Analysis Overview
SHA256
a49aabe032039ef2896901d91d75c4de5e23a08af8570c92bab70c3a520cd136
Threat Level: Known bad
The file 4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe.zip was found to be: Known bad.
Malicious Activity Summary
Ammyyadmin family
FlawedAmmyy RAT
AmmyyAdmin payload
Checks computer location settings
Drops file in System32 directory
Suspicious use of FindShellTrayWindow
Modifies data under HKEY_USERS
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-01 15:11
Signatures
AmmyyAdmin payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Ammyyadmin family
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-01 15:11
Reported
2023-12-01 16:24
Platform
win7-20231023-en
Max time kernel
151s
Max time network
145s
Command Line
Signatures
FlawedAmmyy RAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe | N/A |
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe
"C:\Users\Admin\AppData\Local\Temp\4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe"
C:\Users\Admin\AppData\Local\Temp\4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe
"C:\Users\Admin\AppData\Local\Temp\4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe
"C:\Users\Admin\AppData\Local\Temp\4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.242:443 | | tcp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | 714f2508d4227f74b6adacfef73815d8 |
| SHA1 | a35c8a796e4453c0c09d011284b806d25bdad04c |
| SHA256 | a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480 |
| SHA512 | 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8 |
C:\ProgramData\AMMYY\hr
| MD5 | 57f85bcfac4e8a1396e94e405d2ed844 |
| SHA1 | 8161322daedc73662192632e051560095bdacd7e |
| SHA256 | 6a927cd089f3af580c2f7b6810d492ba2a7fa70e273714fc0350cea9244f4143 |
| SHA512 | 6662b277c6bfe5984e25256b7c3cf13eda55b191f3c36bf88c4f7b30df56940b6a9817fcb44a0afc4b54082b3100100101931eaf1e34345f56a355772bff4f95 |
C:\ProgramData\AMMYY\hr3
| MD5 | d50ffe516e93ed7a5634eccfdbaafe0e |
| SHA1 | 8c75f85eb5c6a4227ea2f82b20a7f2dca49e1170 |
| SHA256 | d0e262d92635ad92b9febd3e2412ef77d4d192ce031467e90521259f6fe4e56f |
| SHA512 | 533dc71ef770d21c713628abfbf17e9620b7626ef45c0392241ef83c0919c2f7867f68c862842a750fda9d2ea8d4d9bfed47811faca5eccfafcc6da04c910b73 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-01 15:11
Reported
2023-12-01 16:24
Platform
win10v2004-20231127-en
Max time kernel
164s
Max time network
161s
Command Line
Signatures
FlawedAmmyy RAT
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Users\Admin\AppData\Local\Temp\4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Users\Admin\AppData\Local\Temp\4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Users\Admin\AppData\Local\Temp\4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Users\Admin\AppData\Local\Temp\4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | C:\Users\Admin\AppData\Local\Temp\4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Users\Admin\AppData\Local\Temp\4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Users\Admin\AppData\Local\Temp\4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e1552530110a5883a7bb26b | C:\Users\Admin\AppData\Local\Temp\4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 1ab8ed7bf586ef5883b9f7d9160bd06858e90ab1972add1f65df4775bea55fa869c5287f232ff7f1fb87fcee2c9d78ed61e7f28d887582f7729ecfa14467fe2ce39748c4 | C:\Users\Admin\AppData\Local\Temp\4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Users\Admin\AppData\Local\Temp\4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe
"C:\Users\Admin\AppData\Local\Temp\4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe"
C:\Users\Admin\AppData\Local\Temp\4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe
"C:\Users\Admin\AppData\Local\Temp\4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe
"C:\Users\Admin\AppData\Local\Temp\4f648c95b8c832742b8b43f4e70689d0ef0328841744858c75d0a4e98fda5ff8.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.235:443 | | tcp |
| US | 8.8.8.8:53 | 148.129.42.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.104.243.136.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.143.182.52.in-addr.arpa | udp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | 714f2508d4227f74b6adacfef73815d8 |
| SHA1 | a35c8a796e4453c0c09d011284b806d25bdad04c |
| SHA256 | a5579945f23747541c0e80b79e79375d4ca44feafcd425ee9bd9302e35312480 |
| SHA512 | 1171a6eac6d237053815a40c2bcc2df9f4209902d6157777377228f3b618cad50c88a9519444ed5c447cf744e4655272fb42dabb567df85b4b19b1a2f1d086d8 |
C:\ProgramData\AMMYY\hr
| MD5 | 4d95068d30bb667882e94a81c7a2a39b |
| SHA1 | b5429d47a0b92d227bc8d72d6f735420b0463e3a |
| SHA256 | a9938483bafb224d54683a91ca5ec69e3cda4bb38821558cb338d566a1eaf7e0 |
| SHA512 | db88923ab47517bf57e48723136f7600ad554c5f6f3c5437e02d6fa55fc20eb7d2942f6d9fbd7542bd218fb85da52827803ffe097c2f889a99d8f9cdfaa9b572 |
C:\ProgramData\AMMYY\hr3
| MD5 | 0762e3636f8a6a0809b51c7f85e57a92 |
| SHA1 | 66701746d89a7594361619efdb685a653ad99274 |
| SHA256 | 4a78598921d2b63c069b0ee00bce45b383c08184852f8f2af9028ca2ba23c743 |
| SHA512 | 7ed8d6702cb68780744ec7738b695d0e4bf2ec56550020002646cbfa0a95a7e4ac9d34fdddcf4269791d2a75657c2123e49c6fe0bcaa4a2bcc440fa913e18a83 |