e81217bb26b | C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1164 wrote to memory of 4400 | N/A | C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe | C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe |
| PID 1164 wrote to memory of 4400 | N/A | C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe | C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe |
| PID 1164 wrote to memory of 4400 | N/A | C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe | C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe
"C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe"
C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe
"C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe
"C:\Users\Admin\AppData\Local\Temp\1831806fc27d496f0f9dcfd8402724189deaeb5f8bcf0118f3d6484d0bdee9ed.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.235:443 | tcp | |
| US | 8.8.8.8:53 | 148.129.42.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.104.243.136.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.78.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.201.50.20.in-addr.arpa | udp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | 714f2508d4227f74b6adacfef73815d8 |
| SHA1 | a35c8a796e4453c0c09d011284b806d25bdad04c |
| SHA256 | a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480 |
| SHA512 | 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8 |
C:\ProgramData\AMMYY\hr
| MD5 | ceb5bccf420a7bc5945e92b68ece50d1 |
| SHA1 | 32423c5ab5da2465b8188df1d9d5d454964aa469 |
| SHA256 | 7d62d359074c913cef13872df590cd6d604ce62a35e743876c80a402a0bf7588 |
| SHA512 | bf2939c327b7d5af37ed6fb6dd849f6fd05a75f84db61430fc17485445458c5dee72b951eb9e098400e4513a1cdb0d14b26eb035de658e8624e8c80d457b5215 |
C:\ProgramData\AMMYY\hr3
| MD5 | 76c2c6723bee9e5b6ce6d576b5fc21a8 |
| SHA1 | ef16f43e90cc63af80d09a30a40e5432b6b08b94 |
| SHA256 | 8d60434d2e3d6bbaf8c5703aa505dfbb280547dc49072b11ab2e150961c945a6 |
| SHA512 | b8bbac246d7400beecdc6f052ab18c2589b62453d363eacc9c2ed0206a0e1ad1bf7d165e5205f3359195ac7b94f10c4d18a7379249c9c8692d60e82f8bc776ef |