Malware Analysis Report

2024-10-16 05:10

Sample ID 231201-sg2l8abb83
Target 4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe.zip
SHA256 7b800d430002dc67514cf719db65691e95e1a42ab82efb4633ea2be93a0c3cc7
Tags
ammyyadmin flawedammyy trojan
score
10/10

Analysis Overview

score
10/10

SHA256

7b800d430002dc67514cf719db65691e95e1a42ab82efb4633ea2be93a0c3cc7

Threat Level: Known bad

The file 4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe.zip was found to be: Known bad.

Malicious Activity Summary

ammyyadmin flawedammyy trojan

Ammyyadmin family

FlawedAmmyy RAT

AmmyyAdmin payload

Checks computer location settings

Drops file in System32 directory

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-01 15:06

Signatures

AmmyyAdmin payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Ammyyadmin family

ammyyadmin

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-01 15:06

Reported

2023-12-01 15:43

Platform

win7-20231020-en

Max time kernel

152s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796e5f5e4c105953c77dbffd247bb26b | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 07e16b812ece3298ecfc29a10cb8a6dbd45313635e473691bc69e310158a5d89b13bfc3059ad71ffff80888f37e73d04f3b73ee66b8644f05851b1388d8ee49b36280a33 | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe

"C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe"

C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe

"C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe

"C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | rl.ammyy.com | udp
NL | 188.42.129.148:80 | rl.ammyy.com | tcp
DE | 136.243.104.242:443 | | tcp

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 4cb889e527b0d0781a17f6c2dd968129
SHA1 6a6a55cd5604370660f1c1ad1025195169be8978
SHA256 2658cd46dd49335e739cafa31ff2ec63f3315b65ecc171a0f7612713d3ac702b
SHA512 297d2c05d2ac950faeb519d3e7bc56ea9d9fcab65b5dfdbba2720be8eddc8b2d5ead3dc7c122b82d6937be6c2d7bb88872dd7b80961138571245fba381daac3f

C:\ProgramData\AMMYY\hr

MD5 c69a96d2f781281f7508e08f1a0f95fb
SHA1 130383ffa4974d99456f3fc4189e464f3de3e90b
SHA256 39b10beb0035aa6bb2c424669d333077ff24625223433bf329c20bfdee4dcc5b
SHA512 74fb6c0aeff16fb81b231081badc3df4f57bca5972e7aa517c8433383f13af1381b121330e48f69de71fcf7f41981d8b99b481c9fda00b9f9529455ec8019ede

C:\ProgramData\AMMYY\hr3

MD5 642e2d4c03ee37296c610dc53ebeca51
SHA1 b87401fcca031cece87a3a08477ad72e9f2888e8
SHA256 08c9bb8eb0355b0695d04f340434ef83e233e3aadaf22dd3b14e38f08d25ede6
SHA512 93049bc9d9c5117401f4a964941f7e0b972d09443bfedbfc1b58fd3ca56533d781f8f381b6de03b6b3830127046653ef23a5aa1479316d6c00747b8cffdc750c

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-01 15:06

Reported

2023-12-01 15:45

Platform

win10v2004-20231127-en

Max time kernel

180s

Max time network

191s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e155253ac13f82a257bb26b | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = b681a4d2cbd09ebfa20aea6b899c2416402927ed79491d67b694f14440a439d7cd74164206bec0d224f8e5340211dcefdd24f6565b1a5645c9f59b377f525c8594080707 | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe

"C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe"

C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe

"C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe

"C:\Users\Admin\AppData\Local\Temp\4731517b198414342891553881913565819509086b8154214462788c740b34c9.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.78.101.95.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 65.252.72.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.200:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | rl.ammyy.com | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
NL | 188.42.129.148:80 | rl.ammyy.com | tcp
DE | 136.243.104.235:443 | | tcp
US | 8.8.8.8:53 | 148.129.42.188.in-addr.arpa | udp
US | 8.8.8.8:53 | 235.104.243.136.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 4cb889e527b0d0781a17f6c2dd968129
SHA1 6a6a55cd5604370660f1c1ad1025195169be8978
SHA256 2658cd46dd49335e739cafa31ff2ec63f3315b65ecc171a0f7612713d3ac702b
SHA512 297d2c05d2ac950faeb519d3e7bc56ea9d9fcab65b5dfdbba2720be8eddc8b2d5ead3dc7c122b82d6937be6c2d7bb88872dd7b80961138571245fba381daac3f

C:\ProgramData\AMMYY\hr

MD5 0b2120b7698920ed6589cf26cf1e2b86
SHA1 a90ae37993adf7e350550eb9016f5ac32934a50c
SHA256 ec4ace26b69cd181627363077491c2fb3da4ded91182869927d0ba36f47a6f6f
SHA512 95d2ec4476a8fbdc614aad7bd24de248f956b8ea3b88229fdbeafe398d50ebbba0a3df2e2c95a590ef6dc0189b2b70fa89ba75d164dee114a66a3c1068c3dbbd

C:\ProgramData\AMMYY\hr3

MD5 f0074908c2152dabb33e0b343c794f3c
SHA1 b559b800e90ac03c5619943d05da11c1840e6b07
SHA256 6df286c14619dde1c6dc00e088b93d45117eba39074d62aafacdd17a05ab4c1b
SHA512 8c8ca915137d1ee03b54ca9ad0e9c7ba6bffaaff3663c476169a84fda7db63d3f5f2e34fc278792d600635f3457cbb734f5cfd2c8a4830817a92d9b2525ea8c0