Malware Analysis Report

2024-10-16 05:10

Sample ID 231201-slmnvsbg74
Target b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe.zip
SHA256 42d60a91abadc88d18b8c2bddae09bc2b5d3f0c34759947f3990c9eb0eade31f
Tags
flawedammyy trojan ammyyadmin
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

42d60a91abadc88d18b8c2bddae09bc2b5d3f0c34759947f3990c9eb0eade31f

Threat Level: Known bad

The file b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe.zip was found to be: Known bad.

Malicious Activity Summary

flawedammyy trojan ammyyadmin

FlawedAmmyy RAT

AmmyyAdmin payload

Ammyyadmin family

Checks computer location settings

Drops file in System32 directory

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-01 15:12

Signatures

AmmyyAdmin payload

Description Indicator Process Target
N/A N/A N/A N/A

Ammyyadmin family

ammyyadmin

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-01 15:12

Reported

2023-12-01 16:37

Platform

win10v2004-20231127-en

Max time kernel

174s

Max time network

184s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 0b157ecc3af6377fad22ade214765359642bb41ecfc7e26bdc1513874da7b621c7dc3f9b67d26a5f50e6bd9d7434dd6dc3878add096332114ab5e0e1e71b282ce1218b0e C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d56736608796d5b5b4e155253a9b2517c3c7bb26b C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Ammyy C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe

"C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe"

C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe

"C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe

"C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 rl.ammyy.com udp
NL 188.42.129.148:80 rl.ammyy.com tcp
DE 136.243.104.235:443 tcp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 148.129.42.188.in-addr.arpa udp
US 8.8.8.8:53 235.104.243.136.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 65.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 193.78.101.95.in-addr.arpa udp

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 e4f7224ed356915816bebb715326d18a
SHA1 8b441bb4276212b9e774cba75fdbb723cb68af93
SHA256 74378574282fceda54a869e384dffdf9d7d202d5a1937d781fcc501d6115e93c
SHA512 5a7fc84ea39311ef5277aaf3fa0e207b6e095ec236ea877756da7849d38678b8e73a7bd5ea49ae51ae730adc2a56cd79dd0fc3be63bcbb58ae50f9f030140ba2

C:\ProgramData\AMMYY\hr

MD5 daa76b824c23a656f3fd100410f6290b
SHA1 d66c5c8a329f04edd5606d50867f73893f6571b5
SHA256 530c3709dd5877993b7077aa98a1926b666be54ec02fa1b280718030fb0d80f9
SHA512 fce627ba3410ce8422a1f56bc1ad23a4fa6df203a6e5efb839b0f5e81a6b8cc8cd018ca9a40bb31b37bf6972527a2e20928d6b634d85233531633559e7a689f9

C:\ProgramData\AMMYY\hr3

MD5 529b2a36e9319ed2448dad94486f6c89
SHA1 2175735df96b1341d7896270a4a1cb33493ad5f8
SHA256 9a595e1d12793ebcc172d9d55f800fa2b78f111152950d9550fead51d8c1d499
SHA512 deb0250339f91a71286f00dbb48d01d12e9fdc04d05f14660ccc5a3a62c4dad39a037fd8bacfe5dd83bcb2078e5afaf8b0261267480b9e1d99fa4f53b37cb1fd

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-01 15:12

Reported

2023-12-01 16:36

Platform

win7-20231020-en

Max time kernel

151s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe"

Signatures

FlawedAmmyy RAT

trojan flawedammyy

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr = 537d56736608796e5f5e4c10595327829e103c7bb26b C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin\hr3 = 33a40e3a0febe0f5e4a3fb72ca457349c57c4603cb999c2d1d2e552b01357277a62e3d90ae270bb4f65a9e81b73fcfae267c54054217b27074242315675e4ae0fe387751 C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe

"C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe"

C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe

"C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe" -service -lunch

C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe

"C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 rl.ammyy.com udp
NL 188.42.129.148:80 rl.ammyy.com tcp
DE 136.243.104.242:443 tcp
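The Network tables of behavioral2 and behavioral1 above mix three kinds of rows: forward DNS queries to the resolver (8.8.8.8:53), reverse DNS queries (names ending in in-addr.arpa, whose octets appear in reverse order), and the TCP connections the sample actually made. The following is an added example, not part of the sandbox report, that parses those rows (copied inline from the two tables) into separate lists so the relay contacts can be carried into a hunt without the PTR noise. The column handling is an assumption from the rows as printed (the Domain column is simply absent on the two 443 rows); the report does not say which process issued the reverse lookups.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed input: rows copied from the two Network tables in this report
# (behavioral2 first, then behavioral1); most of behavioral2's reverse-DNS
# rows are omitted since they all decode the same way.
NETWORK_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 rl.ammyy.com udp
NL 188.42.129.148:80 rl.ammyy.com tcp
DE 136.243.104.235:443 tcp
US 8.8.8.8:53 235.104.243.136.in-addr.arpa udp
US 8.8.8.8:53 148.129.42.188.in-addr.arpa udp
US 8.8.8.8:53 rl.ammyy.com udp
NL 188.42.129.148:80 rl.ammyy.com tcp
DE 136.243.104.242:443 tcp
"""


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: str  # "" when the report recorded no name for the flow
    proto: str


def parse_rows(text: str) -> list[Flow]:
    """Parse 'Country Destination [Domain] Proto' rows; Domain is optional."""
    flows: list[Flow] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            raise ValueError(f"unexpected row: {line!r}")
        ip, port = dest.rsplit(":", 1)
        ipaddress.IPv4Address(ip)  # raises on a malformed destination
        flows.append(Flow(country, ip, int(port), domain, proto.lower()))
    return flows


def ptr_to_ip(name: str) -> str | None:
    """Decode a reverse-DNS name: the octets are listed least significant first."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    ip = ".".join(reversed(octets))
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        return None
    return ip


def is_resolver_query(f: Flow) -> bool:
    return f.proto == "udp" and f.port == 53


def forward_lookups(flows: list[Flow]) -> list[str]:
    """Distinct names the guest resolved, excluding reverse lookups."""
    names = {f.domain for f in flows if is_resolver_query(f) and ptr_to_ip(f.domain) is None}
    return sorted(names)


def ptr_lookups(flows: list[Flow]) -> list[str]:
    """Distinct addresses that were reverse-resolved, decoded and sorted numerically."""
    ips = {ptr_to_ip(f.domain) for f in flows if is_resolver_query(f)}
    ips.discard(None)
    return sorted(ips, key=ipaddress.IPv4Address)


def direct_connections(flows: list[Flow]) -> list[tuple[str, int, str, str]]:
    """Distinct non-resolver flows as (ip, port, domain, proto), in first-seen order."""
    seen: dict[tuple[str, int, str, str], None] = {}
    for f in flows:
        if not is_resolver_query(f):
            seen.setdefault((f.ip, f.port, f.domain, f.proto), None)
    return list(seen)


def unresolved_connections(flows: list[Flow]) -> list[tuple[str, int]]:
    """Connections with no name attached: candidates for a hard-coded address."""
    return [(ip, port) for ip, port, domain, _ in direct_connections(flows) if not domain]


if __name__ == "__main__":
    parsed = parse_rows(NETWORK_ROWS)
    print("forward lookups:", forward_lookups(parsed))
    print("reverse-resolved:", ptr_lookups(parsed))
    print("connections:", direct_connections(parsed))
    print("no name attached:", unresolved_connections(parsed))
```

Run on the rows above, it shows that only one name was resolved (rl.ammyy.com, behind the 188.42.129.148:80 connection), while the 443 connections into 136.243.104.0/24 have no name attached in either run. 148.129.42.188.in-addr.arpa and 235.104.243.136.in-addr.arpa decode to 188.42.129.148 and 136.243.104.235, i.e. reverse lookups of those same relay addresses rather than additional infrastructure.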

Files

C:\ProgramData\AMMYY\settings3.bin

MD5 e4f7224ed356915816bebb715326d18a
SHA1 8b441bb4276212b9e774cba75fdbb723cb68af93
SHA256 74378574282fceda54a869e384dffdf9d7d202d5a1937d781fcc501d6115e93c
SHA512 5a7fc84ea39311ef5277aaf3fa0e207b6e095ec236ea877756da7849d38678b8e73a7bd5ea49ae51ae730adc2a56cd79dd0fc3be63bcbb58ae50f9f030140ba2

C:\ProgramData\AMMYY\hr

MD5 66e367bb316b311a35dd46b3457c6023
SHA1 9b55e30d3f6113179d158395de888e21160f3fcc
SHA256 eeebb85254cbabb8b429cdc16f61de8fcba0c0415f0e71d0fc0d91e7963a03ff
SHA512 33ce7d150950c031f728e84a8e74d515a04340bd68ee8a5a8ea2200fd8e82306d8fec64a942ba2c62253ad0b7ef08f7f7005cf19b102a600add51d6364d3d44a

C:\ProgramData\AMMYY\hr3

MD5 922e7ec2506d63449987d9c99068adf4
SHA1 46f88283c607c56fac34469fdb14c6a89d74328e
SHA256 7625f69a8f2286bb3600b75514fa9e01965bf39c46b9da2fb6d9011b01c78028
SHA512 1fe8a81c49bf1b89b2df788585b579a28553a58b82a48caa1ed43141d7870b39c771cf6d1258e4d2a1a72f25ed7741b42052d9e874d94f85e8c28c6bfb8155bd
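Both behavioral runs record the same host-side indicators: a child process started with "-service -lunch" (the sample's own spelling), keys created and values set under HKU\.DEFAULT\Software\Ammyy\Admin, files written to C:\ProgramData\AMMYY\, a DNS query for rl.ammyy.com and TCP connections to the relay addresses. The HKU\.DEFAULT hive and the config\systemprofile paths in the "Drops file in System32 directory" table are the LocalSystem profile, which is what the -service child runs as. The following is an added example, not code from the sandbox or the report's author, that turns those indicators into rules over Sysmon-shaped events (EventID 1 process create, 3 network connection, 11 file create, 12/13 registry, 22 DNS query). The event dicts are constructed here to mirror the behaviour recorded above and are not sandbox output; the rule names are this example's own.

```python
import re

# Indicators copied from the Signatures, Processes, Network and Files sections.
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\b5f65158f6713aa2fb7dd0b09d5f6dd39ae3cd1212ad330da207244d522aee20.exe"

AMMYY_REG_KEY = re.compile(r"\\Software\\Ammyy(\\|$)", re.IGNORECASE)
AMMYY_DATA_DIR = re.compile(r"\\ProgramData\\AMMYY\\", re.IGNORECASE)
SERVICE_SWITCHES = re.compile(r"\s-service\s+-lunch\b", re.IGNORECASE)  # "-lunch" as the sample spells it
RELAY_DOMAINS = {"rl.ammyy.com"}
RELAY_ADDRS = {"188.42.129.148", "136.243.104.235", "136.243.104.242"}
SYSTEM_PROFILE = re.compile(r"(HKU|\\REGISTRY\\USER)\\\.DEFAULT\\|\\config\\systemprofile\\", re.IGNORECASE)


def check_event(ev: dict) -> list[str]:
    """Return the names of every rule the event matches; [] means no match."""
    eid = ev.get("EventID")
    hits = []
    if eid == 1 and SERVICE_SWITCHES.search(ev.get("CommandLine", "")):
        hits.append("ammyy_service_launch_cmdline")
    if eid in (12, 13) and AMMYY_REG_KEY.search(ev.get("TargetObject", "")):
        hits.append("ammyy_registry_key")
    if eid == 11 and AMMYY_DATA_DIR.search(ev.get("TargetFilename", "")):
        hits.append("ammyy_programdata_file")
    if eid == 22 and ev.get("QueryName", "").lower() in RELAY_DOMAINS:
        hits.append("ammyy_relay_dns")
    if eid == 3 and ev.get("DestinationIp") in RELAY_ADDRS:
        hits.append("ammyy_relay_connection")
    return hits


def runs_as_system(ev: dict) -> bool:
    """True when the registry or file target lies in the LocalSystem profile."""
    target = ev.get("TargetObject", "") + ev.get("TargetFilename", "")
    return bool(SYSTEM_PROFILE.search(target))


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """(event index, rule name) for every match, in event order."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]


# Constructed events modelled on the report; not sandbox output.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": SAMPLE_EXE, "CommandLine": f'"{SAMPLE_EXE}"'},
    {"EventID": 1, "Image": SAMPLE_EXE, "CommandLine": f'"{SAMPLE_EXE}" -service -lunch'},
    {"EventID": 12, "Image": SAMPLE_EXE, "TargetObject": r"HKU\.DEFAULT\SOFTWARE\Ammyy\Admin"},
    {"EventID": 13, "Image": SAMPLE_EXE, "TargetObject": r"HKU\.DEFAULT\Software\Ammyy\Admin\hr3"},
    {"EventID": 13, "Image": SAMPLE_EXE,  # generic IE cache key the sample also writes; no rule fires
     "TargetObject": r"HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix"},
    {"EventID": 11, "Image": SAMPLE_EXE, "TargetFilename": r"C:\ProgramData\AMMYY\settings3.bin"},
    {"EventID": 22, "Image": SAMPLE_EXE, "QueryName": "rl.ammyy.com"},
    {"EventID": 3, "Image": SAMPLE_EXE, "DestinationIp": "188.42.129.148", "DestinationPort": 80},
    {"EventID": 3, "Image": SAMPLE_EXE, "DestinationIp": "8.8.8.8", "DestinationPort": 53},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(idx, rule, "system-profile" if runs_as_system(SAMPLE_EVENTS[idx]) else "")
```

Hash matching is left out on purpose: hr and hr3 carry different hashes in the two runs, and only settings3.bin (SHA256 74378574282fceda54a869e384dffdf9d7d202d5a1937d781fcc501d6115e93c) is identical across both, so it is the one file hash worth adding to a sweep. Every indicator above is also produced by a licensed Ammyy Admin installation, from whose source FlawedAmmyy was derived, and rl.ammyy.com is Ammyy's own relay domain; treat a hit as an Ammyy-tooling lead to confirm against the sample hash and the sandbox verdict rather than as proof of the RAT by itself.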