Analysis Overview
SHA256
42d60a91abadc88d18b8c2bddae09bc2b5d3f0c34759947f3990c9eb0eade31f
Threat Level: Known bad
The file b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe.zip was found to be: Known bad.
Malicious Activity Summary
FlawedAmmyy RAT
AmmyyAdmin payload
Ammyyadmin family
Checks computer location settings
Drops file in System32 directory
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-01 15:12
Signatures
AmmyyAdmin payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Ammyyadmin family
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-01 15:12
Reported
2023-12-01 16:37
Platform
win10v2004-20231127-en
Max time kernel
174s
Max time network
184s
Command Line
Signatures
FlawedAmmyy RAT
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 0b157ecc3af6377fad22ade214765359642bb41ecfc7e26bdc1513874da7b621c7dc3f9b67d26a5f50e6bd9d7434dd6dc3878add096332114ab5e0e1e71b282ce1218b0e | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e155253a9b2517c3c7bb26b | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4564 wrote to memory of 4292 | N/A | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe |
| PID 4564 wrote to memory of 4292 | N/A | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe |
| PID 4564 wrote to memory of 4292 | N/A | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe
"C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe"
C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe
"C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe
"C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.235:443 | tcp | |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.129.42.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 235.104.243.136.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 7.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.78.101.95.in-addr.arpa | udp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | e4f7224ed356915816bebb715326d18a |
| SHA1 | 8b441bb4276212b9e774cba75fdbb723cb68af93 |
| SHA256 | 74378574282fceda54a869e384dffdf9d7d202d5a1937d781fcc501d6115e93c |
| SHA512 | 5a7fc84ea39311ef5277aaf3fa0e207b6e095ec236ea877756da7849d38678b8e73a7bd5ea49ae51ae730adc2a56cd79dd0fc3be63bcbb58ae50f9f030140ba2 |
C:\ProgramData\AMMYY\hr
| MD5 | daa76b824c23a656f3fd100410f6290b |
| SHA1 | d66c5c8a329f04edd5606d50867f73893f6571b5 |
| SHA256 | 530c3709dd5877993b7077aa98a1926b666be54ec02fa1b280718030fb0d80f9 |
| SHA512 | fce627ba3410ce8422a1f56bc1ad23a4fa6df203a6e5efb839b0f5e81a6b8cc8cd018ca9a40bb31b37bf6972527a2e20928d6b634d85233531633559e7a689f9 |
C:\ProgramData\AMMYY\hr3
| MD5 | 529b2a36e9319ed2448dad94486f6c89 |
| SHA1 | 2175735df96b1341d7896270a4a1cb33493ad5f8 |
| SHA256 | 9a595e1d12793ebcc172d9d55f800fa2b78f111152950d9550fead51d8c1d499 |
| SHA512 | deb0250339f91a71286f00dbb48d01d12e9fdc04d05f14660ccc5a3a62c4dad39a037fd8bacfe5dd83bcb2078e5afaf8b0261267480b9e1d99fa4f53b37cb1fd |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-01 15:12
Reported
2023-12-01 16:36
Platform
win7-20231020-en
Max time kernel
151s
Max time network
160s
Command Line
Signatures
FlawedAmmyy RAT
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c10595327829e103c7bb26b | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 33a40e3a0febe0f5e4a3fb72ca457349c57c4603cb999c2d1d2e552b01357277a62e3d90ae270bb4f65a9e81b73fcfae267c54054217b27074242315675e4ae0fe387751 | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe
"C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe"
C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe
"C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe" -service -lunch
C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe
"C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | rl.ammyy.com | udp |
| NL | 188.42.129.148:80 | rl.ammyy.com | tcp |
| DE | 136.243.104.242:443 | tcp |
Files
C:\ProgramData\AMMYY\settings3.bin
| MD5 | e4f7224ed356915816bebb715326d18a |
| SHA1 | 8b441bb4276212b9e774cba75fdbb723cb68af93 |
| SHA256 | 74378574282fceda54a869e384dffdf9d7d202d5a1937d781fcc501d6115e93c |
| SHA512 | 5a7fc84ea39311ef5277aaf3fa0e207b6e095ec236ea877756da7849d38678b8e73a7bd5ea49ae51ae730adc2a56cd79dd0fc3be63bcbb58ae50f9f030140ba2 |
C:\ProgramData\AMMYY\hr
| MD5 | 66e367bb316b311a35dd46b3457c6023 |
| SHA1 | 9b55e30d3f6113179d158395de888e21160f3fcc |
| SHA256 | eeebb85254cbabb8b429cdc16f61de8fcba0c0415f0e71d0fc0d91e7963a03ff |
| SHA512 | 33ce7d150950c031f728e84a8e74d515a04340bd68ee8a5a8ea2200fd8e82306d8fec64a942ba2c62253ad0b7ef08f7f7005cf19b102a600add51d6364d3d44a |
C:\ProgramData\AMMYY\hr3
| MD5 | 922e7ec2506d63449987d9c99068adf4 |
| SHA1 | 46f88283c607c56fac34469fdb14c6a89d74328e |
| SHA256 | 7625f69a8f2286bb3600b75514fa9e01965bf39c46b9da2fb6d9011b01c78028 |
| SHA512 | 1fe8a81c49bf1b89b2df788585b579a28553a58b82a48caa1ed43141d7870b39c771cf6d1258e4d2a1a72f25ed7741b42052d9e874d94f85e8c28c6bfb8155bd |