Analysis Overview
SHA256
7b800d430002dc67514cf719db65691e95e1a42ab82efb4633ea2be93a0c3cc7
Threat Level: Known bad
The file 4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe.zip was found to be: Known bad.
Malicious Activity Summary
Ammyyadmin family
FlawedAmmyy RAT
AmmyyAdmin payload
Checks computer location settings
Drops file in System32 directory
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-01 15:06
Signatures
AmmyyAdmin payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Ammyyadmin family
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-01 15:06
Reported
2023-12-01 15:43
Platform
win7-20231020-en
Max time kernel
152s
Max time network
147s
Command Line
Signatures
FlawedAmmyy RAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe | N/A |
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe
"C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe"
C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe
"C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe
"C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.242:443 | | tcp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | 4cb889e527b0d0781a17f6c2dd968129 |
| SHA1 | 6a6a55cd5604370660f1c1ad1025195169be8978 |
| SHA256 | 2658cd46dd49335e739cafa31ff2ec63f3315b65ecc171a0f7612713d3ac702b |
| SHA512 | 297d2c05d2ac950faeb519d3e7bc56ea9d9fcab65b5dfdbba2720be8eddc8b2d5ead3dc7c122b82d6937be6c2d7bb88872dd7b80961138571245fba381daac3f |
C:\ProgramData\AMMYY\hr
| MD5 | c69a96d2f781281f7508e08f1a0f95fb |
| SHA1 | 130383ffa4974d99456f3fc4189e464f3de3e90b |
| SHA256 | 39b10beb0035aa6bb2c424669d333077ff24625223433bf329c20bfdee4dcc5b |
| SHA512 | 74fb6c0aeff16fb81b231081badc3df4f57bca5972e7aa517c8433383f13af1381b121330e48f69de71fcf7f41981d8b99b481c9fda00b9f9529455ec8019ede |
C:\ProgramData\AMMYY\hr3
| MD5 | 642e2d4c03ee37296c610dc53ebeca51 |
| SHA1 | b87401fcca031cece87a3a08477ad72e9f2888e8 |
| SHA256 | 08c9bb8eb0355b0695d04f340434ef83e233e3aadaf22dd3b14e38f08d25ede6 |
| SHA512 | 93049bc9d9c5117401f4a964941f7e0b972d09443bfedbfc1b58fd3ca56533d781f8f381b6de03b6b3830127046653ef23a5aa1479316d6c00747b8cffdc750c |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-01 15:06
Reported
2023-12-01 15:45
Platform
win10v2004-20231127-en
Max time kernel
180s
Max time network
191s
Command Line
Signatures
FlawedAmmyy RAT
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e155253ac13f82a257bb26b | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = b681a4d2cbd09ebfa20aea6b899c2416402927ed79491d67b694f14440a439d7cd74164206bec0d224f8e5340211dcefdd24f6565b1a5645c9f59b377f525c8594080707 | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1620 wrote to memory of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe |
| PID 1620 wrote to memory of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe |
| PID 1620 wrote to memory of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe
"C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe"
C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe
"C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe
"C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.78.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.235:443 | | tcp |
| US | 8.8.8.8:53 | 148.129.42.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.104.243.136.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | 4cb889e527b0d0781a17f6c2dd968129 |
| SHA1 | 6a6a55cd5604370660f1c1ad1025195169be8978 |
| SHA256 | 2658cd46dd49335e739cafa31ff2ec63f3315b65ecc171a0f7612713d3ac702b |
| SHA512 | 297d2c05d2ac950faeb519d3e7bc56ea9d9fcab65b5dfdbba2720be8eddc8b2d5ead3dc7c122b82d6937be6c2d7bb88872dd7b80961138571245fba381daac3f |
C:\ProgramData\AMMYY\hr
| MD5 | 0b2120b7698920ed6589cf26cf1e2b86 |
| SHA1 | a90ae37993adf7e350550eb9016f5ac32934a50c |
| SHA256 | ec4ace26b69cd181627363077491c2fb3da4ded91182869927d0ba36f47a6f6f |
| SHA512 | 95d2ec4476a8fbdc614aad7bd24de248f956b8ea3b88229fdbeafe398d50ebbba0a3df2e2c95a590ef6dc0189b2b70fa89ba75d164dee114a66a3c1068c3dbbd |
C:\ProgramData\AMMYY\hr3
| MD5 | f0074908c2152dabb33e0b343c794f3c |
| SHA1 | b559b800e90ac03c5619943d05da11c1840e6b07 |
| SHA256 | 6df286c14619dde1c6dc00e088b93d45117eba39074d62aafacdd17a05ab4c1b |
| SHA512 | 8c8ca915137d1ee03b54ca9ad0e9c7ba6bffaaff3663c476169a84fda7db63d3f5f2e34fc278792d600635f3457cbb734f5cfd2c8a4830817a92d9b2525ea8c0 |